where do we go from here? -...

“Common Sense Security for Common Businesses”

A Free Publication on Information Security from Security Horizon, Inc.

Volume 9 - Fall 2004 Edition

Where do we go from here?

Seco

nd

An

niversary E

ditio

n

Making good choices for the future...

Security Horizon, Inc. was founded in 2000and is headquartered in Colorado Springs,Colorado. As a company, we believe that

sound security services are based oneducation, experience, standards, ethics

and unquestionable integrity.

All content used by permission orCopyright 2000-2004,Security Horizon, Inc.

5350 Tomah DriveSuite 3500

Colorado Springs, CO80918

http://www.securityhorizon.com

Editor in Chief: Russ RogersLayout Editor: Michele Fincher

For more information on SecurityHorizon, please visit our web site or

email us at: [email protected].

Table of Contents:

Notes from the EditorBy Russ Rogers..............................p.3

NSA IAM Course Schedule...........................................................p.4GSS Security Education ProjectBy Greg Miles..................................p.6

Biometrics and the Advancementof ComputingBy Clovis Najm..............................p.15

The Security Journal is alwayslooking for quality writers for this

publication. If you’re interested insubmitting an article for an upcoming

edition of The Security Journal,please contact Russ Rogers at

[email protected].

Airjack and WEPlab:Should You Believe the Hype?By Chris Hurley................................p.9

Network Behavior AnomalyDetectionBy Brendan Hannigan...................p.19

NSA IEM Course Schedule.......................................................p.13

Page 1

Windows XP Embedded SecurityBy Travis L. Schack......................p.23

Interested in advertising in TheSecurity Journal? Contact us at

[email protected]

Special thanks go out to Ping Look fromLook Designs for the creation of the newSecurity Horizon logo and the new cover

masthead images for The Security Journal.

For more information on Look Designs:www.republicofping.com

[email protected]

Don’t Believe Everything YouHear: A CommentaryBy Joe Grand................................p.30

Defense in DepthBy Ed Fuller...................................p.33

Book ReviewBy Brian Martin..............................p.37

What is FISMA?By Matthew Hoagberg..................p.39

Upcoming Black Hat®

Events

Upcoming Black Hat®

Events

Black Hat Singapore 2004Training: October 11-12

Black Hat Japan 2004Briefings: October 14-15

Black Hat Europe 2005Briefings & Training:

March 29-April 1

Black Hat USA 2005 Briefings & Training:

July 25-28

For more information, please go to

www.blackhat.com

Have you ever noticed how people just seemto get very comfortable in their existence? Mydad used to warn me ‘not to get stuck in a rut’.To him it meant that I needed to try a lot ofdifferent things and find one that I reallyenjoyed doing so that when I went off tocollege, I’d be a success. Honestly, at thetime, I never really understood what he meantor how particularly far reaching that statementwas. That one statement actually touches onfacets of my world that I would have neverconsidered before. Today, I look across thespan of humanity and it’s fairly easy to seehow we’ve fallen into a day-to-day haze,where only the thought of a tropical vacationseems to break us from the norm.

Well, folks, the same thing is happening in lawenforcement and information security.Consider the forensics and incident responsemethodologies used within law enforcement.How much have they really changed over thelast five years? In contrast, how much hastechnology changed in that same five yeartime span? If an individual is not in anindustry that requires constant update andevolution, then their minds lose their edge.

The key here is that the folks that want intoyour system love research and development.They genuinely enjoy the puzzle associatedwith breaking things or making them performactions that were never originally intended.This, in turn, leads to the evolution oftechnologies that are more mature and robustat breaking into systems than those products

Notes From the Editor

Russ RogersCISSP, CISMEditor in Chief

intended to protect our systems.

Now, don’t get me wrong. There are somegreat products starting to come out on themarketplace, but to some degree ourchallenge comes when we try to think outsidethe box. Most of the technological advancesof today are simply extensions of previoustechnologies. For instance, we progressedfrom technologies that allow us to sniffnetwork traffic and see everything on the lineto the creation of technologies that sniff for usand tell us when something unusual occurs;these are called Intrusion Detection Systems,or IDS. From here we’ve added thecapabilities of earlier firewall products toblock that network traffic when we decide wedon’t like it. The point I’m trying to make isthat our defensive mindset is based on a pathfrom our previous technologies. That’s nottruly thinking outside the box, it’s a derivativemindset.

But Hackers, both good and bad, do not thinkalong those same lines and that’s where we,as security professionals, get ourselves intohot water. We’re fighting a war that pits ourintellectual content against someone else’s.We have rules, both legal and ethical, thatcontrol our actions. They do not. And they’rein a constant state of technological innovation,whereas many modern information securityproduct and application companies are ‘in itfor the money’. That’s not intended to be aderisive statement, it’s simply the truth.

So, if we have this problem, what’s thesolution? The solution is growth. The solutionis to step past all the things we’ve done in thepast without ignoring the lessons we’velearned along the way. We need to adopt themindset of the traditional hacker, whereexperimentation, speculation, hypothesis, andtesting are a way of life. There are securityissues coming down the pipe that will require

Notes From the Editor, cont.us to think harder and more creatively aboutthe solutions we implement.

This is the first issue of our third year inelectronic publication and our readership hasgrown beyond anything I would have everimagined when I did the layout for the original.I’ve asked some very smart people toparticipate in this issue of the Security Journalbecause I wanted to make a point that we, asa community, both professionals andlaypeople, need to accept what we’ve done inthe past as good, but not necessarily marryourselves to those ideas as the only means toour end. Think creatively. Consider thepossibilities. What potential does the futurehold for our technologies? Think like youradversary. Don’t be morally offended thatsomeone else is trying to understand whatcould be. It doesn’t make them a bad person,nor would it make you a bad person. It’s thatparticular mindset that consistently breaksnew ground. Think of it as yoga for your mind.

Peace,Russ Rogers

Page 4

By: Greg MilesBy: Ed FullerContinued

The IAM is a two-day course forexperienced Information Systems Securityanalysts who conduct, or are interested in

conducting INFOSEC assessments ofU.S. Government information systems.The course teaches NSA’s INFOSEC

assessment process, a high-level, non-intrusive process for identifying andcorrecting security weaknesses ininformation systems and networks.

10/25-10/26, 2004 Atlanta, GA

11/2-11/3, 2004 Dallas, TX11/15-11/16, 2004 Hanover, MD

12/6-12/7, 2004 New York, NYInfoSecurity

12/14-12/15, 2004 Colorado Springs

1/24-1/25, 2005 Honolulu, HI

2/15-2/16, 2005 San Diego, CA

Training so good we teachthe competition!

FREE 1 Year license to the SAINTVulnerability Scanner just for attending

any of our courses!

To register for one of these courses orto get further information, please

contact us at:

(719) [email protected]


One device that unifies business processes and enables complete systems integration.

One device that securely accesses all networks and doors, including VPNs and the Internet.

One device that eliminates the need to remember multiple passwords and access codes.

One device that operates remotely, through computers, PDAs and cell phones.

One device that can’t be stolen.

One device that can only be used by you.

One solution, less risk.

The Power is Yours.

CryptoLex is actively recruiting four strategic

partners for a unique program to begin

November 1, 2004. Be the first on your block

to unify physical and virtual security with the

only authentication device worthy of the task.

All participating organizations will become part

of our Security Innovation showcase at the

Wireless Mobio official launch in Q1 2005.

Contact

Clovis Najm – VP Sales and Marketing

Mobile: 613.293.7311

Phone: 301.862.5312

Fax: 301.862.5315

www.cryptolex.com

44425 Airport Road - Suite 110

California, Maryland 20619 USA

(Empower your organizationwith CryptoLex Mobio®.

Mobio is the Power of One™—one ultimate solution to improve business processes,

productivity, and information flow by empowering individuals and organizations with

secure communication and transaction capabilities. With Mobio, passwords, smart cards

and ID tokens are rendered obsolete. Mobio unifies disparate networks, systems and

security devices into one complete portable biometric authentication solution.

However, there is not a well defined path forgetting future (and even current) securityprofessionals the types of curriculum that willbenefit them most from career perspective.There is a trend starting toward certificates,bachelor degree programs, and master’sdegree programs in computer security. Someare well structured, while others are just anover glorified hacking class.

The purpose of the GSS Security EducationProject is two fold: 1) Present ideas andconcepts related information securityeducation, and 2) Stimulate discussionaround what should we be teaching “up andcoming” security professionals and at whatpoint in their education. This project is aneffort designed to address the securityeducation needs of the security community. Itis not focused on making a security person anexpert in every aspect of security, but ongiving individuals with the desire to become asecurity professional a baseline of knowledgenecessary to be successful in not only what istaught, but the ability to pursue additionalknowledge either through self research oradditional training and educations. Theprimary idea behind the Security EducationProject is to create an open sourcerecommended curriculum that can beadopted by colleges and universities as a

GSS Security Education Project By: Greg Miles

The security profession hasevolved over the last twodecades. The technology

available at our fingertips today isscary by comparison even from

just five years ago. Manycolleges have seen a moneymaking opportunity in creatingsecurity related certificate or

degree programs.

as a basis for establishing their securityeducation programs. As a side affect of thiseffort, the GSS hopes to also incorporate abasic security education program for highschool aged individuals interested incomputers, networking, and computersecurity.

