In the coming weeks, I will be providing a few simple methods to baseline your network at a high level. Nearly all external attacks and many internal ones will be initially based on the exploit of a network service. Knowing the systems and services running over the network will greatly aid in securing the organization.
Breaking this process into manageable sections is the key to successfully completing it. Each stage of the overall process of creating a secure and compliance network is then “projectized” into controllable chunks.
You may have guess from my collection of their certifications that I like the SANS model. The SANS audit strategy is defined using the following steps:
1. Determine Areas of Responsibility
2. Research Vulnerabilities and Risks
3. Secure the Perimeter
4. Secure the DMZ and critical systems
5. Eliminate Externally Accessible Vulnerabilities
6. Eliminate Internally Accessible Vulnerabilities
7. Search for Malware
These stages allow the organization to move from the outside in. Starting at the perimeter, the organization can test and provide a deeper level of defense of its systems in the most effective manner, locking external attacks out and reducing noise as the testing proceeds.
With the many other areas we will touch on, in coming weeks we will look at a phased approach to securing your network and systems.
Saturday, 13 August 2011
In the coming weeks, I will be providing a few simple methods to baseline your network at a high level. Nearly all external attacks and many internal ones will be initially based on the exploit of a network service. Knowing the systems and services running over the network will greatly aid in securing the organization.
100 Spaceport Way, Cape Canaveral, FL 32920
In my many random rants and battles with the world at large I have managed to have a retort from one Nancy Weston who argued that “Sumer did ok without capitalism.”
She has argued further that:
“Wealth is made by draining and using those Third world countries to the benefit of Capitalist countries, if we didnt have China making our consumer goods do you really believe Australia could afford to produce it at the same cost whilst paying our award wages?”
To this topic of course I posted on the lack of trade with Africa. It remains that the issue with Africa (and for that matter any third world country) is a lack of trade. The US has an economy of $14.772 trillion (2011) based on GDP. This is $47,275 (2010) per capita or man, woman and child.
Trade to Africa accounts for just 0.607% of the US economy. Even trade with China only accounts for 2.27% of the US economy. All up, adding all of the impoverished nations that trade with the US, the total trade just accounts for 3.25% of the US economy.
This is, 96.75% of the US economy is derived from countries other than the third world. I have to ask, How can ““Wealth be made by draining and using those Third world countries to the benefit of Capitalist countries”?
Basically, the lack of trade and the lack of capitalistic markets is the issue. Capitalism is not draining resources from the poor, the poor are not engaged with trade. The are poor as the do not trade.
To the topic of this discourse.
The Sumerian civilization was founded upon the flood plain of the lower reaches of the Tigris and Euphrates Rivers about 4,000 B.C.E. Some argue earlier and to 5,000 B.C.E. but these were basically small tribal societies and did not in themself form what we would call Sumerian civilisations.
The economy of the Sumerian city-states were based on agriculture and trade. Basically, they started as a merchant economy. A form of proto-capitalism. Writing was “invented” as a means to account for the states taxation system and as a means of controlling debt and contractual obligations.
As the society grew, they became more and more specialised and started to industrialise creating manufactured goods in large factories. The Sumerian city state was also a slave culture and there was a heavy reliance on the capture and enslavement of the surrounding peoples and tribal groups.
These city states imported the goods needed for a bronze age society. Copper was imported from as far away as what is now the UK. Tin was found throughout Europe and Asia minor. Timber was sourced from the coastal regions of the Mediterranean including Lebanon (as it is now called) and Northern Africa. These imported goods were exchanged for dried fish, wool, wheat, and and finished metal goods.
The machine of the time, the engine was the slave, but this was a distinctly different slave culture to that most people would think of when comparing the South of the USA today.
Basically, Sumerian society thrived (ignoring the slavery) for the reason of trade and what was an economy derived on proto-capitalism.
At about 3,000 B.C.E. the invention of the wheel was used to enhance trade speeding movement inland and making it profitable to trade with those further from the coastal regions.
At the start, slavery was a minor part of Sumerian society. As the city states fortified and the priest and warrior cast started to be subsumed by the rise of the Kings, slaves became more important in the economy right to the point where the Sumerians disappeared from history around 2,000 B.C.E. This was a result of the military domination by various Semitic peoples that surrounded the region. Most importantly, at the period around 2,000 B.C.E. Sargon established an empire in Mesopotamia and this consumed Sumer. That stated, Semitic peoples had been encroaching into Sumer long before Sargon's conquest.
Basically, as trade was controlled more and more and more capital was consumed by the state for a military Kingship, the nation moved from prosperity to collapse.
Many supporters of communism have proposed some new progressive structure of society that is really the same agrarian society of the middle Sumerian city states. This system was created with a priesthood controlling the society and parallels that called for by those wanting to see a Marxist form of welfare state. In this case, the Party replaces the priest, but for all intents and purposes it remains the same.
Over 90% of the Sumerian people were involved in agriculture. In any standards, they were poor and disenfranchised.
Basically, any early agrarian was poor and undernourished. The people who made the city work were the merchant class and these became the first middle class society.
