Posts tagged ‘SANS’

Understanding Risk

People tend not to prioritize their risk correctly. The SANS Top Cyber Security Risks report from September 2009 pointed out that people are not patching third-party applications or taking care of web servers correctly.
I recently ran across the image below (click for full size) that showed the number of deaths in the last 300 days broken down by category and compared that to the number of deaths for H1N1.
[Image: risk.jpg]
(Not sure who to credit for the photo; it wasn't given to me in context. Here is the original link.)

Enterprise Windows Application Patching

SANS Top Cyber Security Risks report shows application patching is much slower than Operating System patching.
Why does this occur?
Is patching applications more difficult? In some cases patching Java may cause issues with internal applications. But I haven't seen a case yet where a Flash or Adobe Reader update has caused an issue. (I'm talking about security bulletins, not major releases.)
Is the problem cultural? It took people a while to get in the habit of rolling out Operating System patching. Perhaps they just haven't crossed the Application hurdle yet.
Is it the tools? SMS/Config Manager doesn’t seem to make deployment easy. Perhaps I’m doing it wrong, but with third party applications I have to use a script I downloaded from myitforum.com in order to customize the user install experience (ability to postpone). Having to update that for each application I’m pushing is a pain. My impression is that ConfigMgr’s competitors are much better at doing this. ConfigMgr is also quite difficult to use under our security policy if you want to patch remote users who don’t use the VPN.
I suspect a lot of mid-size and smaller businesses have just set up a WSUS server. WSUS lacks the capability of deploying application updates. (although googling shows an interesting add-on from a third party to add this functionality).
Applying third party application updates is time intensive. I deploy them one at a time. With Microsoft patches they are all deployed at once. Upgrade fatigue sets in much more quickly due to the greater frequency of these individually deployed third party plugins.
Improving application patching requires more than telling the administrator to work harder. The tools need to be improved so we can do our job. Microsoft needs to step it up with ConfigMgr. It needs to be easier to patch non-Microsoft products or customers will start checking out competitors.

GIAC: Going for the Gold

“Step back, I’m certified.” I just passed the test for the GIAC Certified Forensic Analyst (GCFA). So I’m certified at the Silver level. I was happy to pass and happy to get the score I was shooting for.
The GIAC certifications now have a Silver and Gold level. Back when I first received my GCWN there was only the Gold level. The Silver level certification is what you receive when you pass the test. The Gold level is attained by additionally writing a practical (technical paper).
When this requirement was changed, Richard Bejtlich of TaoSecurity blogged "Of course students will perform this assignment. Who would want to drop $3000-$4000+ and end up with a 'Silver Certification?'"
I think time has proven that wrong. If I'd blogged about that back then, I would have disagreed with him, concluding that most people would stop at Silver. Silver gets GCFA on the resume. My experience shows that Human Resources and Hiring Managers do not understand certifications. They often don't bother to verify that they were really earned. In addition to not verifying them, they don't know what they mean. I've seen resume after resume claim MCSE. MCSE in what? Windows NT 4.0? This says to me that HR and Hiring Managers won't know the difference between a GIAC Silver and a GIAC Gold unless I take the time to explain it to them. GIAC Gold won't help get me through the HR resume filter. Once I make it to the Hiring Manager and future co-workers, the emphasis should be on skills, not credentials; can I actually do forensics?
It looks to me like the market agrees with me. Unless the SANS listing of certified professionals is horribly out of date, no one has obtained a Gold GCFA in about 9 months. People haven’t gone Gold regularly since the requirement was dropped.
I'm a sucker for resume bling, so most likely I'll be dropping my $300 for the Gold attempt. Or maybe I should just spend that on a professional resume writer.

Enterprise Vulnerability Management

The Guerilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I'm dealing with it on a much, much smaller scale.
"The way we manage patch and vulnerability information is something out of the mid-80's."
Tell me about it. Today I read RSS feeds (US-CERT, SANS ISC, vendors, white hats, bloggers, etc.) and emails from vulnerability alert services (DeepSight, Microsoft Technical Account Manager, random people who read about a patch/virus in the Wall Street Journal). That gets entered into a spreadsheet with the CVE, Bugtraq, and vendor reference ID. Once Qualys releases a detection, the Qualys ID gets added as well, along with the detection count.
This is a tediously manual process that no one seems to actually give a damn about. The auditors didn’t like the way we were (are?) managing vulnerabilities (it may still be a POAM item). And the reports seemed to mean nothing to management. It worked better when I didn’t bother creating the spreadsheet, and just told them what patches we deployed this month, and the detection count for a few key vulnerabilities that I felt required management attention, (Adobe Reader, MS08-067, etc).
At the Gartner Information Security Summit in National Harbor, MD (near DC) I attended a track titled "Qualys, Inc.: Using SaaS to Build Full Life Cycle Program for Security and Compliance." I was hoping this might have a suggestion for how to do this. Unfortunately it seemed like the solution was creating a home-grown database and correlating the results of multiple scanners. I'm sure that works great, but without instructions on building such a database, it's a lot of work to build from scratch.
iDefense is now integrating your Qualys vulnerability scan results into their vulnerability intelligence. If you could afford such a thing (apparently we can't), you'd still have a problem. Vulnerability scans run at set times and systems may not be online when the scan is run. While it's great for scanning servers, Qualys alone does not give an accurate reflection of all vulnerabilities for your end user equipment. While talking with Forescout, I found that they had a plugin for Retina. Forescout is a NAC product. When a computer comes online, the plugin checks with Retina to find out when the device was last scanned. If it's longer than your configurable setting (hasn't been scanned in X days), then it fires up Retina to initiate a scan. Qualys provides the appropriate APIs to do this as well, so I asked Forescout to look into improving their Qualys plugin.
The combination of iDefense, Qualys and Forescout (if Forescout updates the plugin) would be quite formidable in vulnerability lifecycle management. What's left is desired configuration monitoring: are my systems continuing to conform to my security policy? I am not currently scanning for that regularly. Once I get a tool for that, then it's one more thing to integrate.
There is no simple solution. I may have to polish up the SQL skills and take a run at building something myself.

#sansforensicssummit Day1

I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday.
Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Masters level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol. 1 by Comer. Actually one of my worst courses was Forensics taught by Florian Buchholz. It was in the last semester, and we were checking out mentally (ready to graduate).
It's fun to take a week-long conference on the subject. Hopefully it will stick better than the college course. I do fear that since I won't be doing forensics every day, I'll lose a lot of this knowledge quickly.
A couple of interesting tidbits from today.
1. A single pass is good enough when disk wiping. That would save a lot of time for us if true. The instructor says the idea of wiping 7 times comes from a Gutmann paper in the late 90s. It theorized an electron microscope could be used to recover data if wiped fewer times. This is purely theoretical. It has never been done. Forensics people will call it a day if it's been wiped once.
Of course what is technically correct isn't always what auditors or policy require. Trying to change that is difficult. The instructor says NIST recommends one pass. I've read the document he mentions. Apparently I need to re-read it because I don't recall one pass. I recall a preference for the UCSD Secure Erase, which uses ATA commands to wipe. I recall degaussing or destroying also being preferred. I think for overwrite utilities they were still recommending 6+, but I will have to verify.
2. The second interesting thought had to do with "limited personal use" allowances in corporate policies. Companies don't want to have policies they won't enforce, so they allow limited personal use. I thought the big danger in that was not defining exactly what that meant. According to the instructor, limited personal use is a forensic nightmare and a potential legal liability. The claim is that the limited personal use gives the user an expectation of privacy for that personal use. Since it is company policy, it trumps the logon banner that says "no expectation of privacy". Interesting thought, and one I'm going to have to run by legal. They took a year when I asked them to approve the login banner, so I expect to hear back from them around 2015.

CAG Critics

SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9th, 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really drew my eye was the "critics" page.
The critics page contains solely glowing praise. Often that praise is from people who wrote the CAG. Maybe I'm taking "critics" too literally, but I am reminded of the movie "critics" who write with the goal of their review being included in the advertising.
There has been plenty of criticism of the CAG.
Richard Bejtlich points out that it doesn't help keep score, and its controls are reactionary. Additionally its controls map to the already existing 800-53, so it's redundant if you're already doing that.
Guerilla CISO comments in LOLCats format. He also says "My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development." Even that sort of mild criticism is missing from the SANS CAG Critics page. Then again, in this post he tears into it more thoroughly. (That's a lot of blog mileage from the CAG. I should take a lesson.)
I'm starting to think the CAG (sorry, now it's CSC – Critical Security Controls) is like the SANS FBI Top 20. It's not written for me. It's written to get in the press. It's written for people who have no clue where to start. For me, I'm taking away some ideas on how to proactively audit some of the CAG items, but the box is already checked in FISMA for those items, so buying anything new is a tough sell right now.
I’m still going to try to get the company to send me to the 20 Critical Security Controls: Planning, Implementing and Auditing 2009. I just found the SANS CAG Critics page amusing.

iPhone and CIS Secure Config Guide

The Center for Internet Security released a secure configuration benchmark for the iPhone.
SCMag touts this as a good thing “For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees.” I would argue that there are a couple things wrong with this statement.
First, it seems to admit that the iPhone isn't secure and needs to be locked down. When Microsoft releases a hardening guide, Alan Paller of SANS goes ape and encourages the government to use its buying power to force Microsoft to apply a "secure" configuration prior to shipment. Second, reading the document, I'm not convinced that the CIS config allows enterprises to enforce security best practices.
The first half of the CIS security guidelines are settings for the user to apply on their phone. Fine for the individual, but not for an enterprise. The second half focuses on settings in the iPhone Configuration Utility. I've never used this utility and I don't own an iPhone, but it appears that this utility creates a config file you then mail to the user to apply or place on a website. Great way to distribute security policy. Doesn't seem like a mandatory security policy either. There are a few mentions of ActiveSync, which would enforce policy, but it is not explored enough for my tastes in this document.
Recommendation: Keep firmware up to date.
Doing this requires the installation of iTunes. My skin kind of crawls when someone wants that buggy bloated software installed in a business environment in order to load phone firmware. But hey, at least the user gets to sync their music at the same time. The CIS paper does not report a way that the enterprise could verify the installed versions on each deployed iPhone.
Recommendation: autolock at 5 minutes.
I wish we could enforce an autolock at five minutes. Ours is a bit longer.
With the Blackberry you can set it to lock when holstered. I don't believe the iPhone can do that.
If you needed someone to tell you to set a PIN and a password timeout on a device with, you probably need someone to tell you to come in out of the rain.

Zero Day in Adobe Acrobat and Reader Part 3 Oh Crap

Secunia has verified that disabling JavaScript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader.
The current exploit seen in the wild uses JavaScript to perform a heap spray for code execution. The vulnerability itself is in a non-JavaScript function call. The original alert put out by Shadowserver states:

There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it.

Secunia reports that they have “managed to create a reliable, fully working exploit (available for Secunia Binary Analysis customers), which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.”
Even without this method of exploiting without JavaScript, a SANS commenter has pointed out a potential problem with disabling JavaScript. When a user opens a PDF containing JavaScript, they are prompted to re-enable JavaScript by clicking yes. How many users are really going to stop and consider the source of the file before re-enabling JavaScript?

Zero Day in Adobe Acrobat and Reader Part 2

Adobe has posted a security advisory for the zero day in Adobe Acrobat and Reader that I blogged about yesterday.
They say they are

“planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow”

Last time, the updates for version 7 followed along about 8-10 months later, if memory serves. That's their little incentive for people to upgrade. I'm surprised they haven't sunsetted version 7 already. I've looked for software support life-cycle information from Adobe and haven't found it.
The recommended mitigation for this vulnerability is disabling JavaScript until a patch is available. I've never seen anyone mention what effect that might have.
Every article says to disable JavaScript in Adobe through Edit -> Preferences -> JavaScript. In an enterprise you would want to know whether there is a way to disable JavaScript in Adobe programmatically (by pushing a registry entry via a login script, SMS or Group Policy).
Using Process Monitor from Sysinternals, I see that when you disable JavaScript in the GUI it sets HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS to 0. Googling bEnableJS, I found that SANS ISC has an ADM file (a Group Policy template, for the non-Windows admin types) that they posted during the last Adobe exploits back in November. It disables JavaScript for Acrobat and Reader 6, 7 and 8.
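As an added example (not code from the original post, and not the SANS ISC ADM file), here is a PowerShell script that pushes the bEnableJS = 0 setting found above for each Acrobat/Reader version present under HKCU and then audits the result. Assumptions not on the page: the value is a REG_DWORD, and full Acrobat (as opposed to Reader) keeps its preferences under 'Adobe Acrobat'.

```powershell
# Added example, not from the original post. Sets the same registry value the
# post found with Process Monitor, for every Adobe product/version key present.
# Assumptions: bEnableJS is a REG_DWORD; full Acrobat uses the 'Adobe Acrobat'
# key name (only 'Acrobat Reader' was observed in the post).
$Products = @('Acrobat Reader', 'Adobe Acrobat')   # 'Adobe Acrobat' is assumed
$Versions = @('6.0', '7.0', '8.0', '9.0')          # versions the post discusses

function Get-AdobeJSPrefPaths {
    foreach ($p in $Products) {
        foreach ($v in $Versions) {
            "HKCU:\Software\Adobe\$p\$v\JSPrefs"
        }
    }
}

function Disable-AdobeJavaScript {
    # Only touch product/version keys that already exist for this user
    # (i.e. the user has run that version); create JSPrefs if the user
    # never opened Preferences, so the value has somewhere to live.
    foreach ($path in Get-AdobeJSPrefPaths) {
        $parent = Split-Path $path -Parent
        if (-not (Test-Path $parent)) { continue }
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'bEnableJS' -PropertyType DWord `
            -Value 0 -Force | Out-Null
        Write-Output "Disabled JavaScript: $path"
    }
}

function Test-AdobeJavaScriptDisabled {
    # Compliance sweep: one record per present version, flagging any where
    # JavaScript is still enabled (value missing or non-zero).
    foreach ($path in Get-AdobeJSPrefPaths) {
        $parent = Split-Path $path -Parent
        if (-not (Test-Path $parent)) { continue }
        $val = (Get-ItemProperty -Path $path -Name 'bEnableJS' `
                -ErrorAction SilentlyContinue).bEnableJS
        [pscustomobject]@{
            Path      = $path
            bEnableJS = $val
            Compliant = ($val -eq 0)
        }
    }
}

Disable-AdobeJavaScript
# List anything still non-compliant, e.g. to collect from a login script
Test-AdobeJavaScriptDisabled | Where-Object { -not $_.Compliant }
```

The key is per-user, so the script has to run in the user's context (login script or a per-user GPO script), and since users can be prompted to re-enable JavaScript when opening a PDF, re-running Test-AdobeJavaScriptDisabled periodically catches drift.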

Zero Day in Adobe Acrobat and Reader

As linked from SANS ISC, Shadowserver is reporting targeted attacks using a zero day vulnerability in Adobe Acrobat and Adobe Reader. Versions 8 and 9 are vulnerable.
Disable JavaScript in Acrobat/Reader to avoid the code execution; the application will still crash, however.