As a security professional and an instructorwithin a security degree program, I see aserious disconnect between what collegesand universities are teaching in theirprograms and what some believe is neededin the way of understanding the underlyingconcepts of security in a business oroperational environment. Although I stronglyagree the best experience is hands-onexperience, I do believe that universityprograms can be better structured to preparestudents with the basic skills to prepare towork as a security professional. From myexperience I have noticed that securityprofessionals have grown mostly from theirjob experience, not from formal education.Most security professionals have hadtechnical jobs, technical degrees, orgovernment security experience. The basis offormal credentials for the security professionalhave primarily been based on certifications(CISSP, Security +, CISA, etc.).

GSS Security Education Project, cont. By: Greg Miles

Goals: This project is meant to providesecurity professionals with an opportunity toprovide their professional input into theevolution of a best practice in securityeducation.

Results: The end result will be an opensource curriculum that will be available for anyinstructor, college or university to review whenimplementing their security programs.Results of the discussions will be posted onthe Global Security Syndicate website.(www.gssyndicate.org)

What is Needed: Volunteers to participatein the discussions and provide input into thebest security topics, teaching strategies, andbest practices that need to be made availableas recommendations for this curriculum.

Greg Miles, Ph.D. CISSP, CISM is a co-founder of both Security Horizon and theGlobal Security Syndicate.

Page 7

About the GSS: The Global SecuritySyndicate (GSS) is a global, not for profit,organization of security professionals andcompanies (products and services)dedicated to advancing Information Securitypractices for all levels of business andgovernment agencies by:

• Knowledge sharing throughcollaborative effort of local communityand industry research projects

• Increasing global security awarenessand education

• Developing secure strategies andstandards to enhance the securitylifecycle of security programs andproducts

For more information, contact Greg Miles [email protected], www.gssyndicate.org

Why do you think they call it a Master’s degree?

Any Master’s degree puts you in an elite group. But a Master’s from the University of Advancing Technology puts youin a powerful group.

Regardless of your college major, the single best move to make you more valuable is to gain proven understanding andexpertise in technology.

The Master’s of Science in Technology from UAT will greatly increase your recognition and prepare you for a higher level of leadership. You can customize your program to match your career goals. And, you can finish your Master’s in a year and a half – online or on-campus in Tempe.

Master majors such as:• Artificial Life• Networking/Security/MIS• Human Computer Interaction

…or customize your own

Learn more.2625 W. Baseline Rd. > Tempe, AZ 85283Phone 800.658.5744 > Fax 602.383.8222

www.uat .edu/masters

Airjack and WEPlab: Should You Believe the Hype? By: Chris Hurley

Page 9

WEP is flawed...

BackgroundA few days ago I was involved in aconversation on the NetStumbler forumsabout cracking Wired Equivalent Privacy(WEP) keys on 802.11x networks. I havealways maintained that even though WEP isflawed, it is strong enough for the home userbut should never be used on a commercial orgovernment WLAN. The authors of a two newWEP cracking tools disagreed with mystatements citing relatively newmethodologies for cracking WEP keys.

weakness, the most popular beingWEPCrack and AirSnort. The greatest hurdlean attacker had to cracking the WEP key wasthe amount of traffic that had to be captured inorder for a WEP key to be cracked.WEPCrack (and AirSnort) required about2000 weak initialization vectors to crack thekey. Because not every initialization vector isweak, this could take weeks or months tocollect depending on the network load.

A New WayThe initial release of WEP cracking tools didnot fully realize the potential for cracking WEPkeys, in part because all of the potential weakinitialization vectors were not taken intoaccount. Dwepcrack by h1kari optimized theattack even further, bringing WEP crackingcloser to a realistic attack method. In thesummer of 2004, Korek further expanded thiswith a new statistical attack designed toquickly crack WEP keys and brought it to lighton the NetStumbler forums. This attack,called chopping, involves taking a WEPpacket and chopping off the last byte. TheCRC/ICV is broken so if the last byte is 0, thelast four bites should be xored with a certainvalue. The CRC will become valid again.Retransmit the packet. If it does not getthrough then if the last byte is 1. This methodhas been implemented by two relatively newWEP cracking tools, airjack (by Devine) andweplab (by Topo [LB]).

New ToolsIn order to test the effectiveness of these toolsI set a WEP key on my home access point(Linksys WRV54G) that was generated with astrong passphrase. Both tools claim that thekey can be cracked with somewhere around

WEP is FlawedScott Fluhrer, Itsik Mantin, and Adi Shamirinitially detailed the flaws in WEP in theirpaper Weaknesses of the Key SchedulingAlgorithm of RC4(downloads.securityfocus.com/library/rc4_ksaproc.pdf). They discovered thatbecause WEP uses a fixed secret key, weakinitialization vectors are sometimes generatedto encrypt WEP packets. After enough weakinitialization vectors have been captured, thesecret key can be cracked. Several toolswere released that took advantage of this

Airjack and WEPlab, cont.

500,000 unique initialization vectors. Thisequates to somewhere in the neighborhood of1.5 million packets.

As I started gathering packets (usingairodump, which is included with aircrack) Iquickly realized that one problem remained.Getting enough packets. Under normal use(which for me is significantly more than the‘average’ user) it would have taken me aweek or more to gather 500,000 uniqueinitialization vectors. I decided to start addingsome traffic to my network. I establishedseveral outbound connections (irc, instantmessenger, mail, etc) and starteddownloading large files (Linux iso’s frommultiple sites). This activity allowed me toquickly increase the amount of time to get500,000 initialization vectors. In the end, ittook about 10 hours to gather enough traffic totry the attacks. An attacker utilizing a replayattack could simulate this type of activity. In a

Page 10

By: Chris Hurley

replay attack an attacker captures anAddressResolution Protocol (ARP) packetand repeatedly sends it back to the router/access point. This will generate additionaltraffic and can be used to speed up collection.

After my 10 hours it was time to put the toolsto the test. First I tried aircrack. Usage ofaircrack is pretty simple. The command lineargument to run it against my capture file(wlancap.pcap) was simply

aircrack ./wlancap.pcap

This command attempts to crack the key ofthe first encrypted network in the capture file(which happened to be mine). It is alsopossible to specify the BSSID of a specificnetwork with the –b flag.

I expected that it would be able crack the keyeventually. I did not expect it to crack the keyin 6 seconds!

Airjack and WEPlab, cont. By: Chris Hurley

Next, I moved to weplab. I initially tried withthe same capture file that I had used withaircrack. The command line arguments arenot as intuitive with weplab:

weplab -r ./wlancap.pcap -s 3 —perc 100 —key 128 —fcs —debug 1 ./wlancap.pcap

It was unable to crack the WEP key. Weplabcame very close, capturing 10 of the 13 KeyBytes almost immediately. But as minutesdragged into hours I decided to capture more

packets and try again.

I tried periodically with the same results, the11th Key Byte was not being crackedsuccessfully. I changed the command lineoptions (particularly the fudge factor andprobability) but this didn’t help. In fact, withsome of the options weplab returned withoutcracking the key and instructed me to getmore packets. After capturing over 888,000unique initialization vectors, I gave up.


All told I generated and captured traffic for over 24 hours. It should be noted that weplab isacknowledged by the author to be in beta at this time, and cracking WEP keys isn’t an exactscience to begin with, so it may have been possible to get the key by continuing to change thecommand line options.


ConclusionsSomeone made the statement that these newtools had taken the theoretical and made itpractical. I think to a large degree that is afair statement. However, these tools continueto suffer from the problem of gatheringenough packets to crack the key. Sincereplay attacks can be used by an attacker togenerate traffic, it is now possible to crackWEP keys in a relatively short period of time.

If possible, you should use WiFi ProtectedAccess (WPA) on your WLAN. Home userswill still find better protection using WEP as adeterrent, but corporate or governmentnetworks should not even consider usingWEP on their wireless networks, but that hasalways been the case.

Chris Hurley is a Senior INFOSEC Engineerwith Assured Decisions, LLC in Columbia,MD and is the author of “WarDriving: Drive,Detect, Defend” from Syngress Publishing.His experience ranges from SecurityEngineering and Architecture to vulnerabilityassessments and penetration testing on bothwired and wireless networks. In addition torunning the WorldWide WarDrive heorganizes the annual DefCon WarDrivingcontest.

Did you know the IEM isCVE® compatible?