To learn far more, I highly recommend the following book:
The Invention of Enterprise: Entrepreneurship from Ancient Mesopotamia to Modern Times (Kauffman Foundation Series on Innovation and Entrepreneurship) by David S. Landes, Joel Mokyr and William J. Baumol (Jan 11, 2010)
Money in the early Sumerian city state was in the form of small silver disks. The record systems and accounting used in these city states has led to Sumer being referred to as “the birthplace of economics”.
Basically, we have a society that started through trade. As trade (and an early form or proto-capitalism) made wealth, a type of political parasite took off. This was the Kings.
The Kings made more war, they needed more slaves and they drained more from the society.
So, Sumer started with what was an early form of capitalism and collapsed as a top heavy government took more and more and gave back less and less.
- Economic Texts from Sumer (Yale Oriental Series, Babylonian Texts) by Carl H. Lager and Professor Daniel C. Snell (Feb 8, 1992)
- Sumerian Economic Texts from the Third Ur Dynasty by Tom B. Jones (Jan 30, 1961)
- Trade & Finance in Ancient Mesopotamia: Proceedings of the First Mos Symposium by J. G. Dercksen (Oct 1, 1999)
- The Invention of Enterprise: Entrepreneurship from Ancient Mesopotamia to Modern Times (Kauffman Foundation Series on Innovation and Entrepreneurship) by David S. Landes, Joel Mokyr and William J. Baumol (Jan 11, 2010)
The table below shows the 2010 Trade figures for these three geographic locations as a total for 2010 in millions of US$.
The table below has imports INTO the USA and Exports from the US.
|Country||Total Exports $||Total Imports $|
|USA - Africa|| |
|USA - Canada|| |
|USA - Germany|| |
Clearly, the African people are not suffering from excessive trade with the USA or cannot be said to be exploited by the USA (They are by their own governments, but this is a separate issue).
In fact, the nature of money is that it can be used to purchase goods and services. The more trade there is in Africa, the more food and essential goods that the people there will be able to buy.
Simple answer, more trade will help these people come out of poverty and this means more companies making goods that others want.
 "World Population Prospects: The 2010 Revision" United Nations (Department of Economic and Social Affairs, population division)
 Statistics Canada
 CIA World Factbook
I write articles such as the following that are published and taken up in newspapers…
MY response… (and yes I am a Christian but I also tolerate others and their creeds).
Business is made with all else from the people in business. It is a benefit in itself. People are enriched through trade. These silly ideas of exploitation are just that, silly. The fact is, the absence of trade is the biggest issue, not exploitation. People are not exploited through trade, they are exploited through small local governments that have a hold over them and limit open trade.
Places such as Africa suffer from a lack of trade. Look at the figures. There is more trade between Canada and the US than with the entire African continent.
The simple act of trade enriches.
Ecclesiastes 11:1-2 (Good News Translation)
1 Invest your money in foreign trade, and one of these days you will make a profit. 2 Put your investments in several places - many places even - because you never know what kind of bad luck you are going to have in this world.
Or there is Luke 17:7-10; Matt 25:14-30…
Paris Hilton is the idle rich in all this, but she is not a capitalist, she is simply a spoilt child of such. The middle class and even a person in a profession is not rich as is implied.
Next, business and companies are NOT the masters. ANY person who has EVER built a successful company knows that their customer is king. Business is all about servanthood (2 Tim 2:24).
The SIMPLE answer is that ANY person in a capitalist country can start a business. They can raise capital with an idea and supplant the existing incumbent. This occurs again and again.
Finally, Paul was a leather worker and tent maker. A trade that seems lowly now, but it was really up in the levels of an IT worker 2000 years ago. It was one of the “higher” roles. He worked where he went. He traded and made businesses. These communities did not simply survive on love Byron, the practiced Ecclesiastes and the Parable of the Talents. They traded and they worked.
Now, the fact I am a capitalist (and libertarian seems to be ignored) blinds others to any ethics I may have. I see responses basically assuming I have no moral conscious (and I am not accusing you of this Byron). Yet, do these people even take the time to understand, a simple no is an answer.
I came from abject poverty, not privilege. I worked and I studied in a system that allows me to do this (and this also has meant full fees for my studies). Like many others, I give as I CHOOSE to give. I do this as I create something new in what I do and make something that did not exist. I enrich. I have not taken something and exploited, I create something new. This means, I do not care about the exact fairness of distribution and allocating the slices of the pie.
I (as with other capitalists) make a BIGGER pie. Yes the percentage may not be fair – who cares really, the slice is bigger for all. Even the poor!
Do we want to quibble over how 10 people divide 1 fish or do we want to have 20 fish for those ten people with at least a fish each? This is the question. In the first, lots go without, in the latter, maybe one person gets 8 fish and most just have one fish, but the answer is, the latter makes ALL better off. Who cares what the percentages are!
Business does NOT make a moral society. It is NOT the role of business to do this. Business is a mirror to society. It offers people what they want. IF people are virtuous, then people will want virtuous services. IF they are not, they will want other things.
