Measuring Human Risk: What is Your Organization’s Security Score? The methodology and results of a multi-year human security risk assessment and security awareness initiative at Michigan Technological University.
You’ve just been hired and Information Security is now your responsibility.
Who has immediate concerns?
Introduce yourself and ask what most concerns them. Get their names. This is for your use only. Try to remember their names. Can you take a photograph?
NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment [pdf]
What company policies and regulatory requirements exist? What compliance programs (SOX, PCI, HIPAA, SSAE 16) must be observed?
The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists. For more information relating to the NCP please visit the information page or the glossary of terms.
The California Department of Technology Risk Assessment Toolkit has links to great resources.
What gaps do you you fill first?
There will always be risk. What level of risk is acceptable?
Check your work. Repeat.
Scenario: Your Windows laptop has Bitlocker protection that prevents unencrypted access to the hard drive if the laptop was powered off.
There are three successful physical attacks:
- Seize the hardware while the user is logged in and Windows is not locked.
- Seize the hardware while the user is logged in and has locked Windows.
- Seize the hardware immediately after the laptop as powered off.
In the first attack the thief has access to the unencrypted information. This is to be expected.
In the second and third cases, you would expect the thief to be denied access to the encrypted information. Actually, the thief could obtain the encryption keys through a Direct Memory Access (DMA) attack (attack 2) or by reading DRAM before the bits decay and memory fades (attack 3). This last approach is referred to as a “Cold Boot Attack”.
iSECPartners has made You’ll Never Take Me Alive to mitigate DMA attacks. If Windows is locked and either the power cord or wired internet is disconnected, then the system goes into hibernation. A side effect of hibernation is removing the encryption keys from memory. If you were working off battery power with a wireless network connection, then YoNTMA does not mitigate your risk.
How practical is a DMA attack? See Inception.
The problem: You want to transport information. A USB drive is a convenient solution, but comes with risks. There is always the risk that the drive could be misplaced or stolen. You need some way to encrypt the data so that your loss is limited to the drive, and the data on the drive does not fall into unscrupulous hands.
Dedicated secure drive and a strong password. By using a secure USB drive (and a strong password), the information on the lost or stolen secure USB drive is not disclosed. Avoid the older implementations, see Update Your Secure USB Drive.
- TAC Drive
- Imation secure USB drives
- Kingston DataTraveler 4000-M, a managed version of their secure USB drive has been announced. “Full device-state management for tight policy enforcement and lockdown of stolen/lost drives – without bricking; customization for easy asset tagging; and, full audit and backup/recovery for forensic analysis and compliance – including adherence to all data-at-rest regulations.”
- Victorinox Secure Pro USB drive has been discontinued by the manufacturer. Return these devices for a refund.
Passthrough encryption device and strong password used with generic USB storage device.
- The Enigma module is an inline USB encryption solution designed to provide real-time full disk encryption for any USB mass storage class (MSC) drive.
Dedicated secure drive with integrated keypad. A benefit of USB drives is their platform independence. If the USB drive requires a driver and a device with a keyboard, then you can’t plug it into your TV or Blu-Ray player. There are other dedicated secure drives with integrated keypads to enable the device to transport files to any device which accepts a USB drive.
- LOK-IT Secure Flash Drive
- Corsair 16 GB Padlock 2 USB 2.0 Flash Drive CMFPLA16GB
- Apricorn Aegis 4 GB USB 2.0 Military Grade 256-bit AES CBC Hardware Encrypted Secure Key Flash Drive
Dedicated secure drive with integrated biometrics.
- Apricorn Aegis Bio 3.0 USB 3.0 external drive safeguards data with secure fingerprint access and military grade 265-bit AES-XTS hardware encryption.
Ordinary USB drive with encryption software and strong password.
- Ordinary USB drive and Bitlocker encryption.