The INFOSEC Evaluation Methodology(IEM) is a hands-on methodology forconducting evaluations of customernetworks utilizing common technical

evaluation tools. Students can expect tolearn an easily repeatable methodology that

provides each customer a roadmap foraddressing their security concerns and

increasing their security posture.

10/27-10/28, 2004 Atlanta, GA

11/4-11/5, 2004 Dallas, TX11/15-11/16, 2004 Colorado Springs11/18-11/19, 2004 Hanover, MD

12/6-12/7, 2004 New York, NYInfoSecurity

12/16-12/17, 2004 Colorado Springs

1/6 - 1/7, 2005 Sierra Vista, AZ

To register for one of these courses or to getfurther information, please contact us at:

(719) [email protected]


www.hackwire.com

Your source for hacker news

from the underground

Windows

LInux

Macintosh

Gaming

Cryptography

Security

...and more...

Biometrics and the Advancement of Computing By: Clovis Najm

biometrics but are hard-pressed to seepractical applications. Why would the averageperson need a Star Wars-like device todigitally transmit fingerprints, retinal or facialscans to gain access to top security buildingsand computers? Recently, biometrics hasbeen thrust into the mainstream via TV showsand movies like Minority Report and I, Robot.Even though, the general public may not beaware the concept of and practical use forbiometrics has been ongoing for decades.Most recently a number of innovativecompanies have turned their attention toenabling and installing biometrics foreveryday use. In a world overrun with identitytheft, fraud and security breaches, biometricsmay be the silver bullet everyone has beenwaiting for. But adoption of this technology isslow. This could be partially due totechnological limitations, fear of change,perceived cost and implementationchallenges, however, the lag of adoption canbe overcome with awareness and educationaround the elements of biometricauthentication and the processes involved.

Page 15

Proof of identity (authentication) is part of oureveryday lives and its necessity is growing ata rapid rate. Think of all the cards in yourwallet and what each is used for. Think of allthe networks those cards access to allow youto get on with the business of living. You needa passport to board a plane. You need adriver’s license to legally operate your vehicle.You need an access card to get into your

your office. You need your bank card to getcash from an ATM while your credit cardallows you to make purchases online or overthe phone. Most of these authentication“devices” require passwords, access codesand PINs. We are required to remembermultiple passwords especially for banking,telephone and Internet transactions. As asociety we are now required to operate as a“system” and we must interact with othersystem to get our business done. Interactionbetween systems requires some form ofauthentication. Unfortunately, present-dayauthentication techniques are riddled withweaknesses and limitations. Mostauthentication devices are “transferable”,which means they can be lost or stolen orhacked or misused. Some might argue thatweak authentication is the root cause of the$5 billion identity theft problem in the UnitedStates.

Biometrics has the capability to address andovercome the weaknesses inherent in otherforms of authentication. Traditionally, we utilizebiometrics everyday in the form of face-to-face contact, eye witness testimony, DNAscreening, and signing documents and creditcard receipts. Biometrics is our mostimportant and powerful form of authenticationbecause it is based on building a trust chainbetween individuals and organizations.Biometrics is the most definitive proof ofidentity in a court of law. Traditional biometricprocesses work extremely well and areheavily relied upon by society as biometricinformation is “non-transferable” – yourphysical person can’t be stolen. Your proof ofidentity is absolute. This is a requirement forproductive, safe and reasonable humaninteraction. So, what happens when there isno face-to-face contact? No photo IDs withsignatures to verify? How do you prove youare who you say you are? How do you safelyand securely interact, transact and

Most people understand the concept of

Biometrics, cont. By: Clovis Najm

authenticate in the world of computing?

Biometrics has been an underutilized humancomponent for computing and onlinetransactions due to one large hurdle - theInternet. Biometrics and the Internet have notyet been connected. The Internet is thelargest network in the world; however, Internettechnologies are being used to connectmultiple sites and systems. We can, therefore,define Internet technologies as sharednetworking – enabling systems while notbeing directly connected via cable to a centralhost. Buildings are being wired with Ethernetand TCP stacks, appliances aremanufactured with IP addresses, andwireless technologies linking everyoneto a network including the Internet.Business depends on the Internet tooperate internally and interactexternally.

Expansion is fueled by decreasedcost, increased speed ofcommunication, and more efficientinformation sharing. The cost issubstantially lower for sharedcomputing because bandwidth isspread between different applicationsensuring optimal use. The Internet enablescommunications and information sharing totouch every corner of the globe. Essentially,the Internet is becoming a faster moreefficient virtual replica of our daily lives.Internet technologies are now able to connectsystems and employees to organizations fromremote locations. Human interaction fortransactions and general business are nowconducted online.

Zeros and ones are presently used toauthenticate these interconnected systemsand their users. This authentication protocolcan easily be falsified, copied and transferredat high speed – creating an enormous

security problem. The Internet and itstechnologies are designed for sharing –naturally open for anyone to copy – whichcreates havoc for authentication systems notdesigned for unsecured dispersed networks.New systematic identity theft schemes arepossible because everything is connectedand most network endpoints are typicallyprotected by a simple password. Passwordsare universally regarded to be the weakestform of authentication. In such a high riskenvironment, wouldn’t strong biometricauthentication be a logical solution?

Currently the answer is a resounding,no. Layer upon layer of complexitiesexist in the biometric arena that make

make implementation virtuallyimpossible. Strong authentication inthe physical world requires physicalinteraction to initiate. Biometricsare different – the challengebecomes how to effectively enablesecure personal and digitalidentification through a network.

People carry their biometric data withthem. Therefore, scanning devices

require one of two criteria: 1. The individualmust have visited the scanner before. 2.Biometric scanners must be networked. Thefirst situation is problematic given the manypotential entry points into a network. Thesecond, however, is very possible givenshared network environments like the Internet.The practical side of such a deployment,however, is challenging given the size ofvarious biometric scans and the various non-standardized scanning technologies unable tomatch nonproprietary scans. Given ourcomputing industry has difficulty standardizingdatabase fields; it is difficult to imagine thesebiometric scanners ever being able to sharetemplates. Or is it?

The solution could be based on a hybridtechnology of biometrics and cryptography.When biometrics are used to authenticate toa system, the interaction between human andsystem begins to replicate that of the physicalworld, with enhanced benefits. Personalbiometric data could be loaded on a trustedthird party server and cryptography could beused to securely match the templates.Cryptography would protect the biometricdata in transit enabling two parties to becomeknown from any two networked computers.Finger, facial and retinal scans could all bematched centrally, which would providebiometric confirmation between a person anda system for the purpose of informationsharing, communications, and Internettransactions. The process would legallyreplicate the physical world providingirrefutable biometric proof of fingerprints,retinas, or even capillaries that are just aspowerful as an eye witness or personalsignature. Unlike many physical interactionsor transactions between two people,biometrics can be confirmed by a trusted thirdparty for every authentication attempt. Thisadditional layer of security does not presentlyexist anywhere in the traditional world ofsecurity and authentication.

User concerns arise, however, whenindividuals are asked to believe a “trustedthird party server” is protecting their biometricdata properly and the data is being sharedsecurely. Every time a person’s biometricdata is scanned, individuals feel theirbiometric data is being taken from them,which evokes reluctance and limited useracceptance. From an organizationalstandpoint, businesses are accepting liabilityfor becoming a biometric extension of itsemployees. This is a tall order for anyorganization. In addition, biometric scannersmust be loaded on all network endpoints. Animpossible feat at best.

Biometrics, cont. By: Clovis Najm

Clovis Najm is Vice President of Sales atCryptolex, Inc.

www.cryptolex.com

But what if it was possible? What advantageswould this provide to our world? We couldstop worrying about losing our wallets orhaving our credit cards stolen. Getting apassport replaced in a foreign country wouldbe possible through a vending machineconnected to the Internet. If we met someoneonline, we could quickly trust they are whothey say they are. Business relationshipswould develop at lighting speed as noreference checks would be required. Internetfraud would disappear. Identity theft would bea thing of the past. Access to secure areasand equipment would only be provided toproperly authenticated individuals and not toimposters using someone else’s ID card,smart card or password. Biometrics andcryptography hold the key to expandinghuman interaction in the world of computing.Networks and computers could be utilized inways we only previously dreamed of.

In a world overrun withidentity theft, fraudand security breaches,biometrics may be thesilver bullet everyonehas been waiting for.

Infosecurity deliversinformation, education, and networking for a higher level of security.

Protecting your business and its information assets requiresconfidentiality,availability, integrity and risk mitigation. As the securityprofessional, you areconstantly challengedto demonstrate yoursecurity plan’s effectiveness as the threats and dangers to yourenterprise become larger and more complex.

Knowledge sharing,community building.

Interact with many of thethought leaders in the securityindustry. Debate the issues and latest trends. Discover how to better manage the security strategythat’s right for your organization.