Through business, I get to help make people more virtuous. I have donated over 300 computers and placed the heads of over 100 families through TAFE courses and given them skills. I have ONLY been able to do this through business. Not exploitation, creation.
Virtue is NOT the function of business to teach. It is the values of the people that make a business. That said, businesses DO help make people more virtuous, they make people interact and trade and this leads to increased understanding and acceptance.
So, here I am the “big bad capitalist” who has donated over $10 million (more than my total net worth at any point) over the years to Burnside, St Vincent’s Community Services and a number of other charities what have others done?
The founders of PayPal have given far more than I. This is their created wealth, yet we are sitting her arguing their virtues as well.
Simply, they provided a service. THEY created something and ENRICHED society.
ANYONE here can make their own business and compete. ANYONE. This IS democratic.
If you do not like PayPal, pull your finger out and make something better if you see something that can offer more. IF and I mean IF there is a service that people care more for, that is virtuous and as such people want for its virtue, they will use your service.
So, it is simple. Create something better and stop bitching about what we have as an armchair critic.
OTHERS have created the wealth that is here and is benefiting us all and we sit here wining about distribution of their created wealth and NOT making more.
Tell me, who is really doing more?
Friday, 12 August 2011
Windows 7 has a little known Easter egg called “GOD”. This is a useful (for administrators we hope) way to get access to tools in one place.
Start by creating a folder on the desktop...
Next, rename the folder as:
Once you have renamed this file, it automajically populates and fills with a all in one selection of useful administrative Windows tools...
The thing is to also make sure that users cannot create this, or if they do... remove it.
Yes, if users have access to this, they still do not have admin rights and need a password to run the tools (local admin is bad for most people). That said, it is still a good idea to limit what users are exposed to.
It is important to plan the scope of all audit and system testing engagements, network mapping is no different. A failure to adequately plan will quickly lead to being overwhelmed. Plan a risk based approach to mapping the network. Start at the perimeter and work in towards the centre, gradually gaining more and more depth as each of the systems is audited.
It is important to ask where the real value lies within the organization. This is not a job for the auditor alone and management should consider the value of the data and information assets. Work from the outside in. With each step go deeper into mapping the weaknesses associated with the organization’s information assets. This should align with the following steps:
- Map the network devices and perimeter,
- Scan the internal systems and Servers,
- Test and map Databases and Applications,
- Create Images and baselines.
There are many tools that can be used to scan systems and make a network map. The best known of these tools is nmap. Nmap is available from http://nmap.org/. There are many excellent sources of information for the auditor or security professional wanting to discover more about this tool. Other then the section in the Firewall chapter of this book, the following sites should be one of the first stops in this process:
We covered using nmap for individual scans in an earlier chapter, “Testing the Firewall”. In this section we look at how to automate the response and make this tool useful for reporting.
The prime limitations with nmap are its reporting capabilities. Nmap does provide output in a “grep’able” format, but there are far more effective tools that can query the data. PBNJ (this package includes ScanPBNJ and OutputPBNJ) can import nmap scan results from an nmap “-oX”, XML format and provides the capability to query this data. The program is written in Perl and provides a means to instantaneously identify changes to the systems and network.
ScanPBNJ can be used directly to scan the network using nmap directly. Using nmap to scan and then import the output into ScanPBNJ requires the use of the nmap XML output format (-oX). ScanPBNJ with the “-x” option can import the results of the nmap XML report.
PBNJ is a suite of tools that provides that capacity to monitor change across a network over time. It has the capacity to save nmap results into a database and check for changes on the target host(s). It saves the details concerning the services running on these hosts as well as the service state. PBNJ can then parse the data from an nmap scan and store the results in the database. PBNJ uses Nmap as a scanning engine. It is available from http://pbnj.sourceforge.net/.
The benefits of PBNJ include:
- The ability to configure automated Internal and external Scans,
- A configurable and flexible querying language and alerting system,
- The ability to parse Nmap XML output files
- The ability to access Nmap output using a database (SQLite, MySQL or Postgres),
- The ability to use distributed scanning with separate consoles and scan engines, and
- PBNJ runs on Linux, BSD and Windows (Linux or UNIX are recommended over Windows in this instance).
By default, ScanPBNJ runs an nmap scan using the command options; “nmap -vv -O -P0 -sS -p 1-1025”. This output is extremely verbose with operating system identification set. It will also not ping host by default. The options above run an nmap SYN scan over TCP ports between 1 and 1025.
It is possible to override the default options in ScanPBNJ using the “-a” switch. For instance to scan all TCP ports on the host 10.50.20.10 the following command could be used;
ScanPBNJ –a “-A –sS –P0 -p 1-65535” 10.50.20.10
The other options of the previous command include using the SYN scan option, version scanning, not pinging the host and using operating system detection. Any of the standard nmap switches and scan types may be used.
The ability to query the ScanPBNJ results is provided using OutputPBNJ. OutputPBNJ uses a query yaml config file to perform queries against the information collected by ScanPBNJ. OutputPBNJ display the results of the scans using a variety of formats (such as csv, tab and html).
A number of predefined queries have been included with OutputPBNJ. These may be used to query the nmap results. The configuration file “query.yaml” contains default queries that have been defined on the system.
