Saturday, March 30, 2013

(Book) Carrier-Scale IP Networks: Designing and Operating Internet Networks


This book is pretty old: written in 2001, it talks about more than 10 years ago! However, I find there is no change in the requirements in terms of network security for an IP carrier.

(1.2.4) Network Security

  • Make the components of the network secure from attack --- this is done by ensuring that only identified management systems have access to the management interfaces of network components; there may be capabilities which equipment vendors put in certain items of network equipment to make them easier to manage in a secure enterprise environment, but which are not suitable for an insecure public Internet environment -- these capabilities must therefore be turned off. (what we now call port security and back doors)

  • Detecting an attack --- heuristic methods can be used to determine the differences between legitimate attempts by network management people to access equipment and those by attackers; similarly, heuristic methods can be used to determine if equipment is being attacked, by scrutiny of appropriate logs of the equipment's activities. (what we now call threat detection, like anti-DDoS)

  • Knowing your own vulnerabilities --- network equipment can be checked by security-checking software to test for vulnerabilities; network operators should also ensure that their equipment vendors notify them of bugs that might affect security. (what we now call vulnerability assessment)

  • Controlling management access rights carefully --- as a network might be attacked by an insider, it is important not to grant access rights to everybody in network operations, but only sufficient rights to each individual to enable that person to perform their identified role; it is also important that, as individuals change jobs or leave network operations, their management rights are changed or revoked in a timely manner. (what we now call segregation of duties)

  • Shutting off attackers --- have plans to deal with attackers, e.g. by ensuring that an attacker can be cut off to prevent them doing any more damage; this may require co-ordination with other networks or agencies. (what we now call clean pipe)

  • Undoing an attacker's damage --- configuration management systems are required that can restore the network configuration in the event that the attacker has managed to change the configuration. (what we now call configuration management)
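The first two points above (only identified management systems may reach the management interface; detect attackers by scrutiny of the equipment's logs) can be turned into a small log check. This is an added example written for this post, not code from the book or from any vendor; the log lines, device name and the allowed management addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of authentication log lines from a router's management
# interface (syslog-like format invented for this example; not real data).
SAMPLE_LOGS = """\
Mar 30 10:01:12 core-rtr-1 sshd: Accepted password for netops from 10.250.0.11 port 51010
Mar 30 10:03:45 core-rtr-1 sshd: Accepted password for netops from 10.250.0.12 port 51020
Mar 30 10:05:02 core-rtr-1 sshd: Failed password for admin from 203.0.113.77 port 40001
Mar 30 10:05:03 core-rtr-1 sshd: Failed password for admin from 203.0.113.77 port 40002
Mar 30 10:05:04 core-rtr-1 sshd: Failed password for root from 203.0.113.77 port 40003
Mar 30 10:05:05 core-rtr-1 sshd: Failed password for cisco from 203.0.113.77 port 40004
Mar 30 10:05:06 core-rtr-1 sshd: Failed password for admin from 203.0.113.77 port 40005
Mar 30 10:05:07 core-rtr-1 sshd: Failed password for root from 203.0.113.77 port 40006
Mar 30 10:09:30 core-rtr-1 sshd: Accepted password for netops from 198.51.100.9 port 52000
Mar 30 10:12:00 core-rtr-1 sshd: Failed password for netops from 10.250.0.11 port 51030
Mar 30 10:12:05 core-rtr-1 sshd: Accepted password for netops from 10.250.0.11 port 51031
"""

# The "identified management systems" permitted to reach the management
# interface (assumed addresses, constructed for the example).
MANAGEMENT_HOSTS = {"10.250.0.11", "10.250.0.12"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<device>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(log_text):
    """Yield one dict per line that matches the expected format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(log_text, allowed=MANAGEMENT_HOSTS, failure_threshold=5):
    """Return a list of (severity, message) findings.

    Two heuristics from the book's list: a successful management login from a
    host that is not an identified management system, and a burst of failed
    logins from one source (password guessing against the management plane).
    """
    findings = []
    failures = Counter()
    users_tried = defaultdict(set)
    for ev in parse(log_text):
        if ev["result"] == "Accepted" and ev["src"] not in allowed:
            findings.append(("high", f"successful login as {ev['user']} from "
                                     f"non-management host {ev['src']} at {ev['ts']}"))
        elif ev["result"] == "Failed":
            failures[ev["src"]] += 1
            users_tried[ev["src"]].add(ev["user"])
    for src, count in failures.items():
        if count >= failure_threshold:
            # Guessing from an approved management host is still worth a look,
            # but from anywhere else it is a clear attack on the management plane.
            sev = "high" if src not in allowed else "medium"
            users = sorted(users_tried[src])
            findings.append((sev, f"{count} failed logins from {src} against "
                                  f"{len(users)} account(s): {users}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

The single failed login from 10.250.0.11 followed by a success is ordinary operator behaviour and produces no finding; the other two sources do.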

Find this book on Google: http://books.google.com.hk/books?id=5BbTeaFGOIIC&hl=zh-TW

Sunday, March 24, 2013

(Demo) Ethical Hacking - Web Parameter Tampering

It can be fun and effective to show a simple but interesting hacking demo while discussing application security with clients, to show how easy it is and how serious the results can be.

One of the recommended "simple demos" is Web Parameter Tampering on a payment gateway.

Scenario:
- When people are going to pay for an item online, it is not difficult to change the price (the so-called "web parameter") with the assistance of hacking tools.
- There are easy tools for Web Parameter Tampering. I take TamperIE as an example.

Tool: TamperIE (Download: http://www.bayden.com/tamperie/)

Demo site for a "successful" tampering:

I would suggest you go through the above demo site first.

Here I "test" this with an online shop... Let's see if I succeed.


Important Note: I do not engage in hacking as a habit, but share with the public how a bad guy would perform hacking. Through this exercise, the good guy understands how bad guys act, and tries a different way to give the bad guy a hard time.


#1 - I (a bad guy) would like to purchase a blouse online; however, I think $45 is too expensive for me.




#2 Once I click "pay now", my pre-installed parameter tampering tool prompts and shows me the parameters on this webpage. Price is one of those, as highlighted.




#3 $49 + $30 shipping. Total $79. Too expensive for me! So I change the price to $9 with the tool.
 


#4 However... the website is smart enough to detect the change of a parameter (the price).




#5 How does Taobao detect this? We can see a parameter "SecStrNoCCode", which is believed to be a hash of the page and is used to check for changes of web parameters from page to page. Any change of a parameter would induce a different hash. My best guess at the full meaning of this name is "Security String No Change of Code".
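The defence guessed at in #5 (a server-side keyed hash over the page's parameters, so that any edit between page 1 and page 2 is detected) looks like the following. This is an added example written for this post, not Taobao's code; the field names, the `sig` parameter, the order values and the secret key are all assumed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Server-side key, constructed here for the example. It never appears in the
# page, so the browser-side tool cannot recompute the hash after editing a field.
SERVER_SECRET = secrets.token_bytes(32)

# Fields that participate in the integrity check, in a fixed order so that
# page 1 (signing) and page 2 (verifying) hash exactly the same string.
PROTECTED_FIELDS = ("item_id", "price", "shipping", "currency")


def canonical(params):
    """Canonical string over the protected fields; urlencode escapes '&' and '='."""
    return urlencode([(k, params[k]) for k in PROTECTED_FIELDS])


def sign(params, secret=SERVER_SECRET):
    """Hex HMAC-SHA256 over the protected fields (the page's 'security string')."""
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def render_checkout(params):
    """Page 1 (server side): attach the signature to the parameters sent to the browser."""
    page = dict(params)
    page["sig"] = sign(params)
    return page


def verify_checkout(submitted, secret=SERVER_SECRET):
    """Page 2 (server side): recompute and compare in constant time.

    Any edited protected field, a missing field, or a forged/missing 'sig'
    fails the check; the submitted price is never trusted on its own.
    """
    try:
        expected = sign({k: submitted[k] for k in PROTECTED_FIELDS}, secret)
    except KeyError:
        return False
    return hmac.compare_digest(expected, submitted.get("sig", ""))


# Constructed order matching the demo: blouse at $49 plus $30 shipping.
ORDER = {"item_id": "BL-1001", "price": "49.00", "shipping": "30.00", "currency": "USD"}


def tampered(page_params, **changes):
    """Simulate the browser-side tool editing fields between page 1 and page 2."""
    edited = dict(page_params)
    edited.update(changes)
    return edited


def demo():
    """Return (honest_submission_accepted, tampered_price_accepted)."""
    page = render_checkout(ORDER)
    return verify_checkout(page), verify_checkout(tampered(page, price="9.00"))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The stronger fix is to not carry the price in the form at all and look it up by item_id on the server; the signature is what lets a site that does carry it detect the edit shown in #3.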
 


Sunday, March 17, 2013

(My Note) Security Solutions Catalog

10 years ago, security used to be = firewall (gateway) and anti-virus (endpoint).

Then a few years later, some enterprises thought about IPS.

If your company had a website providing corporate information only, then you didn't have to be concerned about the data/server side... except website defacement prevention (maybe).

As a security salesperson who wanted to sell more? What about those anti-spam solutions for email services.

But today's enterprise.....
- More companies understand the business benefits that the Internet brings, for example:
- "Cloud" provides an instant service without a huge first-time investment, which brings security and data privacy concerns
- BYOD allows a company to leverage staff mobility, and again this also means a rapidly growing number of insecure "doors" (mobile devices) which make hackers' lives easier.
- More security devices in a company mean more difficult operation and monitoring
- etc.

Security is getting more complicated, not only for my clients, but for me as well. :P

I always keep a so-called "security solution catalog" in my mind, as below. This helps my security discussions (selling) with clients. More than that, it helps me classify and position different solutions in my security solution portfolio. This is so far the easiest way for my poor memory.



Thursday, February 28, 2013

TrustGo - Android Apps Scan for Security

From an article regarding securing mobile devices, I read about TrustGo Antivirus & Mobile Security, which offers a great mix of security features and tools for optimizing your device's performance.
TrustGo is an award-winning Android security app, and it is completely free. I put both AVG and TrustGo on my Android phone. They work well so far.


TrustGo scans for harmful apps.



Oops... one suspect app is found.


Uninstall it, and scanning finishes.



The following shows permissions (e.g., location tracking, contacts access, etc.) acquired by apps. In this example, 24 apps on my Android phone track my location. Watch out!



There are still some other useful security tools. Enjoy!


Thursday, February 14, 2013

Penetration Test for Enterprise Data Loss

An enterprise suspects leakage of confidential information to competitors because of frequent bid losses recently. Senior management would like an external party (security service provider) to find out whether there are possible channels through which internal or external hackers leak out or sniff bid information.

What should be involved in a penetration test for data loss prevention:


1. Define Objectives of the Penetration Test

- What area is going to be evaluated? (DLP, etc.)
- What is required to be found out? (Vulnerabilities, risks, recommendations)

2. Define the Scope of the Penetration Test (i.e. the Investigation Focus)
The service provider had better spend most of its effort on this part in the early phase of the project.

- What is being investigated? ...data loss (DL) in this case
    (DL via email, **
     DL via removable media,
     DL via other services (e.g. web portal, file server to external),
     DL via physical access,
     DL via network level attack)

- Taking DL via email as an example, analyse the possible "causes" of data loss:
   (Human factors - e.g., user mistakes or being the target of a social engineering attack,
    Under password attack - e.g., brute force attack,
    Machine remotely controlled - e.g., a PC or server being controlled so that the mailbox can be easily accessed,
    Login credential sniffed - e.g., by sniffing on the network,
    etc.)

- Not all the causes can be proved/tried in the pentest, especially when limited budget or resources are available. Work according to priorities. For example, the enterprise might focus on "Machine Remotely Controlled" and "Login Credential Sniffed"; this could be because these are usually the high risk areas that the service provider/enterprise has experienced.

- The service provider will plan the pentest by assuming the role of the possible internal/external hackers who steal data by (A) "remotely controlling the target machine (the email server in this example)" and (B) "sniffing (email) login credentials".

3. State Assumptions

State the roles and responsibilities of the service provider and the enterprise, and what is excluded, which could otherwise become a controversy.

4. Standards and Guidelines that the Pentest Follows

(for example)
- White Hat, Inc.
- ISO 17799

5. Explain the Methodology

(from an open standard or the service provider's usual practice.)

6. Zero Knowledge Pentest (Step-by-step what to do)
- Target services (email, webmail, some other important related services)
- Netcraft Search Web by Domain
- DNS Whois Query
- Domain Lookup
- Traceroute
- ICMP Traffic Test
- Sifting Contents by Server and by Google
- SSL Server Certificates
- Identified Services
- Email OWA Password Guessing
- Identified Vulnerabilities

7. Internal Vulnerability Assessment (Step-by-Step what to do)
(for example, if focusing on the wireless network...)
- Wireless access points
- Devices connected to the wireless network
- Vulnerabilities identified in access points and endpoint devices

8. Recommendations
bla bla bla based on the findings... :)
~~~~~

Again, the above is not a complete security review of DL. Instead, this exercise is a pentest against certain high risk DL areas, like possibly infected email and important servers, wireless access points, the endpoint devices connected to the access points, etc.

Monday, February 4, 2013

End Point Protection @HK$200, Good for SME

An SME's IT management should be planned in a simple manner, with no complication. This is because of the flatter personnel structure involved, as well as the very limited resources of most SME IT support.

For an SME IT manager who is looking for endpoint protection (DLP, port control, encryption, but no anti-virus), I would recommend starting straight away with GFI.

Price for reference (for about 200 endpoints in an SME):
     US$27  Perpetual + 1 year subscription per node
     US$4.5 Renewal of 1 year subscription per node

Deployment is simple. Once the management console is installed, nodes connected to the network are auto-detected. In this example, 4 nodes are detected on the network. Then the agent starts to be remotely installed onto each node. Only AMICEWON is installed in this example, because I don't have admin rights on the other nodes.
So, make sure you have admin rights on each node before you can make things happen.


What you can protect on the targeted computer/notebook:


Device control and security settings:


Alert options :

Friday, February 1, 2013

(My Note) Secure Enterprise Mobility - 4 Areas to Remember

Note for myself ~~ A Secure Enterprise Mobility ~~

It consists of 4 different areas, indicated in the diagram (as shared with my clients :D )

(1) Mobile phone "Self Health"
(2) Secure communication channel from mobile device to enterprise resources
(3) Authentication, and authorization to the different allowed resources
(4) Mobile device inventory/compliance/loss management ("Mobile device management")


Unfortunately, the possible solutions in the market are not that clear-cut in corresponding to the different areas.

AVG:  (1)
AirWatch :   (4)
BlueCoat Mobility Security Management :     (1) (launched or not? not sure)
Check Point Mobile Access Blade :    (2), some (3) and some (4) 
Cisco Identity Service Engine :  (3)
Good Technology :      (2), (3) and (4)  (imagine: BlackBerry)
McAfee Enterprise Mobility Management :  (1) and (4)
Sophos:  (1)

I expect the above list will have changed significantly and grown longer 1 year later.

Sunday, January 20, 2013

Signatures are Useless?


I was shocked by a pre-sales consultant of a vendor telling me that "Signatures are useless. Today we are facing the challenge of zero-day attacks."... Then he further emphasized that his company's security solution is strong in detecting new attacks.

The vendor has a strong network optimization background and has been aggressively penetrating the security area in recent years. I just hope he is not going to spread this incorrect message to too many clients.

I agree that zero-day (or even negative-day) attacks pose a serious security challenge to enterprises and vendors. However, an effective and comprehensive security practice on patches or signature updates is an essential part of a solid security defense.

According to Gartner, “90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.”

A few vendors emphasize new attacks, zero-day attacks, or even negative-day attacks "too much" for their marketing and promotion purposes. The importance of known vulnerabilities and signatures has never decreased.



You may be interested in this article from Juniper, about "Understanding Our Approach to Addressing Known and Unknown Vulnerabilities".

Most MNCs or large enterprises have a vulnerability feed subscribed to or purchased. I would say it is a wise investment. There are also managed vulnerability scanning services available whose charges are very affordable for most companies.


Sunday, January 13, 2013

Should All the Security Vendors Merge into ONE?

Most enterprises look for the so-called "best-of-breed solution" to cater to each different level of security concern.
Network Firewall: Vendor A
Proxy: Vendor B
Web Filtering: Vendor C
Application Control / Application Firewall: Vendor D

......and finally....
Security Incident and Event Management (SIEM) - to manage all the above vendor solutions: Vendor Z

One day, a client asked us to provide the commonly used brands for the different security solutions in the market. Frankly, it is not our style to start by talking about products straight away. Instead, we prefer to discuss from a risk management perspective, so as to advise what his company really needs and what his company doesn't need. However, he "claims" it is only used for his internal reference. (Alright :| ) We try our best to "help" him. Hope we are not unintentionally making a trap for him.

(blurred image, no commercial here. :D )

While preparing a table as above (different types of security in different industries)...
I think of: Should all Security Vendors Merge into ONE?

I am not talking about an all-in-one solution, like UTM, but about having ONE single vendor research and develop all the security products. Feasible or not?

As a security specialist, one of our roles is to interface with different security vendors. Sometimes I dream of a day when every security vendor is integrated into one. My life could become easier, provided that I would not lose my job due to this "too-easy" work.

Back to the question: Should all Security Vendors Merge into ONE? (Feasible?)
Despite my personal preference for having an easier job, I still prefer the existence of different vendors, because this generates....
  1. A healthy competition among vendors
    • R&D teams strengthen the products endlessly; they don't want to lag behind
    • Sales and marketing teams of different vendors aggressively promote their security solutions to end clients, which in turn provides free security awareness training to the public

  2. (Comparatively) Difficulties and complexity for hackers
    • There is no "single vendor of failure"
    • Hackers need to break into several layers of security controls (provided by different vendors) before getting to their target (in some cases)
  3. Vendors' concentration on handling a particular outbreak or vulnerability
    • Recent example: Oracle is now focusing on fixing JDK v7 vulnerabilities, while other security vendors are aggressively promoting (teaching) how good they are at minimizing the risk in the browser.

Monday, January 7, 2013

When Selling UTM, NGFW, Network Firewall, IPS


An NSS Labs report has prompted me to share opinions and experience on selling UTM, NGFW, traditional network firewalls, and network IPS.

  • Most enterprises would NOT prefer UTM
    • I started to hear of UTM in 2005, when I was handling sales and marketing for the SME segment. At that time we were selling Fortinet and ZyWALL UTM. However, most of the time, SME clients used them as an affordable firewall or VPN gateway. Check Point, Nokia and Cisco were considered luxury products for most SMEs. Clients seldom used the value-added anti-X features on the UTM.
    • From my observation, larger clients (which I call Enterprise) would not prefer UTM. UTMs are considered SME products.
    • Nowadays, although UTMs are available with much larger throughput and the solutions are getting more mature, enterprises still hesitate to use UTM (even as a pure firewall), mainly because of corporate standards that have "encoded" Check Point (and the acquired Nokia), Cisco, or Juniper as the firewall standard.
    • Another reason I can "feel" is a pretty political one (please forgive me if I am saying it wrongly; just my personal sharing here). Most enterprises (again, large companies) have different personnel or teams assigned to handle different IT solutions: for example, Team A is handling the firewall solution for e-banking and internal staff, Team B is handling IPS for internal staff, while Team C is taking care of DLP and endpoint security for internal staff. Each team is using a different best-of-breed solution in that area. Most of the time these are not the same brand of solution, and they are managed through different management consoles by the corresponding teams. It is not difficult to imagine the political and personnel issues that could be generated if all the mentioned solutions were "integrated" into a single big UTM.

  • Vendors of Traditional Firewalls are "Changing" their Solutions to Next-Generation Firewalls
    • Due to increased attacks at the application level, the traditional firewall no longer satisfies the need. Therefore, NGFW is getting market attention.
    • Check Point and Cisco, having a strong footprint in the enterprise market, have been developing NGFW to target the lower-end market, like mid-market and SME, since around 2009. Obviously, the aim of this action is to expand market share as well. This has triggered a lot of struggle between these vendors and their key partners, because of this shift of focus in the solution, where the mid-market and SME segments may not be the focus of those key partners.
    • However, when coming to the mid-market, these "big" vendors face competition from other "smaller" vendors, like Fortinet, Juniper, SonicWall, etc.
    • On the other hand, the "smaller" vendors are no longer small. Referring to the Fortinet and Juniper websites, firewalls/NGFWs with extremely high throughput are generally available. These vendors are starting to win some big cases in FSI, due to their price/performance value.
    • Besides the shift of market position among vendors, the pricing of firewalls/NGFWs has been changing quite a lot. Firewall prices are getting higher, while NGFW prices are getting lower.

  • No Matter UTM or NGFW, Best-of-Breed is still Technically Preferred.
    • Throughout my years of selling UTM (or NGFW), it is not rare to hear clients' negative feedback on the "additional" features of the "firewall". For example, the non-working bundled SSL VPN, or un-ready secure remote access from mobile devices with only a beta version of the hotfix available. Badly degraded performance is recorded when anti-X features are activated.
    • This is pretty in sync with NSS Labs' comments in the 2012 NGFW group test.

This free-to-download brief report, although not disclosing very much in detail, has uncovered some key points from NSS Labs. I would recommend you download it and take a look. NSS Labs Report (What do you need to know about NGFW)

Friday, January 4, 2013

Mobile Device Management (MDM) (5) - Containerization Features (Demo with Good)

Besides basic provisioning, policy enforcement and administration functions (as discussed in Part 3 and Part 4), MDM solutions are differentiated by their containerization nature.
 
  • Native MDM solutions
  • Container Security applications

  • Native MDM solutions are built upon the APIs natively offered by the different OSes (iOS, Android, Windows Mobile, etc.); only a lightweight MDM agent is to be installed on the device. Container Security Applications, by contrast, are developed independently, having their own security standards whatever OS you use; an MDM "application" needs to be installed on the device.

    There are many native MDM solutions (MobileIron, AirWatch, etc.) and a few Container Security applications (Good, etc.)

    (source: Gartner)

    Here we take Good as an example to demonstrate what "containerization" looks like.

    Download and install Good as you would any other application from the Play Store. Log in with the account and key provided by the administrator.
    Once logged in to Good (the "container"), you can see several applications developed by Good, like email, calendar, etc.



    You can also see a browser within Good; the administrator can configure it to control the allowable websites. In case of a visit to an unauthorized website, Good will force a logout (from Good) and will prompt the user to use his/her own browser OUTSIDE the Good "container". The user has to log in again to use the MDM and those applications within Good.
    Administration page portal

Tuesday, January 1, 2013

(Happy New Year!) Security Best Practice for Enterprise 2013



One of my clients asked me for security best practices, so he can propose security improvements to his management for the coming good year.

I found two lovely papers:

1. SANS Reading Room --- "Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems".
2. CERT --- "Common Sense Guide to Mitigating Insider Threats, 4th Edition" (not just common sense at all)


My client is not a government agency. Instead:
• it is a large enterprise group's headquarters office.
• This group has many subsidiaries doing business in different areas, like retail, trading, telco, etc.
• In the headquarters office, there are around 100 senior managers with mobile device remote access rights.
• A number of applications are used within the group, whose servers have been installed at the headquarters, and the subsidiaries access those services/servers through the IPSec VPN that has been built.
• My client's office seems like a "government" within the group.

Therefore, I chose to share the first paper with him, with a bit of a summary.

Agenda:

(1) Threats to an Enterprise Information System (Internal, External)
(2) Risks to Information Systems
(3) Creative Ways for CIOs to Stretch IT Budgets
(4) Techniques for Protecting Enterprise Information Systems (Hardware, Software, Policy)

Summary
(1) Threats to an Enterprise Information System
• Attacks come from individuals and groups with malicious intent; sources of threat include information warfare, hackers, virus writers, and disgruntled employees and contractors.
• Sources can be classified into two types of threats to information systems: internal and external
(1.1) INTERNAL:
• Internal threats: mostly defined as either current or former personnel (employees or contractors).
• These individuals have greater access to sensitive information and knowledge of security weaknesses through their current or previous work experience.
• Additionally, an insider has an established trust relationship, so the person may not be questioned if seen in an authorized location or when asking for special network access.
• Cybercriminals may use internal employees as their attack vector for causing mayhem as well (most successful method: social engineering)
• Social engineering is when an attacker convinces an individual to perform an action or provide information about their computing environment that is not public knowledge. The attacker will usually state they are IT support personnel and ask the “victim” to perform “diagnostic” activities which can assist them in their attack.

(1.2) EXTERNAL:
• External threats: can be defined as “any vulnerability which can be exploited to gain access to an environment from outside the [host] environment”.
• A vulnerability can be viewed as a weakness in the information system or security policy that an attacker uses to their advantage
• Examples of vulnerabilities:
  • Lack of software patch management,
  • Cross site scripting,
  • Weak passwords, or
  • Unnecessary ports open on the firewall
  • Espionage
    • Competitors that damage the information system for political or economic gain
    • Attackers will target the enterprise and also key contractors as well
    • Contractors may be slower in adopting the same security standards as the enterprise
  • Spear-phishing
    • Attackers aim to gain unauthorized access to confidential data
    • Examples of successful spear-phishing email subject lines include “mailbox exceeded”, “helpdesk assistance required” or “password expired”
    • The message “appears” to come from a trusted source (e.g. IT admin)
    • Employees click on the link supplied in the message; they are asked to “log in” with username/password
    • Attackers use the victim’s login for network access, and send the same email message to increase the pool of people to be compromised.

(2) Risks to Information Systems
• Risk Management: defined as “the process of managing risks to enterprise operation”
• Risks to information systems include:
  • Resources: company financial information, business transaction information
  • Sensitive information: internal staff records, client records
(3) Creative Ways for CIOs to Stretch IT Budgets
• BYOD
  • Security professionals now need to weigh the business case for using personal devices and their lack of security in a new light
• Cloud
  • Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS)
  • The premise behind using cloud computing is to eliminate the need for agencies and departments to have their own data centers for application hosting and security monitoring.
  • Instead, enterprises are to rely on certified third-party vendors to host agency data and applications.
  • With these new changes, security professionals now need to keep their data and information systems secure when they are located all over the place.
(4) Techniques for Protecting Enterprise Information Systems
• Hardware
  • Firewall, intrusion detection system (IDS), intrusion prevention system (IPS), host intrusion prevention system (HIPS) and multiple-factor devices (e.g. secure token devices, etc.)
  • Portable media encryption – sensitive data stored on desktop and laptop computers is protected
  • Network Access Control / Identity Services Engine (e.g. Cisco) – a device is required to be “securely checked in” every time it tries to connect to the network (including mobile devices)
  • Data loss prevention / email security (especially on email) (e.g. IronPort, Check Point) and web content filtering (e.g. Check Point, Blue Coat, Palo Alto) deployed at the gateway, to avoid phishing and malware
  • Two-factor authentication solution

• Software
  • Endpoint devices (desktops, laptops, mobile devices) need to be deployed with anti-virus (anti-malware) software (e.g. McAfee), which can be centrally managed by McAfee ePolicy Orchestrator (ePO) (including mobile devices)
  • Patch management for all Windows-based equipment is required
  • (optional for confidential email): Public key infrastructure (PKI) encryption should be enforced
  • (for sensitive desktops or laptops): the device is suggested to have the EnCase forensic software applet installed. This allows the IT/security team to conduct an initial forensic investigation “over the wire” as a means to catch potential compromise in real time. In the event that the “over the wire” forensics does not work, IT support will remove the drive and send it through a proper custody procedure.
  • USB port control and removable media encryption solution

• Policy
  • Ensuring contracts have the standardized security clause.
  • “Policy” is the duty of the Information Security Officer (ISO), but IT personnel, contracting officers (COs) and supervisors play a role in compliance as well.
  • Segregation of duties (personnel who manage the data vs. personnel who protect the data)
  • Software protective measures (in the previous slide) to enforce security policy as a means to decrease exposure to malicious software.
  • All employees and contractors are required to take security awareness training and privacy training within 30 days of entry into duty, to be trained on their information security responsibilities
  • Security training provides information on what should be done in certain situations (e.g. sensitive information protection, avoidance of providing logins via suspicious email links)
  • Refresher training is required annually
  • All employees with significant information security responsibilities should complete role-based training. Depending on the role, the individual may take one course which is tailored to their specific job (e.g. database admin, system admin, CIO, etc.)
  • Ticketing system and reporting procedure to report potential information security or privacy incidents
  • Incident handling procedure (printed copies must always be available) in place
  • Incident Response Team should be ready - this team ensures that all necessary reporting procedures are followed if a breach has been confirmed.
  • Have to maintain the security posture through continuous monitoring

References:

Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems (SANS Reading Room, PDF)
Common Sense Guide to Mitigating Insider Threats, 4th Edition (CERT)