All New conference content.(ISC)2 has partnered with

Infosecurity to bring continuingprofessional education throughthe Security LeadershipConference Series, the gold

standard in informationsecurity education.This year’s seven-trackprogram also includessessions developed byGovernment Security News, LexisNexis Mealey

Conferences, NYMISSA and the Larstan’s Black Book onCorporate Security.

Proactively identify, assessand eliminate vulnerabilities.

In an industry that is constantlyevolving, this is where you find the tools and technology to keep your information secure. More than 100 top suppliers come toInfosecurity to present the newesthardware, software and services thathelp you assess and manage risk.

Register today!Infosecurity 2004 is the only

event that brings together anindependent,knowledge-basedconference, a robustexhibition hall, andhigh-level networkingopportunities all underone roof – in New York

City. Come discover, learn anddiscuss ways to reduce risk andprotect your organization’sinformation assets.

For early-bird conferencediscounts and free exhibition admission, register online atwww.infosecurityevent.com. Questions? Call (800) 417-8646, or (203) 840-5690. To Exhibit, pleasecall (203) 840-5387.

Protect yourassets.

December 7-9, 2004 Jacob K. Javits Convention Center, NY.www.infosecurityevent.com

PremierEducation Partner:

Produced andManaged by:

AnnualConference:

Annual ChapterConference:

Official MediaSponsors:

MediaSupporter:

GlobalSponsor:

Gold Sponsor:

Silver Sponsors:

Premier MediaSponsors:

(ISC)2®

New York Metro

Global MediaSponsor:

InfoSecurity_Ad_8.125x10.875_2 8/18/04 9:01 PM Page 1

Network Behavior Anomaly Detection By: Brendan Hannigan

Page 19

Stopping Zero-Day Attacks, Combating EvolvingSecurity Threats and Addressing Internal Security

As the security industry moves from passivereaction to proactively stopping threats, newtechnologies provide both opportunity andconfusion. Enterprises must deal with anincreasing influx of new attacks that slip byperimeter defenses. Although securityarchitectures are built in layers to provide a“defense in depth” approach, zero-dayattacks and internal security breaches havebecome the most challenging threat. There will always be new security threats. While layered security can mitigate risk fromgeneral nuisances, real protection dependson identifying and reacting to any new threatthe instant it hits your network. This article willlook at Network Behavior Anomaly Detection,a technology recognized by many securityexperts as the key to combating the plethoraof threats that security managers face daily.We’ll evaluate the technology’s ability toprovide enterprise-wide security that extendsbeyond the perimeter and stops subtleblended threats in their tracks.

What Is NBAD? Why Do I Need It?Continued innovation has created many waysto protect against known threats. We evaluateevery new attack that hits, spending valuabletime analyzing and creating defenses thatprotect against major worms, viruses,commonly-known hacking vulnerabilities andother threats. Yet a malicious attacker canchange only a few lines of code and the sameworm, virus or Trojan will slip right by thereactive signature or patches developed tostop the original. Hackers creatively find newways to breach traditional signature-basedsecurity defenses. Ongoing changes andupgrades in network infrastructures, Webservices and new software continue to create

vulnerabilities and opportunities forexploitation.

Simply detecting an attack isn’t enough.Network and security administrators reallyneed a means to enforce network behavior sobusiness can move forward. They need toidentify potentially malicious activity andcontain or resolve it before it can causedamage. NBAD profiles network behavioracross the extended enterprise, flagsanomalies, isolates the source of the issue orattack, and identifies corrective measures toresolve or mitigate the threat. The net gaincomes from faster reaction to breakingthreats and shortened time to resolution. Thattranslates into increased uptime andefficiency combined with decreasedoperational costs and losses.

Network Behavior Anomaly Detection:Surveillance, Analysis & ControlNetwork Behavior Anomaly Detection (NBAD)technologies model traffic flows, transactionsand network activity and analyzes them tolearn what normal behavior looks like,including run-rate activity spikes. It detectsaberrations—changes in traffic levels,communication patterns or other anomaliesthat serve as an early warning system for

attack or internal misuse of the network.Pinpointing suspicious behavior, NBADisolates the source of the anomaly andrecommends resolution before damage canbe caused. Successful NBAD requires a three-tieredapproach of surveillance, analysis and control.Surveillance recognizes malicious activity,catching even the most insidious low-and-slow probes of network defenses withoutsounding false alarms based on every trafficspike. While firewalls and other appliancesprovide a limited view at a single point in thenetwork, NBAD surveillance looks across anentire network to ensure that threat analysisand detection is performed enterprise-wide.

Behavioral analysis is the key tounderstanding and applying what is learnedfrom network surveillance. NBAD technologytaps both real-time and historical views ofnetwork activity to model the behavior ofusers, applications, servers and networkresources. The latest NBAD technologiesinclude a classification engine that profilesnetwork behavior to identify fluctuations inbehavior. It raises an alarm when it perceivespotential threats based on deviations fromthis baseline. NBAD does not rely upon asignature to identify a malicious internal user,or an evolving worm. It understands thedynamic complexities of modern networks,recognizing normal and acceptablebehavioral changes as safe. Behavioralanalysis identifies everything from theanomalous behavior caused by a new attackor hacking attempt, to internal threats such asinsider scans and stealthy attacks. NBADeven recognizes policy violations amongnetwork users who use P2P file sharing andinstant messaging, as well as any type ofnetwork misuse.

The third element, control, empowers security

Page 20

Network, cont. By: Brendan Hannigan

and network professionals to enforce networkbehavior. Simply identifying an anomaly is notenough; NBAD also identifies correctivemeasures. New attacks and security threatswill continue to hit every network withincreasing sophistication—and far greaterdanger. The control element prioritizes theseverity of threats so administrators canaddress the most critical issues first. Armedwith real-time surveillance and analysis,NBAD systems can either flag abnormalactivity and give precise steps for hands-onremediation by network and securityadministrators, or provide automatedresolution. It can address different types ofactivities in different ways, and is flexibleenough to enforce network behavior based onunique customer use. After all, some parts ofthe network are more critical than others, anddifferent types of threats require differentapproaches to resolution. Advances in NBADtechnology put remediation options in theuser’s hands.

Where Does NBAD Fit In My SecurityStrategy?In a crowded security market, every vendorhypes a different technology as the mostcritical element of a layered security defense.So where does Network Behavior AnomalyDetection fit in your security strategy andnetwork architecture?

NBAD incorporates security event feeds andnetwork traffic flows from your existinginfrastructure to ensure that the enterpriseinfrastructure is fully leveraged. But the mostdirect value NBAD provides, and the primaryreason people choose NBAD systems, is toaddress the critical flaws left by traditionalsignature-based technologies—addressinginternal security concerns, and stoppingsubtle blended threats and zero-day attacks.


The bulk of ongoing security expenses, andthe biggest nightmare for security andnetwork managers, is identifying, reacting to,and cleaning up damage from the “next bigattack.” No other technology matches NBAD’sability to defend against new attacks that areas unpredictable as they are inevitable.NBAD serves as the first responder productfor identification, understanding, control andremediation for any new attack.


Brendan Hannigan is Executive VicePresident of Marketing and Product

Engineering at Q1 Labs Inc.

www.q1labs.com

Top 10 Benefits of Network Behavior Anomaly Detection

1. Stops external threats—NBAD provides the first (and often only) defense against theproliferation of zero-day, blended and internal threats, without the time delays or alarmoverload of signature-based systems. This means identifying and locating worms, Trojans,denial of service, spam, viruses and blended/hybrid threats quickly and providing automatedresolution.

2. Enforces internal policies—Exposes and locates internal threats so you can stop themquickly and eliminate future problems, whether from violation of internal policies or intentionalmisuse. Such misuse wastes resources and exposes enterprises to unnecessary legal andsecurity risk.

3. Ensures regulatory compliance—Provides monitoring, detection, alerts and audit trails tocomply with new regulations and compliance issues that demand IT participation.

4. Avoids legal risks and liabilities—Provides the processes and information to protect yourorganization against risks and liabilities such as lawsuits from illegal file sharing ofcopyrighted material, lawsuits from accidental disclosure of confidential information, andpenalties for non-compliance with regulations.

5. Improves operational efficiency— Identifies problems quickly, isolating the source ofnetwork bandwidth issues or security threats to speed resolution without additional staff.

6. Provides an enterprise-wide security system—Holistic enterprise-wide view of securitygoes beyond segment-based, perimeter-focused point products.

7. Secures the “perimeter-free” network—Protects open, distributed networks frompotential threats for the most advanced defense of infrastructures that can’t rely uponperimeter security solutions.

8. Eliminates breaches from mis-configured systems—Identifies network mis-configurations quickly and effectively, isolating the source to close vulnerabilities andconduits for hackers.

9. Provides live window of network activity—Gives network and security administrators aninstant real-time view into network behavior, along with access to terabytes of data. Itidentifies issues in real-time and archives a complete audit log of activity without costlyadditional storage requirements.