By default, there are only a small number of queries are limited. It is both possible to modify the existing default queries and/or to query the database directly. An ODBC connection to the database could also be used to load data from the database into another tool.
Understanding the Map
Networks change over time. New hosts, servers and services are added and removed. Network maps are not just Visio diagrams. It is nice to have a detailed visual map of what is running on the network, but a representation that can be automatically tested and used as a baseline is better.
The map of the network is the basis of being able to see what is authorized and what is not. Even if the systems on the network are not all tested and verified to be at an acceptable level of security, the map gives a way to get there.
Think of it this way, you have a system that is baselined, but has not been tested and verified. You already have a way to know two things:
- You have a starting point to check for unauthorized changes,
- You have a set of details about the system such as a list of services that are running on the system and which operating system it is using.
Another way to see changes to the network is with a tool called ndiff.
Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from http://www.vinecorp.com/ndiff/. The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the “-b” option to select the file that is the baseline with the file to be tested using the “-o” option. The “-fmt” option selects the reporting format.
Ndiff can query the system’s port states or even test for types of hosts and Operating Systems using the “-output-ports” or “-output-hosts” options.
The options offered in ndiff include:
Ndiff output may be redirected to a web page:
ndiff –b base-line.txt –o tested.txt –fmt machine | ndiff2html > differences.html
The output file, “differences.html”, may be displayed in a web browser. This will separate hosts into three main categories:
- New Hosts,
- Missing Hosts, and
- Changed Hosts.
If a new host has appeared on the network map that has not been included in the change process and authorization, it will stand out as an exception. This reduces the volume of testing that needs to be completed.
Further, is a host appears in the “Changed Hosts” section of the report, you know what services have been added. This is again going to come back to a control failure in the change process or an unauthorized change. This unauthorized change could be due to anything from an internal user installing software without thinking or an attacker placing a trojan on the system. This still needs to be investigated, but checking an incident before the damage gets out of hand is always the better option.
Thursday, 11 August 2011
The unfortunate thing is that the easiest targets are rarely aligned with risk. A risk-based approach dictates that the vulnerabilities that pose the highest risk to the organization are addressed first.
To go about this it is necessary to build a prioritized list of vulnerabilities. SANS created a “Top 20” list for just this reason. For most organizations, this is a great place to start.
SANS sponsors the consensus top twenty vulnerability list. The list is available free from the web at http://www.sans.org/top-cyber-security-risks/. Just securing the network against the 20 exploits in this list will provide your organization with a greater level of security than most organizations. A list of ports that should be blocked is also available. Start with the organization’s perimeter security. Address the top vulnerabilities first. Next move down to the next riskiest level of vulnerabilities. The exercise may never end, but security has never been a point in time exercise.
In thinking about what to include in a vulnerability mitigation list consider the following:
- Historical exploits,
- Current exploits, and
- Trojan programs and other malware.
DNS is that unknown worker which goes considered until there is a problem. DNS resolves host names to IP addresses (and also conversely IP addresses to host names). Without DNS the Internet would stop. This is a big claim until you realize that people do not remember numbers. We can remember several thousand names but we cannot remember even 50 IP addresses easily.
Even within organizations DNS is key to the security of access as individuals connect to named servers and (usually) not to IP addresses. To secure a DNS server is essential to consider the following points:
1. Restrict zone transfers. DNS zone transfers are needed from the primary DNS to the secondary. Never allow anything else, not even secondary to secondary transfers.
2. Disable recursive checks and retrievals. There is no reason to allow recursive queries from ever host on the Internet. At best it is a waste of resources, at worst an attack path.
3. Log ALL zone transfer attempts. Any attempt to do a zone transfer should be treated as an incident. This is always going to be someone or some program looking for information about the configurations of systems. This should never be permitted.
4. Restrict queries. Not all queries are necessary. Information that is not necessary should be restricted on a need to know basis.
5. Restrict dynamic updates. Only authorized hosts should be allowed to change DNS entries.
6. Deploy split DNS. Split DNS involves logically and physically separating the external and internal address spaces.
o External IP addressing should include that information that is necessary for services on the Internet to function correctly.
o Internal IP addressing should be restricted to your organizations own systems.
A DNS Server is recursive when it assumes the duty of resolving the answer to a DNS query. DNS servers are generally recursive by default. Exposed recursive servers can be used by attackers (e.g. Cache poisoning attacks). At best they are lost system resources doing lookups for unrelated entities.
Bind version 8.x and above provide the capability to configure the server to be non-recursive with selected exceptions for explicit IP addresses. This allows the servers to answer recursive queries for the organizations own hosts while blocking recursive queries from unauthorized hosts on the Internet.
To configure DNS correctly:
- Recursive queries can be allowed for internal DNS
- Recursive queries should be blocked for external hosts
Secondary DNS servers use the zone transfer function to update changes to the DNS zone databases. These changes are received from the primary (or SOA, Start of Authority) DNS servers.
Only allow zone transfers between the primary and secondary DNS servers. Secondary DNS severs should never be allowed to respond to a zone transfer request.
