January 27, 2014

2.2.6 Implement policies and procedures to prevent data loss or theft

Implement policies and procedures to prevent data loss or theft

There is no “one size fits all” solution to information security. The security controls should be designed to fit the risk and should be backed up by a robust set of policies and procedures and a well-trained user and staff base.

The threat of data loss or theft is a risk to the organization. The organization typically will respond by conducting a risk analysis and then employ appropriate risk management strategies.

A risk analysis is the identification of the risk and planning of a mitigation technique to manage the risk. Risk identification involves a systematic identification of all assets and a cataloging of vulnerabilities and threats against each asset. For example, the company’s Internet facing web site is vulnerable if it is not secured effectively in a DMZ and if the backend database is not stored on a redundant storage array. The associated threats include hackers modifying the web pages and data loss from disk failure.

Vulnerabilities can range from a lack of physical security to inadequate deployment of system and security updates. Threats can include hackers and malicious insiders, system failures, fraud, improper configuration and settings, improper exposure of private information, etc.

After the threat has been identified and analyzed, the next step is to analyze the impact of the threat to the organization. The impact to the organization could include: company reputation, financial, compliance, productivity, revenue, safety, employee morale.

Once the threats have been identified and analyzed for their impact to the organization, the next step is to prioritize the threats based on their impact and probability of occurrence. The loss of specific types of data is more impactful than others; for example, client financial information and other personally identifiable information (PII) should have more stringent protections than posts in a public distribution list.

The next step involves choosing and deploying an appropriate risk mitigation technique to combat the threat, in this case, of data loss or theft. The risk mitigation technique will be based on the impact of the threat and focused on data loss and theft. For example, the ISO/IEC 27001 certification standard provides controls to manage and protect the organization’s valuable information assets.

“ISO/IEC 27001 is a management framework for protection of business-critical information.”

There are protections, screenings and defenses on ingress, i.e. a user entering your organization is challenged with firewalls, anti-virus programs and passwords. Similar measures should be taken on egress. When a user leaves, security controls should be in place to ensure that data is not compromised, including:
  • encryption and passcode – protect the data so that even if it is stolen it cannot be (easily) accessed
  • physical security – employ security guards, security monitors, badges and coded keypad entry
  • secure removable media – laptops, flash drives and other removable media should be secured so they are not used to transport data from the organization inappropriately
  • backup solution – in case of data loss and/or corruption, it is important to have a known good source for restoration
  • training and education – incent users and staff to be part of the solution to data theft and loss prevention

2.2.5 Perform routine audits

Perform routine audits

An audit is a formal and systematic assessment of how closely the organization's policies and procedures are being deployed against the organization’s assets. There are various types of audits including information security and financial audits.

With respect to information security, it is important to perform routine audits periodically in order to maintain a secure environment. An information security audit is the formal review of how the confidentiality, availability and integrity of the organization’s information is secured.

Formal security audits are typically conducted by outside agents with the full permission and cooperation of the organization. Security audits are formal and systematic. The scope of the security audit should be pre-defined and include all assets related to the organization’s information security including:
  • personnel
  • databases
  • email
  • servers
  • cloud
  • passwords
  • storage
  • access control lists
  • security policy
  • network
  • industry and government regulations
  • log files
As the user base and security threats are constantly evolving, security audits should be considered a process (not an event) and should be carried out on a periodic basis. The security auditor’s toolbox includes penetration tests and vulnerability scans, one-on-one interviews, event log reviews, analysis of configuration settings, review of security policy and procedure documents, etc.

2.2.4 User rights and permissions reviews

User rights and permissions reviews

A privilege is a property of an agent, such as a user, while a permission is a property of an object, such as a file. A privilege lets the agent do things that are not ordinarily allowed, while a permission says which agents are permitted to use the object, and what they are permitted to do (e.g. read it, modify it).

A privilege is an ability or activity that a user account is granted permission to perform.
Privileges or rights are something you are allowed to do based on who you are. One or more privileges are bundled together to form a role. A role is a predefined set of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task.
A privilege is a permission to perform an action.

Permissions grant users the right to perform the activities specified by the role on the object to which the role is assigned.

Users are assigned privileges based on their roles or work activities. The principle of least privilege states that people or processes should have the lowest level of user rights necessary to perform a task and they should retain those privileges for the shortest necessary period.

Privilege escalation is the malicious acquisition or exercise of higher privilege levels than was intended for the user or application. Privilege escalation is a security violation and is enabled by a flaw in the policy, configuration, service or application and can occur when administrators fail to audit assigned privileges.

Administrators and security personnel should audit overall organizational policies and procedures as well as the assignment and use of privileges by individual users and groups. “Knowing what users are doing and how often they do it may assist administrators in assigning and managing privileges.”††

Auditing is the process of ensuring that an organization’s security policies are implemented effectively and consistently and, where they are not, that corrective measures can be taken. For audits to be effective, they require the cooperation of various departments in the organization. For example, the human resources department should proactively inform the information security department when employees leave the organization or change jobs or roles.

User, group and role management involves understanding the rights, privileges and users required to complete specific work tasks and monitoring these over time to ensure that the right users maintain the right privileges for their specific roles. As users change roles, or leave the organization, their privileges and permissions must be adjusted promptly.

For audits to be effective, they should be done periodically and should cover areas such as:
  • Privileges – to ensure that accounts and roles are assigned and followed appropriately
  • Escalation – ensure that the process of gaining privileges is not compromised
  • Usage – ensure that system resources are used commensurate with the organization’s policies
  • Administration – involves documenting policies and procedures, tracking assets and responsibilities and managing event log files.
The output of an audit should include an outline of the findings listing and explaining any violations and should make recommendations for improvement.
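
Part of such a review can be automated. The following is an added example, not code from the original post: it compares each account's privileges with the role HR has on record and lists violations with a recommendation. The role names, privilege names, accounts and HR roster are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: a role is a predefined bundle of privileges.
ROLES = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"read_db", "write_db", "backup_db"},
    "developer": {"read_repo", "write_repo"},
}

# Constructed HR roster: current role per person, None once they have left.
HR_ROSTER = {"alice": "dba", "bob": "helpdesk", "carol": "developer", "dave": None}


@dataclass
class Account:
    user: str
    enabled: bool
    privileges: set = field(default_factory=set)


ACCOUNTS = [
    Account("alice", True, {"read_db", "write_db", "backup_db"}),
    Account("bob", True, {"reset_password", "read_tickets", "write_db"}),  # kept from an old job
    Account("carol", True, {"read_repo"}),
    Account("dave", True, {"read_repo", "write_repo"}),  # departed, never disabled
    Account("svc_legacy", True, {"backup_db"}),  # nobody on the roster owns it
    Account("erin", False, {"read_tickets"}),  # disabled: no finding
]

RECOMMENDATION = {
    "EXCESS_PRIVILEGE": "revoke privileges outside the assigned role",
    "DEPARTED_ACTIVE": "disable the account and revoke its privileges",
    "NOT_IN_ROSTER": "assign an owner or disable the account",
    "UNKNOWN_ROLE": "map the person to a defined role",
}


def review(accounts, roster, roles):
    """Return (user, finding, privileges) tuples for accounts that break least privilege."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot exercise its privileges
        held = sorted(acct.privileges)
        if acct.user not in roster:
            findings.append((acct.user, "NOT_IN_ROSTER", held))
        elif roster[acct.user] is None:
            findings.append((acct.user, "DEPARTED_ACTIVE", held))
        elif roster[acct.user] not in roles:
            findings.append((acct.user, "UNKNOWN_ROLE", held))
        else:
            # Anything held beyond the role's bundle is more than the task needs.
            excess = acct.privileges - roles[roster[acct.user]]
            if excess:
                findings.append((acct.user, "EXCESS_PRIVILEGE", sorted(excess)))
    return findings


def report(findings):
    """Render findings as an outline: violation, affected privileges, recommendation."""
    return "\n".join(
        f"{user}: {kind} [{', '.join(privs)}] -> {RECOMMENDATION[kind]}"
        for user, kind, privs in findings
    )


if __name__ == "__main__":
    print(report(review(ACCOUNTS, HR_ROSTER, ROLES)))
```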

User education is an important component to effective user and privilege management. Users should be familiar both with the security policy and the resulting risk to the organization if the policy is not implemented effectively.

2.2.1 Implement security controls based on risk

Implement security controls based on risk

Assets like data have intrinsic value and as such an associated risk of misuse. Misuse in this case is a euphemism for falling into the wrong hands, lost, fraudulently modified, etc. Security controls are the measures that can be taken to protect assets from misuse. Risk is the potential that a specific action (or lack of action) will lead to a loss; where “loss” is an undesirable outcome.

Where the risk is low, security controls aimed at protecting the asset can be minimal. Where the risk is high, security control measures should be elevated appropriately. The organization will decide what measures or security controls to implement based on likelihood of risk. The controls the organization will undertake can range from minimal to elevated. Depending on the cost of mitigating the risk, the organization can decide to follow one of the following risk management approaches:
  • Risk Acceptance – is being fully aware of the risk and its effects and deliberately choosing to do nothing about it
  • Risk Avoidance – an informed decision to deviate from actions that could lead to the risk
  • Risk Mitigation – accomplished anytime you take steps to reduce the risk
  • Risk Deterrence – adopting policies and procedures that deploy consequences for the attacker
  • Risk Transference – risk mitigation through a partnership
In risk acceptance, if the cost of mitigation exceeds the cost of the asset or resulting harm, then a cost/benefit risk calculation could be undertaken that informs the organization to accept the risk and do nothing.

Risk calculation or risk analysis deals with threats, vulnerabilities, and the impact of a loss. Even after a risk calculation has been done and the appropriate security controls have been implemented, it is advisable to conduct an audit of the risk.

A risk calculation weighs the potential threat against the likelihood of the threat occurring. A risk calculation identifies both the asset you want to protect and the threat or potential harm to the asset. An example of such a calculation likely kept the EMV chip technology (known as Chip and PIN in the United Kingdom) off of credit cards in the US. Credit cards with the embedded chips are more secure than those with magnetic stripes; however, they are also more costly to produce. Until the potential threat (e.g. liability of stolen credit card numbers) exceeded the cost of conversion, the conversion did not make sense.

January 09, 2014

3.2.18 Client-Side Attacks

Client-side attacks

Because that’s where the money is. – Quote apocryphally attributed to bank robber Willie Sutton when asked why he robbed banks.

People create structures to provide security from attack for their persons and property. As with most security mechanisms, it becomes an “arms race”; the attacker devising increasingly sophisticated measures to penetrate the defense and the defenders improving their security profile to repel the penetration attempts.

Nomadic humans first formed camps as a way to leverage resources and protect each other from attacks by marauders and other hostile forces. As the attacks against the camps became more sophisticated, the protections evolved to repel the threat. The camps evolved into forts, forts became castles, castles grew into fortified towns, etc. At each stage, the strength of the fortification became a deterrent to the attacker, who then cast about for more effective penetration techniques or an easier target.

In computing, the server is the fortified structure created to serve and protect data and services. As the target of attacks, it may be initially vulnerable, however it eventually improves defenses enough that most attackers begin looking for easier targets.

Using a castle analogy, if one cannot breach the castle walls to plunder its resources, the next best thing is to intercept it before it reaches the castle. This is the equivalent of the client-side attack.

As server-side resources, i.e. resources stored on the server, become increasingly difficult to access due to improved processes and security advances, malicious users instead direct their attacks against the less well-defended client devices and applications. I.e. they moved from attacking the server to attacking the client.

[Figure: An Exaggerated View of Server-Side & Client-Side Security]

A client can be a standard web browser such as Internet Explorer or Google Chrome or it can be an embedded browser object in an application such as an email client, media players, e-book reader, etc.

Servers are juicier targets for the malicious user as they contain the data sought by the malicious user and because servers are naturally designed to make information available to users.

Web servers, database servers, mail servers, streaming video servers, etc. all contain data they want to make available to users. The trick is to increase the defenses of the server enough that the strategic value of the data is less than the cost of measures needed to penetrate it.

Servers are improving their defenses, encouraging attackers to turn increasingly to client-side attacks.

Two reasons why client applications are more inviting targets for attackers include:
  • Clients generally undergo less rigorous security testing than server applications
  • Clients are more difficult to patch due to the diverse range of client versions, owners and environments
Executing code at the client, such as by embedding JavaScript in HTML pages, makes dynamic and interesting content possible. An example is the page interactivity possible in Google Maps. However these capabilities add complexity and introduce the potential for security vulnerabilities into the application.

“Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into contents of a website not under the attacker's control. When a victim views such a page, the injected code executes in the victim's browser.”‡

Cross-site scripting or XSS is a type of client-side attack. XSS takes advantage of interactions between the client and server to exploit any resulting vulnerabilities.

What does the “cross-site” in cross-site scripting mean? A good explanation is the one from apache.org, “It was coined earlier on when the problem was less understood, and it stuck.”

Cross-Site Scripting is an attack technique that embeds malicious code into a user’s browser instance. When the malicious code is triggered, it executes on the client-side (i.e. in the user’s browser) and is generally used to add, modify or delete data. The malicious code can be in one of various script languages including Java, JavaScript, VBScript, ActiveX.

When running in the local browser instance, the malicious code has the privileges of the user; as such, it has the ability to access and modify potentially sensitive local user data. Via XSS a malicious user can take control of the session between the browser and a website, and access sensitive data or redirect the browser to a malicious web site.

Categories of XSS

There are several recognized categories of XSS attacks including: Stored XSS, Reflected XSS, Cross Site Request Forgery (CSRF), Cross-Site Tracing (XST) and DOM-based XSS. In this article we will look at Stored and Reflected XSS.

XSS vulnerability is introduced when a web site accepts input from the client without first validating that the data is “clean”, i.e. in the format it was expecting and also when the web site outputs data to the web client without sanitizing it, i.e. removing or masking any potentially dangerous code.

When an attacker discovers a server that is not validating or sanitizing data, it will send the server malicious data, e.g. by filling out a form with input that is a script instead of simply text. Since the server is not doing input validation, it either incorrectly stores the script in its database where it gets executed by the next user accessing the database or it gets reflected back to the browser.

Stored XSS Attacks – are those where the code to exploit the vulnerability is permanently stored on the target servers (typically in a database) and can be retrieved to create pages sent to any user visiting the site. The victim retrieves the injected script from the server when it requests the stored information.

Forums and blogs that allow the use of HTML and that store information in databases are potentially vulnerable to this form of exploit. Protecting against stored XSS exploits involves input validation and output sanitization, i.e. translating the elements such that they will not be interpreted by the browser as code.

Stored Cross-Site Scripting is also known as Persistent Cross-Site Scripting.

Reflected XSS Attacks – are those where the attack is in the request itself and the vulnerability occurs when data submitted by the client is processed by the server and sent back (reflected) to the browser without first being properly encoded or sanitized. The Reflected XSS attack begins when a victim visits a URL with the embedded malicious script. The malicious URL can be distributed in the form of an email sent by the attacker. An exploit is successful when the:
  • victim loads the malicious code in his/her browser
  • code gets sent to the server listed in the URL
  • server “reflects” the malicious code back to the browser embedded in the response, (such as an error message or search result)
  • browser dutifully renders the malicious code (as it came from a “trusted” web site)
  • malicious code does its work
Step #0 of this exploit is finding a web server that processes raw HTML on input without scrubbing or filtering and on output without encoding or sanitization.


XSS exploits can perform various malicious activities for the attacker, including:
  • steal information in script variables
  • set or read information in cookies
  • send requests to a server as the user
  • redirect to another site
  • modify displayed content
  • send captured data to another site
  • log keystrokes, capture camera data, etc.
Unlike with Stored XSS where the malicious code is persistently stored on the server and activated by any visitor to that page, the Reflected XSS is commonly delivered via phishing attacks or via a compromised web site.

The attacker may attempt to evade detection by encoding portions of the malicious script in hexadecimal characters, making it less like a script and less suspicious.

A Cross-Site Scripting (XSS) vulnerability arises when Web applications take data from users and dynamically include it in Web pages without first properly validating the data.†

Minimizing the vulnerability of Stored and Reflected XSS involves following good web coding practices such as validating, filtering or scrubbing input at the server-side and sanitizing or encoding output before execution at the browser-side. If input data is not validated, malicious script can be inserted into the page that is sent back to the browser where it runs in a trusted context.
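
The validation and output-encoding defense described above, as an added example that is not code from the original article: a constructed search handler that reflects input unchanged, beside a hardened version, with a hex-encoded input showing why a filter on the raw request is not enough. The function names, the allowed-character rule and the sample inputs are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumed rule for a search field: word characters, spaces, a little punctuation.
ALLOWED_QUERY = re.compile(r"[\w .,'-]{1,64}")

# Constructed test inputs: the same harmless marker script, plain and hex-encoded.
PLAIN_INPUT = "<script>alert(1)</script>"
ENCODED_INPUT = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def render_results_vulnerable(raw_query: str) -> str:
    """Reflects client input into the page without validation or encoding."""
    return f"<p>No results for {unquote(raw_query)}</p>"


def naive_blacklist_ok(raw_query: str) -> bool:
    """A filter on the raw request; it never sees what the browser will see."""
    return "<script" not in raw_query.lower()


def canonicalize(raw_query: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so validation runs on
    the text that would actually be rendered."""
    value = raw_query
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input is encoded too many times")


def validate_query(raw_query: str) -> str:
    """Input validation: accept only the expected format, reject everything else."""
    value = canonicalize(raw_query)
    if not ALLOWED_QUERY.fullmatch(value):
        raise ValueError("query contains characters outside the allowed set")
    return value


def render_results_hardened(raw_query: str) -> str:
    """Reflected case: validate on input, then encode on output."""
    try:
        query = validate_query(raw_query)
    except ValueError:
        return "<p>Invalid search query.</p>"  # echo nothing back
    return f"<p>No results for {html.escape(query, quote=True)}</p>"


def render_comment_hardened(stored_comment: str) -> str:
    """Stored case: whatever reached the database, encode it when building the
    page so the browser shows it as text instead of running it."""
    return f'<div class="comment">{html.escape(stored_comment, quote=True)}</div>'


if __name__ == "__main__":
    print(naive_blacklist_ok(ENCODED_INPUT))
    print(render_results_vulnerable(ENCODED_INPUT))
    print(render_results_hardened(ENCODED_INPUT))
    print(render_comment_hardened(PLAIN_INPUT))
```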


January 06, 2014

3.2.15 Malicious Insider Threat

Malicious insider threat

We have met the enemy and he is us. – Walter Crawford Kelly, Jr.

IT security professionals and laypeople alike are aware of IT security threats posed by external forces such as hackers, malware, denial of service attacks, etc. Systems and policies to mitigate these “outsider” security threats such as firewalls, intrusion detection and prevention systems, antivirus software, etc. are well defined. However these security mitigation efforts are largely ineffective against what several studies have recognized as a significant threat to an organization’s security profile, the malicious insider.


[Figure: Electronic Crimes most costly or damaging to an organization]

Bob Bragdon, VP and publisher, CSO, puts it this way: “Cyber threats can come from outside and inside the organization. Public awareness has been largely focused on the more sensational successful cyber espionage attacks from nation-states, but the fact is insiders with malicious intent also pose a great security risk.”

Insiders necessarily have legitimate access to internal resources and are familiar with the organization's security controls for protecting them. A malicious insider is a current or former employee, contractor, or business associate who has or has had authorized access to an organization’s resources and has (incidentally or intentionally) misappropriated that access in a way that negatively impacts the confidentiality, integrity and availability of the organization’s resources.

According to research by CERT, the malicious insider is motivated in many cases by revenge and greed and as such his or her activities will include sabotage of computer systems, extortion, theft of Intellectual Property and exposure of private information.

Most Common Insider Cyber Incident

| Incident | Percentage |
|---|---|
| Unintentional exposure of private or sensitive data | 34% |
| Theft of intellectual property (IP) | 34% |
| Theft of other (proprietary) info including customer records, financial records, etc. | 31% |
| Unauthorized access to/use of information, systems or networks | 30% |

Source: 2013 US State of Cybercrime Survey

Malicious insider threats are difficult to defend against since the insider has intimate knowledge of security controls and methods to bypass them. The scope of the impact of malicious insider threats may be underreported and likely underappreciated. The following table from a 2006 survey highlights how over 400 organizations handled both insider and outsider threats: ‡‡

| | Insider | Outsider |
|---|---|---|
| Handled internally without involving legal action or law enforcement | 72% | 75% |
| Handled internally with legal action | 13% | 6% |
| Handled externally by notifying law enforcement | 14% | 18% |
| Handled externally by filing a civil action | 2% | 1% |

At the 2013 RSA Conference in San Francisco, Patrick Reidy of the Federal Bureau of Investigation (FBI) shared five lessons learned for security practitioners based on the FBI’s experience investigating malicious insider threats.
  • Insider threats are not hackers.
    • The Insider Threat Study in 2008 by CERT and the National Threat Assessment Center (NTAC) describes several key findings:††
      • A specific event or series of events triggered most insiders’ actions.
      • Revenge was reported as the main motive in just over half the cases.
      • Frequently reported goals of insider attacks included financial gain, theft of information and sabotage to the organization.
    • The first step to mitigation is gaining an understanding of the motivation of the malicious insider.
  • Insider threat is not a technical or "cybersecurity" issue alone.
    • Mitigating insider threats calls for controls that move beyond IT and include solutions that are people-centric.
    • Successful mitigation strategies look at the interplay between business processes and information technology.
    • “Adopt a multidisciplinary whole threat approach”
  • A good insider threat program should focus on deterrence, not detection
    • Create an environment that makes it “really difficult or uncomfortable to be an insider.”
    • Crowdsource security, i.e. solicit input from the user community on how to improve controls to protect data
  • Avoid the data overload problem
    • Deploy data filters
    • Periodic audits
    • Implement segmentation of duties
  • Use behavioral based techniques for detection of insider threats
    • “Base detection on user’s personal cyber baselines”
    • “The idea is to detect insider bad behavior closer to that tipping point of when a good employee goes rogue.”
The following table describes some differences between insider and outsider threats and points to why insider threats demand special categorization.

Insider vs. Outsider Threats

| Insider | Outsider | Description |
|---|---|---|
| Trusted | Untrusted | Insiders have intimate knowledge and are able to sidestep security measures more easily without raising alarm. |
| Legitimate Access | Unauthorized | Illicit activity by insiders can more easily be masked as authorized because they have legitimate access to the resource. |
| Operational tools | Specialized tools | Relatively low-tech tools can be deployed by insiders as they are already behind the firewall, already know the administrator password, etc. |
| Revenge | Financial | The motivation of the insider is usually less sophisticated, however in many cases, it is also less predictable and more expensive to prevent or detect. |

As in most cases, effective security measures call for a multi-layered approach to security. To mitigate malicious insider threats, in addition to technology-based deterrents such as firewalls, intrusion detection systems and monitoring, behavioral and policy-based deterrents should also be deployed.

Behavioral and policy-based deterrents include tools such as acceptable use policies (AUP), background checks, account management policies and segregation of duties. In a 2006 E-Crime Watch Survey conducted by the United States Secret Service (USSS), the SEI CERT Program, and CSO Magazine, the top five security policies and procedures used by organizations in the survey were:‡‡
  1. Account/password management policies
  2. Acceptable use policy/ Formal “inappropriate use” policy
  3. Employee/contractor background check
  4. Employee education & awareness programs
  5. Conduct regular security audits
Here are some best practice considerations suggested by various security principles:
  • Monitor how users interact with information
    • Establish a baseline of normal user behavior with respect to data and resource usage, conduct trending analysis and alert on deviations from baseline with respect to data movement, channels and usage.
    • Log, monitor, and audit employee online actions
  • Anticipate and manage workplace issues across the employee lifecycle
    • Deploy policies and procedures designed to monitor, manage and respond to disruptive and suspicious behavior.
    • Deactivate computer access following termination
  • Implement comprehensive and consistent information controls to minimize data exfiltration
    • Require accountability regardless of endpoint (e.g. desktop, tablet, smartphone)
    • Employ controls across all information states (at rest, in motion, and in use) and across all endpoints (network, tablet, desktop, smartphone, etc.)
    • Understand, monitor and lock down all exit points for data, e.g. wireless, removable media, fax/printers, social media, FTP, etc.
    • Implement secure backup and recovery processes
  • Institute stringent access controls and monitoring policies on privileged users
    • Institutionalize system change controls
    • Centralize security control management for rapid incident identification, analysis, and response
    • Enforce separation of duties and least privilege
    • Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities
    • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions
    • Collect and save data for use in investigations
  • Institute periodic security awareness training for all employees
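
The baseline-and-deviation monitoring recommended above, as an added example that is not from the original post: each user's daily outbound volume is scored against that user's own history. The log format, user names, volumes and thresholds are constructed, and the median/MAD robust score is one choice of statistic among several.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample of daily outbound-transfer records (not real data).
SAMPLE_LOG = """date,user,channel,megabytes
2014-01-01,alice,email,40
2014-01-01,bob,ftp,400
2014-01-02,alice,email,45
2014-01-02,bob,ftp,420
2014-01-03,alice,email,38
2014-01-03,bob,ftp,390
2014-01-04,alice,email,50
2014-01-04,bob,ftp,410
2014-01-05,alice,email,42
2014-01-05,bob,ftp,405
2014-01-06,alice,email,44
2014-01-06,bob,ftp,415
2014-01-07,alice,email,45
2014-01-07,alice,removable_media,255
2014-01-07,bob,ftp,430
"""

MIN_HISTORY = 5     # days of history needed before a user is scored
THRESHOLD = 3.5     # robust score above which a day is reported
MIN_SCALE_MB = 1.0  # floor so a perfectly flat history cannot divide by zero


def daily_totals(log_text):
    """Sum megabytes per user per day across all channels (exit points)."""
    totals = defaultdict(lambda: defaultdict(float))
    for row in csv.DictReader(io.StringIO(log_text)):
        totals[row["user"]][row["date"]] += float(row["megabytes"])
    return totals


def robust_score(value, history):
    """Distance from the user's median, in units of scaled median absolute deviation."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    return (value - med) / max(1.4826 * mad, MIN_SCALE_MB)


def find_deviations(totals):
    """Report days on which a user moved far more data than that user normally does."""
    alerts = []
    for user, days in totals.items():
        history = []
        for date in sorted(days):
            value = days[date]
            if len(history) >= MIN_HISTORY and robust_score(value, history) > THRESHOLD:
                alerts.append((date, user, value))
                continue  # keep reported days out of the baseline
            history.append(value)
    return sorted(alerts)


def fixed_limit_alerts(totals, limit_mb):
    """For contrast: one organization-wide limit applied to everyone."""
    return sorted(
        (date, user, mb)
        for user, days in totals.items()
        for date, mb in days.items()
        if mb > limit_mb
    )


if __name__ == "__main__":
    totals = daily_totals(SAMPLE_LOG)
    print(find_deviations(totals))
    print(fixed_limit_alerts(totals, 350))
```

With the sample data, a single 350 MB limit alerts on every one of bob's ordinary days and never on alice, while the per-user baseline reports only alice's unusual day.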
Related Terms: stochastic forensics

January 04, 2014

3.2.14 Privilege Escalation

Privilege escalation

In the context of computer security, privilege escalation is the malicious acquisition or exercise of escalated access to resources that are normally reserved for administrative or other authorized users or applications.

When applied in an unauthorized way, privilege escalation is a security violation and is enabled by a flaw in the configuration, services, installed software or operating system. It results in a regular user being given more access than was intended by the developer or the administrator.

In November 2013, Microsoft issued a security advisory on a vulnerability that would allow privilege escalation exploits in computers running Windows XP and Windows Server 2003. The security advisory (2914486) reads in part, “The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”

Countermeasures against privilege escalation include implementing good system security practices such as:
  • Review and apply up-to-date system and application patches
  • Remove or protect software that will allow a regular user to create executable applications (e.g. compilers and software installers)
  • Protect system configuration files from access by regular users.
  • Run applications with the lowest privilege required, e.g. if you browse the Internet as root (or administrator), any browser exploits will be run with root or administrator privileges on the system.
  • Conduct periodic security audits of the system
Related terms: horizontal escalation (gaining the privilege of a peer user, with this a regular user can impersonate another regular user) and vertical escalation (gaining the privilege of a higher level user).

The microkernel model computer hardware architecture offers another concept of privilege escalation. In microkernel based operating systems, major system functions such as device drivers, protocol stacks, file systems, etc. are moved out of the kernel, keeping the kernel code to a bare minimum. This reduces the kernel’s attack surface and, as such, its security vulnerability.


Microkernel operating systems are run on hardware that provides multiple protection modes. Here is a model of a 4 privilege level system. The program running in Ring 0 is the most trusted, and has the most access (privileges) to system resources. The program running in Ring 3 is the least trusted and any access to resources must be moderated.

Note: Linux defines two levels of protection:
  • level 0 – includes kernel and device drivers
  • level 3 – includes standard libraries and user programs
Creating multiple protection modes offers fault tolerance and security.