10.Combines network and security analysis—Integrating asset discovery, vulnerability dataand observed network profiling provides context-sensitive detection of known events.Pivoting between security and network data simplifies the process of finding, fixing andpreventing threats.

Windows XP Embedded Security, Pt 2 By: Travis L. Schack

This article is part two of an overview of important security issuesconcerning Windows XP embedded and the critical security

functionality it offers for embedded devices.

File System SecurityTo encrypt data on your embedded disk, you must be using NTFS. NTFS also allows you tocontrol access to directories and files. Some applications, especially legacy applications, onlysupport FAT32. To protect data from local unauthorized access, the following XPecomponents must be added.

Feature Required ComponentsEncryption File System (EFS) User Interface Core

NTFSPrimitive: Crypt32Local Security Authority Subsystem (LSASS)

NT File System (NTFS) Primitive: SfcWindows File Protection Primitive: Sfc

Primitive: SfcfilesPrimitive: Sfcos

Driver Rollback Add Hardware Control PanelPrimitive: Setupapi

System Restore System Restore CoreVolume Shadow Copy Service Volume Shadow Copy Service

File Sharing

Network SecurityWill your embedded device be accessible from the Internet? Does it need to transmitsensitive data over a network securely? Will your embedded device rely on IIS or any otherapplication that needs SSL support? XPe offers IPSec and SSL/TLS support. The followingtable shows the network security features and the components that must be added to supportthem.

Feature Required ComponentsIPSec IP Security ServicesSSL/TLS Local Security Authority Subsystem (LSASS)

Cryptographic Network ServicesPrimitive: Secur32Primitive: Crypt32Primitive: CryptdllPrimitive: Netapi21Netlogon/Netjoin

Secure RPC RPC Local SupportPrimitive: Secure32Primitive: AuthZSecure RPC over KerberosSecure RPC over NegotiateSecure RPC over NTLMSecure RPC over SSL

Page 23


WirelessWill your embedded device offer some type ofwireless service or utilize wireless to function?The only wireless security feature that issupported in XPe is WEP. Today, it is hard tocall WEP a security feature without smirking.A risk assessment must be performed todetermine if WEP will be a suitable securityfeature for your wireless device. The authorrecommends that you consult the wirelesssecurity section of your company securitypolicy.

Feature Required ComponentsWEP Primitive: Wzcsvc

Wireless Zero Configuration

Internet Connection SecurityWill your embedded device need protectionfrom the Internet or from a public accessiblenetwork? Need a secure method to remotelymanage your device? The followingcomponents can be used to assist in securingthe network connection of your embeddeddevice.

Feature Required ComponentsInternet Connection Firewall Internet Connection Sharing and FirewallS/MIME Mapi32 Libraries

Cryptographic Network ServicesPrimitive: Crypt32

WebDAV/WebFolders Web FoldersHTTPS Wininet Library

Local Security Authority Subsystem (LSASS)Primitive: Secur32Primitive: Crypt32Primitive: CryptdllPrimitive: Netapi32Netlogon/NetJoin

PPTP/L2TP Dial-up Networking Common Libraries


Security ManagementManaging and monitoring the security configuration of your device will depend on the locationof the device. Will you have to remotely maintain your device? Do you need command-linecapabilities for automated scripting of configuration management? How will you performregular audits on the security configuration? The following components will aid you in yoursecurity management tasks.

Feature Required ComponentsCertificate Management Certificate MMC Snap-In ToolSecurity Configuration, Windows Security Configuration Editor EngineAnalysis Windows Security Configuration Editor Client Engine

Security Accounts Manager ClientSecurity Accounts Manager ServerSecurity Settings EditorSecurity Configuration Engine Command-Line Utility

IP Security Management IP Security Tools and User InterfaceGroup Policy Management Group Policy Core Administration MMC Snap-InLocal Users and Groups Users Control PanelManagementCredential Management Credential Management User Interface

Key Manager

Configuration ManagementThe overall goal of configuration managementis to maintain control of systems orapplications throughout their life cycle,ensuring that all additions, deletions, orchanges occur in an identifiable andcontrolled environment, and that suchchanges do not adversely affect any desiredproperties or functions. It is recommended toutilize a configuration management databasefor you XPe image to track all components ofyour final image.

While this might sound like a daunting task, itis even more critical to track this informationfor XPe than it is for a full install of XP Pro.“Why is that?” you might be asking. Onereason is when a critical security patch isreleased for XP. You know that it will beapplicable to your XP Pro installation. Whatabout your XPe image? It is a“componentized” version of XP Pro. How doyou know if the components that are affectedby the patch are included in your image? The

most efficient way to know is by inquiring yourconfiguration management database to checkif the patch is applicable to your XPe image.

ImplementationBy now, you should have identified businessfunctionalities and security requirements foryour embedded system. This phase includesbuilding the XPe image, installing thecompleted image on the device,configuration, and testing. Application of asecurity-hardening checklist to both the OSand all applications are performed. Toconsistently and rapidly apply security settingsto XPe, it is recommended to make use ofsecurity templates.

Security templates are text-basedconfiguration files that contain system securitypolicy settings, service settings, and filepermissions. Templates can be deployedusing several methods. Through the console,you can locally apply the template using theSecurity Configuration and Analysis Microsoft


Management Console (MMC). If your deviceis part of a domain, you can distribute thetemplate using the Group Policy Editor. Youcan also use the secedit.exe tool with acustomized script to apply the securitytemplate.

Guidance to configure your template shouldcome from your security policy. If you do nothave a security policy, you can find guidancefrom one of the following: NIST, Center forInternet Security (CIS), National SecurityAgency (NSA) and SANS.

Once you have installed and securelyconfigured your XPe system, you shouldthoroughly test the system. All functions thatwere identified during the design phaseshould be thoroughly tested. Additionally, asecurity assessment should be performedagainst the system. The system should betested externally and internally. Externaltesting should be performed using at least twovulnerability scanners. The reason twoscanners should be used is that one scannercould identify a vulnerability or weakness thatthe other scanner missed. Example scannersare Nessus, Newt, Retina, Saint, ISS InternetScanner, and GFI LANguard SecurityScanner. Microsoft offers the MicrosoftBaseline Security Analyzer (MBSA) but itdoes not support XPe. Internal testing shouldbe conducted by comparing a baselinesecurity template with the current systemsettings using either the MMC or secedit.exe.

Defensive LayeringIn 2003, ATM’s running Windows XPe wereshut down by malicious activity from theWelchia and Blaster worms. These attacksdemonstrated the importance of defensivelayering of critical systems, keeping systemsup-to-date with patches, and the ability torespond to an attack. Host hardening hasproven to not be the panacea of security.

Firewall ProtectionAs mentioned earlier, XPe is bundled with astateful firewall called Internet ConnectionFirewall (ICF). In XPe Service Pack 1, ICF isdisabled by default. Enabling of ICF can bedone two ways: 1) During the initial startup,which offers protection during and after theboot process; 2) Manually after the bootprocess.

To setup option 1, you have to download theICFUtil.exe tool, create a custom componentwith it, and build the component into your XPeimage. Once this component has beenadded to your image, you can use severalscripting and programming languages toconfigure ICF through the ICF API’s.Microsoft published an article on this entireprocess on their website with the title “EnableInternet Connection Firewall in Windows XPEmbedded with Service Pack 1 Images”.

Page 26

ICF and <packet filter> were the only firewalloptions you had to protect your XPe system.On May 17, 2004, Sygate Technologiesannounced the release of the “first” securitysolution for XPe systems. Their SecurityAgent software provides intrusion detectionand prevention, a personal firewall, hostintegrity, and the ability to manage the agentcentrally.

Host hardeninghas proven to notbe the panacea of

security...


Anti-Virus ProtectionAt this time, XPe offers limited protectionfrom viruses and malicious code by using theEnhanced Write Filter (EWF). EWF providesa means for protecting a volume from writes.This allows the system to boot from read-onlymedia. There are two types of EWF: DiskOverlay and RAM Overlay. Disk overlayallows write data to be redirected to aseparate partition on the hard disk and canbe committed to the protected partition. RAMOverlay allows write data to be redirected tomemory. The data is lost once the system isshut down or rebooted.

The impact of a virus that infects a XPesystem with user credentials is minimal. Afterreboot, the virus would have been eliminatedfrom the system. If the virus were to infect thesystem with admin or system privileges, itwould be able to access the protected diskand cause damage. Anti-virus software wouldhave to be used for this protection. At thistime, there is not anti-virus software thatsupports XPe. Additionally, anti-virus vendorshave not disclosed which XPe componentsare needed to run their software on a XPesystem.

the XP OS. Companies are discovering thatit is critical to keep systems up-to-date onpatches to increase the survivability of theirmission critical systems. Microsoft offersseveral methods to deploy patches.