Do not block TCP 53 and think that you are ok. TCP is used for valid DNS queries. The blocking of TCP port 53 is breaking DNS and not fixing zone transfers.
Split DNS involves the logical separation of the external and internal name resolution functions.
- Information that is necessary for hosts on the Internet is maintained on the external DNS servers.
- Information about the internal hosts and IP space is maintained and resolved using the internal DNS servers.
- When a system is required to support reverse PTR lookups, generic information should be provided.
A split-split DNS is the idea DNS architecture. In figure 1, the split-split DNS architecture is displayed. This involves a back to back private address DMZ segment with two firewalls (it is possible to do this with a single firewall and 3 interfaces as well). The DMZ network and internal private network each have:
• Two DNS Advertiser hosts on the DMZ
• Two DNS Resolver hosts on the DMZ
• Two internal DNS servers on the internal network
Figure 1 Split-Split DNS
There are at least two of each kind of server to provide for fault tolerance and load balancing. At least one of each type will be primary and the other a secondary DNS server (Windows Active Directory DNS servers do not use this system). Zone transfers are allowed only to occur between the primary and secondary servers. This is:
o External DNS. Acts as an advertiser and resolver system
o Internal DNS. Acts as to resolve queries for internal client hosts
o Each zone needs its own Primary and Secondary DNS. Zone transfers should only be allowed from primary servers to secondary servers (and not the other way)
Split-split DNS has multiple DNS servers located in the DMZ. Separate DNS servers provide name and domain advertising and resolution. A pair of DNS servers are positioned within the internal network as well. These are all run as duplicates to provide fault tolerance and load balancing.
A total of at least six DNS servers (three primary and three secondary servers) are required for a split-split DNS configuration. The three classes of DNS servers are:
· DNS Resolvers. DNS resolvers provide only DNS caching. These systems are configured to be DNS forwarders and allow access only from the internal network hosts.DNS resolvers do not maintain a DNS zone database and are not authoritative for any domains. This setup allows split-split DNS to aid in stopping DNS hijacking attacks.
· DNS Advertisers. DNS advertisers maintain the organizations domains that are “advertised” over the Internet (the organizations authoritative zones). DNS advertisers don’t allow recursive queries to be preformed.
· Internal DNS Servers. Internal DNS servers resolve queries that originate from the internal network hosts. Internal DNS servers function identically to internal DNS servers in a “split DNS” setup.
Wednesday, 10 August 2011
The following documents the logs that are created by a fairly normal company and the related time that these logs should be maintained.
Security and audit logs and the reporting on the systems that produce these logs must be centralised. It is necessary to have these records centralised so that systematic attacks across the servers can be pinpointed in a timely fashion. It also significantly lowers the risk of the logs being compromised.
The security logs must be backed up and kept for the duration of the audit period (e.g. 1 Year minimum). This can be extended with other requirements and should be deemed to be the absolute minimum requirement.
For instance, in Victoria, changes to the Crimes Act (1958) [Crimes (Document Destruction) Act 2006; Act No. 6/2006] have created “a new offence in relation to the destruction of a document or other thing that is, or is reasonably likely to be, required as evidence in a legal proceeding”. This act, punishable by indictment for a term of up to five years imprisonment affects anyone who destroys or authorises the destruction of any document that may be used in a legal proceeding (including potential future legal proceedings).
The distinction between correct and circumstantial evidence is that direct evidence categorically establishes the fact. Circumstantial evidence on the other hand is only suggestive of the fact. Authentication logs are generally accepted as direct evidence short of proof that another party used the access account. The consequence of this is that system logs can be critical to a legal case and hence must be maintained.
A section noting the “minimum document retention guidelines” has been included below.
- “Can you tell me when Joe Bloggs logged in and logged out?”
- “Can you see if someone has tried to open this file”
- “Can you tell me who the last person to open this file was?”
- “We need to know if this person has been chatting (Office Communicator) with this person outside the company”
- “We need to know what these people have been chatting about (office communicator) both inside and outside the company”
- “We need to know when people add external contacts to their communicator list”
- “Who had this IP address on
- The concern is leaking of information, more people resigning and things of that nature. What can you give me?
In addition to normal system logs, an operating log must be maintained that records any significant events and action taken by the system operator or administrator. These logs should be maintained on a centralised and isolated server. Proper recording would indicate whether operators were following instructions for halts in programs, change control, etc.
There are more reasons to maintain logs than for security alone. Some of the reasons to maintain system and network logging include:
- Optimizing system and network performance; to record the actions of users
- Identifying security incidents, policy violations, fraudulent activities, and operational problems;
- Performing audits and forensic analyses;
- Supporting internal investigations;
- Establishing baselines; and
- Identifying operational trends and long-term problems.
