PISA Journal Issue 16

Page 1

Professional Information Security Association

SEP-2012

PISA Journal

BYOD Dilemma and Tactics | Securing Amazon Linux AMI | Book Review: “IT Security Metrics” | Targeted Attack Analysis | 「域」見未來 (Seeing the Future in Domains)

www.pisa.org.hk

Issue 16


Contents

Intranet
04 Message from the Chair
29 Event Snapshot
32 Joining PISA

Mobile Security
05 BYOD Dilemma and Tactics

Cloud Security
11 Securing Amazon Linux AMI

Book Review
17 Book Review: “IT Security Metrics”

Emerging Attacks and Defenses
21 「域」見未來 (Seeing the Future in Domains)
23 Targeted Attack Analysis

An Organization for Information Security Professionals

Editor: editor@pisa.org.hk

Copyright 2012 Professional Information Security Association

Royalty free images used from www.sxc.hu: p.05: #152864 by Alenq of Croatia, p.11: #1195576 by Lusi of Croatia, p.13: #1395342 by puffin2006 of Netherlands, #1341228 by yan81 of Russia, p.17: #640488 by iwanbeijes of Netherlands, p.21: #49702 by annaOMline of Spain, p.23: #637512 by bjearwicke of USA, p.28: #180450 by OzRock79 of Australia.

A Publication of Professional Information Security Association



Message from the Chair

It is my honour and greatest pleasure to serve in the Chairperson’s role of PISA after joining the executive committee for three years.

In Hong Kong, PISA plays a prominent role in various areas relevant to information security, such as establishing the (ISC)2 Hong Kong Chapter, providing advisory support to the IT professions, setting up different SIGs for the members, and promoting awareness education to the general public. These could not be accomplished without your dedication and efforts.

PISA is a platform for our members to network, to share knowledge and to build up trust. Through this platform, members can address the impacts and challenges of emerging information security threats. PISA needs your involvement and commitment to keep going forward. Let us work together to bring PISA a successful year.

The Executive Committee 2012-2013 (from left) Andy Ho, WS Lam, Mike Lo, Frank Chow, Alan Ho, Jim Shek and Raymond Tang


Frank Chow CISSP-ISSAP-ISSMP CSSLP CISA CISM CBCP



BYOD Dilemma and Tactics

Bring your own device (BYOD) involves various challenges related to security, privacy, infrastructure, etc. There is no one-size-fits-all solution to BYOD; the right mix of solutions depends on the business environment.

Alan Ho CISSP CISA CISM CGEIT


With the advancement of enabling technologies (in smart devices and mobile networks) and the maturity of social media in changing the ways people do business, "mobility" is becoming the key trend moving forward. We are seeing better hardware and user interfaces in smart device technologies as well as improved bandwidth, speed and coverage in mobile/wireless technologies.

For convenience, mobility and productivity, employees are eager to bring their own smart phones, tablets and notebooks into the work environment. On the other hand, employee-owned notebooks or low-cost smart devices give companies a cost incentive to lower the cost of ownership. All these give rise to new requirements for network access policies and capabilities to allow users to "bring your own device" (BYOD). BYOD involves various challenges related to security, privacy, infrastructure, etc. There is no one-size-fits-all solution to BYOD; the right mix of solutions depends on the business environment.

1. Challenges

Under BYOD, while employees have the flexibility to choose and bring their devices into office environments, these "foreign" unmanaged devices can be a nightmare for companies. The challenges can be classified from the company's or the employee's perspective.

Company's perspective

• Compatibility -- There may be compatibility issues running the company's applications on devices that involve various operating system platforms and software.
• System security -- As the company has little or no control over the device, the software installed on it may be outdated, or security patches may not be properly managed or applied. Also, anti-virus/anti-malware software and a personal firewall may not be properly managed or in place. This could be a threat when running the company's applications or even storing the company's data on the devices.
• Data security -- There may be difficulties enforcing data/storage encryption (e.g. via BitLocker) due to device ownership or technical platform issues.
• Support burden & expertise -- Given the limited IT support resources in the company, there may be issues supporting or troubleshooting problems with company applications or data on devices of different technologies.
• Liabilities -- There may be liability issues if the devices are physically damaged or the employee's software/data is damaged or lost.
• Control and compliance -- Since the company has limited or no control over the software and system configuration of these devices, it may be a challenge to manage or track company-related activities on them. Businesses that fall under compliance rules (e.g. PCI DSS, the Payment Card Industry Data Security Standard) must still comply when BYOD is implemented. It may be a concern how to define and enforce an acceptable use policy for devices that are not owned and (completely) managed by the company. Consideration also needs to accommodate reasonable personal use of the BYOD devices.
• Data privacy -- These devices may contain the company's data. There may be a risk of data leakage to outsiders via the employee's devices.

Employee's perspective

• Data privacy -- These devices contain the employee's own data. There may be a risk of data leakage to the company when the devices are connected to the office environment.
• Device seizure -- Under certain circumstances, judicial or legal authorities may warrant the seizure of the hardware for investigations.

2. Considerations

BYOD is a complex issue involving not only technical issues but also management, privacy issues, etc. The BYOD issues are not just about the devices but also about the business applications that run on the devices and the business data that may reside on them.

There are different areas of consideration for the solutions. These areas of consideration or approaches may be adopted in different combinations that best fit the needs of a company.

2.1 Device-Centric vs Data-Centric

To manage BYOD, some may focus on controlling the device, some may focus on controlling the data, or a hybrid of both.

• Device-centric approach: By controlling the device (or hardware), IT can attain a level of control and security over who is on the network and what that user is accessing.
• Data-centric approach: Rather than controlling so much on the devices, the focus is to control the data the devices are accessing. This requires security measures to make sure the data is password-protected at multiple levels. One technique is to set up a mobile-oriented password policy that requires more frequent password changes. The data-centric approach does not address the problem of malware on the device that sniffs the data.

2.2 Agent-Based vs Agentless

Technical solutions can generally be classified as agent-based or agentless.

• Agent-based solutions -- Require installing an agent on client devices. They can have more granular or in-depth configurations/capabilities for auditing, monitoring, security and reporting; can ensure connected devices have the right software, permissions and security settings before allowing them to connect to the network; and can also enforce the use of encryption. However, the agent running on the client device may impact performance or resources, and more effort is needed to implement since installation of agents is required.
• Agentless solutions -- No agent is needed on client devices, so no installation effort is required on them. They may classify devices based on user identity, device type, location and time, but they do not have in-depth analysis or statistical capabilities.

2.3 Hardware- vs Software-Based

Some solutions leverage hardware-based technology for more robust security and better performance. However, this requires the devices to have the required hardware or parts. Software-based solutions have comparatively fewer restrictions on device hardware/platforms, but they are comparatively less robust.


2.4 Open Standards

The use of open or industry standards allows better compatibility with different devices & platforms and is more robust. The Trusted Computing Group (TCG) has developed security solutions for computers and servers based on the Trusted Platform Module (TPM), for mobile devices through the Mobile Trusted Module (MTM), for data integrity and privacy based on Self-Encrypting Drives (SEDs), and for enterprise networks based on the Trusted Network Connect (TNC) specifications.

2.5 Policies and Processes

Apart from the technical solutions, a successful BYOD implementation requires complementary policies and sustainable processes.

2.5.1 Policies regarding terms of use and liabilities

Due to the different ownership of the physical hardware and data, it is important to pre-define the policies regarding the terms of use and liabilities. Also, it is necessary to accommodate a reasonable level of personal use of the devices.

2.5.2 Ongoing review and monitoring processes

BYOD implementation should not be considered a one-time exercise. There should be ongoing review and monitoring processes to ensure the effectiveness of the solutions and to upgrade the solutions according to the changing business and technical environments. TCG recommends the following strategies:

• Continuous assessment of the user, device, network, physical location, etc.
• Monitoring and responding using standards-based techniques, automatic or manual
• Reducing risk by provisioning countermeasures
• Controlling access to sensitive resources based on established corporate policies

2.5.3 Compliance

Especially for businesses that fall under compliance rules (e.g. PCI DSS), companies must review and ensure compliance when BYOD is implemented.

2.6 Other Technology Solutions

2.6.1 Partitioning

Partitioning allows a clean separation of personal and business applications and data. Hence, business applications and data can be managed and locked down without impacting personal content on the device.

2.6.2 Virtualization

2.6.2.1 VDI (Virtual Desktop Infrastructure)

VDI solutions eliminate most of the mobile device management issues because the solution is essentially a secure terminal emulator: data is not stored on the mobile devices but on the remote VDI servers. This provides a more secure approach from the enterprise perspective.

2.6.2.2 DaaS (Desktop as a Service)

There are solutions (e.g. Desktone) to virtualize users' desktop computers and deliver them as a service, so that they can be configured for access from a physical desktop, notebook computer, tablet or smart phone. DaaS allows companies to set policies for how the desktop service can be accessed and with which devices.

2.6.2.3 Run a second virtual phone

There are solutions that allow a company to deploy its own secure virtual phone images to employee-owned smart phones. An example (e.g. Red Bend Software) is to use a type 1 hypervisor on particular Android handsets to create essentially two virtual phones running simultaneously on the same physical hardware, one for personal use and one for business use. A similar solution can also be found from VMware.

2.6.3 Authentication and authorization

To authenticate and authorize mobile BYOD devices, it is recommended to configure the company's wireless network with WPA2-Enterprise (802.1X), with individual username/password and acceptance of a server certificate for authentication. User identity can tie back to Active Directory (or another directory server). Regarding access policies, Trusted Computing Group's Mobile Security Architect's Guide recommends that different users are given different levels of access to corporate resources based on how much the enterprise trusts them. (Figure 1)

Figure 1. "Architect’s Guide: BYOD Security Using TCG Technology", by Trusted Computing Group (www.trustedcomputinggroup.org), June 2012

2.6.4 Remote data wiping

Some solutions can remotely wipe corporate data from devices when employees leave the company or change job roles, as well as when devices are lost or stolen.

2.7 CYOD (Choose Your Own Device)

BYOD may involve a vast number of devices and platforms that are hard to manage (in terms of workload and risks). CYOD limits the range of devices and thus the range of hardware & platforms to support. CYOD is comparatively more manageable than BYOD and can still give employees some flexibility to choose their devices.


3. Conclusion

An effective BYOD implementation can probably improve employee satisfaction and productivity. How trust can be built with adequate levels of control to avoid data breaches and ensure compliance will be the core issue. There are numerous solutions and options. As there is no one-size-fits-all solution, the best mix for a company will depend on the business nature/environment, the technical infrastructure (e.g. terminal service solutions, RADIUS, Active Directory/LDAP, etc.) and the support resources/structure. CYOD may be a viable option for BYOD implementation as it is comparatively more manageable and employees can still enjoy some flexibility to choose their devices. I hope this article provides a good highlight of the concerns/approaches for decision makers/implementers to consider in choosing the right mix of solutions.

References

Architect’s Guide: BYOD Security Using TCG Technology, Trusted Computing Group, June 2012

Bring your own device, Wikipedia, http://en.wikipedia.org/wiki/Bring_your_own_device

For BYOD Best Practices, Secure Data, Not Devices, Thor Olavsrud, CIO, July 17, 2012, http://www.cio.com/article/print/711258

Navigating the “Bring Your Own Device” Policy: An IT Manager’s Guide, Brian Proffitt, Feb 15, 2012, http://h30565.www3.hp.com/t5/Feature-Articles/Navigating-the-Bring-Your-Own-Device-Policy-An-ITManager-s/ba-p/1664

From BYOD to CYOD, Rebecca Merrett, August 7, 2012, http://cw.com.hk/news/byod-cyod

Alan Ho ■

Contribution to PISA Journal

• To join the Editorial Committee of this professional publication
• To contribute to the next issue and make your publication public

SC Leung, Chief Editor editor@pisa.org.hk

Next Issue: Issue 17 (Mar‐2013)

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA


P I S A J o u r n a l

SEP-2012

Securing Amazon Linux AMI

Amazon cloud services are very popular. The Amazon Elastic Compute Cloud (Amazon EC2) provides a virtual computing environment in which Amazon customers can quickly launch virtual machines for different purposes. The virtual machines provided in Amazon EC2 are mainly Linux servers.

George Chung CISSP CISM CISA Program Committee


Among the Linux servers, Amazon provides its own Linux distribution, Amazon Linux AMI (Amazon Machine Image). Amazon Linux AMI is derived from CentOS, which is a recompilation of Red Hat Enterprise Linux (RHEL), so it is very handy for RHEL/CentOS system administrators. It comes with AWS API tools that can be used for scripting Amazon cloud services. The package repository is within the Amazon cloud, so the traffic for updating the server is not counted towards the data transfer fee. Amazon also provides package updates for bug fixes and security updates. Most importantly, it is free! An Amazon Linux AMI EBS instance is started from the AWS Management Console. The version is “Amazon Linux AMI release 2012.03”, as shown by reading /etc/system-release.

The default EBS instance has about 8G of disk space and consumes about 900M of it when launched for the first time. This is the default minimum installation by Amazon.

Only openssh (22/TCP) and ntpd (123/TCP) are run by default.

There are no firewall rules set up by default.

SELinux is not enabled. IPv6 is enabled by default. Only a normal user, ec2-user, can log in to the host via ssh with public key authentication.


Since the virtual machine uses a private IP address, Amazon uses a security group to port-forward the desired public ports to the virtual machine. The security group looks like a public firewall to the virtual machine, which gives Amazon customers a false sense of security: since no host firewall is enabled in Amazon Linux AMI by default, running services are exposed to other Amazon cloud virtual machines. The following screen capture shows the result of an nmap scan of the hosts in the same subnet. Services like MySQL and Tomcat could be identified on others’ virtual machines.


Enable Host Firewall

Without a host firewall, the services running within the Amazon cloud can be attacked easily, so the first thing to do is to enable the host firewall. Since Amazon Linux is derived from CentOS, copying the CentOS iptables configuration to /etc/sysconfig/iptables is a good starting point. Only ports that are enabled in the security group should be opened in the host firewall. Reboot the machine or run “service iptables restart” to make it effective.

Enable SELinux

The second thing to do is to enable SELinux. SELinux provides mandatory access control in the Linux kernel. It is very good at confining popular services like the Apache and MySQL servers: even if a confined service is compromised, the damage is limited to the files the SELinux policy permits it to access. To enable SELinux, add “security=SELinux enforcing=1” to the kernel line of /etc/grub.conf and touch a file named .autorelabel in the root directory.

Some SELinux packages may not be installed by default. Install the required packages by issuing this command: “yum -y install policycoreutils selinux-policy selinux-policy-targeted libselinux libselinux-utils libselinux-python setools-console mcstrans policycoreutils-python”. After rebooting the virtual machine, SELinux will be enabled and all files will be relabeled. The method of enabling SELinux is different from CentOS: configuring /etc/sysconfig/selinux doesn’t work for Amazon Linux.


Run “sestatus” to make sure SELinux is running.

Run “getsebool -a” to check whether the required Boolean values are turned on or off. If some values need to be changed, run “setsebool -P boolean_variable on/off”.
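The following helper script is an added example, not code from the article or from Amazon: it turns the first two hardening steps above into text-processing functions that can be rehearsed on a workstation before touching the instance. It generates an /etc/sysconfig/iptables ruleset that accepts inbound TCP only on the ports the security group opens, checks an existing ruleset against the security-group port list, and patches the kernel line of grub.conf with security=SELinux enforcing=1 before touching /.autorelabel. The function names, the file name harden.sh and the sample grub.conf lines in the comments are assumptions of the example.

```shell
#!/bin/sh
# Added helper (assumed file name: harden.sh), not part of the article.
# Three text-processing steps from the article, written as functions so
# they can be checked on a workstation before being applied on the instance.

# gen_iptables_rules PORT... : print an /etc/sysconfig/iptables ruleset
# (the iptables-restore format that "service iptables restart" loads) which
# accepts inbound TCP only on the listed ports and drops everything else,
# so a service is reachable from neighbouring EC2 hosts only when the
# security group already exposes it.  Replies to outbound traffic (yum,
# ntpd's own queries) are covered by the ESTABLISHED,RELATED rule.
gen_iptables_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_iptables_rules: bad port '$port'" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_iptables_rules: port out of range: $port" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rules_not_in_sg PORT... : read a ruleset on stdin and print each TCP port
# it ACCEPTs that is not among the ports the security group opens (the list
# is supplied by the caller, e.g. copied from the AWS console; nothing is
# queried).  Returns 1 when the host firewall is wider than the group.
rules_not_in_sg() {
    sg_ports=" $* "
    status=0
    for p in $(sed -n 's/.*--dport \([0-9]*\) -j ACCEPT.*/\1/p'); do
        case "$sg_ports" in
            *" $p "*) ;;
            *) printf '%s\n' "$p"; status=1 ;;
        esac
    done
    return "$status"
}

# grub_enable_selinux : filter a grub.conf from stdin to stdout, appending
# the article's boot parameters to every "kernel" line that lacks them
# (idempotent: running it twice adds nothing).
grub_enable_selinux() {
    awk '/^[ \t]*kernel / && $0 !~ /security=SELinux/ {
             $0 = $0 " security=SELinux enforcing=1"
         }
         { print }'
}

# apply_selinux_boot [GRUB_CONF] [ROOT_DIR] : rewrite the grub config in
# place and request a full relabel on the next boot (ROOT_DIR/.autorelabel).
# The defaults target the live system and need root; pass a scratch
# directory (constructed sample, e.g. "tmp/grub.conf tmp") to rehearse.
apply_selinux_boot() {
    conf=${1:-/etc/grub.conf}
    root=${2:-/}
    tmp=$(mktemp) || return 1
    if ! grub_enable_selinux < "$conf" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$conf"      # write through, keeping owner and mode
    rm -f "$tmp"
    touch "${root%/}/.autorelabel"
}

# Stand-alone use: "sh harden.sh 22 80 > /etc/sysconfig/iptables", then
# "service iptables restart".  With no arguments only the functions load.
if [ "$#" -gt 0 ]; then
    gen_iptables_rules "$@"
fi
```

The port list passed to rules_not_in_sg is whatever the security group shows in the console; the script deliberately does not call the AWS API, so the comparison works offline on a saved copy of the ruleset.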

Disable IPv6

The third thing is to disable IPv6. Amazon EC2 doesn’t support IPv6, and disabling it reduces the attack surface. To do that, edit /etc/sysctl.conf and add the following line at the end of the file.

After reboot, the IPv6 address will disappear.

Install Packages

The fourth thing to do is to update the installed packages with “yum -y update”. Amazon Linux AMI bundles a cloud-init script that installs security updates automatically when it boots; running the command updates all packages, including non-security fixes. Setting up yum-updatesd to send e-mail notifications when package updates are available is a good idea.


Make Partition for /tmp

The fifth thing to do is to make a separate partition for /tmp and a separate partition for /var. Amazon Linux AMI comes with only one partition. Without a separate /tmp, attackers could consume all disk space by writing files to /tmp and make the system stop running. An EBS volume can be created in the AWS Management Console and attached to the instance. Use fdisk to partition the volume and make a filesystem on it. Edit /etc/fstab to mount the partition at the appropriate mount point.

After reboot, the mount point will be mounted automatically.

Secure AWS Management Console

The last thing is to secure the AWS Management Console. The virtual machine is secure only when the AWS Management Console is secure: if the console account is hacked, all virtual machines run by the account could be compromised. To secure the AWS Management Console, two-factor authentication is recommended for console login. Google Authenticator can act as the second factor; it is freely available for iOS, Android and BlackBerry OS. The setup is very simple: use Google Authenticator to capture the QR code on the two-factor authentication registration page and input two authentication codes. The following capture is the login page for the authentication code using Google Authenticator.


Security Hardening of Other Services

If other services like httpd and mysql are run, they should be hardened as well; that is out of scope in this discussion. The NSA security configuration guide and the CIS security benchmarks can be used as references to further enhance the hardening process.

George Chung ■


Book Review: “IT Security Metrics”

In the consulting field, I often meet customers and discuss security-related matters with them. Among the questions customers ask most frequently are “how good or how bad is our security?” and “how does our security compare with similar organizations of our size and business nature?”

Henry Ng CISSP-ISSAP CISA Program Committee


CISOs and security managers want a way to measure security and present it to management to show the effectiveness of the security technologies and programs they have put in place. Unfortunately, there doesn’t seem to be any recognized framework for measuring and comparing the effectiveness of information security.

Lance Hayden is a solution architect and information scientist with Cisco Systems’ worldwide security practice. He is also a trained social scientist, holding a Ph.D. in Information Science from the University of Texas, where he teaches courses on information security and surveillance in society. He composed this book to contribute to the ongoing conversation about security measurement and to explain how to put metrics to effective use within an organization.

Title: IT Security Metrics
Author: Lance Hayden, PhD CISSP CISM
Publisher: McGraw-Hill Osborne Media
Publishing Date: 1st edition (June 21, 2010)
ISBN-13: 978-0071713405

This book has 396 pages, separated into 12 chapters. Four case studies about security measurement are included (real examples of how organizations apply security metrics, which I find very intuitive). The 12 chapters are logically arranged in 4 parts:

1) introducing security metrics
2) implementing security metrics
3) exploring security measurement projects
4) beyond security metrics

Because of the vast amount of content covered by the book, this book review article will cover the first half of the book, i.e. the first 6 chapters about introducing security metrics and implementing security metrics.

Chapter 1

Lance starts off by defining metrics as records of our observations, whereas measurement is the activity of making observations and collecting data in an effort to gain practical insight into whatever it is that we are attempting to understand. Lance goes on to describe five common security metrics used today as well as their shortcomings:

• Risk – based on expert judgments, which are a set of opinions about risk. It doesn’t measure actual risk but rather human judgments about security risk.
• Security vulnerability and incident statistics – Lance however points out a fallacy: more reported Internet vulnerabilities doesn’t necessarily mean Internet security is getting worse, because there can be hundreds of new technology products every year.
• Annualized loss expectancy – ALE = ARO x SLE (CISSPs should recognize this formula, right?). ALE measures what people think rather than objective reality. IT security doesn’t have the data necessary to define actual probabilities, hence ALE primarily deals in opinions and expectations. Also, ALE cannot measure losses involving productivity, efficiency or competitiveness.
• Return on investment – IT security has to do with loss prevention and is not undertaken as a profit center.
• Total cost of ownership – many costs remain hidden; like ROI, it has been co-opted by vendors that recognize it as a metric supporting purchase decisions.

Lance wraps up this chapter by referring to how metrics are used in the insurance, manufacturing and design industries, and notes that security decisions will improve as we improve our capabilities to collect, analyze and understand data regarding security operations.

Chapter 2

Lance drills into what metrics and measurement are, and how to choose good metrics for measurement. If you set metrics without really understanding how you want to use them to gain insights, the metrics scheme won’t work well.

After Lance elaborates with examples of the who, what, when, where, how and why aspects of defining metrics for a security program, he introduces the Goal-Question-Metric (GQM) method, a simple three-step process which can be used for developing security metrics. First of all, you set a goal (leverage the SMART goal-setting rules). Then ask relevant questions to enable components of the goal to be achieved or evaluated for success. After questions have been developed to define the goal operationally, metrics can be assigned. Lance illustrates a number of examples using GQM which I find practical. For instance, a goal can be to improve user compliance with corporate security policies that are not effectively disseminated or enforced (aren’t we too familiar with this situation?). A relevant question can be “what is the current level of enforcement of corporate security policy?”, and the corresponding metrics are “number of reported security policy violations in the previous 12 months” and “number of enforcement actions taken against policy violations in the previous 12 months”. Another question can be “is enforcement of the security policy increasing?”, and the metrics can be defined as “increase in security policy enforcement actions over baseline”, “increase in awareness of corporate security policy”, “increase in efficiency of the security policy process” and “improved response from surveyed users on policy familiarity and usability”. Although GQM seems straightforward, I believe the trick is to ask the right questions in order to achieve the goal. This requires experience and knowledge of your corporate IT environment and of how security should fit into it.

Chapter 3

This is a short but academic chapter, with Lance describing types of quantitative versus qualitative data. I think it is still worthwhile to understand, because you will need to know what types of data you can collect in order to fulfil the defined metrics. I find the DIKW hierarchy informative; I hadn’t come across it in the past. This model has actually existed for over 20 years and is used to describe a 4-tier relationship of how context and experience allow data to be transformed into information, then into knowledge and eventually into wisdom. I believe the concept is important for explaining to senior management how we can gain the wisdom to make prudent and succinct security decisions based on the raw data collected from security metrics.

Chapter 4

Why do we want to collect data for security metrics? What do we want to achieve by measuring security? Ultimately, we want to improve security, right? So how can IT security metrics be converted into security improvement? Lance introduces a security process management (SPM) framework tying security metrics, security measurement projects, the security improvement program and security process management together. If you ever want to engage in a project to establish a security process management framework, Lance advises that you will need to 1) analyze how to get buy-in by knowing the business drivers, stakeholders and resources required to be spent on SPM, 2) set expectations for the end goal of SPM, and most important of all, 3) show tangible results to meet the set expectations. All very true, but in my opinion also applicable to other information security initiatives.

Chapter 5

Another academic chapter, in which Lance explains how data can be analyzed. If you have a statistics background or are strong in mathematics, you can easily skim through this chapter because Lance merely introduces various generic data analysis models. For instance, descriptive statistics shows what is present in the actual data collected, using mathematical measures such as mode, mean, median, range, variance and standard deviation. Inferential statistics, on the other hand, seeks to use a sample set of data to infer things about the larger population from which the sample is drawn. Good examples are sampling and hypothesis testing.

Chapter 6

Lance describes how to embark on a security measurement project (SMP) in this chapter. To prepare for an SMP, one should conduct GQM analysis, review what has been done before, and get buy-in from stakeholders and sponsors. An SMP can be executed in five phases. Phase one is to build a project plan and assemble the team. Phase two is to gather the metrics data. Phase three is to analyze the metrics data and build conclusions. The next phase is to present the results, and the final phase is to reuse the results. Although this chapter is pretty straightforward and easy to read, the crown jewels of IT security metrics are not covered yet. In fact, I view the first six chapters as more of background and preparation material to prep readers for the next six chapters, which will cover more practical advice on the use of IT security metrics.

Please stay tuned for my next book review article covering the remaining six chapters in the next issue of the PISA Journal.

Henry Ng ■


「域」見未來 (A "Domain" View of the Future)

郭榮興 CISSP
Programme Committee Member

On 13 June 2012, the Internet Corporation for Assigned Names and Numbers (ICANN) published the list of applications to operate new generic top-level domains (gTLDs). There were 1,930 applications in total, of which Hong Kong companies submitted 42, two per cent of all applications worldwide, a pleasant surprise for the Hong Kong IT industry.

Apart from country-code top-level domains (such as .hk, .cn and .tw), the Internet currently has 22 generic top-level domains, the best known being .com, .net and .org. Today Internet services reach every industry, and the existing 22 gTLDs can no longer satisfy the needs of every sector, nor do they offer much choice. ICANN expects the new gTLDs to bring more innovation, choice and competition to the Internet, and ultimately better services to users. For example, the banking industry could apply for .bank, the music industry for .music and the hotel industry for .hotel. Companies around the world can also apply for a top-level domain under their registered company name or brand, such as .ibm, .microsoft, .skype and .android.

The cost of applying for a new gTLD is staggering. An applicant first pays an initial application fee of USD 185,000 (about HKD 1.45 million), and thereafter an administrative fee of USD 25,000 (about HKD 200,000) every year. When vetting each domain, ICANN also considers the applicant's background, including technical support, financial standing and operational capability; only applicants of sufficient strength are approved. By a conservative estimate, the average cost of each new gTLD may exceed one million US dollars.

Two Hong Kong telecommunications providers, PCCW Limited (電訊盈科有限公司) and CITIC Telecom International (Information Technology) Limited (中信國際電訊(信息技術)有限公司), together applied for eight top-level domains for future business use, namely .pccw, .hkt, .電訊盈科, .香港電訊, .now, .nowtv, .中信 and .citic. The author found that as many as six companies applied for .now, while only PCCW Limited applied for .nowtv. One cannot help admiring the company's planning and strategy: they had long anticipated that .now would set off a contest, and should their bid for .now fail, .nowtv could fill the gap immediately.

Among the many applications, the most eye-catching is .app, contested by 13 companies including Amazon and Google. The industry estimates that Google is determined to win .app and will not hesitate to spend over ten million US dollars to beat the other contenders and finally obtain ownership of .app.

On the network security side, the new gTLDs will help curb the spread of phishing sites. For example, all PCCW websites currently rely on the .com top-level domain, so criminals can set up phishing sites under lookalike domains such as pccw--hk.com or pccw1.com in an attempt to deceive users. If PCCW used .pccw as its only Internet domain identifier, the websites of every subsidiary and every distributor could be unified under .pccw, and users could tell a genuine site from a fake one simply by checking whether the suffix of the address is .pccw. New gTLDs can therefore effectively protect the domain names and reputation of large enterprises.

Another network security advantage is that new gTLDs must operate with the Domain Name System Security Extensions (DNSSEC) enabled: when zones at each level exchange information, digital signatures confirm that the data is authentic, preventing users from being redirected to fraudulent sites and improving network security.

All in all, this event is a major reform of the Internet. The first batch of new gTLDs is expected to enter service in mid-2013 at the earliest, and the Internet will then take on a new look.
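The "just check the suffix" rule described above, as an added example that is not part of the original article: a hostname is classified as sitting directly under a brand's own TLD, as brand-like under some other TLD (which is where both the genuine www.pccw.com and the lookalikes pccw--hk.com and pccw1.com end up, the ambiguity the article argues a brand TLD removes), or as unrelated. The brand TLD set and the sample hosts other than the two lookalikes named above are assumptions.

```python
import re

# Added example, not from the article. BRAND_TLDS holds the two Latin-script
# TLDs the article says PCCW applied for; every other host below is constructed
# except pccw--hk.com and pccw1.com, which the article names as lookalikes.
BRAND_TLDS = {"pccw", "hkt"}


def labels(host):
    """Split a hostname into lower-cased DNS labels, ignoring a trailing dot."""
    return host.lower().rstrip(".").split(".")


def classify(host, brand_tlds=BRAND_TLDS):
    """Return 'own-tld', 'brand-like' or 'unrelated' for one hostname.

    own-tld    : the last label is a brand TLD, so the suffix alone vouches for it
    brand-like : another label contains a brand name once digits and punctuation
                 are stripped (pccw--hk -> pccwhk, pccw1 -> pccw); this bucket
                 holds genuine .com sites and phishing lookalikes alike
    unrelated  : no brand name anywhere in the host
    """
    parts = labels(host)
    if parts[-1] in brand_tlds:
        return "own-tld"
    for label in parts[:-1]:
        letters = re.sub(r"[^a-z]", "", label)
        if any(brand in letters for brand in brand_tlds):
            return "brand-like"
    return "unrelated"


def triage(hosts, brand_tlds=BRAND_TLDS):
    """Group hostnames (e.g. pulled from proxy logs) by classification, keeping order."""
    groups = {"own-tld": [], "brand-like": [], "unrelated": []}
    for host in hosts:
        groups[classify(host, brand_tlds)].append(host)
    return groups


# Constructed sample, mixing a genuine .com site, brand-TLD hosts and the
# two lookalike domains the article mentions.
SAMPLE_HOSTS = ["www.pccw.com", "shop.pccw", "pccw--hk.com", "pccw1.com",
                "mail.hkt", "www.example.org"]
```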


郭榮興 ■


Targeted Attack Analysis: Know Your Enemy

Anthony Lai, SANS GREM (Gold)
Founder and Security Researcher, Valkyrie-X Security Research Group (VXRL)

Frankie Li, SANS GREM (Gold)
Security Researcher, Valkyrie-X Security Research Group (VXRL)


My Recent Move

In the past few years, other than working on penetration tests, I started another research interest in malware analysis and connected with various top researchers to analyze samples together. My fellows Frankie Li and DDL (he does not want to disclose his name) and I have worked together and published a targeted attack (a.k.a. APT, Advanced Persistent Threat) research paper [1] at the IEEE Malware 2011 conference. Meanwhile, our work has been recognized by one of the top malware researchers, Nart Villeneuve [2].

What is the difference between a targeted attack and routine malware? Let me try to highlight a few areas:

Level of target understanding
● Targeted attack: High. The samples are made and sent according to the target's background, profile, human connections and applications.
● Routine malware: Low. It is more general, not specifically targeting an individual or enterprise, regardless of the systems/applications they use.

Delivery channel
● Targeted attack: Email attachment.
● Routine malware: Email, drive-by download.

Payload characteristics
● Targeted attack: The payload is deployed to the victim on a need basis.
● Routine malware: Most of the time a single payload is uploaded to the victim instead of multiple staged payloads.

Targets
● Targeted attack: Research institutes, political bodies, militaries, governments, multinational organizations, financial institutions, business organizations.
● Routine malware: Individuals or groups of unrelated individuals who own similar digital assets (such as credit card information and online banking passwords).

Actors
● Targeted attack: State actors or a group of sophisticated, determined and coordinated attackers, for the purposes of collecting national secrets, political espionage or industrial/business espionage.
● Routine malware: Hackers or organized crime groups, mainly with a financial motive.

Delivery carrier
● Targeted attack: Documents including PDF, DOC, DOCX, XLS and PPT. The most frequently used carrier is the RTF formatted file.
● Routine malware: Other than documents, they could send JPEG or compressed files (.rar and .zip).

Skills required

The technical analysis skills required include:

● Comparing any state change in the registry, processes and files of the infected system(s)
● Looking for any interesting strings in the malware sample, such as connections to the Command and Control server (CnC or C2 server)
● Debugging the process with Windows Debugger and OllyDbg
● Reverse engineering with the IDA Pro software [3]

Understand our enemy

Recently I have also monitored the traffic of infected system(s), waited for the attacker to come in and learned their activities. For example:

1. Searching all files with .doc/.xls/.ppt/.pdf/.rtf extensions
2. Planting a backdoor on the machine
3. Modifying and replacing some critical system files and applications, such as cmd.exe
4. Piping the valuable information and files out to their remote C2 server(s)
5. Removing their activity logs and changing back the timestamps of the files they accessed

Habit and tradition don't work anymore

I have already asked many practitioners and security officers on this planet whether they get to know that they are targeted once they receive a malicious email attachment. Most of them said they have no idea, and some even just uploaded the suspicious sample to VirusTotal so as to finish their incident response "homework" and close the file. To be frank, the battlefield is changing and typical anti-virus software cannot deal with a targeted attack. The attacker is smart enough that all of those targeted samples have been scanned with typical AV software beforehand as basic quality assurance; could you still believe in those sandbox engines?

Developed an APT analysis engine

I have worked with Taiwanese researchers, formed Xecure Lab and developed an engine called Xecscan [4]. It analyses an uploaded document file in detail so that we can understand the sample's behaviour, the resident process and calling sequence of the malware, as well as the identifiable C2 server(s). This engine is public and is recognized by many top APT researchers and malware analysts.

Case Study

Let us pick a Microsoft Excel sample as an example (shown as the second entry in Figure 1). From Figure 1 we can find out the date of analysis and the MD5 hash value of the sample. There are columns showing the identified IP address(es) of the CnC server(s).

Figure 1. Submitted samples

Figure 2: Detailed Technical Analysis

The analysis (see Figure 2) shows that once we execute the .xls file, a dmadmin.exe file is created at %UserProfile%\Local Settings\dmadmin.exe with hash value fb850b70f45494b47020272c6bf72e94. The file is executed within the svchost.exe process and spoofs an Adobe application executable. Meanwhile, a registry entry HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\dmadmin is added so that it runs automatically after the operating system reboots.

Figure 3: Identified Exploit


From Figure 3 we can identify that the exploit used by the .xls file is CVE-2012-0754, which attacks an Adobe Flash Player vulnerability. The affected platforms are not limited to Windows; Mac OS and Android are affected as well.

From Figures 1 to 3 it looks like we could complete the analysis work. However, the story does not end there: could you tell whether an individual or enterprise is targeted or not?

We have analyzed all the submitted samples (around 15,000 up to August 2012), extracted various pieces of information from them and built our signature database from that data. We apply rough set theory [5] to the data extracted from the samples so as to ensure that the representative information/strings/data are sufficient to match any existing APT attacker group, or to show that it is indeed a new group.

From Figure 4, an APT group map is provided, and we can check whether the submitted suspicious document belongs to any APT attacker group. It looks like the victim company and individual are targeted by a large-scale APT attacker group.
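The state-change comparison and indicator matching the case study walks through, as an added example that is not from the article or the Xecscan engine: two host snapshots (before and after opening the document) are diffed and what appeared is checked against the findings above. The victim profile path, the "before" snapshot contents and the process names are constructed; the dropped-file location, the Run key and the MD5 hash are the values the article quotes.

```python
import re

# Added example, not from the article or Xecscan. Constructed data except the
# dropped-file location, the Run key and the MD5, which the case study reports.
KNOWN_BAD_MD5 = {"fb850b70f45494b47020272c6bf72e94": "dmadmin.exe dropper (case study)"}
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
USER_PROFILE = r"C:\Documents and Settings\victim"        # constructed %UserProfile%
DROPPED = USER_PROFILE + r"\Local Settings\dmadmin.exe"

# A snapshot: file path -> MD5 hex, Run key -> {value name: command}, process names.
BEFORE = {
    "files": {USER_PROFILE + r"\My Documents\budget.xls": "0" * 32},
    "run": {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    "procs": {"explorer.exe", "svchost.exe", "EXCEL.EXE"},
}
AFTER = {
    "files": dict(BEFORE["files"], **{DROPPED: "fb850b70f45494b47020272c6bf72e94"}),
    "run": {RUN_KEY: dict(BEFORE["run"][RUN_KEY], dmadmin=DROPPED)},
    "procs": BEFORE["procs"] | {"dmadmin.exe"},
}


def diff_snapshots(before, after):
    """Return the files, Run values and processes present in 'after' but not 'before'."""
    new_files = {p: h for p, h in after["files"].items() if p not in before["files"]}
    new_run = {}
    for key, values in after["run"].items():
        old = before["run"].get(key, {})
        new_run.update({key + "\\" + n: c for n, c in values.items() if n not in old})
    return {"files": new_files, "run": new_run, "procs": after["procs"] - before["procs"]}


def assess(diff, profile=USER_PROFILE):
    """Turn a diff into findings: known-bad hashes, executables dropped into the
    user profile, Run-key persistence pointing into the profile, new processes."""
    findings = []
    for path, md5 in diff["files"].items():
        if md5 in KNOWN_BAD_MD5:
            findings.append(f"known-bad hash {md5} at {path}: {KNOWN_BAD_MD5[md5]}")
        elif path.lower().endswith(".exe") and "\\local settings\\" in path.lower():
            findings.append(f"new executable dropped in user profile: {path}")
    for value, cmd in diff["run"].items():
        if cmd.lower().startswith(profile.lower()):
            findings.append(f"Run-key persistence into user profile: {value} -> {cmd}")
    for proc in sorted(diff["procs"]):
        findings.append(f"new process after opening the document: {proc}")
    return findings


IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def network_strings(sample_bytes):
    """The 'interesting strings' step: IPv4 literals embedded in a sample body."""
    return sorted({m.decode() for m in IPV4.findall(sample_bytes)})
```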


Figure 4: The pointing arrow illustrates the sample submitted is from a large-scale APT attacker group

Summary

We need to revolutionize our attack detection and incident response into a new phase instead of just depending on the AV engine in the gateway and mail server. I could say APT targeted attacks and routine malware are two different animals, and we need different ways and strategies to deal with them.

Once you get the findings and analysis from the sections above, if you were the target, what would you do next?

Anthony Lai ■


REFERENCES

[1] Evidence of Advanced Persistent Threat: A Case Study of Malware of Political Espionage. https://sites.google.com/site/valkyriexsecurityresearch/announcements/aptpaperacceptedbymalware2011conference
[2] Top APT Research of 2011. http://blog.trendmicro.com/trendlabs-security-intelligence/top-apt-research-of-2011-that-you-probably-havent-heard-about/
[3] IDA Pro Disassembler Software. http://www.hex-rays.com/products/ida/index.shtml
[4] Xecscan – APT Document Scan Engine. http://scan.xecure-lab.com
[5] Rough Sets: A Tutorial. http://secs.ceas.uc.edu/~mazlack/dbm.w2011/Komorowski.RoughSets.tutor.pdf

Event Snapshot

We Share. We Progress.

Talk Delivery @ 3rd Asia Pacific Telecommunity Cybersecurity Forum (27-Sep-2012)

The Forum was organized by the Asia Pacific Telecommunity and hosted by the Bureau of Telecommunications Regulation (DSRT) of the Macao Special Administrative Region. Frank Chow, our Chairperson, delivered a talk on "Build Cybersecurity Management System." http://www.apt.int/2012-CSF3

Talk Delivery @ DNSSEC.Asia Summit 2012 (29-Aug-2012)

DNSSEC.Asia was organized by ISOC-HK and Cyberport. Warren Kwok represented PISA to share “DNSSEC Deployment - from a Network Administrator's Perspective”.

(from left) Richard Lamb (ICANN), Phil Regnauld (NSRC), Hervey Allen (NSRC), SC Leung (ISOC-HK, moderator), Warren Kwok (PISA) and Ben Lee (HKIRC).

Event Snapshot

We Contribute. We Achieve.

PISA AGM, Election and Theme Seminar (25-Aug-2012)

Prof. Eric TSUI, Associate Director (Business Development), Knowledge Management and Innovation Research Centre (KMIRC) at the Hong Kong Polytechnic University, delivered a theme talk on the topic “Evolution of Knowledge Management Systems”.

Andy Ho, Chairperson (left), Frank Chow, Vice Chairperson of PISA (right) took a photo with Professor Eric Tsui.

Founding of ISC2 Hong Kong Chapter

The ISC2 Hong Kong Chapter was established under PISA as an SIG. The Founding Members of the SIG had a photo taken at the AGM.


PISA and ISC2 Lunch Meeting (16-Aug-2012)

Hord Tipton, Executive Director and Elise Yacobellis, Director of Corporate Development of ISC2 visited Hong Kong. PISA was invited to a lunch meeting with them.

Talk Delivery @ Macao Clean PC Day (25-Jul-2012)

The Data Management and Social Networking Risks seminar of Clean PC Day Macau was organized by Macau CERT and Manetic. Mike Lo delivered a talk on "NFC Security on Mobile Application". It aroused a lot of attention.

Seminar: Data Loss Protection (DLP) Strategy and Technology (26-Jun-2012)

Gareth Bridges, Business Manager, Security and Information Management of Symantec Hong Kong Limited delivered a talk on Data Loss Protection Strategy and Technology.


Professional Information Security Association

Vision: to be the prominent body of professional information security practitioners, and utilize expertise and

You Can Benefit in Many Ways

Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education
Check out job listings information provided by members. Get information on continuing education and professional certification.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy discounted or free admission to association activities, including seminars, discussions, open forums, IT-related seminars and conferences organized or supported by the Association.

Realize Your Potential
Develop your potential and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others, and enjoy the sense of achievement and recognition of your potential.

Professional Recognition
Benefit from immediate access to professional recognition by using the post-nominal designation.

Membership Information

Enquiry email: membership@pisa.org.hk
Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

Membership Requirements

Membership Type | Annual Fee (HK$) | Qualifications | Relevant Experience
Full | 500 | Recognized Degree in Computing discipline, OR other appropriate educational / professional qual. | 3 years Info-Sec working experience
Associate | 300 | Tertiary Education | Info-Sec related experience
Affiliate | 300 | Interested in furthering any of the objects of the society | Nil
Student | 100 | Full-time student over 18 years old | Nil

Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee. All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