The first method uses the Device UpdateAgent (DUA). DUA is a service that runs onthe XPe system called Duagent.exe. Thisservice is scheduled to retrieve updates andconfiguration tasks, via HTTP (or HTTPS),from a remote or local system. To deploy anupdate, you first download the QFE updateand unpack it. You will find details of whichfile and registry settings are being updated inthe Additional Information section of the QFErelease notes. These file and registry settingsare used to create a Device Update Program(DUP) script and converted to a program.This converted script is placed on your updateserver with the updated binaries from theunpacked QFE. When the DUA contacts theserver, it recognizes that a new script is thereand downloads the updated binaries with theupdate script. Once downloaded, it executesthe commands in the command script toinstall the update. There is now a tool called

Operation/MaintenanceOk, at this point, you have designed, built,secured and tested the XPe system. It is nowtime to deploy the system into production.How are you, or your customer, going todistribute patches and updates to thesystem? That depends on how many systemsyou have and how are they deployed. Is thedevice deployed in multiple locations? Isthere network connectivity to all devices? Willthe system be a standalone system? Can youcentrally manage your XPe devices?

PatchesPatches are released weekly for newlydiscovered vulnerabilities and weaknesses in

Page 27

Travis L. Schack,CISSP, CCNA, is thePresident of Vitalisec, Inc.

Contact him at [email protected].

DUAScriptGen that will assist you in importingthe full list of file and registry changes from aXPe QFE and generate the DUA script file.

The second method offered by Microsoft is tocreate your own custom patch processthrough scripts. Depending on yourapplication, this might be an option. For mostcompanies, this will not be an option.

Recently, a third option was made availableform Microsoft. SMS 2003 was released andit supports XPe devices. Using the SMS2003 XPe agent, you have the ability toinventory and update your XPe systems.

SUS does not support updating XPe images.Windows Update (WU)is not supported onXPe either, even though the WU client is in thecomponent database and can be built intoyour image. Because of the unique nature ofXPe, SUS and WU do not support checkingrelational dependencies between features,files, or registry keys.


Page 28

For systems that are standalone, unless theyuse dialup to receive updates, a service orfield technician will have to update the system.

SummaryI realize that this article scratched the surfaceon designing, implementing and operating asecure XPe system. While the article did notcover application security, like IIS or SQLServer, you should have a goodunderstanding of the types of security featuresthat XPe offers and the components that areneeded to support each feature. As moreembedded devices are positioned in theindustry and become critical components inbusiness infrastructures, it is imperative thatsecurity becomes an integral part of theoverall system design.

+ALERT

ROGUE SERVER

-

-

Security is focused on your network’s

perimeter. So who’s monitoring internal activity that’s threatening

your network? QRadar maintains 24-hour vigilance to counter

these threats. It learns normal behavior, flags irregular activities

and their source, then identifies corrective measures. You’ll find

and fix problems immediately, no matter where they originated.

To learn how to reduce downtime and losses while improving

operational efficiency, go to www.q1labs.com.

Only QRadar can pinpoint network anomalies in real time.

© Copyright 2004, Q1 Labs, Inc. QRadar is a trademark of Q1Labs, Inc. All rights reserved.

www.q1labs.com | 781-250-5800The nexus of security and networking

-

TM

Don’t Believe Everything You Hear By: Joe Grand

A Commentary on

Security

Tech

no

log

ies

Waiting for my flight from San Diego toBoston to board, I became curious to whatsorts of devices people were using in day-to-day activities. I saw a man leaning against thewall using a Palm-based Kyocera mobilephone. I saw two BlackBerry devices sittingnext to each other on a chair like brother andsister. I saw a laptop balancing precariouslyon the edge of a payphone’s narrowaluminum shelf, connected to the payphone’sdata port. I saw airport personnel wavingproximity cards in front of doors to gainaccess to restricted areas. I saw PCs runningWindows at each gate, with lockedscreensavers flashing a message stating“This terminal is for authorized personnelonly.”

What I quickly realized is that most users usetechnology without caring about how it wasdesigned, the security, or even how it works.Why should they? They just want the productto function as they expect. But, for us, assecurity professionals, we live and breathesecurity. We design and implementtechnology and need to make sure it’s secure.This holds true for the consumer market justas it does for the enterprise, government, ormilitary organization. We, as a population,have become so dependent on technologythat we often forget the major risksassociated with using it.

If you look around, most organizations,including those that are solely dedicated tocomputer security consulting and those thathave dedicated computer security teams, arequick to adopt new technologies based on therecommendations of others or withoutverifying the claims of the vendor. “Trust us,

we’re secure.” is what they’re told, and withoutblinking an eye, they believe it. Specifying andpurchasing products based on your securityneeds is not a “one size fits all” decision.Nothing is 100% secure, and if someone saystheir product is, proceed with caution.

Before specifying or purchasing a technologyfor your network, always ask technicalquestions to the people that designed theproduct, not the people who sell the product(unless, of course, they are one in the same).Be cautious of dealing with companies whowill not let you interface directly with theirengineers. Ask them why they think theproduct is secure, ask how it was designed,ask how it was tested, ask how they can backup their claims, ask about their securitypolicies and procedures. If they can’t explainany of that, become suspicious.

A further problem is related to the actualdesign of the products in the first place. Dueto a general lack of understanding of securedesign practices in the product developmentindustry, many products are protected by“security through obscurity,” improperlyimplemented security, minimalist securitymechanisms, or just sheer luck. Many vendorsactually believe their own security claims. “Theattacker will never be able to figure out howwe encrypt the data,” they say. “Our scientistshave created an unbreakable code”.

Adopting

Vendors and integrators alike need tounderstand how to design and implementproducts securely, how to gauge the threatsagainst their products, and how to understandthe mindset of an attacker. But, this sort ofinformation can’t be taught in a day, and itmost definitely can’t be learned in a day. Acrash course in computer security will giveyou nothing but a false sense of safety.

In a recent engineering industry trademagazine, I saw an advertisement for a pairof DES-encrypted RF modules. The conceptwas simple: A 56-bit symmetric key was usedto encrypt and decrypt the data travelingwirelessly through the air. The problem is thatthe DES key is stored in a notoriouslyinsecure Serial EEPROM (ElectricallyErasable Programmable Read Only Memory)within each module. So, once an attackerdetermined the location of the crypto keys inmemory and retrieved the keys using astandard device programmer, they would beable to clone the module and sniff and decryptall wireless communications between the twopoints. This is a perfect example of what canhappen if the designers do not understand thepotential attack risks.

Don’t Believe Everything You Hear, cont. By: Joe Grand

Joe Grand is the President of GrandIdea Studio, Inc., a San Diego-based product

development and intellectual propertylicensing firm, where he specializes in

embedded system design, computer securityresearch, and inventing new concepts andtechnologies. He has testified before the

United States Senate Governmental AffairsCommittee and is a former member of thelegendary hacker collective L0pht Heavy

Industries. Joe holds a Bachelor of Sciencedegree in Computer Engineering from Boston

University. You may reach him [email protected].

professionals, we will undoubtedly discoverproblems with technology that most otherpeople would never think of. We’ll look inplaces that other people don’t even knowabout. We’ll analyze physical hardware,circuitry, firmware, look for problems in sourcecode, evaluate operational behavior, whateverit takes to make sure we understand thelimitations of the technology and how we canbest implement it for ourselves or ourorganization.

We are the security professionals. It’s not theend user’s responsibility to make sure that theproducts they use are secure. It’s ours.People, especially clients or your fellowemployees, rely on us to make sure theproducts we recommend and implement meetsome sort of security baseline. Don’t let themdown.

We need to, by default, never trust a productstraight out of the box. Challenge the claims.Scrutinize what you’re told. We must installand test products in a laboratory beforeimplementing them in a real environment. Wemust get ourselves into the minds of attackersand try to break the product. As security

Page 31

Syngress: The Definition of aSerious Security Library™

Nessus Network AuditingCrackers constantly probe machines looking for both old andnew vulnerabilities. In order to avoid becoming a casualty of acasual cracker, savvy sys admins audit their own machinesbefore they're probed by hostile outsiders (or even hostileinsiders). Nessus is the premier Open Source vulnerabilityassessment tool, and was recently voted the "most popular"open source security tool of any kind. This is the first bookavailable on Nessus and it is written by the world's premierNessus developers led by the creator of Nessus, RenaudDeraison.

Security Assessment: Case Studies for Implementing the NSA IAMIn 1998, the National Security Agency (NSA) InformationAssurance Methodology (IAM) was developed to meet thedemand for information security (INFOSEC) assessments—a demand that was increasing due to Presidential DecisionDirective 63 (PDD-63) while at the same time NSA was down-sizing. The NSA sought a way to maximize its resources toassist as many customers as possible and so they created a listof organizations that could perform the same service as theNSA. The NSA quickly realized that this system would not onlyprovide valuable information to consumers—it would also provide a vehicle for standardization of INFOSEC assessments.