The following should be used as guideline in storing logs. This table sets the times for local storage. The central logging system should maintain all logs for at least 12 months online and maintain an offline backup for longer periods.
|Category||Low Impact Systems||Moderate Impact Systems||High Impact Systems|
|How long to retain log data?||1 to 2 months||3 to 6 months||12 to 36 months|
|How often to rotate logs||Optional (if performed, at least every week or every 25 MB)||Every 6 to 24 hours, or every 2 to 5 MB||Every 15 to 60 minutes, or every 0.5 to 1.0 MB|
|Transferring log data to the log management infrastructure - how frequently that should be done?||Every 3 to 24 hours||Every 15 to 60 minutes|| At least every 5 minutes |
(If not automatic – e.g. syslog-ng)
|How often log data needs to be analysed (through automated or manual means)||Every 7 days||Every 12 to 24 hours||At least 6 times a day|
|Whether log file integrity checking needs to be performed for rotated logs||Optional||Yes||Yes|
|Whether rotated logs need to be encrypted||Optional||Optional||Yes|
|Whether log data transfers to the log management infrastructure need to be encrypted or performed on a separate logging network||Optional||Yes, if feasible||Yes|
The analysis of the logs should be automated and use a correlation system to make review simpler.
Entries from the logging system that are deemed to be of particular interest should be retained on the system and also transmitted to the log management infrastructure. Reasons for having the logs in both locations include the following:
· If either the system or infrastructure logging should fail, the other should still have the log data. For example, if a log server fails or a network failure prevents logging hosts from contacting it, logging to the system helps to ensure that the log data is not lost.
· During an incident on a system, the system’s logs might be altered or destroyed by attackers; however, usually the attacker will not have any access to the infrastructure logs. Incident response staff can use the data from the infrastructure logs; also, they can compare the infrastructure and system logs to determine what data was changed or removed, which may indicate what the attacker wanted to conceal.
System or security administrators for a particular system are often responsible for analysing its logs, but not for analysing its log data on infrastructure log servers. accordingly, the system logs need to contain all data of interest to the system-level administrators.
All logs could (should) be sent to a SQL database. Syslog, Syslog-ng and many other logging formats can be sent to MySQL, Informix and other database formats. This provides the capability to create custom queries to a database in order to retrieve selected logs.
· Anti-malware Software. The most common form of antimalware software is antivirus software, which typically records all instances of detected malware, file and system disinfection attempts, and file quarantines. Additionally, antivirus software might also record when malware scans were performed and when antivirus signature or software updates occurred. Antispyware software and other types of antimalware software (e.g., rootkit detectors) are also common sources of security information.
· Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention systems record detailed information on suspicious behaviour and detected attacks, as well as any actions intrusion prevention systems performed to stop malicious activity in progress. Some intrusion detection systems, such as file integrity checking software, run periodically instead of continuously, so they generate log entries in batches instead of on an ongoing basis. This section includes Tripwire and a NIDS (such as Cisco Secure IDS or SNORT).
· Remote Access Software. Remote access is often granted and secured through virtual private networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates and times each user connected and disconnected, and the amount of data sent and received in each user session. VPN systems that support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed information about the use of resources.
· Web Proxies. Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to add a layer of protection between Web clients and Web servers. Web proxies can keep a record of all URLs accessed through them. This would include the ISA systems and other Web Filtering systems.
· Vulnerability Management Software. Vulnerability management software, which includes patch management software and vulnerability assessment software, typically logs the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates. Vulnerability management software may also record additional information about hosts’ configurations. Vulnerability management software typically runs occasionally, not continuously, and is likely to generate large batches of log entries.
· Authentication Servers. Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, success or failure, and date and time. This would include the Security and Application events from the Active Directory DNS servers.
· Routers and Switches. Routers may be configured to permit or block certain types of network traffic based on a policy. Routers that block traffic are usually configured to log only the most basic characteristics of blocked activity (as is the case generally). These logs should be increased to incorporate both allowed and dropped traffic. Switch traffic should log unusual events associated with VLANs and any violations of ACLs.
· Firewalls. Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic. Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers. In many companies, logging is disabled for both allowed and blocked traffic rendering the logs of little use. The Firewall logging needs to be changed to record both ALLOWED and DENIED Traffic to and from the network.
- DNS (All active servers)
- DHCP (All active servers)
- Network Devices
- Firewalls (Cisco ASA, Load Balancers)
- Cisco Router and Switch Logging (Both internal and external switches)
- SAMBA logging (Unix/Linux SMB Servers)
- Web server logs (Apache, IIS, TomCat, PHP etc)
- Proxy Logs (Websense, ISA)
- Tripwire logs (Servers)
- Mail Server logs (Sendmail, Exchange etc)
- Databases (MySQL, Informix, MSSQL)
· System Events. System events are operational actions performed by OS components, such as shutting down the system or starting a service. Typically, failed events and the most significant successful events are logged, but many OSs permit administrators to specify which types of events will be logged. The details logged for each event also vary widely; each event is usually time-stamped, and other supporting information could include event, status, and error codes; service name; and user or system account associated with an event.
· Audit Records. Audit records contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. OSs typically permit system administrators to specify which types of events should be audited and whether successful and/or failed attempts to perform certain actions should be logged. The Windows Domain systems should be configured to log security events.
