security

VPN, Wireless and EAP experiences

Secunia

Threats to systems have been traveling up the stack, which is to say that instead of operating system exploits, attackers are finding their way in through applications. With the wealth of applications and vulnerabilities being discovered, and no coherent means to keep them all up to date, it is a welcome relief to see Secunia.com offer a free tool for checking Windows systems for the most common application vulnerabilities.

Secunia offers both an online test tool and a downloadable client for Windows 2000 and higher systems. I tested the online version on both my Windows XP Professional SP2 and Windows Vista Home Premium systems. I found vulnerabilities for Adobe Flash and Java on both systems. When you update Adobe Flash Player it removes the vulnerable version, but the older Java versions must be manually deleted since some applications may require them.

On XP, running the tool was straightforward. To run the online tool on Vista I had to add the Secunia site to my "Trusted" zone, which results in IE running that site with Protected Mode off. When I tried to run the site with Protected Mode on, it threw errors about available Windows patches. Running the downloadable executable on Vista was straightforward, although I did run the installer as "administrator". The executable is handy, as I was able to exclude certain paths such as my other bootable partitions and the $Recycle.Bin.

In every case the Secunia tool gave helpful information and links for the vulnerabilities and fixes available.

I have always liked Secunia because you can find how many vulnerabilities exist for a myriad of systems and how critical they are. While some security experts complain about how many patches must be applied to some software, I like the view of how many patches are NOT available for a given piece of software.
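As an added example (not part of the original post and not Secunia's code), the following PowerShell function lists the installed copies of a program by reading the Windows uninstall registry keys, so the stale side-by-side Java runtimes that the scanner flags can be found and removed deliberately rather than by guesswork. It assumes a 64-bit Windows system (the Wow6432Node key simply does not exist on 32-bit systems and is skipped) and that the products register themselves in the standard Uninstall keys, which Sun's Java installers do.

```powershell
# Added example, not from the original post: enumerate installed programs whose
# display name matches a pattern (Java by default) from the Windows uninstall
# registry keys, newest first, so older side-by-side versions stand out.
# Assumptions: 64-bit Windows; products register under the standard Uninstall keys.

function Get-InstalledProgram {
    param(
        [string]$NamePattern = 'Java'
    )

    # Per-machine 64-bit, per-machine 32-bit (WOW64) and per-user entries.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Missing keys (e.g. no Wow6432Node on 32-bit Windows) are silently skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        ForEach-Object {
            # DisplayVersion is a free-form string; parse it where possible so the
            # sort is numeric ("1.6.0.30" before "1.6.0.7") rather than lexical.
            $ver = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                ParsedVersion   = $ver
                InstallDate     = $_.InstallDate
                UninstallString = $_.UninstallString
            }
        } |
        Sort-Object ParsedVersion -Descending
}

# Everything except the newest entry is a removal candidate. Check which
# applications depend on an older runtime before running its UninstallString.
$java = Get-InstalledProgram -NamePattern 'Java'
$java | Format-Table Name, Version, InstallDate -AutoSize
$java | Select-Object -Skip 1 | ForEach-Object {
    Write-Host "Older version still installed: $($_.Name) $($_.Version) -> $($_.UninstallString)"
}
```

The UninstallString printed for each older entry is the same command Add/Remove Programs runs, so it can be scripted once the dependent applications have been confirmed.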

September 06, 2007 in Web/Tech

Welcome BCR readers!

I was contacted to publish an article in the for-pay magazine Business Communications Review regarding security controls, with some depth but without drilling down too deep into any one technology. The result was a two-issue series (I couldn't trim it down enough for a single article) that is referenced on their blog here.

As research often uncovers, the real solutions to security lie in process, policy and governance, but we often resort to technology since that is frankly easier to deal with.

April 15, 2007 in Weblogs

SecureWorld 2006

SecureWorld 2006 in Detroit was a great opportunity to network with peers in the region and hear about security related projects and products.

Here is a recap of some of the best events I attended:

Creating Identity: It's Worth The Effort - David Sherry, VP Information Security at Citizens Bank (8th largest US bank; its parent, Royal Bank of Scotland, is the 5th largest bank in the world)
He discussed his experiences implementing an Identity Management (IdM) solution for Citizens Bank.
An interesting term he used was 'colleagues' to refer to both employees and contractors within their system. (Note the blurring of the line between on-premises employees and others.)
He listed important actions that helped and hindered his project (in 3rd year of 5 year deployment).
His bottom line was that Identity Management is hard but doable and expensive.
The original drivers and benefits were seen in the security/ID admin arena but ultimately the project is yielding benefits enterprise wide.

Opening Keynote - Gary Warner "PIRT: A Neighborhood Watch For Phishing (Help Wanted!)" PIRT (Phishing Incident Response & Termination) http://www.castlecops.com/

Gary works for a southern energy firm (Energen) and is a member of a regional InfraGard chapter, which formed PIRT to respond to phishing attacks.
He emphasized that very little criminal prosecution of phishers is taking place, and that PIRT is a voluntary organization whose mission is to obtain forensic information on phishers, supply it to government, and then shut down active sites worldwide.
He described the link between spam & botnets and phishing as well as detailing the anatomy of phishing scams.
He stated that most phishing originates from very few people and cited specific figures about reported incidents and damage.
He mentioned that suspected new viruses can be submitted online to Totalvirus.com.

InfraGard Keynote - Ira Winkler "Secrets of SuperSpies" (former NSA staff, HP security strategist and currently at ISAG) and author of Spies Among Us
He works for organizations that are examining their security. His initial aim is to 'find the most valuable information', which is what we (as organizations) should be protecting.
(As a side note, he also worked for HP in 2003 as chief security strategist and was interviewed on CNBC as someone who left HP due to their culture.)
He recounted startling stories of how easy it was to compromise very valuable information at 'secure' organizations: he was able to enter and compromise critical information within one hour at a facility that designs nuclear plants, and within five hours at a commercial business HQ.
He emphasized how important it is to identify the most valuable information and work to protect it.
He distinguished security from counterintelligence (understanding the actions and posture of those threatening you).
He also emphasized the need for defense in depth and awareness.
He illustrated the typical line-of-business attitude towards security (that it stifles innovation and productivity), even though that attitude is itself a serious inhibitor to security.

Outsourcing Information Security: Truth or Fiction? - Tim Bates, GM Lead Information Security Manager, North America

You need to know your company's risk posture and outsourcing strategy.
GM’s two main drivers:

  1. Cost (GM now uses 250 people from vendors' support organizations)
  2. Constant expertise (always up to date)

Do Outsource:

  • Infrastructure Security Admin
  • Security Monitoring (not oversight) (incident mgmt – emerg response & forensic analysis)
  • Perimeter protection (incl fw, IDS, VPN, vuln assess, pen test)
  • AV & Content Filtering
  • Info Sec risk assessments
  • Data archiving & restoration

Do Not Outsource:

  • Governance
  • Security Policies
  • Architecture requirements
  • Strategy development

GM security has 15 staff for managing contracts and SLAs
Plus 1 architect assigned from global architecture group
Key outsource requirements:

  1. SLAs (which are solid)
  2. Relationships (develop relationships between company and vendor)

Need to audit performance: poor contracts can mean worse availability and less security
Standardized global processes

By 2010 90% of all enterprise information security will be outsourced (Yankee Group)

Randy Sanovic (GM) & Deloitte & Touche – Privacy and Compliance Peer to Peer Roundtable
See "Hall of Shame" - www.privacyrights.org

Int’l Assoc Privacy Professionals - IAPP  http://www.privacyassociation.org/

Interesting discussions about the wide range of privacy and compliance issues around the globe.

September 26, 2006 in Conferences

Usenix and MetriCon 1.0

This year's Usenix Security Symposium and the first Security Metrics Conference, "MetriCon 1.0", were highly interactive and valuable.

Dan Geer delivered a one day tutorial titled “Measuring Security” which was well attended and had quite a few notable attendees.

An initial quote was very telling: “Amateurs study cryptography; professionals study economics.” See the whole presentation here.

A basic assumption is that measurements should be used for decision support.

It was also acknowledged that the field of security metrics is very immature, with plenty of opportunity to grow.

Dan Geer was trained as a biosciences statistician and was really in his element for this conference. He was able to cleanly integrate IT security scenarios with the fundamentals of statistics and probability. This session proved to be a great primer and warm-up for the next day's MetriCon session. Additionally, it afforded a great opportunity to network with some of the recognized leaders in the field as well as to establish relationships with peers.

MetriCon 1.0 was also very well attended (although it was an invitation only event) and included many of the people that had attended Geer’s session.

The day was broken into four sections dealing with security metrics: software design, enterprise case studies, other case studies, and risk management/governance, with four or five attendees delivering presentations in each section.

I found Dennis Opacki's presentation on human factors very interesting. He looks at the psychological research behind the effectiveness and use of metrics. As an example, studies show that people respond 'better' to metrics expressed in dollars. He also notes that the presentation of metrics is very important: well-presented metrics are more effective than poorly presented ones, even when the poorly presented ones rest on better data.

I also found a research presentation by Shawn Butler fascinating, as she discussed her findings about enterprise security metrics usage. Her emphasis was on the lack of measurement of 'value' or 'business impact' when enterprises report internally. She mentioned that enterprises are good at counting the frequency of events but don't correlate them with impact. (An example is virus controls, which are well understood in terms of cost and occurrence but typically equate to very little risk in terms of potential business impact; whereas information that carries very high business-impact risk [think intellectual property and sensitive data] often has very few security metrics applied to it.)

Andrew Sudbury from ClearPoint Metrics presented his firm's tools for creating balanced-scorecard-like metrics presentations. The tool looks expensive but effective.

Another highlight of the conference was Kawika Daguio, Executive VP of the Financial Information Protection Association, discussing governance and accountability. His organization has invested tens of millions of dollars in risk modeling and presents a very nice 15-layer model built upon the traditional 7-layer ISO model. He emphasizes the importance of baseline and aspirational models and the use of ordinal measures (to prevent inappropriate comparisons).

A significant 'formula' presented was that you must first start with defined goals, which lead to well-articulated questions, which are the basis for determining what the appropriate metrics should be. Throughout the two days it was repeated that enterprises have lots of measurements and reports that are not meaningful (they do not answer important questions or support business decisions). Put another way: be careful what you measure, because it will drive behavior.

A very nice definition of metrics is:

Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments.

Notice that metrics require periodic measurements, defined procedures, an explanation of how to interpret them, and a basis in history (a baseline).

Shawn Butler will be speaking at the upcoming Security Decisions Conference in Chicago this October. Next year the Usenix Security Symposium will be held in Boston on August 6-10.

Bob Jacobson's risk management materials were referenced and are impressive.

August 03, 2006 in Education

Security Conferences

I am looking for some good security conferences that would allow someone to network with peers, grow in knowledge and expand their horizons. Here is a preliminary list. I will also create some typelists for future reference. Feel free to suggest others along with any comments. There are also plenty of vendor conferences where you can learn a lot about products; I'll try to keep those off the list.

The Gartner IT Security Summit
June 5-7, 2006
Washington DC
http://agendabuilder.gartner.com/SEC12/webpages/Home.aspx

CSI NetSec 06
June 12-14, 2006
Scottsdale, Arizona
http://www.csinetsec.com/

Microsoft Tech·Ed 2006
June 12-16, 2006
Boston, Massachusetts
http://www.microsoft.com/events/teched2006/default.mspx

Identity Mash-Up Conference Who controls & protects the digital me?
June 19-21, 2006
Cambridge, Massachusetts
http://www.identitymash-up.org/

Workshop on Privacy Enhancing Technologies
Workshop on the Economics of Information Security
June 28-30, 2006
Cambridge, United Kingdom
http://petworkshop.org/2006/
http://weis2006.econinfosec.org/

SANS Fire
Washington DC
July 5-13, 2006
http://www.sans.org/sansfire06/

IT Architecture Practitioners Conference (Open Group)
Miami, FL
July 17-19, 2006
http://www.opengroup.org/miami2006/

Black Hat
Las Vegas, Nevada
July 29 - Aug 3, 2006
http://www.blackhat.com/html/bh-link/training.html

15th USENIX Security Symposium
Vancouver, BC
July 31 - Aug 4, 2006
http://www.usenix.org/events/sec06/

The Security Standard (IDG)
September 6-7, 2006
Boston, Massachusetts
http://www.thesecuritystandard.net/

Digital ID World 2006: Managing The Decentralization of Identity
September 11-13, 2006
Santa Clara, California
http://conference.digitalidworld.com/2006/

Interop
September 18-22, 2006
New York, New York
http://www.interop.com/

Security Decisions conference (TechTarget)
Chicago, Illinois
October 18-20, 2006
http://infosecurityconference.techtarget.com/

Network Security Conference (ISACA)
Las Vegas, Nevada
November 13-15, 2006
http://www.isaca.org/nsc

RSA Conference
San Francisco, California
February 5-9, 2007
https://2007.rsaconference.com/US/

6th Annual Security Conference
Las Vegas, Nevada
April 11-12, 2007
http://www.security-conference.org/

May 18, 2006 in Education

An Overview of Systems

I first want to describe the components of a typical network VPN system, along with some aspects of the choices involved.

The client

The software on the end device must be compatible with the VPN 'head end'. The natural choice for years was the Cisco VPN client, which costs no additional money. The Cisco client does work and supports a wide variety of platforms, such as Linux, Macintosh and many Windows platforms including CE. There are also some nice proprietary features, such as support for Cisco head end load balancing and firewall integration. But there are a number of shortcomings when using digital certificates, particularly the lack of support for integrated Windows login and the software's willingness to use any available certificate, even those not intended for client authentication.

On the other hand, the native Microsoft L2TP over IPSec client software is bundled with Windows XP and Windows 2000: no separate software download is required, nor is there a separate upgrade process when one is needed. There is also a client download available at no extra cost for Windows 98, ME and Windows NT 4.0, although due to poor certificate handling on those platforms I can only recommend using certificates with Windows XP Pro or newer systems. I find the Microsoft client to be far more secure than the Cisco client from a system perspective.
The Cisco client will allow you to use any available certificate (regardless of its intended purpose) to establish a tunnel that the head end can validate as being in its chain and not revoked. Then the user is prompted to supply any logon ID and password of the user's choosing. In practice this means that I could use any legitimate machine certificate or user certificate to connect, then use any legitimate ID and password from any other user to authenticate and be on a corporate network.
The Microsoft client first uses the machine certificate to create the tunnel, then uses the logged-in user's certificate and cached password to authenticate the user. This is all done transparently without the need for user input (unless there are multiple user certificates registered to that user's ID). There is no provision for choosing other certificates, including those not intended for authentication, which improves both security operations and the user experience.

The VPN concentrator (head end)

The VPN concentrator handles VPN tunnel termination. Its job is to handle the encryption/decryption functions and controls for VPN tunnels as well as authentication control. For this example I chose the Cisco 3000 series concentrator since it is the most common VPN head end in use in large companies. As a purpose-built appliance these models have the ability to scale to the size companies need. There are other similarly functional systems such as Nortel's Contivity. Other popular VPN systems are software-based and run on general-purpose servers, such as Microsoft's ISA and Check Point VPN-1 Pro. Without special hardware the number of concurrent encrypted sessions is extremely limited, and extra attention must be paid to hardening the host operating system to prevent unauthorized breaches. Although the Cisco VPN concentrator supports a wide variety of clients, the choices are much more limited when using digital certificates.

The Authentication system

A key reason to use digital certificates is to ease administration and management while maintaining or improving the security of the system. A central database of user identities tied to digital certificate management affords this and is at the heart of an authentication system. Although VPN concentrators can authenticate users against their own internal lists, for certificate-based authentication you will authenticate users against an external database (such as a Windows Active Directory system). With the Microsoft L2TP over IPSec protocol, user authentication takes place after the IPSec tunnel has been established: it is carried inside the PPP (L2TP) session and proxied to a RADIUS server using EAP. In a Microsoft environment the initial IPSec tunnel is authenticated with the machine certificate (this is the IKE negotiation, not Kerberos); the user certificate is then validated by the RADIUS server. There are quite a few RADIUS servers to choose from: the open source FreeRADIUS; Funk Steel Belted RADIUS; Cisco ACS; Microsoft IAS; Lucent NavisRADIUS.

The Digital Certificates (PKI)

Digital certificates (specifically X.509 version 3 certificates) provide a strong system to positively identify end users and machines, provided that the distribution and protection of private keys is well managed. PKI provides a large-scale certificate management system, including issuance (by a CA, or Certificate Authority), revocation (published through a CDP, or CRL Distribution Point, which is where relying parties fetch the Certificate Revocation List) and distribution of certificates. Microsoft Active Directory includes Enterprise CA functionality, although commercial CA systems will provide more flexibility. Windows Server 2003 provides easier certificate handling than Windows 2000 Server, as well as support for version 2 certificate templates, which Windows 2000 lacks.
Basic tips when handling certificates:

  • ensure that the device or person receiving the certificate is who you expect it to be;
  • make certain the device that stores the certificate is capable of storing it securely (Windows XP or newer);
  • mark the certificates as non-exportable, so the private key cannot be copied to another machine;
  • ensure that the user device validates the certificates it accepts;
  • the head end also requires an identity certificate; protect it as well;
  • enable CRL checking on the VPN head end;
  • enable CRL caching on the VPN head end for better performance (note that a cached CRL hides a new revocation until the cache entry expires, so keep the cache lifetime short);
  • protect each CA and the private key of each root certificate.

March 10, 2006 in VPN

Remote Access VPN issues

I am surprised by how difficult it is to find clear and practical information on configuring the world's most popular operating systems (Windows XP Pro as well as Windows 2000) to work with the world's most popular VPN concentrator (Cisco 3000 series formerly Altiga).

I plan to write a series of posts that discuss how to configure the Windows built-in VPN client to work securely with a Cisco VPN concentrator. The obvious protocol is L2TP over IPSec using digital certificates. Both Microsoft and Cisco lack any clear configuration guides, so my hope is that this series of posts will help others trying to accomplish the same.

Many companies choose to use the Cisco VPN client (the latest version is currently 4.8), but I have found that it poses far too many issues to continue using. Namely:

  • Lack of support for the Windows integrated login APIs. (When you attempt to make a VPN connection you are prompted to provide an identity and a password [even though you already did that when you logged in]. Aside from the obviously redundant effort of re-entering the information, you also allow someone to log in to Windows as one identity and then connect remotely as another.) The Microsoft client is seamless: your credentials are passed through to the VPN gateway.
  • The painful process (especially in large enterprises) of upgrading client software each time a new release is required. For the Cisco client this often involved three complete system reboots. The Microsoft client is patched as part of the Microsoft security patching process.
  • The painful process (especially in large enterprises) of configuring Cisco clients remotely, either initially or as parameters change. Microsoft clients can be configured using GPO updates.
  • Poor certificate handling. The Cisco VPN client software will allow (perhaps encourage is a better description) users to choose any valid certificate regardless of the certificate's specified purpose. For example, the VPN client will let you use a certificate designated only for signing as a certificate for authentication and encryption, and the Cisco interface doesn't help the user distinguish between certificate purposes. The Microsoft client only uses certificates that are designated for the appropriate purpose. You will normally use two certificates: the first is a machine certificate that authenticates the computer when the IPSec tunnel is set up, and the second is a user certificate that authenticates the user.
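The certificate properties that the two VPN posts above turn on (a client that only offers certificates carrying the client-authentication purpose, private keys marked non-exportable, and a chain that still validates with revocation checking against the CRL) can be inspected on a Windows client with the following PowerShell script. It is an added example, not code from the original posts or from Microsoft or Cisco; it assumes an elevated PowerShell session on the client and that the machine and user certificates live in the LocalMachine\My and CurrentUser\My stores, which is where the built-in L2TP/IPSec client looks for them. The function name Test-VpnCertificate and the output columns are my own.

```powershell
# Added example, not from the original posts: report, for every certificate with a
# private key in the machine and user personal stores, whether it would be usable
# by the built-in Windows L2TP/IPSec client (Client Authentication EKU present),
# whether its private key is exportable, and whether it still chains to a trusted
# root with a passing online (CRL) revocation check.
# Assumptions: elevated PowerShell on the client; the CDP in each certificate is
# reachable from this machine.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuExtOid     = '2.5.29.37'           # extKeyUsage extension

function Test-VpnCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # EKU check. The Microsoft client will not offer a certificate without the
    # Client Authentication purpose; the Cisco client (as described above) would.
    $ekus = @($Cert.Extensions |
        Where-Object { $_.Oid.Value -eq $ekuExtOid } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $hasClientAuth = $ekus -contains $clientAuthOid

    # Exportability is only exposed this way for CAPI (CSP) keys; $null means the
    # flag could not be read (for example a CNG-backed key), not that it is safe.
    $exportable = $null
    try {
        $exportable = $Cert.PrivateKey.CspKeyContainerInfo.Exportable
    } catch { }

    # Build the chain with online revocation checking, the same check the head end
    # performs when CRL checking is enabled. The self-signed root is excluded from
    # the revocation check because it has no CRL of its own.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Store         = $Cert.PSParentPath -replace '.*::', ''
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
        Exportable    = $exportable
        ChainValid    = $chainOk
        ChainStatus   = $status
        UsableForVpn  = ($Cert.HasPrivateKey -and $hasClientAuth -and $chainOk)
    }
}

# Machine certificate (IPSec tunnel) is in LocalMachine\My; the user certificate
# (user authentication inside the tunnel) is in CurrentUser\My.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-VpnCertificate -Cert $_ } |
    Format-Table Store, Subject, ClientAuthEKU, Exportable, ChainValid, ChainStatus, UsableForVpn -AutoSize
```

A row with ClientAuthEKU False is exactly the kind of signing-only certificate the Cisco client would still let a user pick. A ChainStatus of RevocationStatusUnknown or OfflineRevocation means the CDP named in the certificate could not be fetched from this machine; the head end will hit the same failure if CRL checking is enabled without network reachability to the CDP, so that is worth testing before the concentrator setting is turned on.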

Your participation is welcome!

January 29, 2006 in EAP, PKI, VPN


Certificates

  • Microsoft Reference

Security

  • securitymetrics.org
  • Not Bad For a Cubicle
  • 1 Raindrop
  • SecManager.Com

Security Books

  • Andrew Jaquith: Security Metrics: Replacing Fear, Uncertainty, and Doubt