Available from Syngress Publishing Now!

New Books by Security Horizon and Russ Rogers!

Also Available Now from Syngress Publishing:

www.syngress.com

“A comprehensive and authoritative guide toWarDriving and wireless security.”—Mike Kershaw (Dragorn), Kismetauthor

From the EtherealDevelopment team, comes

the first book ever onEthereal.

Ethereal PacketSniffing

$49.95 US$69.95 CAN

608 pp, 7 x 9.1875ISBN: 1-932266-82-8

WarDriving: Drive, Detect,Defend$49.95 US$69.95 CAN512 pp, 7 x 9.1875ISBN: 1-931836-03-5

$69.95 US$89.95 CAN448 pp, 7 x 9.1875ISBN: 1-932266-96-8

$49.95 US$69.95 CAN

544 pp, 7 x 9.1875ISBN: 1-931836-08-6

Defense in Depth By: Ed Fuller

WOW, the second anniversaryof the Security Journal.

By now as you’ve been reading these articlesyou know that there is a lot to accomplish inorder to adequately protect your information.All of the topics that have been coveredrepresent facets in a protection schemaknown as Defense in Depth.

Defense in Depth was first coined by theDepartment of Defense as part of a strategyto focus InformationAssurance protection.Defense in Depth is not asilver bullet to protection, butis a “best practices” strategythat relies on the intelligentapplication of technologiesand techniques to implementand maintain the protection.As with any good riskmanagement approachDefense in Depthrecommends that there is always a balance tobe achieved. Protection must balance withthe cost of the protection; operationalconsiderations must balance with theoperational performance. In order to makegood decisions on what technologies andtechniques to employ in Defense in Depththere are a few things that have to beconsidered.

Adversaries or Threats. Each organizationneeds to identify who or what is the threat,what is their reason for attacking (motivation)and possible ways they can attack.Adversaries can be anything from a scriptkiddy that wants to make a name for themselves in the underground up to and includingnation states who want to weaken the country.In between these vastly different threats are

things like corporate espionage and criminalswho would attack to make a profit at yourorganization’s expense. These are maliciousadversaries that are commonly thought of butdon’t forget the non-malicious threats such asfire, water, power failures and the mostprevalent threat, user error.

Once you have identified the threat you canlook at what the currentprotection schema isproviding you when you lookat Confidentiality, Integrity,and Availability. Think ofthese as protection servicesthat you are providing foryour organization orcustomer. These servicesare always based on theconcept Protect, Detect,Respond and Sustain.

Organizations should expect attacks. Youwould not be in business if you did not havesomething important that needs protection.Organizations should employ tools andprocedures that allow them to react andrecover from attacks.

Protect is based on the hardening orsecuring of the system and components. Inthe commonly used Computer NetworkDefense this is proper implementation ofSystem Configuration Management andRemediation Management. If you don’t knowwhat you have and how it is “supposed” to beused, how can you protect the system? If youdon’t have a defined approach to fixingproblems that pop-up, how will you fix things?Unfortunately in many organizations this is anADHOC process and is why Protect is difficult

Page 33

to implement and maintain.

Defense in Depth, cont. By: Ed Fuller

Page 34

Detect is based on the ability to identifyanomalous activity. Simply put this is theimplementation of Audit. If you don’t monitorwhat activities are occurring on the network,how will you know if something unusual isoccurring? Yes this means that you will haveto identify what is normal activity to be able toidentify abnormal activity.

Respond is the ability to report and react toanomalous activity. This definitely builds off ofthe Detect. Once you have identified anabnormal activity you must determine if it ismalicious or non-malicious. Then what do youdo? How and who will the activity be reportedto? Are there defined processes forreacting to the abnormal activity?

Sustain is the ability tomaintain the proper levelof security through amature process. This isthe normal day-to-dayactivity normally knownas Network Management. Networkmanagement can be a nightmare for someorganizations because they have notimplemented Protect, Detect, or Respond.This creates an organization that iscontinuously in the fire-fighting mode. Dealingwith issues over and over again based onwhat is going wrong today.

As we are all aware to implement these andcreate a sound Defense In Depth strategy youhave to have three things or elements:People, Technology, and Operations. Thesemust be balanced to provide the bestcoverage for the price and relying too muchon one will result in exposure to attacks.

People are the beginning of InformationAssurance starting with the senior

management. The senior management musthave a commitment to protecting theinformation based on a clear understanding ofthe threats. Senior management provides thepolicy and procedures needed for effectiveInformation Assurance. Senior managementmust provide the resources needed toimplement the policies and procedures withclear understanding of roles andresponsibilities and personal accountability.Training must be included in this resourceassignment for all critical personnel. Havingthe senior management commitment includesthe establishment of both physical andpersonnel security. This will allow theorganization to monitor and control access tofacilities, information, and critical elements of

the informationtechnology environment.

Technology is available ina variety of components andservices. Technology can beused to detect attacks,malicious activity, or evennon-malicious activity. But

what technology should be used? Everyorganization should utilize defined policy andprocesses for technology acquisition. Theseare normally based on the InformationAssurance architecture and standards foundin the Security Policy. There should bedefined criteria for selection and procurementof products. These products should beimplemented with defined and standardizedconfiguration guidance. Prior toimplementation there should be a process toassess the risk that could be introduced to thesystem by implementation of the technology.When you implement technology in theDefense in Depth strategy you should look atthe Information Assurance principles thatinclude the following:

• Defense in Multiple Places. Adversaries


Page 35

can and will attack from multiple angles. Yourorganization or customer must employprotection mechanisms at different locationsto be resistant to all classes of attack.Defensive locations are called “focus areas”and include; Networks and Infrastructure,Enclave Boundaries, and ComputingEnvironment.

a. Defending the network andinfrastructure providesprotection of the LAN and WANby ensuring confidentiality andintegrity of the data transmitted.

b. Defending the EnclaveBoundaries provides resistanceto active network attacks.

c. Defending the ComputingEnvironment provides accesscontrols on hosts and servers toresist the insider or distributedattacks.

• Layered Defenses. There is no singleproduct or service that is a cure all for theinherent weaknesses of the network. Givenenough time and resources an adversary willfind an exploitable vulnerability. The bestmethod to mitigate this threat is through theuse of multiple countermeasures that presentdifferent obstacles to the adversary. Thesecountermeasures should include bothprotection and detection measures. This willincrease the risk to the adversary of detectionand reduce the adversary’s chance ofsuccess. A common example of this in largenetworks is perimeter firewalls in conjunctionwith Intrusion Detection and implementation ofmore granular firewalls and controls on theinternal network.

• Specify the Security Robustness. Thismeans understanding the value of what youare protecting and placing appropriatetechnical controls in the appropriate place.One example of this is the deployment of


strong perimeter defenses andimplementation of security templates for theworkstations and servers. This makes senseas it is usually operationally effective andsuitable to deploy stronger mechanisms at thenetwork boundary than at the user desktop.

• Robust Key Management. Infrastructuresare lucrative targets. Deploying robust keymanagement and public key infrastructures,such as PKI or PGP, that support all theInformation Assurance technology that isdeployed will ensure that you are resistant toattack.

• Event Correlation. Deployed infrastructuresshould be able to detect intrusions, analyzethem and correlate the results to provideenough information to react accordingly. Thiswill allow the “Operations” staff to answer thefollowing questions: Am I under attack? Whois the source? What is the target? Who else isunder attack? What are my options?

Operations focus on all the activitiesrequired in maintaining and sustaining theorganization or customer’s security postureon a daily basis. This will always include:

• Maintaining the security policy and ensuringthat all personnel are aware and following thepolicy.

• Certifying and accrediting systems toensure that good Risk Managementdecisions can be made.

• Managing the security posture by keepingpatches and virus definitions and accesscontrol lists updated.

• Providing key management services.

• Performing security readiness reviews,

commonly call assessments to ensure thecontrols are functioning correctly.

• Monitoring and reacting to threats orattacks as they occur.

• Recovery and resumption of operationsfrom attacks or non-malicious events such asfire or flooding.

Defense in depth is simply a means of usingmultiple controls to implement a morecomplete security posture based on theperceived threats or adversaries. We knowthat we are not going to achieve a 100%security because that would leave us with 0%usability. For example, we could deny allinbound or outbound connections to theInternet, and in today’s computingenvironment the network usability would suffergreatly. We want to avoid weak links throughthe balance of People, Technology, andOperations. Each of these are used tomaintain the organization or customer’s abilityto Protect, Detect, Respond, and Sustain theirInformation Assurance.

Ed Fuller is Senior Vice-President and ChiefOperating Officer for Security Horizon, alsofunctioning as the lead instructor for NSAtraining and assessments. Comments orquestions can be sent [email protected].

Page 36

Book Review By: Brian Martin

Security WarriorCyrus Peikari & Anton ChuvakinPaperback - 581 pages (January, 2004)$44.95 - O’Reilly ISBN: 0-596-00545-8

Security Warrior is one of the latest books thatattempts to cover hacking and securityinformation in a way that appeals to all levelsof the field. Most books of this nature willpresent a wide variety of concepts andtechnologies that fall under the “security”blanket. These topics usually include anintroduction to security, networking,reconnaissance, social engineering, attackand defense. As with most professions,attempting to disclose the ins and outs in acomprehensive manner would take volumesof information and could never be summed upin a single book.

Breaking away from the mold, SecurityWarrior stands out in a crowd of securitybooks by delving into the world of softwarecracking through reverse engineering. Whilethis is not a skillset many security personelluse or know, it can be a very handy skill tohave. Peikari and Chuvakin spend almost onethird of the book on reverse engineering byproviding detailed explanations, real worldexamples and even excercises to test yourability to break past software that restrictsyour access to a program on your owncomputer. While the skill of reverseengineering is useful, it is also fairly intensiveand requires a solid programmingknowledge. The extensive use of programsource code in the book can get a bitoverdone as most people reading the bookwill already understand it and find no use for ittyped out in a book, or find themselves lostafter the second line.

The next major section covers the basics ofnetworking and reconnaissance as relates tosecurity testing. After a brief outline of TCP/IP

and other protocols that make this big Internetthingy work, they immediately dive into the artof Social Engineering before going back tonetwork recon, OS fingerprinting and hidingyour attacks. While this information is allvaluable, the sudden turn to SocialEngineering in the middle of technical networkattacks is disjointed to say the least.

Once you have identified your targets vianetwork recon, the next step is to figure outwhat specific platform attacks may work foryou. Unfortunately, you need to read thechapter on Unix defense before Unix attacksin this book. While the order of the chapters isa minor nuisance, the author’s consistancy isa tad annoying. After learning about Unixdefense and attack, you then get treated toWindows Client Attacks and Windows ServerAttacks. Apparently, the chapter on Windowsdefense got left on the cutting room floor.Even more odd is the next chapter on SOAPXML Web Services Security followed by theSQL Injection attack chapter. While these areall well written chapters that convey theinformation very cleanly, the order and choiceof topics is very messy.

The last section covers Advanced Defenseand goes into audit trails, intrusion detection,honeypots, incident response and forensics.Each chapter receives a good share ofattention and falls back into an orderly fashionfor dispensing the details of each technology.This material is a solid conclusion to a bookthat has a place in the security professional’slibrary. For someone just entering the securitycircle, this book will be a rough start.

Brian Martin is a member of Attrition.org(http://www.attrition.org),a computer securityWeb site dedicated to the collection,dissemination and distribution of informationabout the industry for anyone interested in thesubject.

Page 37

How Vulnerable areYour Networks?

SAINT® is certified CVE-compatible by MITRE and winner of PC Magazine’s 4-Star award.

Two new ways to scan ...

Just plug into your network and yourvulnerability worries are over. Formore information visit:www.saintcorporation.com

A quick easy way to get SAINT’sreliable results with no down-loading or configuring. Scan fromwww.saintcorporation.com

© 2004 SAINT Corporation. All Rights Reserved.

SAINT®

Find out with

NETWORK VULNERABILITY SCANNER

What is FISMA? By: Matthew Hoagberg

Page 39

With hackers, cyber intruders, andterrorists, it has become

increasingly important, now morethan ever, to protect our nation’s

information technology andsystems.

To improve our nation’s informationsecurity posture, Congress approved the E-Government Act of 2002 (E-Gov) whichincluded the Federal Information SecurityManagement Act of 2002 (FISMA). FISMA isTitle III of E-Gov that was signed into law(Public Law 107-347) on December 17th,2002 by President George W. Bush. E-Govaddresses information technology amongFederal agencies, standards in Informationsecurity, and addresses ways to protect theconfidentiality of an individual’s informationthat exists for statistical purposes.

FISMA replaced the Government InformationSecurity Reform Act (GISRA) which wassigned into law in November of 2000, as wellas building upon the Computer Security Act of1987, the Paperwork Reduction Act of 1995,and the Information Technology ManagementReform Act of 1996. FISMA is built off ofGISRA making GISRA’s provisionspermanent, broader, and stronger, as well asincluding minimum requirements forinformation security. In addition to continuingprovisions from GISRA, like the role of theInspectors General (IG), FISMA has directedthe National Institute of Standards andTechnology (NIST) to continue to developinformation security guidance for federal

agencies. This guidance will set standardsfor systems operated by the federalgovernment. FISMA sets the goals forinformation security and grants the authority ofsetting guidance for the minimum securitysettings to NIST. NIST has releasedRecommended Security Controls for FederalInformation Systems. Special Publication800-53 (SP 800-53) outlines guidance forfederal agencies to be able to achieve FISMAcompliance. The SP 800-53 will serve as atemporary guide for agencies’ informationsecurity controls. As agencies gainknowledge and experience through the SP800-53 they will be able to comment on thepublication and provide feedback to NIST.From the agencies feedback, NIST willdevelop the new Federal InformationProcessing Standard (FIPS) 200. The FIPS200 will expand on the FIPS 199 andmandate the minimum security controls for allfederal information systems.

Purpose of FISMA

There are six key purposes of FISMA.

1. To provide a comprehensiveframework for information securitycontrols;

2. Provide effective management and

oversight of security risks;3. Provide development and

maintenance for controls to protectinformation systems;

4. Provide an instrument for improvedoversight of Federal agencyinformation security;

5. Acknowledge that commerciallydeveloped security products can offeradvanced solutions; and

6. Give individual agencies the authorityand freedom to select commerciallydeveloped products.

What is FISMA?, cont. By: Matthew Hoagberg

Purposes 1 through 4 are directly taken fromGISRA while 5 and 6 were added to thepurposes section acknowledging thatcommercially developed information securityproducts can offer advanced and effectiveinformation security solutions. Whileacknowledging that individual agenciesshould select their own specific hardware andsoftware information security solutions fromamong these commercially developedproducts.

Requirements of FISMA

Some of the basic requirements to Federalagencies in an effort to better secure federalinformation and systems are:

• Provide an inventory for allsystems within an organization;

• Provide minimum informationsecurity for their systems;

• Have a basic security structurethat can help provideinformation security;

• Conduct annual evaluation ofsecurity;

• Require the Office ofManagement and Budget(OMB) to operate a federalincident response center,whose functions include:

i. technical assistance tofederal agencies

ii. collecting dataiii. analyzing data;

• Authorize the OMB to overseethe development andimplementation ofrequirements; and

Ensure that information security managementprocesses were integrated with strategic andoperational planning.

FISMA also requires government agencies toreport on their IT security as compared to theminimum requirement on an annual basis aswell as requiring all federal agencies tosubmit to the best practices for informationsecurity. Within the evaluation, the agencymust list the possible risks to their informationand systems, and work to reduce that risk.Agencies will use a Plan of Action andMilestones (POA&M), a report that identifiesvulnerabilities and a plan to eliminate them.The POA&M will be reviewed monthly and

Page 40

What is FISMA?, cont. By: Matthew Hoagberg

turned in quarterly to the IG and agencyofficials will be held accountable for theirsecurity posture.

Obstacles and Challenges of FISMA

Obstacles and challenges that governmentagencies face are the lack of funding and thelack of staff which not only must continue withdaily operation but now must implement newsecurity. This includes maintaining the currentrisk management and policies. Another issueis a cultural change, which must take place inthe way we look at and address IT security, forFISMA to work. As new policies andguidance are created, each organization mustdetermine how they apply to them and howthey are going to implement them.Government agencies will be expected toreport on their information security postureonce a year and will be graded A though F.As well as financial and personnel obstacles,FISMA brings with it new challenges.Agencies must gather, study, and understandtheir organization’s security risks pertaining totheir information systems and be able todemonstrate to the IG that they are complyingwith the new government regulation outlined inFISMA. Agencies must show that they aretaking care of the vulnerabilities within theinformation systems and continually striving toimprove their information security.

Conclusion

In conclusion, the Federal government hasdeveloped a law that mandates informationsecurity. FISMA was designed to keep theindividual government agencies not onlysecure, but accountable for their informationsecurity. The agencies then have to be ableto defend their security posture with greaterreporting requirements. The reporting willshow where government agencies are andhow they plan to improve their securityposture on a yearly basis. FISMA allows theagencies to evaluate all of its bureaus andcompare each organization. The FISMAreport is a checklist that details thecompliance with policies and procedures.

The bottom line is to protect our governmentassets and to continue to improve the securityof our government agencies. I have littledoubt that this will bleed over into privatebusinesses creating a country dedicated tosecurity of our information technology.

Matthew Hoagberg is a Security Consultantwith Security Horizon. You may contact him [email protected]

Page 41

where do we go from here? -...

Documents