- · AV logging (Malware detected etc)
- · Deep Freeze logs(and similar products)
- · Authentication logs (from Domain Controllers)
|Basic Commercial Contracts||6 years after discharge or completion||4 years after discharge or completion||6 years after discharge or completion|
|Deeds||12 years after discharge||A minimum of 6 years after discharge||12 years after discharge|
|Land contracts||12 years after discharge||6 years after discharge||12 years after discharge|
|Product liability||A minimum of 7 years||Permanent||A minimum of 10 years|
|Patent deeds||20 years||25 years||20 years|
|Trade marks||Life of trade mark plus 6 years||Life of trade mark plus 25 years||Life of trade mark plus 6 years|
|Copyright||75 years after author’s death||120 years after author’s death||50 years after author’s death|
|Contracts and agreements (government construction, partnership, employment, labour, etc.)||A minimum of 6 years||Permanent||A minimum of 7 years|
|Capital stock and bond records||7 years after discharge||Permanent||12 years after discharge|
Any logging from systems associated with the above listed areas should be maintained for the period listed as a minimum.
“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
This section of the PCI requirements then sets out the formats required for logging.
Tuesday, 9 August 2011
MITM attacks have always been a favourite of the average hacker as it is relatively easy to perform using readily-available tools. Furthermore, once an MITM assault has been launched successfully, it opens the way for more malicious and aggressive types of attacks, potentially resulting to more damage and irreversible harm.
Several areas of concern exist around MiTM attacks. These include administrative systems (such as Databases and UNIX servers) that run insecure protocols. This post, in the end, hopes to raise awareness and thus improve the overall site security at your organisation.
In the ideal scenario above, information within a session passes privately between the client and server, and vice versa.
In a man-in-the-middle attack, an attacker hijacks the supposedly private session. The attacker makes it appear to the client that it is still communicating directly with the server, while in truth, any information being sent to, and received from, the server is being read and maybe even being modified by the attacker. The same deception is performed on the server, where it thinks that it is still communicating with a valid source (the client) when in fact the requests for information are coming from the attacker.
MITM proxy tools
As the term implies, these tools generally perform “proxy only” functions, where they merely act as “sniffers” to read the data passing between the Client and the Server. The harvested information can be used for more aggressive attacks later on.
- Achilles (http://www.mavensecurity.com/achilles)
- WebScarab and its followers
- Paros Proxy (http://www.parosproxy.org)
- Spike Proxy
These tools are used for more aggressive, and usually more licentious, attacks. Aside from establishing a proxy between the Client and the Server, these tools can also re-route traffic, inject commands, introduce specially-crafted packets, and alter information in the data stream.
- Ettercap (http://ettercap.sourceforge.net/download.php)
MITM risks with clear-text protocolsThe table below lists some protocols that send information in plain or “clear” text that have been noted to be used within the networks in I have audited.
Obviously, sending information in unencrypted form makes it possible for an attacker employing MITM to easily obtain that information. With relative ease using various tools and techniques, the attacker can then tamper with the data’s integrity (modify the data) and authenticity (make it appear that the data came from a legitimate source).
As an example, let us say that the Client has been using telnet to connect to a remote Server. Let us also assume that an Attacker has previously done some reconnaissance and obtained the IP addresses of the client and the remote server. The following is a likely scenario for carrying out the MITM attack:
- The attacker launches a TCP sniffer tool such as Hunt, Juggernaut or Ettercap and waits for a session to be established between the Client and the Server.
- The client logs in to the server using Telnet.
- The attacker is alerted of a new connection.
- The attacker performs packet sniffing (read all information passing through the session). With Ettercap, usernames and passwords can be easily obtained. The attacker saves the harvested information for later use.
- The attacker can then inject commands into the data stream without the Client knowing, and which the Server will interpret as valid commands from the Client.
- When the session is terminated by the client, the attacker can log in into the server using the previously obtained username and password of the Client.
- If the account has administrator privileges, the attacker can install more malicious tools such as rootkits to further compromise the integrity of the server.
To mitigate MITM attacks against clear-text protocols, it is advised that their use be minimised or discontinued altogether. There are also more secure protocols that can be used in their place as listed below:
|Protocols / Port Numbers||Encrypted / Port Numbers|
|Telnet / 21||SSH / 22|
|FTP / 20, 21||SCP or SFTP / 22|
|POP3 / 110||POP3S / 995|
|HTTP / 80||HTTPS / 443|
|IMAP / 143||IMAPS / 993|
|SMTP / 25||SMTP over TLS/SSL / 465|
|MySQL / 3306||Encrypt the traffic|
MITM risks with SSLSecure Sockets Layer (SSL) protocol was designed to provide security for client/server communications over networks. This is accomplished by providing endpoint encryption and authentication.
SSL is widely implemented in web (HTTP) sessions, such as in online banking and eCommerce. Despite its well-publicised susceptibility to MITM attacks, HTTPS (HTTP over SSL) continues to be a popular choice for web security implementations.
The main flaw with SSL (without client side certificates – which are still rare) is it only authenticates the server, not the client. The client is given a level of assurance of the authenticity of the server using a validation process of the server’s digital certificate by the browser, but not vice versa.