- Ordinary USB drive and TrueCrypt encryption. A copy of TrueCrypt Portable on the USB drive means you won’t need to install TrueCrypt on the host device to read the encrypted portion of the USB drive. (While use of TrueCrypt has been discouraged, it will still defeat almost any thief. See “Open Crypto Audit Project TrueCrypt Security Assessment” [pdf].)
- Ordinary USB drive and Rohos Mini Drive or USB Safeguard. Both can reside upon the USB drive. Both offer a free version which encrypts up to 2 GB.
- Password strength. Easily guessed passwords turn encryption into an ineffective control. How do you enforce a strong password policy?
- Remote wipe. The goal of an encryption implementation is to make it take longer to crack than is practical. (Easily guessed passwords make cracking practical.) After a short number of attempts, the device should wipe itself.
- Key management. Can keys for these encrypted devices be managed centrally? If they cannot, is the information on these devices managed in another fashion?
- Maintenance. If these devices must be updated, what approaches are available?
- Inventory. How will these devices be tracked? What are the costs of not tracking them?
When reviewing these challenges, remember the risk from lost, unencrypted data. You may choose to accept a less-than-perfect management solution to limit the risk of information disclosure.
RatProxy can be considered a specialized protocol analyzer for interpreting HTML transactions. Suppose there is a web transaction that you are curious about. For example, it seems to return user-created text to you, and you suspect that this may indicate a cross-site scripting (XSS) attack is possible.
- I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
- The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
- The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility are required, but you may find them convenient.
- Add a batch file (preserve.bat) to the c:\cygwin\bin folder:
if (%1)==() goto ERRPARM
ren ..\ratproxy\report.html %1.*
“C:\Program Files\7-Zip\7z.exe” a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
echo Name for report and zip file is required.
With that preparation complete, and with Firefox ready to submit your interaction:
- Open a command shell (cmd.exe).
- Paste these two lines into the command window:
ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC
This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.
- Change your browser to use this proxy (localhost:8080). Traffic that is passed through the browser will go through RatProxy.
- Your test traffic occurs here.
- In the command window (from step 2) press Ctrl+C to quit RatProxy.
- Undo the browser proxy changes (from step 3).
- Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.
./ratproxy-report.sh ratproxy.log > report.html
This will require another Enter.
C:\cygwin\ratproxy\report.html, C:\cygwin\ratproxy\ratproxy.log and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible, but they are interpreted network protocol analyzer results.
- Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat, text ) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter
where <project> is a term you choose to remember what you were testing.
You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.
In the html file you will see each POST transaction followed by a [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink wasn’t working anyway, but it does indicate which of the .trace files to associate with this POST transaction.
Q: I have “Microsoft .NET Framework 4 Client Profile” installed, but when installing Microsoft Attack Surface Analyzer I get the message:
You are attempting to install Attack Surface Analyzer on a system without .Net 4 or above. If you continue with the installation, only the command-line executable asa.exe and the data collection components of Attack Surface Analyzer will be installed. To continue with installation, click Next. If you do not want to continue with installation, click Cancel.
A: Do you also show “Microsoft .NET Framework 4 Extended” installed? If not, then install it before installing Microsoft Attack Surface Analyzer. Alternately, the command-line executable asa.exe is not such a bad idea.
A web application SQL injection vulnerability disclosed accounts and passwords.
Mitigation: Test, sanitize input, use library routines instead of creating your own sanitization routines.
Passwords were encrypted with an MD5 hash and no salt. This enables unencrypted passwords to be determined offline, using rainbow tables.
Mitigation: MD5 is broken. Salt to make the use of precomputed password hashes (rainbow tables) impractical.
The accounts and passwords were used for initial access to a server.
Two-factor authentication would mitigate this.
A local vulnerability on the server enabled root access to the server.
Patch deployment would mitigate this.
The content management system password was the same as the email management service.
Do not reuse passwords.
Control of the email system enabled social engineering access to other vendors. You appear to be their trusted partner.