Saturday, March 30, 2013

(Book) Carrier-Scale IP Networks: Designing and Operating Internet Networks


This book is pretty old: written in 2001, it talks about the situation more than 10 years ago! However, I find there has been no change in requirements in terms of Network Security for an IP carrier.

(1.2.4) Network Security

  • Make the components of the network secure from attack --- this is done by ensuring that only identified management systems have access to the management interfaces of network components; there may be capabilities which equipment vendors put in certain items of network equipment to make them easier to manage in a secure enterprise environment, but which are not suitable for an insecure public Internet environment --- these capabilities must therefore be turned off. (now so-called port security and back doors)

  • Detecting an attack --- heuristic methods can be used to determine the differences between the legitimate attempts by network management people to access equipment and those by attackers; similarly, heuristic methods can be used to determine if equipment is being attacked, by scrutiny of appropriate logs of the equipment's activities. (now so-called threat detection, like anti-DDoS)

  • Knowing your own vulnerabilities --- network equipment can be checked by security-checking software to test for vulnerabilities; network operators should also ensure that their equipment vendors notify them of bugs that might affect security. (what we now call vulnerability assessment)

  • Controlling management access rights carefully --- as a network might be attacked by an insider, it is important not to grant access rights to everybody in network operations, but only sufficient rights to each individual to enable that person to perform their identified role; it is also important that, as individuals change jobs or leave network operations, their management rights are changed or revoked in a timely manner. (now so-called segregation of duties)

  • Shutting off attackers --- have plans to deal with attackers, e.g. by ensuring that an attacker can be cut off to prevent them doing any more damage; this may require co-ordination with other networks or agencies. (now so-called clean pipe)

  • Undoing an attacker's damage --- configuration management systems are required that can restore the network configuration in the event that the attacker has managed to change the configuration. (now so-called configuration management)
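The first two bullets (management interfaces reachable only from identified management systems, and heuristics over equipment logs to tell operators from attackers) can be turned into a small log check. This is an added example, not from the book; the log lines are constructed in SSH-daemon style, and the management-host set and failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a router's SSH management log
# (not real data): one guessing source and one login from an unidentified host.
SAMPLE_LOG = """\
Mar 30 10:01:02 core-rtr1 sshd: Accepted password for netops from 10.20.0.5 port 51022
Mar 30 10:03:14 core-rtr1 sshd: Failed password for admin from 203.0.113.9 port 40011
Mar 30 10:03:15 core-rtr1 sshd: Failed password for admin from 203.0.113.9 port 40012
Mar 30 10:03:16 core-rtr1 sshd: Failed password for root from 203.0.113.9 port 40013
Mar 30 10:03:17 core-rtr1 sshd: Failed password for admin from 203.0.113.9 port 40014
Mar 30 10:05:40 core-rtr1 sshd: Accepted password for admin from 198.51.100.77 port 22011
Mar 30 10:09:01 core-rtr1 sshd: Accepted publickey for netops from 10.20.0.6 port 51100
"""

# Assumption: these are the operator's identified management systems.
MGMT_HOSTS = {"10.20.0.5", "10.20.0.6"}
FAILURE_THRESHOLD = 3  # assumed heuristic: this many failures from one source = guessing

LINE_RE = re.compile(
    r"sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def analyse_management_log(log_text, mgmt_hosts=MGMT_HOSTS, threshold=FAILURE_THRESHOLD):
    """Apply two simple heuristics to management-plane log lines and return alerts.

    1. A successful login from a source that is not an identified management
       system is suspicious even when the credentials were valid.
    2. Repeated failed logins from one source indicate password guessing.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event; ignore
        src, result, user = m.group("src"), m.group("result"), m.group("user")
        if result == "Accepted" and src not in mgmt_hosts:
            alerts.append({"kind": "login_from_unidentified_host", "src": src, "detail": user})
        elif result == "Failed":
            failures[src] += 1
    for src, count in failures.items():
        if count >= threshold:
            alerts.append({"kind": "password_guessing", "src": src, "detail": count})
    return alerts


if __name__ == "__main__":
    for alert in analyse_management_log(SAMPLE_LOG):
        print(alert)
```

In practice the allowlist check belongs on the device itself (management ACLs), and the log heuristic is the second line that catches what the ACL missed.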

Find this book on Google: http://books.google.com.hk/books?id=5BbTeaFGOIIC&hl=zh-TW

Sunday, March 24, 2013

(Demo) Ethical Hacking - Web Parameter Tampering

It can be fun and effective to show a simple but interesting hacking demo while discussing application security with clients, to show how easy it is, and how serious the results could be.

One of the recommended "simple demos" is Web Parameter Tampering on a payment gateway.

Scenario:
- When people are going to pay for an item online, it is not difficult to change the price (the so-called "Web Parameter") with the assistance of hacking tools.
- There are easy tools for Web Parameter Tampering. I take TamperIE as an example.

Tool: TamperIE (Download: http://www.bayden.com/tamperie/)

Demo site for a "successful" tampering:

I would suggest you go through the above demo site first.

Here I "test" this with an online shop... Let's see if I could succeed.


Important Note: I do not engage in hacking as a habit, but to share with the public how a bad guy would perform hacking. Through this exercise, the good guy understands how bad guys act, and tries a different way to give the bad guy a hard time.


#1 - I (a bad guy) would like to purchase a blouse online; however, I think $45 is too expensive for me.

#2 Once I click "pay now", my pre-installed parameter tampering tool pops up and shows me the parameters on this webpage. Price is one of them, as highlighted.

#3 $49 + $30 shipping. Total $79. Too expensive for me! So I change the price to $9 with the tool.

#4 However... The website is smart enough to detect the change of a parameter (the price).

#5 How does Taobao detect this? We can see a parameter "SecStrNoCCode", which is believed to be a hash of the page and is used to check for changes of web parameters from page to page. Any change of a parameter would produce a different hash. My best guess at the full meaning of this name is "Security String No Change of Code".
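One way a merchant can implement the kind of check the post infers from SecStrNoCCode: the server signs the price fields with a keyed hash and re-verifies them at the payment step, so a price changed in the browser is rejected. This is an added example, not Taobao's code and not from the original post; the secret, the field names and the `sec_str` token name are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: a secret known only to the server, never sent to the browser.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Fields that must arrive at the payment step unchanged.
PROTECTED_FIELDS = ("item_id", "price", "shipping", "total")
TOKEN_FIELD = "sec_str"  # hypothetical name standing in for Taobao's SecStrNoCCode


def sign_params(params, secret=SERVER_SECRET):
    """HMAC-SHA256 over the protected fields in a fixed order (a missing field counts as empty)."""
    canonical = urlencode([(k, params.get(k, "")) for k in PROTECTED_FIELDS])
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def render_checkout(params, secret=SERVER_SECRET):
    """Server, page 1: the form fields plus the integrity token the browser must echo back."""
    form = dict(params)
    form[TOKEN_FIELD] = sign_params(params, secret)
    return form


def verify_checkout(submitted, secret=SERVER_SECRET):
    """Server, page 2: recompute the token from what was submitted; compare in constant time."""
    presented = submitted.get(TOKEN_FIELD, "")
    return hmac.compare_digest(presented, sign_params(submitted, secret))


def demo():
    """Replay the post's scenario: an honest submit passes, price 49 -> 9 fails."""
    page = render_checkout({"item_id": "blouse-1", "price": "49", "shipping": "30", "total": "79"})
    tampered = dict(page, price="9", total="39")  # what the tampering tool would send
    return verify_checkout(page), verify_checkout(tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Binding the session id into the signed fields as well stops a valid token from one checkout being replayed on another; and the price should still be re-read from the catalogue server-side before charging.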
 


Sunday, March 17, 2013

(My Note) Security Solutions Catalog

10 years ago, security used to be = firewall (gateway) and anti-virus (end point).

Then a few years later, some enterprises thought about IPS.

If your company had a website providing corporate information only, then you didn't have to be concerned about the data / server side... except website defacement prevention (maybe).

As a security sales person who wanted to sell more? What about those anti-spam solutions on email services.

But today's enterprise...
- More companies understand the business benefits that the Internet brings, for example:
- "Cloud" provides an instant service without a huge first-time investment, which brings security and data privacy concerns
- BYOD allows the company to leverage staff mobility, and again this also means a rapidly growing number of insecure "doors" (mobile devices) which make hackers' lives easier.
- More security devices in a company means more difficult operation and monitoring
- etc.

Security is getting more complicated, not only for my clients, but for me as well. :P

I always keep a so-called "security solution catalog" in my mind, as below. This helps my security discussion (selling) with clients. More than that, it helps me to classify and position different solutions in my security solution portfolio. This is so far the easiest way for my poor memory.



Thursday, February 28, 2013

TrustGo - Android Apps Scan for Security

From an article regarding secure mobile devices, I read about TrustGo Antivirus & Mobile Security, which offers a great mix of security features and tools for optimizing your device's performance.
TrustGo is an award-winning Android security app, and it is completely free. I put both AVG and TrustGo on my Android phone. They have worked well so far.

TrustGo scans for harmful apps.

Oops... one suspect app is found.

Uninstall it, and scanning finishes.

The following shows permissions (e.g., location tracking, contacts access, etc.) acquired by apps. In this example, 24 apps on my Android phone track my location. Watch out!

There are still some other useful security tools. Enjoy!


Thursday, February 14, 2013

Penetration Test for Enterprise Data Loss

An enterprise suspects leakage of confidential information to competitors, because of frequent bid losses recently. Senior management would like an external party (a security service provider) to find out whether there exist possible channels through which internal or external hackers leak or sniff bid information.

What should be involved in a Penetration Test for Data Loss Prevention:

1. Define the Objectives of the Penetration Test

- What area is going to be evaluated? (DLP, etc.)
- What is required to be found out? (Vulnerabilities, Risks, Recommendations)

2. Define the Scope of the Penetration Test (i.e. the Investigation Focus)
The service provider had better spend most of its effort on this part in the early phase of the project.

- What is being investigated? ...data loss (DL) in this case
    (DL via email, **
     DL via removable media,
     DL via other services (e.g. Web Portal, File Server to external),
     DL via physical access,
     DL via network-level attack)

- Taking DLP via Email as an example, analyse what the possible "causes" of data loss are
   (Human Factors - e.g., user mistakes or being under social engineering attack,
    Under Password Attack - e.g., brute force attack,
    Machine Remotely Controlled - e.g., PC or server being controlled and the email box can be easily accessed,
    Login Credential Sniffed - e.g., by sniffing on the network,
    etc.)

- Not all the causes can be proved/tried in the pentest, especially when limited budget or resources are available. Work should proceed according to priorities. For example, the enterprise would focus on "Machine Remotely Controlled" and "Login Credential Sniffed"; this could be because these are usually the high-risk areas that the service provider/enterprise has experienced.

- The service provider will plan the pentest by assuming the role of the possible internal/external hackers who steal data by (A) "remote control of the target machine (email server in this example)" and (B) "sniffing (email) login credentials".

3. State Assumptions

State the roles and responsibilities of the service provider and the enterprise, and what is excluded, which could otherwise become controversial.

4. Standards and Guidelines that the pentest follows

(for example)
- White Hat. Inc
- ISO 17799

5. Explain the Methodology

(as from an open standard or the service provider's usual practice.)

6. Zero Knowledge Pentest (step-by-step what to do)
- Target services (Email, WebMail, some other important related services)
- Netcraft search of the web by domain
- DNS Whois query
- Domain lookup
- Traceroute
- ICMP traffic test
- Sifting contents by server and by Google
- SSL server certificates
- Identified services
- Email OWA password guessing
- Identified vulnerabilities

7. Internal Vulnerability Assessment (step-by-step what to do)
(for example, if focusing on the wireless network...)
- Wireless access points
- Devices connected to the wireless network
- Vulnerabilities identified in access points and end-point devices

8. Recommendations
bla bla bla based on the findings... :)
~~~~~

Again, the above is not a complete security review on DL. Instead, this exercise is a pentest against certain high-risk DL areas, like possibly infected email and important servers, wireless access points, and the endpoint devices connected to the access points, etc.

Monday, February 4, 2013

End Point Protection @HK$200, Good for SME

An SME's IT management should be planned in a simple manner, with no complication. This is because of the flatter personnel structure involved, as well as the very limited resources of most SMEs' IT support.

For an SME IT Manager who is looking for End Point Protection (DLP, port control, encryption, but no anti-virus), I would recommend starting straight away with GFI.

Price for reference: (for about 200 end points in an SME)
     US$27  Perpetual + 1 year subscription per node
     US$4.5 Renewal of 1 year subscription per node

Deployment is simple. Once the management console is installed, nodes connected to the network are auto-detected. In this example, 4 nodes are detected on the network. Then the agent starts to be remotely installed onto each node. Only AMICEWON is installed in this example, because I don't have admin rights to the other nodes.
So, make sure you have admin rights to each node before you can make things happen.

What you can protect on the targeted computer/notebook:

Device control and security settings:

Alert options:

Friday, February 1, 2013

(My Note) Secure Enterprise Mobility - 4 Areas to Remember

Note for myself ~~ A Secure Enterprise Mobility ~~

It consists of 4 different areas indicated in the diagram (as shared with my clients :D )

(1) Mobile phone "self health"
(2) Secure communication channel from the mobile device to enterprise resources
(3) Authentication, and authorization to the different allowed resources
(4) Mobile device inventory/compliance/loss management ("Mobile device management")

Unfortunately, the possible solutions in the market are not that clear-cut in corresponding to the different areas.

AVG: (1)
AirWatch: (4)
BlueCoat Mobility Security Management: (1) (launched or not? not sure)
Check Point Mobile Access Blade: (2), some (3) and some (4)
Cisco Identity Service Engine: (3)
Good Technology: (2), (3) and (4) (imagine: BlackBerry)
McAfee Enterprise Mobility Management: (1) and (4)
Sophos: (1)

I expect the above list will be significantly changed and longer 1 year later.