The MITM attack is carried over an HTTPS connection by establishing independent SSL sessions – one between the Attacker and the Server, and another between the Attacker and the Client. When the Client attempts to establish an HTTPS connection with the Server, it is actually the Attacker it is connecting to, which at this point is masquerading as the Server. Usually, the client’s browser warns the user that the digital certificate used is not valid. Below are some examples of warnings issued by some of the more common web browsers:
Some users particularly the less-savvy may ignore the warning, usually because of lack of understanding of the risks involved. In some cases there are no warnings at all, as in situations when the Server certificate itself has been compromised by the attacker or, although less likely but still possible, when the attacker certificate was authenticated by a trusted Certificate Authority or CA (such as VeriSign, Thawte, etc) and the Common Name (CN) is the same with the original web site.
When the warning is ignored, the user in effect accepts the site as legitimate. The browser will then proceed with loading the website. If the website is in fact a bogus site, every transaction performed by the Client will be read and open to tampering by the man-in-the-middle attacker. From the Server’s point of view, since it does not authenticate the client, it does not know or care whether the computer it is transacting with is legitimate or not, so it treats every transaction as valid.
To mitigate MITM attacks against SSL, users are advised to at least pause and investigate warnings issued by their browsers before proceeding on accessing a website, particularly when the website will be used to facilitate confidential and/or sensitive transactions.
On the server-side of things, it is recommended that all SSL protocols be upgraded to the latest versions, which is currently SSL version 3 or ideally be replaced with TLS 1.0.
MITM risks with SSHSecure Shell (SSH) was designed as a replacement to some of the clear-text protocols specifically Telnet, rsh and rlogin which have been proven to be vulnerable to MITM attacks.
In an SSH environment, computers or network devices exchange information inside a secure channel. SSH uses a public-key (PK) to encrypt the data, which then requires a private key to decrypt it.
Currently SSH version 1 (SSH1) and its upgrade SSH2 exist, however the two are regarded as entirely different protocols. Furthermore, SSH2 is deemed more secure than SSH1, the latter being known to be vulnerable to MITM attacks. Fortunately, very few SSH servers use SSH1 nowadays.
One of the more popular MITM attacks exploits the weaknesses of the SSH1 protocol, in what is known as an “SSH downgrade” attack. This type of attack tricks the server and the client to communicate via SSH1 instead of SSH2.
The following is a likely SSH downgrade attack scenario.
- The attacker, using Ettercap or other ARP poisoning tools, sends fake ARP requests across the network which will enable the attacker to capture and modify the packets intended for the target machine.
- The client initiates a request for an SSH connection to the SSH server. Usually, it requests for an SSH2 connection.
- The attacker sends a reply back to the client saying that the server supports only SSH1.
- If the client accepts, it will establish an SSH1 connection with the server. Due to the weak encryption protocols of SSH1, any information such as usernames and passwords can be read by the attacker.
To mitigate MITM attacks against SSH, server and client configurations should be made to support SSH2 only. Any transaction requests to the contrary should be treated with suspicion and should warrant an elevated level of caution and investigation.
There are also tools that can be employed to detect ARP and DNS poisoning.
Posted by Craig Wright at Tuesday, August 09, 2011
Monday, 8 August 2011
There are ways to improve on the Linux “all-or-nothing” security model.
Root is almost always connected with the global privilege level. In some extraordinary cases (such as special UNIX’es running Mandatory Access Controls) this is not true, but these are rare. The super-user or “root” account (designated universally as UID “0”) includes the capacity to do practically anything on a UNIX system. RBAC (role-based access control) can be implemented to provide for the delegation of administrative tasks (and tools such as “SUDO” or super-user do also provide this capability). RBAC provides the ability to create roles. Roles, if configured correctly, greatly limit the need to use the root user privilege. RBAC both limits the use of the “su” command and the number of users who have access to the root account. Tools such as SUDO successfully provide similar types of control, but RBAC is more granular than tools such as SUDO allowing for a far greater number of roles on any individual server. It will come down to the individual situation within any organization as to which particular solution is best.
For now, sudo is a simple free tool that will allow us to create a good level of control over what the users on a Linux system can access.
Basically, you do not want to have to give all your users the root password and hope for the best. The simple answer for this is “sudo.”
The purpose of sudo is to allow users to run selected (or all) commands with privilege and enhanced logging. When configured, users use their own password and not the root password.
More, the Administrator (root usually) can setup separate groups of commands and access to the system for different users and groups.
You never need to issue the root password to the users!
On top of this, a user who runs an Unauthorised command can be set such that an alert will be issued. This could be an email for instance.
Sudo solves three primary issues in Linux. These are:
- Least Privilege
Finally, when a user leaves, as they do not have the root password, there is no need to run about changing password on systems, just lock or alter the individual users account (and believe me, it can be a real pain to change root passwords).
There are methods that can be used to bypass sudo (such as a vi shell break) but these are beyond today’s post.
The access restrictions and alerting are configured using the "/etc/sudoers" file:
In coming days, I will load a few examples on how to configure this file and how to user SUDO to restrict access to key files.
See the following page for some more information on the command: