My favorite Keynote speaker was far and away Johnny Long.  His talk was on "No Tech Hacking" and he is as entertaining as he is talented.  If you ever get a chance to see him speak, definitely do so.  Also, be sure to check out his website at IHackCharities.org.

My least favorite Keynote speaker was Ken Watson.  He spoke all monotone and the presentation on these centers around the country that the government is using to team up with industry to prevent attacks on critical infrastructure was pretty lame.  I guess I just expected more and from talking with others it seems like I'm not alone.

My favorite presentation was Robert Hansen and Rob MacDougal's talk on "Assessing Your Web App Manually Without Hacking It".  It was a simple concept that everyone from managers to developers to IT guys can follow to get an idea as to how many vulnerabilities their application might contain.  RSnake!

My least favorite presentation was "The Importance of Log Management in Today's Insecure World" by Ricky Allen and Randy Holloway from ArcSite.  Too vendory, not technical enough, and kinda a lame presentation in general.  Maybe I'm just bitter because I heard that the other presentations that took place while I was in this session were really good.

This was the first year that TRISC had a Casino Night and it was awesome.  I played Texas Hold 'Em most of the night and took Nathan Sportsman's money and a bunch of Rob MacDougal's as well.  They had Roulette, Blackjack, and Craps tables there as well and the goal was to start with $10,000 in chips and for every $5,000 you had at the end of the night you got a raffle ticket.  I ended up with over $40,000 and 9 raffle tickets and won three different items.  Score.

Overall, TRISC 2009 was not the best conference that I've ever attended, but was certainly the best TRISC to date.  I was very impressed and am looking forward to next year.  FYI, all presentations from the conference are online and available for viewing here.

• Barbarian Horde
  • Our castle walls must keep us safe
    • Script kiddies and DDoS

• Ninjas
  • Knowledgeable “Haxx0rs” with deliberate intent
    • Social engineering to exploits
• Vampires
  • Generally have to be “invited” in
    • Convert others to their side
    • Malware, worms, and botnets
  • Vampires are social creatures

Problems with Traditional Mechanisms

• The Barbarian Horde
  • How do we know its working?
• Ninjas
  • Ninjas are stealthy and think outside the box
  • Social Engineering can grant all manner of access
• Vampires
  • What happens if you’re the first one bit?
  • Where do you have your safeguards?

How can Flow Data help? (Packet level logging for network devices – Ex: NetFlow)

• Global Accounting
  • Who, what, where, when, how
• Barbarians
  • Who made it through the castle wall?
• Ninjas
  • Forensic data
  • “Soft-Firewall” like rules
• Vampires
  • Containment is key – one hop away
  • Policy verification

Why Flow?

• Leverage your existing network infrastructure to quickly, accurately detect, contain and remediate incidents.
• Anywhere from a 3-10% impact on processor.  Memory impact is even smaller.

Freeware flow data

• FLOW-TOOLS
• NMon

Behavioral Analysis?

• Flow data is awesome.  Why the expert system?
  • Flow data is plentiful – drinking from the firehose can hurt
• The problem of context
  • Signatures and rules may not always be appropriate
• Bobby Sue doesn’t normally upload this many files to the Net
• Who has staff available to constantly scrub files and graphs?

• As many as 65% of merchants are still not PCI compliant
• Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions·
• Many retailers still don’t have a clear view of compliance, and cannot effectively identify gaps
• The first steps to PCI compliance are a thorough internal assessment and gap analysis – many merchants skip these steps and launch multiple costly projects
• PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments
• The framework is comprehensive and effective but adherence to the specific standards is often challenging – primarily due to the complexities involved in both program design and implementation
• Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS.  Specific obligations vary based on transaction volumes.
• Focus right now is on the Level 4’s.
• TJX subject to 20 years of mandatory computer systems audits after massive breach

Challenges

• Providing adequate and clear program management for all of the entire spectrum of PCI remediation activities (60-70% give to “Compliance guy” and typically fail.  Should go to senior security guy)
• Accurately scoping requirements throughout the organization, including remote sites and international operations
• Evaluating and then implementing a wide variety of complex technologies – including encryption
• Redesigning or replacing internal applications and payment systems to adequately protect cardholder data
• Developing, implementing and enforcing new or revised policies and procedures across the entire organization
• Differing opinions with auditors regarding PCI compliance requirements, especially related to the concept of “Compensating Controls”
• Verifying PCI compliance for 3rd party partners that process data on behalf of the merchant

Differences from PCI DSS 1.1 to 1.2

• Active monitoring plans for all 3rd party PCI Service Providers (Requirement 12.8)
• Visits to offsite data storage locations at least annually
• Mandatory phase out of weak encryption for wireless networks
• Additional requirements for the use of “Compensating Controls” for specific PCI security requirements
• Assessor testing procedures changed from “Observe the use of…” to “Verify the use of”
• Quality assurance program for PCI assessors
• Process restricts or eliminates assessors from performing PCI work due to poor quality assessments
• Assessors must now go beyond cursory observation of security controls and provide statistical samples
• Assessors now going much deeper to include verifying individual system settings, requesting and analyzing configuration files, studying data flows, …

The Cost of Compliance and Non-Compliance

• According to a comprehensive Forrester Research report on PCI compliance, companies spend between 2%-10% of their IT budget on PCI compliance
• Credit card companies are levying fines on non-compliant merchants
  • Up to $25,000 per month for each month of non-compliance for L1’s ($5,000 for L4’s)
  • $10,000-$100,000 per month for prohibited storage of magnetic stripe data
  • Up to $500,000 per incident if a confirmed compromise occurs
  • Continued non-compliance may result in revocation of CC processing privileges
• Banks and acquirers may increase processing fees for non-complinat merchants.  In 2008, one retailer estimated an annual increase in operational costs of $18 million due to this increase in processing fees on VISA card transactions alone.
• Banks and acquirers can often pass on damages they incur to merchants
• Repeat or additional PCI assessments & internal audits

Corporate Compliance Framework

• Although PCI provides compliance requirements in most areas, it’s only a subset
• ISO 27002:2005 is what they used for PCI
• Good general requirements, but no explanation on how to do it
• PCI sets best practices
• For example, ISO 5.1.1 maps to PCI 12.1, 12.4, and 12.6.2

How to “Sell” PCI Compliance to Senior Management

• Gloom and Doom
  • Fines and sanctions will sink us
  • Probability of success 40-50%
• The PCI Umbrella
  • We need these 15 projects and ten new security products to be PCI compliant
  • Probability of success 40-50%
  • Who has done the gap assessment
• The Long Term Approach
  • If we achieve PCI compliance we will also be well on our way to other requirements
• PCI compliance is not a project or technology based solution – it is being able to demonstrate that an organization has the means in place to protect sensitive information
• Use as a building block to sell to senior management

Importance of Security Policies

• Govern expected behavior and process
  • Expected and prohibited behavior
  • Security process
• Establishes roles and responsibilities
  • Management & oversight
  • Execution
• Define protection measures
  • Access controls
  • Physical security measures
  • Monitoring, audit, and oversight
  • Response priorities

Hazards of Weak Security Policies

• Unclear expected behavior
  • Personnel guess at what is allowable & expected
  • Minor “infractions” – undefined & unnoticed
  • Leads to eroding culture of trust
• Unclear roles and responsibilities
  • No oversight – administrator actions go unchecked
  • No management – activities according to whim
• Unclear protection measures
  • “Heroes” define network security
  • Extremely tech-centric security posture

Security Architecture Mistakes

• Mixed audience policies
  • Ex: Encryption policy
    • Use of encryption – users
    • Selection of encryption algorithms – system owners
    • Implementation of encryption – custodians
    • Key escrow – system owners
    • Oversight – auditors/management
  • Ex: Security Updates
    • Do not block network updates – users
    • Patch every Tuesday – admins
• Who is the audience?

Common Policy Architecture Mistakes

• One topic = one policy
• Magic Policies
  • Templates
  • Handbooks
• Pros
  • Solves the “blank piece of paper” problem
• Cons
  • Old
  • No consideration for your environment, culture, or organization
  • Discourages analysis
  • No SME (Subject Matter Expert) involvement
  • Thwarts adoption
• Match policy to requirements
  • PCI Policy project
  • HIPAA Policy project
  • TAC 202 Policy project
  • Etc
• Problem
  • Requirements by controls
  • Policies organized by audience & topic

Clean Slate Approach

1. Assess what you have
   • Independent & complete review process
2. Determine controls framework
   • COBIT, ISO 27001
3. Map in requirements
   • PCI DSS, HIPAA, TAC 202
4. Organize create policy statements
   • For each control (rows) and requirement (column)
5. Create policy architecture
   • According to audience & topic

Policy Assessment Approach

• Step 1 (Essential Elements Checklist)
• Steps 2 (controls & framework) & 3 (map requirements)
• Steps 4 (policy statements) & 5 (policy architecture)

Conclusion

• Administrative Controls
  • Management, oversight, process
  • Address organizational and insider issues
• Lack of policy architecture
  • Leads to weak administrative controls
  • Unplanned technology implementation
    • “implementation by appointment”
• Ensure your controls are complete
• Reaction is NOT a strategy (Don’t do it because a vendor called you or because an auditor said to do it)

• ISPs’ “advanced network management” practices are changing the way that bits are transmitted across the internet
• Content of online communications is now inspected as it travels between endpoints
• ISP customer contracts require users to consent to the monitoring of their online activities
• ISPs claim increasing Internet traffic is leading to network congestion that requires new non-standard network mgmt practices
• Many ISPs are introducing network systems that identify traffic by type or application to delay “low-priority” bits
• One HD video download is roughly equivalent to visiting 35,000 web pages
• A few users account for most of the downstream traffic.  Upstream disparity is even greater.
• Mandatory and non-negotiable ISP customer contracts authorize the wholesale inspection of user communications.
• As a condition of service, customers (individuals and businesses) must consent to this inspection

Deep Packet Inspection

• Network-level appliance that captures Internet traffic on ingress and egress.
• Examination of the packet’s header information and payload (content).
• Analysis of (up to) all 7 layers of the OSI model
• Network-based parental controls, spam filtering, detection and protection against adware, spyware, malware, or viruses
• Network-based bandwidth prioritization
• Filtering of IP, child porn, and provider or government-determined “unacceptable” or “illegal” speech
• Targeted advertising through monitoring and data-mining
• Enforcement of “Net Neutrality” based “nondiscrimination” imperative

Network-Level Targeted Advertising

• In 2006 and 2007 Phorm and British Telecom began secretly monitoring 54,000 Internet users and testing DPI-facilitated targeted advertising
• By the end of 2009, all British Telecom Internet users will be monitored and presented with targeted ads
• In 2008, NebuAd partnered with 30 American ISPs to track users on the Internet and perform targeted advertising
• Network-level targeted advertising uses DPI to monitor everything that users transmit or receive over their Internet access connections
  • Web browsing
  • E-mail
  • IM
  • Downloads
  • Applications and Devices
• Advertising systems generate a profile which is then sold

No Way to Opt-Out of DPI

• ISPs claim that users can opt-out of targeted advertising by installing a cookie that will turn off the ads, but not the tracking
  • Purging cookies will re-opt-in users
  • Disabling cookies will default to opt-in
• ISPs provide now way for users to opt-out of the underlying DPI
• New DPI systems can block, segregate, or defeat user encryption

DPI: Privacy Implications

• Consent to monitoring is a waiver of privacy rights
  • Including automated, non-human inspection
• All privileges are waived on an inspection network
• Private communications will be available to others through a 3rd party subpoena to the ISP with a showing of mere relevance, and without user notice
• ISP TOS require businesses to consent to the monitoring of their online communications
• Information gleaned from inspection can be used for any and all purposes by the ISP
• Trade secrets, proprietary information, confidential communications, transaction records, customer lists, etc are all exposed
• Businesses risk violating customer privacy laws
  • Allowing third party access to medical, tax, financial, and credit records is often prohibited

Solutions to Protect Privacy on the Internet

• DPI has legitimate uses and need not be banned
• However, wiretapping without a warrant should require express, voluntary (opt-in) and informed user consent
• Full and complete disclosure of inspection practices and legal consequences to users
• Educated and voluntary consent is OK
• Requiring consent as a condition of receiving service is not voluntary
• Intrusive regulation by industry-captured regulators is the wrong way
• Need an administrative or legislative declaration of a public policy against internet access contracts that fail to disclose practices and privacy implications and/or require waiver of privacy rights as a condition of service
• Privacy is preserved without regulation

What is log management?

• Ensuring your enterprise log data is accessible, easily retrievable and forensically sound
• Properly dealing with mammoth amounts of event data stores in thousands of vendor generated log files
• Achieving compliance (SOX, HIPAA, PCI, FISMA), Security and IT operation usage of log data that does not break the bank
• Log data now represents over 30% of ALL data generated by enterprises – creating a real need for log management
• Dominant uses for log data include:
  • IT operations – systems/network health and availability
  • Security monitoring – perimeter or insider threat detection
  • Compliance monitoring – for regulations and industry standards

Why should I care?

• Overwhelming flood of logs
• Islands of defense
• Week long manual investigations
• Massive false positives
• Heterogeneous consoles
• Many different formats
• Regulations and their commonly used frameworks impose various requirements when it comes to log management
• Regulatory mandates have further increased log retention requirements
• Increased need to store both security and non-security
• There continues to be an increased emphasis on audit quality data collection
• Regulatory requirements
  • SOX: 7yrs
  • PCI: 1yr
  • GLBA: 6yrs
  • EU DR Directive: 2yrs
  • Basel II: 7yrs
  • HIPAA: 6/7yrs
• Compliance requirements
  • More logging
  • More types of devices
  • Higher volumes of log data
  • Extensive reporting requirements
  • Broader user access
  • Long term retention requirements
  • Audit quality data

What can effective log management do for me?

• Self-managing & scalable
• Automated & cost-effective audits
• IT Operations SLA Efficiency
• Compliance
• Simplified Forensic Investigations

Best Practices – NIST 800-92

• Common log management problems
  • Poor tools and training for staff
  • Laborious and boring
  • Reactive analysis reduces the value of logs
  • Slow response
• Solutions
  • Establish log management policies & procedures
  • Prioritize log management appropriately
  • Create and maintain a secure log management infrastructure
  • Provide proper support for all staff with log management responsibilities
  • Establish standard log management processes for system-level admins
• The directive to only log and analyze data this is of the greatest importance helps provide sanity to the logging process
• Collecting and storing all data regardless of its usefulness increases complexity and deployment costs
• Secure storage and transmission guideline directly points to the importance of secure and robust capture, transmission and storage of logs
• Organizations should carefully review the collection architecture, transmission security and access control capabilities of SEM solutions to ensure support of this section of the standard
• Filtering and aggregation are recommended as a means to only capture logs of security and compliance value based on the corporate retention policy
• Guideline helps organizations support a “reasonableness” position in not collecting useless log data

Developing a Log Management Program

• Understand your log management needs (regulatory and operational requirements)
• Review NIST 800-92
• Understand your environment
  • Lots devices to collect logs from
  • Multiple locations with no IT staff
  • Collection agents are not an option
  • Network time settings
  • Low bandwith links
• Devices
  • Firewalls/VPN
  • IDS/IPS
  • Servers and desktop OS
  • Network equipment
  • Vulnerability assessment
  • Anti-virus
  • Applications
  • DBs
  • Physical infrastructure
• Establish prioritized log management policies & procedures

Log Management Checklist

1. Scalable architecture
2. Minimal footprint at remote sites
3. Transaction assurance
4. Audit and litigation quality data
5. Universal event collection
6. Ease of manageability
7. ….

Step 1: Exploit Overachievers

• Maximize value by using free tools
• OWASP (Open Web Application Security Project)
• WASC (Web Application Security Consortium)

Step 2: Learn

• Security is not an arcane art reserved for people with a special gift.  It’s campfire knowledge.
  • Assess your security posture regularly
  • Do not neglect any aspect of your security; bad guys don’t (Social Engineering, Internal Network, Firewall, Web Apps, etc)

Step 3: Chase Your Tail

• Remember where you started
  • Free tools can provide extreme amounts of value
    • OWASP (Eg: OWASP Testing Guide)
    • WASC
  • There is no magic to security

Tools Needed

• Web Developer Toolbar
  • POST to GET
  • Response headers
• NoScript or QuickJava

Estimating Vulnerabilities

• Site Age – Care & Feeding
  • “Copyright 2003”
  • Alexa
  • Archive.org
  • Whois
  • Last modified date
  • Old server + modules version #’s
• 2-3 years (2), 3-5 years (3), 5-10 years (4), 10+ (5)
• Programming Language
  • .cfm (1)
  • AJAX (1)
  • .do/.jsp (1)
  • .cgi/.pl/.shtml (2)
  • .asp (2)
  • .php (2)
  • .aspx/.jspx/.html (0)
  • Languages + Demographics theory
• Size of the Site Logic Complexity
  • Surf around manually
    • Sitemap
  • Google inurl: search
  • Spider (added download + added time)
  • Small (0), Medium – typical retailer (1), Large – Yahoo (3)
• Search
  • XSS tests (1)
    • “Company”
    • I <3 U
  • SQL injection (1)
    • O’Malley
  • DoS (.5)
    • a AND b AND c …
• Registration
  • Does it exist?  Yes (1)
  • Email validation and/or CAPTCHA (1-2)
  • Password complexity? (1)
  • Can you choose “admin” as a username? (1)
• Security Functions
  • Does change password enforce password complexity rules
  • Does change password require the existing password
  • Can you change email address without a password
  • Can emails be changed without validating them
  • Are secret questions “strong”
• Contact forms
  • Do they have an email address in a hidden field (1)
  • Submit a blank contact
    • Does it work without an error (1)
  • With and without JavaScript
    • Does it say “Thanks” without JS but errors when JS is turned on (1)
  • Can users contact other users on the site (Eg: Private message) (2)
• Login
  • Does it use SSL (1)
  • Does it allow auto complete (1)
  • Does it stop me from being able to type failed logins (3)
    • Horizontal, Vertical, & Diagonal Brute Force attacks
  • Can you switch POST to GET (1)
    • Session fixation
    • CSRF (1 per major site function, EG: change password, change secret question, change email address, etc)
  • Does it auto-logout (1)
  • javascript:alert(document.cookie) (1)
• Forgot password flow
  • Does it send the plaintext password (1)
  • Does it send a “small” key (1) – 20 bits or less
  • Does it tell you if your username is valid or not (.5)
• File Upload
  • Does it check file extensions (.5)
  • Does it check file types (.5)
  • Does it allow re-displaying of the file (1)
• HTML/JS/CSS Comments
  • Intranet IPs/addresses (.5)
  • Passwords (1)
  • Functionality comments (.5)
• URL Structure
  • function?path=/files/file.asp (1)
  • something?id=104 (1)
  • search?q=bob&charset=UTF-8 (1)
    • alternate charset
    • header injection
  • redir?url=http://www.cnn.com/ (.5)
  • chngpasswd?usr=bob&pass=1234 (2)
  • /images/ If it shows a directory (1)
• Obvious admin interfaces (2)
  • /admin/
  • /blog/wp-admin/
  • /administrator/
  • /adm/
  • admin.url.com
• Outdated Open Source or Commercial Programs
  • PHP nuke
  • WordPress
  • Drupal
  • 3/instance
  • +1 for every major revision out of date
• Other questions
  • Does it allow rich HTML user comments (1)
  • Does it have a send-to-friend function (1)
  • Virtual host? (MSN IP search) (1)

Things this doesn’t cover

• Timing attacks, buffer overflows, etc
• Network infrastructure flaws (including DNS)
• Predictable file locations (VCS trees, etc)
• Logic flaws
• Backup files/folders/CVS trees, etc
• Alternate paths of exploitation (email, FTP, APIs, etc)

• CEO of Intrepidus Group
• Adjunct Professor at Carnegie Mellon University
• Frequent speaker at BlackHat, OWASP, MISTI, Hack in the Box
• Phishing: The act of electronically luring a user into surrendering private information that will be used for identity theft or conducting an act that will compromise the victim’s computer system.
• Example of spear fishing used for pump-and-dump scam
• Example of spear fishing used to download a Trojan, crack the admin password, and create domain administrator accounts on a windows server.
• Have a service called fishme.com that is used to run mock attacks against companies.
• 23% +/- 3% are susceptible to phishing attacks based on surveying on fishme.com
• Convincing people to click via authority works better than reward
• People are more “click happy” on a Friday afternoon
• Use an existing website that’s vulnerable to XSS or create a fake SSL certificate