Posted on Tue, Jul 27, 2010 @ 09:00 PM
Authored by Mosi Platt, Sr. Audit Consultant at Pivot Point Security.
We’ve been talking about simplified security processes a lot at Pivot Point the last six months and I would like to use this space to discuss simplified security auditing. IT security is inherently complex but I think people need simple solutions to help them manage the security risks that complexity causes. I’m going to discuss two different ways to simplify security auditing – scope and rigor.
Simplified Scope
One way to simplify a security audit is to limit the scope of controls the audit will cover. For example, the CobiT framework includes 34 processes with 210 control objectives. The IT Governance Institute (ITGI) has provided tools to simplify an audit using the CobiT framework by identifying control processes of High, Medium and Low Importance. There are only nine CobiT processes with 66 control objectives labeled High Importance, which reduces the scope of the audit by 69%. Additionally, the ITGI published CobiT Quickstart, which provides another method for organizations to reduce the scope and complexity of an IT audit by 72%, down to 59 of the 210 control objectives.

Simplified Rigor
“Simplified rigor” sounds like an oxymoron but rigor describes the extent of testing required for an audit. The Open Source Security Testing Methodology Manual (OSSTMM) provides auditors the flexibility to conduct every test imaginable or no test at all in order to complete a Security Testing Audit Report. An OSSTMM audit can be simplified by only conducting the tests necessary to count the visibility, trust and access in the scope. OSSTMM identifies this calculation as “porosity”, which is the number of holes in the scope that allow interaction with people, processes and technology. According to OSSTMM, the porosity calculation establishes the Operational Security of the scope which is different from the Actual Security. The Actual Security includes controls and any limitations they may have. While Actual Security would be preferred in most cases, identifying Operational Security can also provide value because it illustrates what needs to be controlled – a valuable starting point for any security discussion.
Hopefully, CobiT and OSSTMM can help you simplify your next IT security assessment and begin to manage your IT risks with more confidence moving forward. If not, then maybe some of the methods that I’ll be discussing next month will help simplify your next security audit.
Posted on Mon, Jul 26, 2010 @ 11:34 AM
Authored by Mike Gargiullo, Sr. Security Analyst at Pivot Point Security
We were in a bad place. I was tasked with finding some data in a 15TB database table. It was partitioned, but not indexed on the field we needed. I worked with the DBAs to see if we could query the data, but they stated it would take a week to return. However, we needed it faster than that, and we also needed additional information for the same time period.
We kicked it around for a bit and decided to dump the data to a flat file for the dates specified. I reasoned that as long as the data was dumped as one record to one line in the flat file, we should be able to use grep to find the records we needed. I did some mental calculations regarding record size and number of records and figured the dump file should be around 350GB. Dumping and grepping through it should be very fast, maybe 48 hours tops.
I got an email stating they were splitting the output into three files and the first was finished. I logged in and saw the first 800GB file. I emailed back and explained my concern about the difference between my calculation and the actual file size. It turned out that one record spanned 12 to 16 lines in the file. Grep, which matches one line at a time, wouldn't work. The file looked a bit like this:
ase3de5g-j4dj-8jf8-1jdj4h2dje9 | DATE |
LOGIN | FROM | | |
| |
| TO| DATA | MORE
DATA| | |…
We had a short discussion and decided to work with the files provided. I put together a short Perl script that did two things.
First it stripped all of the extra white space and new lines, and then it looped through that data searching for our target data. Let me preface this by saying, yes, there are more elegant ways to do this, but this technique was also used to show someone else how to do it... a "teach him how to fish" moment.
To strip out the white space, we used:
s/\s+\|/\|/g;
s/\|\s+/\|/g;
The regex does the following:
The structure s/ / /g means 'substitute': whatever the first part matches is replaced with the second part. The g on the end means 'everywhere in the string', not just the first match.
The \s means it should look for whitespace and the + that follows means 'one or more', so \s+ looks for one or more whitespace characters. Note that \s also matches a line break, so these two lines already remove any break that sits next to a pipe. The \| is just an escaped pipe character. It must be escaped, otherwise it would be interpreted as an 'or' (alternation) metacharacter. We did the same with new line characters with this:
s/\n+//g;
This is slightly different; it deletes all the new line characters. One check before you rely on it: this only works if the whole file, or at least a whole record, is held in one string (in Perl, by reading with $/ undefined, or running with perl -0777). If the script reads the file line by line, each line carries only its own trailing newline and the records are never joined. Wait, I know, now you're thinking, "How do you know where one record starts and one record ends now?". Each record starts with an identifier, which we can match with a pattern. Let's look at it:
s/(?=[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12})/\n/g;
I know… looks a bit crazy compared to the previous examples. Let’s walk through it.
You see the same substitution s/ / /g. Our goal is to look for the identifier, then insert a new line character before it. We use a look-ahead, which looks like this: "(?= )". A look-ahead is zero-width: it checks that the identifier follows but does not consume it, so the identifier itself stays in the output. We're going to attempt to find our identifier, which isn't the same for each record, but does have a pattern. These records have an identifier made up of 8 alpha-numerics, followed by 3 groups of 4, then a group of 12. So if we walk through our regex, the first group:
[A-Z0-9]{8}
This translates to "look for exactly 8 characters, each a capital letter or a digit". (The character class is case-sensitive; if the identifiers were lower case you would use [A-Za-z0-9] or add the i flag.) So if we put it all together:
[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}
It looks for alpha numeric groups like so:
8-4-4-4-12
Because the look-ahead matches the empty position in front of each identifier, the substitution puts a new line character there and leaves the identifier itself untouched. One caveat: any identifier-shaped token that appears inside a data field would be treated as a record start as well, so check a few of the resulting rows against the source before trusting the split.
Overall, the result is that there is no excess whitespace, no extra line breaks and one record per row. This alone reduced the 800GB file down to 62GB. Grepping through the file now took minutes to find the data we were looking for, and this tool is now available for future searches.
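Here is the same two-step idea as an added, stand-alone Python example (not the author's Perl script, which the post does not reproduce): it reads the dump one line at a time, recognizes a record boundary by an identifier at the start of a line, and collapses each record to a single pipe-delimited line before the grep-style search. The sample dump is constructed; the identifier shape follows the 8-4-4-4-12 pattern described above, matched in either case because the post's sample shows it in lower case. Two deliberate differences from the regex walk-through: wrapped field text is joined with a space rather than glued together, and record starts are anchored to the line start so an identifier-shaped token inside a field does not split a record.

```python
"""
Streaming record flattener (added example, not from the original post):
turns a multi-line, pipe-delimited dump into one record per line so that
grep-style searches work.
"""
import re
import sys

# Record identifier in the 8-4-4-4-12 shape the post describes. The post's
# sample data shows the identifier in lower case, so this matches either case.
IDENT = (r'[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-'
         r'[A-Za-z0-9]{4}-[A-Za-z0-9]{12}')

# A record starts on a line that *begins* with the identifier followed by a
# field separator. Anchoring to the line start means an identifier-shaped
# token that appears inside a data field does not start a new record.
RECORD_START = re.compile(r'^\s*' + IDENT + r'\s*\|')

# Same effect as the post's s/\s+\|/\|/g and s/\|\s+/\|/g: drop whitespace
# (including line breaks) on either side of every pipe.
WS_AROUND_PIPE = re.compile(r'\s*\|\s*')


def finish_record(parts):
    """Join the raw lines of one record into a single normalized line."""
    # Join wrapped field text with a single space rather than deleting the
    # break outright (a bare s/\n+//g would glue "MORE" and "DATA" together).
    text = ' '.join(p.strip() for p in parts if p.strip())
    return WS_AROUND_PIPE.sub('|', text).strip()


def flatten_records(lines):
    """Yield one normalized line per record from an iterable of raw lines.

    Works directly on a file object, so a dump far larger than memory is
    processed in one sequential pass instead of being slurped whole.
    """
    buf = []
    for line in lines:
        if buf and RECORD_START.match(line):
            yield finish_record(buf)
            buf = []
        buf.append(line)
    if buf:
        yield finish_record(buf)


def search_records(lines, needle):
    """The grep step: every flattened record containing the needle."""
    return [rec for rec in flatten_records(lines) if needle in rec]


def flatten_file(path, out=sys.stdout):
    """Flatten a dump file to one record per line on `out`."""
    with open(path, errors='replace') as src:
        for record in flatten_records(src):
            out.write(record + '\n')


# Constructed sample in the shape of the post's dump (identifiers, dates and
# names are made up). The second record carries an identifier-shaped token
# inside a field to show that it does not split the record.
SAMPLE = """\
1A2B3C4D-1111-2222-3333-444455556666 | 2010-07-01 |
LOGIN | alice | | |
| |
| bob| DATA | MORE
DATA| | |
1A2B3C4D-1111-2222-3333-444455556667 | 2010-07-02 |
LOGIN | carol | | |
| |
| dave| ref 1A2B3C4D-9999-8888-7777-666655554444 | EVEN MORE
DATA| | |
"""


if __name__ == '__main__':
    # Usage: python flatten.py dump.txt > flat.txt   (then grep flat.txt)
    # With no argument, flatten the built-in sample.
    if len(sys.argv) > 1:
        flatten_file(sys.argv[1])
    else:
        for record in flatten_records(SAMPLE.splitlines(True)):
            print(record)
```

Run it as python flatten.py dump.txt > flat.txt and grep the result, or with no argument to see the sample flattened. Because it never holds more than one record in memory, the 800GB case goes through in a single sequential pass.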
Since looking for that proverbial “data-needle” is often not a fun task, I hope this formula helps someone else down the road!
Posted on Tue, Jun 29, 2010 @ 09:35 AM
Authored by Michael Gargiullo, Sr. Security Consultant at Pivot Point Security.
I've been working on my old Mustang for about 15 years now.
It seems like there's always something that needs work; a light bulb here, a bit of polish there. While griping about this with an older car nut, I asked "When does it ever end?". His answer... "When you sell it."
That term popped back up while discussing an infrastructure patch management policy with a client. We spoke about patching Microsoft servers and Red Hat servers. We discussed the difficulty in tracking down the more elusive patches for things like switches, routers and third-party software. We spoke about testing patches before deployment. Towards the end the customer looked up with a smile and asked, "When does it end?". I smiled back and said... "When you sell it."
While it can sometimes be difficult to track down needed patches for older software, as long as the device is in operation it needs to be kept up to date. So as long as you ‘own' it, you need to patch it. A number of times we've discovered a long forgotten unpatched Windows 98 or NT machine that allowed us that first foothold onto the network. So keep in mind an information security "Golden Rule" - If you can't patch it... it's time to sell it!
Posted on Mon, Jun 21, 2010 @ 09:08 AM
Authored by Marc Silverman, Sr. Security Consultant at Pivot Point Security 
ZeuS (aka Zbot, PRG, Wsnpoem and Gorhax) is a Trojan kit designed to generate a binary that installs a suite of data theft tools on a victim's system. ZeuS is most often spread via drive-by downloads or phishing attacks. Once infected with ZeuS, the victim system:
• Performs keystroke logging for HTTPS, HTTP, FTP, and POP3 traffic.
• Takes screen shots at relevant times to capture supplemental login data.
• Modifies web page content on-the-fly to hide its illicit activity.
• Transmits collected data via Jabber IM to the attacker's servers, providing real-time credential data, circumventing one-time password access controls.
• Generates SPAM.
• Monitors a pool of Command and Control (C&C) servers on the Internet for new instructions, including software updates.
If you're concerned about ZeuS, I recommend the following:
1) Browse smart. Check what you're clicking on, make sure any links or attachments you're provided are from trusted sources, and when they arrive without warning, check with the sender that they are kosher. Keep your browser, e-mail, and anti-virus patched and up-to-date.
2) Check for signs of infection. ZeuS is normally detected post infection either by communication with its C&C servers or by anti-spyware software.
• In a home or small business environment - Examine the host for signs of compromise by running anti-spyware software. I recommend scanning with both Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.ph) and SUPERAntiSpyware (http://www.superantispyware.com/superantispyware.html?rid=3596). If both scan as clean, odds are that you're clean. If you're still concerned, you can also run GMER (http://www.gmer.net/), a rootkit detection tool, and HijackThis (http://free.antivirus.com/hijackthis/), a windows configuration and integrity checker.
• In a corporate environment - Since checking every host may not be feasible, examine any available network logs for any unexplained network connectivity. If suspect traffic is discovered, you can compare the suspect IP against the list of known infections at https://zeustracker.abuse.ch/monitor.php. If that's inconclusive, you can scan the suspect host with the above anti-spyware software.
3) Eliminate the infection. Perform the remediation recommended by Malwarebytes Anti-Malware and SUPERAntiSpyware, followed up by a full-system AV scan. Once all infections have been addressed, repeat the antimalware and AV scans until clean.
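For the corporate case in step 2, here is an added Python example (not part of the original post) of the log check it describes: firewall log lines are matched against a C&C blocklist and the internal hosts that contacted a listed address are reported, so those are the machines to scan with the tools above. The log format, the blocklist contents and all addresses are constructed for the example (RFC 5737 documentation ranges, not real ZeuS infrastructure); the ZeuS Tracker feeds have since been retired, so substitute the C&C intelligence feed you actually use.

```python
"""
Added example (not from the original post): check outbound firewall log
lines against a C&C IP blocklist and report the internal hosts that talked,
or tried to talk, to a listed address.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed log format (constructed for this example; adapt the regex to your
# firewall's actual export):
#   <date> <time> <host> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
LOG_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<action>ACCEPT|DROP) '
    r'src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+) dport=(?P<dport>\d+)$'
)


def load_blocklist(text):
    """Parse a plain-text blocklist: one IP or CIDR per line, '#' comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split('#', 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # ignore a malformed entry rather than abort the run
    return nets


def is_listed(ip, nets):
    """True if `ip` falls inside any listed address or network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_suspects(log_lines, nets):
    """Map each internal source IP to the listed destinations it contacted.

    DROP lines are kept on purpose: a blocked attempt to reach a listed C&C
    address still points at an infected host.
    """
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # lines that don't fit the format are skipped, not fatal
        if is_listed(m['dst'], nets):
            hits[m['src']].append((m['ts'], m['dst'], int(m['dport']), m['action']))
    return dict(hits)


def summarize(hits):
    """One row per suspect host: (src, hit count, first seen, last seen)."""
    rows = []
    for src, events in hits.items():
        stamps = sorted(ts for ts, _, _, _ in events)
        rows.append((src, len(events), stamps[0], stamps[-1]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed stand-in for a tracker feed; these are documentation-range
# addresses, not real C&C servers.
BLOCKLIST = """\
# example C&C blocklist (constructed)
198.51.100.7
203.0.113.0/29      # covers 203.0.113.0 - 203.0.113.7
not-an-address
"""

# Constructed log lines (RFC 5737 addresses; 10.1.x.y are the internal hosts).
SAMPLE_LOG = """\
2010-06-21 09:01:12 fw01 ACCEPT src=10.1.5.23 dst=198.51.100.7 dport=80
2010-06-21 09:01:15 fw01 ACCEPT src=10.1.5.23 dst=203.0.113.40 dport=443
2010-06-21 09:03:40 fw01 DROP src=10.1.7.9 dst=203.0.113.5 dport=8080
2010-06-21 09:04:02 fw01 ACCEPT src=10.1.9.2 dst=203.0.113.40 dport=443
2010-06-21 09:05:30 fw01 ACCEPT src=10.1.5.23 dst=198.51.100.7 dport=80
this line is not in the expected format
"""


if __name__ == '__main__':
    nets = load_blocklist(BLOCKLIST)
    for src, count, first, last in summarize(find_suspects(SAMPLE_LOG.splitlines(), nets)):
        print(f'{src}: {count} hit(s) to listed addresses, {first} .. {last}')
```

Dropped connections count as well as accepted ones: a host whose outbound attempt the firewall blocked is still trying to reach its C&C server, and that is the host to pull for the anti-spyware scans above. Only LOG_LINE is tied to the assumed log format; the blocklist handling and the aggregation are format-independent.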
Posted on Mon, Jun 07, 2010 @ 08:46 AM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security.
In this compliance-driven age of information security, regulatory requirements are increasing audit costs nearly as much as the auditors themselves. But the value of an audit is driven by the assets, not the controls. Let me explain why.
Controls have no intrinsic value - their value is determined by the assets they were put in place to protect (e.g. people, processes & technology). If you accept that as true, then the value of a controls assessment is not dictated by the controls being assessed but by the value of the assets being protected by the controls under assessment. Therefore, a controls assessment is an evaluation of asset protection from loss/damage. The purpose of a controls assessment is to identify how effectively an asset's value is being protected from loss/damage. If the process itself is fundamentally asset-based, then how can the value of an assessment be legitimately based on anything else? A gap assessment is no different. It's a measurement of the gaps between actual & desired asset protection.
So with that in mind, some of the advantages of an asset-based assessment are as follows:
1. Provides a measure of asset protection from the loss/damage of value.
An asset-based assessment provides an evaluation of the impact controls have on the risks that threaten an asset's value. An assessment solely focused on the compliance of the controls' design with a standard doesn't provide an evaluation of asset protection from risk because the only "risk" that falls within the context of that type of assessment is the risk of non-compliance. That approach works for a compliance assessment like the PCI-DSS self-assessment but it doesn't work for ISO 27000 assessments because compliance is only important if the organization has already identified the necessary controls for effective asset protection and the purpose of the engagement is to support the requirements for monitoring & review. That type of engagement provides no value to an organization that doesn't already have an ISMS in place because it hasn't been established that compliance equals effective asset protection.
2. More cost-effective use of client resources.
An asset-based assessment only focuses on those controls necessary for asset protection while a compliance assessment will consume resources to evaluate controls that may not be necessary for asset protection. This extends beyond the costs of the auditor's time because the client will also spend resources reviewing the consultant's deliverables that include analysis of compliance with useless control requirements. A potential side effect resulting from this approach is waning support for the assurance effort as people begin to wonder why they're spending resources on analysis that doesn't impact actual security. Additionally, the work required for an asset-based assessment will have to be done sooner or later and will probably be cheaper if it's done up front than after an unnecessary compliance assessment.
3. Focus on long-term value instead of short-term gains.
An asset-based assessment provides long-term value by establishing a picture of asset protection that's independent of changing standards. It may be a snapshot of a point in time but it can still be used as a baseline. In a situation where compliance isn't mandatory, the only possible value of a compliance assessment is that it provides an estimate of work that may be required for asset protection. But even if the estimate turns out to be "very little work required," it's not very trustworthy because it was done outside the context of asset protection, so "very little work required" for one asset to be adequately protected may be "a lot of work" for another asset to be adequately protected.
Posted on Fri, May 28, 2010 @ 01:01 PM
Authored by Mike Gargiullo, Sr. Security Consultant, Pivot Point Security
Ever need to work on a remote computer that is behind a typical firewall? Well, if there is no inbound connectivity, you can play a bit of leap frog using ssh in order to gain access to that server. Here's a quick example.
For this example we'll assume you are sitting at Host A and would like to have access to Internal Host C. Both firewalls are assumed to allow ssh traffic out.
Our goal here is to have the Internal Host C machine start an ssh session to External Host B (which is on the internet).
ssh -R 2200:localhost:22 User@ExternalHostB
This will start an ssh session from Internal Host C to External Host B and ask the ssh daemon on B to listen on port 2200 and forward every connection it receives there back to Internal Host C's port 22 over the established ssh session. By default sshd binds that listener to B's loopback interface only (unless GatewayPorts is enabled in sshd_config), so the only way to reach it is from B itself, which is what the next step relies on.
Now If I were on External Host B, to get a shell on Internal Host C all I'd have to do is:
ssh -p 2200 User@localhost
Now the User in the above statement would have to be a valid user on Internal Host C, not External Host B, because the connection is answered by C's ssh daemon.
To connect from Host A to Internal Host C you can do several things. The easiest is to leap frog.
ssh User@ExternalHostB
Then
ssh -p 2200 User@localhost
The first session opens a shell on External Host B. The second opens a shell on Internal Host C by connecting, through B's loopback listener, to the reverse tunnel we started in the first command.
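The same leap-frog, written up as an added example rather than the post's own commands, with the details a practitioner usually wants: the tunnel on Internal Host C is started with -N (no shell) and keepalives, and a ~/.ssh/config on Host A lets a single ssh hostc do both hops. The Host aliases hostb and hostc, the user names bob and carol, and the HostKeyAlias are assumptions for illustration. ProxyJump needs OpenSSH 7.3 or later; the commented ProxyCommand line does the same on older clients.

```sshconfig
# Added example, not from the original post.
#
# On Internal Host C, keep the reverse tunnel up without opening a shell,
# with keepalives so an idle-timeout firewall does not silently drop it, and
# fail loudly if port 2200 on B is already taken:
#
#   ssh -N -R 2200:localhost:22 -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes bob@ExternalHostB
#
# The listener on port 2200 is bound to B's loopback interface only (sshd's
# default unless GatewayPorts is set), so it is reachable solely from B.

# ~/.ssh/config on Host A

Host hostb
    HostName ExternalHostB
    # account on External Host B
    User bob

Host hostc
    # "localhost" is resolved on hostb, i.e. it is the -R listener above
    HostName localhost
    Port 2200
    # account on Internal Host C, not on B
    User carol
    # OpenSSH 7.3+; on older clients use the ProxyCommand line instead
    ProxyJump hostb
    # ProxyCommand ssh -W %h:%p hostb
    # keep C's host key separate from any other [localhost]:2200 entry
    HostKeyAlias internal-host-c
```

With this in place, ssh hostc from Host A connects to hostb and, from there, to the loopback listener on port 2200, so the intermediate shell on B is no longer needed. The HostKeyAlias matters because every reverse tunnel that reuses port 2200 would otherwise be recorded under the same [localhost]:2200 known_hosts entry and trigger a host key mismatch.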
This has been a simple reverse ssh tunnel post. Stay tuned for more port forwarding fun.
Posted on Fri, May 07, 2010 @ 02:48 PM
Authored by Bob Gorski, Sr. Security Consultant, Pivot Point Security
Several years ago I witnessed what was, at the time, possibly an ingenious method of theft. I was in a retail store that sold Apple products. A gentleman wearing iPod headphones was in the area, and appeared to be listening to some music while using one of the display computers to surf the web. It turns out, the music he was bobbing his head to existed only in his head, because he had configured his iPod to act as an external hard drive, and a FireWire cable was snaked out of his pocket and into the computer he was using. One of the joys of using Apple's OS X operating system (installing software by simply dragging the icon into the Applications folder) also makes it very easy to steal from (drag that icon from the Applications folder onto an external hard drive). By the time I located a store employee to point out what was going on, the guy had finished his business and moved on. I believe he got away with a copy of Microsoft Office (or about $300, from the retailer's point of view).
I was recently reminded of this when I attended a convention. A video game publisher had set up in the expo hall, and had PCs available for attendees to try out their latest, as-yet-unpublished game. One attendee thought so highly of the new game that he plugged a USB drive into the PC he was using and attempted to copy it so that he could continue to play on his own time. Unlike the gentleman in the previous story, this one did not make off with his ill-gotten goods, and ended up in the custody of the local police. If nobody had noticed what he was doing, that game probably would have been available on a peer-to-peer network by that evening. I don't know how to predict the cost of something like that, but I suspect I'm not out of line if I say, "A lot."
If you are a software publisher, it makes sense that you'd want to allow some level of "try before you buy" to your potential customers. Retail locations and conventions/trade shows are natural places to allow your target audience an opportunity to experience your product in its fullest form. What controls do you have in place to protect your product from the very public you want to interact with it?
Posted on Mon, Apr 26, 2010 @ 07:21 PM
Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.
A few months back my wife and I were in our doctor's waiting room together. We were just chatting and enjoying each other's company. (We have three young kids... so this might have constituted a date!) We were looking at the trees outside and happened to notice someone rolling a cart to the dumpster in the parking lot with what appeared to be computers and LCD monitors.
After our appointments, we strolled over to take a look. Another company in the doctor's office complex had thrown away 5 Dell Optiplex machines complete with 15" LCD monitors. Well, of course I backed the truck up and tossed them in! Worst case, I thought they could be repurposed or used for parts. (Ask my wife, I have parts everywhere...you never know when you'll need something.)
Once home, I noted that they were all 1Ghz Pentium 4 boxes with a Gig of RAM... Not too shabby. I also noted that they booted into Windows NT (Yeah Windows NT in 2010) with a domain name of "Joe's Hospital Billing"...Ok, not really Joe's Hospital, but a well known and respected University Hospital System. I then booted them with a Knoppix Live CD to take a look at the hard drives. I noted that while they were only 20G drives, they were packed with years' worth of medical billing records and patient information.
Well, since I had no interest in knowing that Shirley So and So has such and such a medical issue or that her SSN is 123-45-6789, I shut down the machines and zeroed the drives. I also sent a nice letter to Joe's Hospital addressing both the Legal and IT departments explaining what I found and how I found it. I explained I had zeroed the drives and even offered to drop them off to them if they wanted. I got a nice reply from the IT department explaining they had outsourced the upgrades and thanking me for letting them know.
It turned out that one of the IT staff there was someone I knew, so I found out later that the hospital in question has since changed its upgrade practice. The IT team still uses an external company, but this company wipes the drives before they go to the recycler and not the dumpster. While it's somewhat comforting to know the hospital has changed policy, it's also scary to think that people's personal information is so easily "trashed". What would have happened if I hadn't found those machines? (I am an "ethical hacker" by trade, after all...) So while HIPAA supposedly "protects" our data, like anything else, it's only as "secure" as the humans and processes handling it!
Posted on Tue, Apr 20, 2010 @ 07:21 PM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security
Our Principal Enterprise Security Consultant, John Verry, said he needed to know how the HIPAA Security Rule compared to ISO 27002 in order to put together a proposal for a prospective client. You can see the result of my investigation described in the table below. Based on my estimation, 65 of the 134 controls in ISO 27002 map to the HIPAA Security Rule's safeguards. The only HIPAA standard that is not addressed by ISO 27002 is section 164.308(b)(1), "Business Associate Contracts and Other Arrangement."
As you can tell from our website, Pivot Point is a big supporter of ISO 27001 and ISO 27002 and I think this analysis provides a good justification. If an organization has multiple compliance requirements like HIPAA, PCI-DSS, GLBA, etc., then ISO 27001 and ISO 27002 can centralize and simplify those compliance efforts. As the table below shows, an organization only has to implement less than half of the ISO 27001 security controls and it achieves compliance with a significant set of regulations. I think this is why the Shared Assessments Program, which was founded by America's leading financial institutions and accounting firms to establish a single standard for managing vendor security risks, decided to expand its membership to include healthcare organizations. The Shared Assessments Program is based on ISO 27001 and provides a simple way for vendors to reduce their compliance costs and manage their security risks. If you're interested in a more detailed analysis of using ISO 27001 to address HIPAA compliance, see the Shared Assessments Program's detailed mapping.
Table 1 - Mapping HIPAA to ISO 27002 Security Controls


Posted on Thu, Apr 01, 2010 @ 08:30 AM
Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.
In my last article I detailed a discussion I had with my parents about using an Ubuntu Live USB Drive to do their banking. I realized that it may be helpful to show the steps involved in creating one. It doesn't take long at all. So as a follow up to my previous article "Banking With Live CDs", here's "How to Create a USB Live Drive for Banking"
A few notes before we get started. Older computers won't allow you to boot from a USB drive, so you will have to use the CD method instead. For the Live CD visit http://www.ubuntu.com, download, burn and enjoy. Something else I've noticed is that older Dell computers may have issues with networking. There are fixes available, but they are beyond the scope of this article.
UNetbootin is the program that makes creating a USB Live Drive quick and simple. It allows you to create a USB key from which you can boot your computer with Ubuntu. To get started, point your browser to: http://unetbootin.sourceforge.net

This program allows for a lot of nice customizations, but we're going for a straight setup. Since I'm on my Windows computer (and I assume you are as well), download the Windows Version.

Insert an empty USB key into your computer and note the Drive letter Windows assigns it. Launch UNetbootin once it has finished downloading. In the left-hand dropdown, scroll to the bottom and select Ubuntu. The right-hand dropdown should automatically pick the latest version. At the bottom, select the drive letter of the USB drive. This will allow the tool to automatically download Ubuntu and install it to the selected USB drive.
Click OK. The tool will then start the process.
Depending on your internet connection speed it may take a while. For instance, my download took 20 minutes on a good sized cable modem.
Ok, the USB drive is ready. You should choose "Reboot Now" if you'd like to test your USB Live Drive.
Most computers have a method of selecting the medium to boot from. My Thinkpad uses F12. Holding the F12 key while booting brings up a menu.
Select the USB Drive you just created.
A few seconds later you will see the boot screen. Select Default and hit Enter.
In a few moments you will see the Ubuntu desktop. You can see that it immediately saw our wireless network and asked me if I would like to connect.
Since all the files live on the USB disk, nothing you do on it touches the Windows installation. Unless you set aside persistent storage when creating the stick, configuration changes are not saved either: the stick boots clean every time, which for a banking drive is the point, since nothing picked up in one session survives to the next.
You can now safely visit your bank online using the Firefox icon on the top menu bar without fear of the current generation of malware that targets Windows computers. It does not protect you from a phishing page or a mistyped bank address, so still check the site's address and certificate before you log in.
(ONE NOTE OF CAUTION: After using the USB loaded with Ubuntu, be sure to check your computer's clock after restarting in Windows. Ubuntu treats the hardware clock as UTC while Windows expects it to hold local time, so the time can be off by your timezone offset after you switch back. It's an easy "fix" in the Accessories.)