<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>security-management « WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/security-management/</link>
	<description>Feed of posts on WordPress.com tagged "security-management"</description>
	<pubDate>Mon, 30 Nov 2009 01:10:57 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[introductory notes in industrial security management]]></title>
<link>http://portiaplacino.wordpress.com/2009/11/22/introductory-notes-in-industrial-security-management/</link>
<pubDate>Sun, 22 Nov 2009 10:58:32 +0000</pubDate>
<dc:creator>portiaplacino</dc:creator>
<guid>http://portiaplacino.wordpress.com/2009/11/22/introductory-notes-in-industrial-security-management/</guid>
<description><![CDATA[Welcome, new batch of students. I hope you will use this site as you must. Here is the first set of n]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Welcome, new batch of students. I hope you will use this site as you must. Here is the first set of notes for this semester.</p>
<p>See you in class.</p>
<p><a href='http://portiaplacino.wordpress.com/files/2009/11/introductory-notes-security.ppt'>introductory notes security</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Aligning Security and Company Risk - Lessons Learned from Others' Mistakes]]></title>
<link>http://awareity.wordpress.com/2009/11/13/aligning-security-and-company-risk-lessons-learned-from-others-mistakes/</link>
<pubDate>Fri, 13 Nov 2009 16:59:30 +0000</pubDate>
<dc:creator>awareity</dc:creator>
<guid>http://awareity.wordpress.com/2009/11/13/aligning-security-and-company-risk-lessons-learned-from-others-mistakes/</guid>
<description><![CDATA[Excellent Lessons Learned from Major Incidents There is a saying that no leader will live long enoug]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Excellent Lessons Learned from Major Incidents</strong></p>
<p>There is a saying that no leader will live long enough to learn from their own mistakes, so great leaders learn from other people’s mistakes too.</p>
<p>As I was reviewing titles from the November issue of Security Management (an ASIS publication) and on the lookout for lessons learned, I came across the following title:  <strong><em><a href="http://bit.ly/2zXbX9" target="_blank">Aligning Security and Company Risk</a></em></strong></p>
<p>I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health &#38; Services took after major incidents occurred at their organizations.</p>
<p>The article really got my attention when I read the first paragraph:</p>
<p><em>After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.</em></p>
<p>The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned and that no technology solution was going to “fix” their problems, gaps and weaknesses. </p>
<p>Are your organization’s security, compliance and risk management efforts aligned?</p>
<p>Does your organization have policies and procedures that help all appropriate personnel understand how your organization’s business processes are aligned?</p>
<p>Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management?  Compliance Management?  Risk Management? Reputation Management?</p>
<p>Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?</p>
<p>In my experience performing risk, vulnerability, compliance, safety and continuity assessments…most organizations can definitely learn from other leaders’ and other organizations’ mistakes, sooner rather than later.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[CTNC ebook series with Syllabus Download  ]]></title>
<link>http://demlaip.wordpress.com/2009/11/09/ctnc-ebook-series-download-and-syllabus/</link>
<pubDate>Mon, 09 Nov 2009 16:07:57 +0000</pubDate>
<dc:creator>demlaip</dc:creator>
<guid>http://demlaip.wordpress.com/2009/11/09/ctnc-ebook-series-download-and-syllabus/</guid>
<description><![CDATA[An ebook on a topic of interest to computer/IT professionals and students: &#8220;Convergence of Techn]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>An ebook on a topic of interest to computer/IT professionals and students:</p>
<p><strong><span style="color:#ff0000;">&#8220;Convergence of Technologies and Networking in Communication&#8221;  (CTNC)</span></strong></p>
<p><strong><span style="color:#3366ff;">This ebook series is based on the syllabus provided below:</span></strong></p>
<p>The series is organized as chapters; check back later for new chapters on this subject.</p>
<table border="0" cellspacing="1" cellpadding="1" width="200">
<tbody>
<tr>
<td>
<div id="attachment_192" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B1.pdf"><img class="size-thumbnail wp-image-192" title="chp1c" src="http://demlaip.wordpress.com/files/2009/11/chp1c.jpg?w=120" alt="Introduction to CTNC" width="120" height="150" /></a><p class="wp-caption-text">Chapter 1: Introduction to CTNC</p></div></td>
<td>
<div id="attachment_193" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B2.pdf"><img class="size-thumbnail wp-image-193" title="chp2c" src="http://demlaip.wordpress.com/files/2009/11/chp2c.jpg?w=120" alt="Chapter 2: Convergence Technology" width="120" height="150" /></a><p class="wp-caption-text">Chapter 2: Convergence Technology</p></div></td>
<td>
<div id="attachment_197" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B3.pdf"><img class="size-thumbnail wp-image-197" title="chp3c" src="http://demlaip.wordpress.com/files/2009/11/chp3c.jpg?w=120" alt="Chapter 3: Modem Computation" width="120" height="150" /></a><p class="wp-caption-text">Chapter 3: Modem Computation</p></div></td>
</tr>
<tr>
<td>
<div id="attachment_202" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B4.pdf"><img class="size-thumbnail wp-image-202" title="chp4c" src="http://demlaip.wordpress.com/files/2009/11/chp4c.jpg?w=120" alt="Chapter 4: Band pass Modulation" width="120" height="150" /></a><p class="wp-caption-text">Chapter 4: Band pass Modulation</p></div></td>
<td>
<div id="attachment_204" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B5.pdf"><img class="size-thumbnail wp-image-204" title="chp5c" src="http://demlaip.wordpress.com/files/2009/11/chp5c.jpg?w=120" alt="Chapter 5: Multiple Access" width="120" height="150" /></a><p class="wp-caption-text">Chapter 5: Multiple Access</p></div></td>
<td>
<div id="attachment_205" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B6.pdf"><img class="size-thumbnail wp-image-205" title="chp6c" src="http://demlaip.wordpress.com/files/2009/11/chp6c.jpg?w=120" alt="Chapter 6: Network Services" width="120" height="150" /></a><p class="wp-caption-text">Chapter 6: Network Services</p></div></td>
</tr>
<tr>
<td>
<div id="attachment_206" class="wp-caption aligncenter" style="width: 130px"><a href="http://dl.dropbox.com/u/2025503/Ctnc-sem%20V%20subject/CTNC%2BNOTES%2BCHAPTER%2B7.pdf"><img class="size-thumbnail wp-image-206" title="chp7c" src="http://demlaip.wordpress.com/files/2009/11/chp7c.jpg?w=120" alt="Chapter 7: Transfer modes" width="120" height="150" /></a><p class="wp-caption-text">Chapter 7: Transfer modes</p></div></td>
</tr>
</tbody>
</table>
<p><span style="color:#333399;">********************************************************************</span></p>
<p><strong><span style="color:#3366ff;">SYLLABUS FOR CTNC IS: </span></strong></p>
<p>1. <strong>Introduction:</strong></p>
<p>Communication model, data communication, data representation and transmission, modes of data transmission, synchronous and asynchronous communication, networks and services. Introduction to 2G, 3G and 4G wireless communication systems.</p>
<p>2. <strong>Convergence Technology</strong></p>
<p>The blending or integration of voice, video, data and image into one flexible network; overview of network topology.</p>
<p>3. <strong>Modem</strong></p>
<p>Digital modulation methods: ASK, PSK, FSK. Modems and standards, data multiplexers, multiplexing techniques, comparison of data multiplexing techniques; ADSL, RADSL, HDSL, SDSL.</p>
<p>4. <strong>Bandpass Modulation</strong></p>
<p>Binary phase shift keying (BPSK) and its probability of error; differentially encoded phase shift keying (DEPSK) and its probability of error; QPSK, M-ary PSK, quadrature amplitude shift keying, binary frequency shift keying, M-ary FSK, minimum shift keying (MSK). Error performance for binary systems, probability of error for coherently detected binary orthogonal FSK, GMSK.</p>
<p>5. <strong>Network Services and Protocol Layering</strong></p>
<p>Connection-oriented and connectionless services and their comparison; layered architecture, service interfaces, primitives and service access points; ad-hoc wireless networks, handoff algorithms, Bluetooth technology and infrared technology.</p>
<p>6. <strong>Transmission and Multiple Access</strong></p>
<p>Transfer modes: circuit switching, routing, virtual circuit switching, comparison of transfer modes, Asynchronous Transfer Mode (ATM). Multiple access concepts: FDMA/TDMA in GSM networks, CDMA in UMTS networks.</p>
<p>7. <strong>Data Transmission Functions</strong></p>
<p>Probability of error for coherently detected BPSK; data link control, data link line configurations, data link layer functions, services offered to the network layer; DLC protocol layering: logical link control (LLC) and media access control (MAC); flow control protocols; error detection and correction mechanisms, e.g. HDLC. Bridging: transparent and source-route bridging in Ethernet LANs. Switching: components of a typical switch, performance measures in switch design, switching issues, switching architectures (shared-memory, shared-medium and space-division architectures), switching in ATM and its examples.</p>
<p>8. <strong>Communication Network Functions</strong></p>
<p>Addressing techniques and their classification; addressing structure in the Internet and in telecom networks; signaling complexity in different networks, classification of signaling techniques, signaling issues, signaling models, point-to-multipoint signaling, ISDN signaling; routing protocols and techniques, core routing concepts.</p>
<p>9. <strong>Traffic Management</strong></p>
<p>Concept of traffic, concept of service, network capabilities, types of traffic; traffic management, traffic contract management, traffic policing, priority control; flow control versus congestion control; traffic management in ATM.</p>
<p>10. <strong>Network Management</strong></p>
<p>Goals of network management, functional areas of network management, Telecommunications Management Network (TMN).</p>
<p>11. <strong>Security Management</strong></p>
<p>Security management; symmetric (secret-key) encryption techniques; asymmetric encryption techniques; key management; hash functions; digital signatures and certificates; firewalls; security management in third-generation UMTS networks.</p>
<p>12. <strong>Convergence Technologies for 3G Networks</strong></p>
<p>Operation and integration of GSM, GPRS, EDGE, UMTS, CDMA2000, IP and ATM, with practical examples of 3G connection scenarios; signaling flows and protocol stacks; IP and ATM as used in a 3G context; issues of QoS and real-time application support; IP/SS7 internetworking and IP softswitching; the architecture of the IP Multimedia Subsystem (IMS) for UMTS.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Facebook Hit by a Trojan Again]]></title>
<link>http://remenz.wordpress.com/2009/11/04/facebook-kembali-diserang-trojan/</link>
<pubDate>Wed, 04 Nov 2009 03:05:00 +0000</pubDate>
<dc:creator>Harz</dc:creator>
<guid>http://remenz.wordpress.com/2009/11/04/facebook-kembali-diserang-trojan/</guid>
<description><![CDATA[A massive botnet attack is reported to have hit around 750,000 Facebook users. According to security vendor Cl]]></description>
<content:encoded><![CDATA[A massive botnet attack is reported to have hit around 750,000 Facebook users. According to security vendor Cl]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Best Practices, Linkous-style]]></title>
<link>http://blog.eiqnetworks.com/2009/09/25/security-best-practices-linkous-style/</link>
<pubDate>Fri, 25 Sep 2009 19:14:38 +0000</pubDate>
<dc:creator>Mike Rothman</dc:creator>
<guid>http://blog.eiqnetworks.com/2009/09/25/security-best-practices-linkous-style/</guid>
<description><![CDATA[Secure Your Stuff or you&#39;ll be a pillar of salt eIQ&#8217;s own security and compliance evangeli]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><div class="wp-caption alignleft" style="width: 250px"><a href="http://www.flickr.com/photos/coba/1825369/" target="_blank"><img style="margin:10px;" title="Random Wacky Street Preacher originally uploaded by coba" src="http://farm1.static.flickr.com/2/1825369_8199f69fe2_m_d.jpg" alt="Secure Your Stuff or you will be a pillar of salt" width="240" height="141" /></a><p class="wp-caption-text">Secure Your Stuff or you&#39;ll be a pillar of salt</p></div>
<p>eIQ&#8217;s own security and compliance evangelist John Linkous took some time to step away from his bully pulpit to contribute a list of practices for <a href="http://www.networkworld.com/newsletters/techexec/2009/090925-musthaler.html" target="_blank">Linda Musthaler&#8217;s Network World column</a>. Although he&#8217;s no Jim Bakker, John can sling security fire and brimstone with the best of them. He provides some good food for thought for any security professional. Check it out and be converted.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Smadav Version 7.1]]></title>
<link>http://remenz.wordpress.com/2009/09/14/smadav-versi-6-4/</link>
<pubDate>Mon, 14 Sep 2009 00:17:00 +0000</pubDate>
<dc:creator>Harz</dc:creator>
<guid>http://remenz.wordpress.com/2009/09/14/smadav-versi-6-4/</guid>
<description><![CDATA[The latest version of Smadav was released on 15 September. This locally developed antivirus is able to]]></description>
<content:encoded><![CDATA[The latest version of Smadav was released on 15 September. This locally developed antivirus is able to]]></content:encoded>
</item>
<item>
<title><![CDATA[OWASP AppSec DC 2009 Coming Up - Remember to Register!]]></title>
<link>http://sintixerr.wordpress.com/2009/09/12/owasp-appsec-dc-2009-coming-up-remember-to-register/</link>
<pubDate>Sat, 12 Sep 2009 12:35:09 +0000</pubDate>
<dc:creator>Jack Whitsitt</dc:creator>
<guid>http://sintixerr.wordpress.com/2009/09/12/owasp-appsec-dc-2009-coming-up-remember-to-register/</guid>
<description><![CDATA[I just wanted to make sure everyone remembers to register for this great conference in DC this year.]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I just wanted to make sure everyone remembers to register for this great conference in DC this year.  From their <a title="http://www.owasp.org/index.php/OWASP_AppSec_DC_2009" href="http://www.owasp.org/index.php/OWASP_AppSec_DC_2009" target="_blank">website</a>:</p>
<blockquote><p><span style="color:#000000;"><strong>Press Release August 20th 2009 &#8212; <a title="http://www.owasp.org/images/4/4d/Press_Release_AppSec_DC_August_20th_2009.pdf" rel="nofollow" href="http://www.owasp.org/images/4/4d/Press_Release_AppSec_DC_August_20th_2009.pdf" target="_blank">Speaker Agenda Released and Registration Open!</a></strong></span></p>
<p><span style="color:#000000;">We are pleased to announce that the <a title="http://www.owasp.org/index.php/Washington_DC" rel="nofollow" href="http://www.owasp.org/index.php/Washington_DC" target="_blank">OWASP DC chapter</a> will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.</span></p>
<p><span style="color:#000000;">AppSec DC 2009 will be held at the <a title="http://www.dcconvention.com/" rel="nofollow" href="http://www.dcconvention.com/" target="_blank">Walter E. Washington Convention Center</a> (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.</span></p>
<p><span style="color:#000000;"><strong>Who Should Attend AppSec DC 2009:</strong></span></p>
<ul>
<li><span style="color:#000000;">Application Developers</span></li>
<li><span style="color:#000000;">Application Testers and Quality Assurance</span></li>
<li><span style="color:#000000;">Application Project Management and Staff</span></li>
<li><span style="color:#000000;">Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff</span></li>
<li><span style="color:#000000;">Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance</span></li>
<li><span style="color:#000000;">Security Managers and Staff</span></li>
<li><span style="color:#000000;">Executives, Managers, and Staff Responsible for IT Security Governance</span></li>
<li><span style="color:#000000;">IT Professionals Interested in Improving IT Security</span></li>
</ul>
</blockquote>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Network Security]]></title>
<link>http://kunal26.wordpress.com/2009/09/10/network-security/</link>
<pubDate>Thu, 10 Sep 2009 15:59:52 +0000</pubDate>
<dc:creator>kunal26</dc:creator>
<guid>http://kunal26.wordpress.com/2009/09/10/network-security/</guid>
<description><![CDATA[Network security consists of the provisions made in an underlying computer network infrastructure, p]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Network security consists of the provisions made in the underlying computer network infrastructure, the policies the network administrator adopts to protect the network and its network-accessible resources from unauthorized access, and the consistent, continuous monitoring and measurement of how effective (or ineffective) those provisions and policies are, taken together.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Review: New RoboForm Pro Online Service]]></title>
<link>http://olzak.wordpress.com/2009/09/02/roboformonline/</link>
<pubDate>Wed, 02 Sep 2009 16:42:22 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzak.wordpress.com/2009/09/02/roboformonline/</guid>
<description><![CDATA[Need to access your passwords, secret questions, and personal ID information anywhere, anytime?  The]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Need to access your passwords, secret questions, and personal ID information anywhere, anytime?  Then you need to take a look at the new RoboForm online service.  I recommend it.</p>
<p><a href="http://www.roboform.com/" target="_blank">RoboForm</a> isn’t new.  A product by Siber Systems, Inc., the RoboForm desktop application has been helping users auto-fill forms and remember important information for some time.  What IS new is an online service (beta) which allows you to:</p>
<ol>
<li>Sync your passwords, secret questions, and other identity information with RoboForm servers.  All data shared with RoboForm is encrypted with AES using a password which only the user knows.  RoboForm cannot access your data.</li>
<li>Access your online information from any computer with Internet access, without installing any software.</li>
<li>Access your online information using selected smartphones, including iPhones and Blackberries. </li>
</ol>
<p>Before we get to the online capabilities, let’s walk through the RoboForm Pro client application functionality.</p>
<h3>Client Functionality</h3>
<p>The RoboForm Pro client, with a $29.95 price tag for the first license, is <a href="http://www.roboform.com/php/pums/rfprepay.php?lang=en&#38;lic=default&#38;currency=USD&#38;dc=F29&#38;snc=2" target="_blank">available for download</a>.  There is a nice quantity-discount calculator at the site, but $15.95 seems to be as low as it goes.</p>
<p>I downloaded the client and installed it on my desktop (Windows 7 and Firefox 3.5).  After activation (see Figure 1), I restarted Firefox.  The toolbar shown in Figure 2 appeared.</p>
<p><a title="Figure 1: RoboForm Activation" href="http://adventuresinsecurity.com/images/RoboFormPro/Activation.png" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 1: RoboForm Activation" src="http://olzak.files.wordpress.com/2009/09/activation.png?w=244&#038;h=207" border="0" alt="Figure 1: RoboForm Activation" width="244" height="207" /></a></p>
<p><a title="Firefox RoboForm Toolbar" href="http://adventuresinsecurity.com/images/RoboFormPro/toolbar.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 2: RoboForm Toolbar" src="http://olzak.files.wordpress.com/2009/09/toolbar.jpg?w=404&#038;h=65" border="0" alt="Figure 2: RoboForm Toolbar" width="404" height="65" /></a></p>
<p>The time-to-live setting for the RoboForm master password is an important setting during setup.  As you’ll see as we step through this section, maintaining an active login to the client provides access to passwords and other private information.  So you want the login to expire without having to think about it.  The default is 120 minutes.  I set mine to 10.</p>
<p>The core of RoboForm password management is the passcard.  A passcard contains login and address information for a specific site or application.  There are two ways to set one up.  First, you can navigate to the login screen of the target site or Web application and enter your account ID and password.  You can also pre-configure a site login.   </p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/newpasscard-gmail.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 3: Create a Passcard" src="http://olzak.files.wordpress.com/2009/09/newpasscardgmail.jpg?w=404&#038;h=197" border="0" alt="Figure 3: Create a Passcard" width="404" height="197" /></a></p>
<p>To create my Gmail passcard, I provided a name and left <em>Password-protect</em> checked, as shown in Figure 3.  This requires the encryption password before I can access it.  I then created an email folder in which to place the passcard.  I also checked <em>Add Shortcut to Links Toolbar</em>.  When I clicked save, a button with the passcard name appeared in the RoboForm toolbar (See Figure 4).  Also saved was the URL to the login page.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 4" src="http://olzak.files.wordpress.com/2009/09/identityonbar.jpg?w=221&#038;h=38" border="0" alt="Figure 4" width="221" height="38" /></p>
<p>The button performs two functions.  If the Gmail login page is not currently displayed, RoboForm instructs the browser to go there.  The second function is the same whether you are at the page or not: RoboForm auto-fills the account name and password fields.  If you’ve previously used this function, a persistent cookie exists on your computer.  When the cookie is present, clicking the button causes the browser to navigate to the page, enter the login information, and log in.  You can disable the persistent cookie feature by removing the asterisk in the field shown in Figure 5.  (Note: When editing passcards, the password is displayed in plain text.  This is so you can retrieve a forgotten password.  So beware of shoulder surfers…)</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/persistentcookie.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 5: Editing Passcards" src="http://olzak.files.wordpress.com/2009/09/persistentcookie.jpg?w=404&#038;h=327" border="0" alt="Figure 5: Editing Passcards" width="404" height="327" /></a></p>
<p>In addition to passwords, you can store all personal information&#8211;including credit cards, bank account info, and social security number&#8211;in an identity form.  See Figure 6.  Note that the identity information, like all passcards, is encrypted with AES.  When saved, the identity appears in the RoboForm toolbar, as shown in Figure 4.  You can use it to fill-in any browser-based forms, and you can create multiple identities.</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/identity.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 6: Identity Form" src="http://olzak.files.wordpress.com/2009/09/identity.jpg?w=404&#038;h=377" border="0" alt="Figure 6: Identity Form" width="404" height="377" /></a></p>
<p>Finally, you can create free-form safe notes.  I created one to hold a sample security question, as shown in Figure 7.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 7: Creating a Safenote" src="http://olzak.files.wordpress.com/2009/09/safenote.jpg?w=404&#038;h=326" border="0" alt="Figure 7: Creating a Safenote" width="404" height="326" /></p>
<p>This is a good time to talk about encryption strength.  The AES key length RoboForm uses depends on the length of the master password that protects your RoboForm information:</p>
<ul>
<li>Master password shorter than 32 characters – 128 bit</li>
<li>Master password from 32 to 47 characters – 192 bit</li>
<li>Master password of 48 characters or more – 256 bit</li>
</ul>
<p>Keep in mind that this picks the key length from the password’s character count, not from how unpredictable the password is.  A long but guessable master password produces a long key that is no harder to recover than the password itself, so the effective strength is bounded by the master password’s entropy, whatever the key length.</p>
<p>If you can’t decide on a password for an account, the create-a-password feature built into RoboForm can help.  There was a small issue with the sample password shown in Figure 7: it contained a dictionary word.  While this might not be a huge problem, you should be aware that it can happen.  Play with this a little.  You can watch the bit strength change as you change the provided parameters.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 7: Password Generator" src="http://olzak.files.wordpress.com/2009/09/generate.jpg?w=304&#038;h=343" border="0" alt="Figure 7: Password Generator" width="304" height="343" /></p>
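<p>The dictionary-word issue above is a property of any generator that samples characters uniformly: a word can turn up by chance. The following is an added example, not RoboForm’s code, of a generator that draws from the selected character classes with a CSPRNG, reports the entropy that selection gives, and resamples when a candidate embeds a word from a (constructed, deliberately tiny) word list. The class names, the word list and the parameters are assumptions for the example.</p>

```python
import math
import secrets
import string

# Character classes the user can switch on; the names are assumptions for this
# example, not RoboForm's own parameter names.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Constructed, deliberately tiny word list; a real check loads a full dictionary
# (for example /usr/share/dict/words) plus leaked-password lists.
DICTIONARY = {"pass", "word", "admin", "login", "secret", "robo", "form", "test", "qwerty"}


def alphabet_for(classes) -> str:
    """Union of the selected classes, duplicates removed, in a stable order."""
    out = ""
    for name in classes:
        for ch in CLASSES[name]:
            if ch not in out:
                out += ch
    return out


def entropy_bits(length: int, classes) -> float:
    """Entropy of a password drawn uniformly from the alphabet: length * log2(|alphabet|).

    This is the figure a generator can honestly display; it says nothing about a
    password the user typed in by hand, which is far more predictable than its length suggests.
    """
    return length * math.log2(len(alphabet_for(classes)))


def contains_dictionary_word(candidate: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """True if any listed word of at least min_len letters appears, case-insensitively."""
    low = candidate.lower()
    return any(w in low for w in words if len(w) >= min_len)


def generate_password(length: int = 16,
                      classes=("lower", "upper", "digits", "symbols"),
                      max_tries: int = 100) -> str:
    """Draw each character with the CSPRNG (secrets, never random) and resample if a
    dictionary word slipped in. Rejecting a few candidates discards a negligible
    fraction of the space, so entropy_bits() still holds to well under one bit."""
    alphabet = alphabet_for(classes)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not contains_dictionary_word(candidate):
            return candidate
    raise RuntimeError("no dictionary-free candidate found; raise length or max_tries")


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, ('lower', 'upper', 'digits', 'symbols')):.1f} bits")
```

<p>The entropy figure is only meaningful for passwords the generator produced; the same function applied to a user-chosen master password would overstate its strength badly, which is the point of the caveat on key length above.</p>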
<p>So far, this looks like something I can use.  However, what happens when I’m not in front of the computer with my client software installed?  Well, I can create a repository with software loaded on a thumb drive.  Or I can use the new RoboForm online service (beta).</p>
<h3>Features of Online Service (beta)</h3>
<p>The online service provides you with your passwords, identity information, and safenote data anytime, anywhere.  The data is encrypted with your master password, which only you know.  If you lose the password, you lose your data.  Not even RoboForm can help.</p>
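<p>The arrangement described above, where the master password alone unlocks the data and the vendor has no recovery path, is client-side encryption under a password-derived key. The following added example, not RoboForm’s code, shows the shape of such a design: PBKDF2-HMAC-SHA256 turns the master password and a random salt into an encryption key and a MAC key, the data is encrypted and then authenticated, and the server stores only salt, nonce, ciphertext and tag. HMAC-SHA256 in counter mode stands in for AES here because the Python standard library ships no AES; the blob layout and the iteration count are assumptions for the example.</p>

```python
import hashlib
import hmac
import secrets

# Added example (not RoboForm's code) of a password-derived-key design: the client
# derives its keys from the master password, so the sync server stores only an
# opaque blob and has no way to recover the data. HMAC-SHA256 in counter mode is
# used as the stream cipher because the standard library ships no AES; the blob
# layout and the iteration count are assumptions.

KDF_ITERATIONS = 100_000   # assumed work factor; tune to ~100 ms on the client


def derive_keys(master_password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 64 bytes: first half encrypts, second half authenticates."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).
    A (key, nonce) pair must never be reused, exactly as with AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_blob(master_password: str, plaintext: bytes) -> bytes:
    """Returns salt(16) || nonce(16) || ciphertext || tag(32): all the server ever sees."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_blob(master_password: str, blob: bytes):
    """Plaintext on success; None for a wrong password, a tampered blob or a malformed
    one. The tag is verified before any decryption is attempted."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


if __name__ == "__main__":
    blob = encrypt_blob("correct horse battery staple", b"gmail.com | alice | hunter2")
    print(decrypt_blob("correct horse battery staple", blob))   # the passcard
    print(decrypt_blob("wrong password", blob))                 # None: nothing to recover
```

<p>With this layout the server, or anyone who copies the blob, holds nothing that yields the plaintext without the password, and a wrong password or a modified blob fails the tag check before decryption starts. It also makes concrete why there is no recovery path: the salt is public, so the only secret input is the password, and the cost of guessing it is the KDF work factor multiplied by the number of guesses the password’s entropy allows.</p>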
<p>To synchronize your local information with the online service, you first have to create an online account.  RoboForm must be installed on your computer to use this service.</p>
<p>Once the account is created, and you have synchronized your computer with your online repository, you can access your RoboForm data using an SSL connection as shown in Figure 8.</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/onlinelogin.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 8: Online Signup and Login" src="http://olzak.files.wordpress.com/2009/09/onlinelogin.jpg?w=404&#038;h=179" border="0" alt="Figure 8: Online Signup and Login" width="404" height="179" /></a></p>
<p>To sync your computer, click the <em>Sync</em> button in the toolbar.  If this is your first sync, RoboForm needs your online user ID and password, as shown in Figure 9.  Sync settings can be set or changed at any time by using the button shown in Figure 10.  Once configured, the prompt shown in Figure 10 is displayed, allowing you to manually sync your data and select auto-sync if you don’t want to worry about pushing future changes or additions to the online repository.  Note that you can also sync to local or network storage devices.</p>
<p><img style="border-bottom:0;border-left:0;display:block;float:none;margin-left:auto;border-top:0;margin-right:auto;border-right:0;" title="Figure 9: Sync Setup" src="http://olzak.files.wordpress.com/2009/09/syncportable.jpg?w=404&#038;h=307" border="0" alt="Figure 9: Sync Setup" width="404" height="307" /></p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 10: Online Sync" src="http://olzak.files.wordpress.com/2009/09/synctoolbarandauto.jpg?w=404&#038;h=146" border="0" alt="Figure 10: Online Sync" width="404" height="146" /></p>
<p>There are differences between using the online service and the local client.</p>
<ol>
<li>Auto-navigation to the login page is not enabled, although the link is provided</li>
<li>Auto-fill is not enabled, so you have to copy and paste your account ID and password, which is displayed in plain text, to the login fields</li>
</ol>
<p>The online service is free to try while in beta.  No future cost information is currently available.</p>
<p>The last online feature I tested was access via smartphone.  This worked flawlessly when I tried using my iPhone 3GS.  Figures 11 and 12 show the screens provided.</p>
<blockquote><p><img style="display:inline;border-width:0;" title="Figure 11: Mobile Menu" src="http://olzak.files.wordpress.com/2009/09/iphonemenu.jpg?w=204&#038;h=304" border="0" alt="Figure 11: Mobile Menu" width="204" height="304" />      <img style="display:inline;border-width:0;" title="Figure 12: Mobile Password Screen" src="http://olzak.files.wordpress.com/2009/09/iphonepass.jpg?w=204&#038;h=304" border="0" alt="Figure 12: Mobile Password Screen" width="204" height="304" /></p></blockquote>
<h3>Recommendation</h3>
<p>I recommend both the client software and the online solution.  This is the best password, identity, and general sensitive information repository solution I’ve seen.  If you are worried about how RoboForm manages passwords in memory, check out the user manual.  Passwords are purged from memory during events you select.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Yes, sensitive data on QA and Development servers is still sensitive]]></title>
<link>http://olzak.wordpress.com/2009/08/18/qa_dev/</link>
<pubDate>Tue, 18 Aug 2009 16:48:32 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzak.wordpress.com/2009/08/18/qa_dev/</guid>
<description><![CDATA[Any organization with an effective software development lifecycle (SDLC) builds QA and development e]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Any organization with an effective software development lifecycle (SDLC) builds QA and development environments to test new or upgraded systems.  Testing, either unit (developer) or user acceptance (UAT), requires data available to the application which looks very close to production data, including construction of all data dependencies.  The fastest way to make this happen is to copy production data into the test and development databases.  However, perception of the sensitivity of data in these non-production environments is often… well… wrong.</p>
<p>I like to practice data-centric security.  This means security controls are about protecting sensitive data and access by critical systems to that data.  So if someone moves a customer database, for example, to a development server the data should be protected with the same controls used to protect it in production.  Organizations often use a system-centric approach to security, assuming that servers, workstations and data not in the production environment don’t require the same level of trustworthiness.</p>
<blockquote><p><em>Research commissioned by </em><a href="http://www.channelweb.co.uk/#"><em>enterprise</em></a><em> applications vendor </em><a href="http://www.microfocus.com/Products/"><em>Micro Focus</em></a><em> and carried out by the Ponemon Institute surveyed 1,350 application development staff at UK and US firms with turnover between $10m (£6.1m) and $20bn-plus.</em></p>
<p><em>The past 12 months have seen data breaches at 79 per cent of respondents, with the same amount using live production data in </em><a href="http://www.channelweb.co.uk/#"><em>application development</em></a><em> and testing. But just 30 per cent of firms mask this data during the process.</em></p>
<p><a href="http://www.channelweb.co.uk/#"><em>Application</em></a><em> testing takes place on at least a weekly basis at 64 per cent of companies, with 90 per cent claiming it happens once a month or more. A mere seven per cent of respondents said </em><a href="http://www.channelweb.co.uk/crn/news/2242115/government-suppliers-given-ias6"><em>data protection</em></a><em> procedures were more rigorous during development and testing than during normal production.</em></p>
<p><strong>Source: </strong><em><a href="http://www.channelweb.co.uk/crn/news/2248018/lax-masking-hits-four-five" target="_blank">Lax data masking hits four in five firms</a>,</em> Sam Trendall, CRN, 18 August 2009</p></blockquote>
<p>Granted, the purpose of the study was ostensibly to promote a data masking solution.  But it demonstrates the need for better focus on non-production data stores.  In other words, data in QA and development systems must be managed with the same rigor as that residing in production.  And if extending security controls to these systems is not feasible, then data masking is necessary.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Blame the auditors: What a concept!]]></title>
<link>http://olzak.wordpress.com/2009/08/13/blame-the-auditors/</link>
<pubDate>Thu, 13 Aug 2009 13:02:40 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzak.wordpress.com/2009/08/13/blame-the-auditors/</guid>
<description><![CDATA[I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t thought of it is because passing a compliance audit IS NOT ASSURANCE OF SECURITY.  But some still don’t get it.</p>
<p>In <a href="http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down" target="_blank">an interview with CSO’s Bill Brenner</a>, Heartland Payment Systems’ CEO, Robert Carr, blamed his QSA auditors for a recent (huge) breach.  Because they said his organization was PCI compliant, he felt secure.  Wow.  Security by checklist once again.</p>
<p>Rich Mogull, in an open letter to Carr, makes several excellent points about reliance on compliance instead of solid security practices.  He concludes his letter with,</p>
<blockquote><p><em>But, based on your prior public statements and this interview, you appear to be shifting the blame to the card companies, your QSA, and the PCI Council. From what&#8217;s been released, your organization was breached using known attack techniques that were preventable using well-understood security controls.</em></p>
<p><em>As the senior corporate officer for Heartland, that responsibility was yours.</em></p>
<p><strong>Source:</strong> <em><a href="http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems/" target="_blank">An Open Letter to Robert Carr, CEO of Heartland Payment Systems</a></em>, Rich Mogull, 12 August 2009</p></blockquote>
<p>Rich’s letter is a good read, and it should be circulated widely among security professionals and senior executives. </p>
<p>Among other things, this is another case where an organization is falling back on a completed checklist representing compliance with the PCI standard, a bare minimum set of security requirements.  But whether you are HIPAA, GLBA, or PCI compliant, checking off on recommended practices doesn’t equal security.</p>
<p>Each of us is responsible for placing compliance activities within the proper context: guidelines within a broader security program.  No regulatory or industry standards can protect our critical infrastructure or sensitive data.  Only an aware, thinking human who actually cares about security—and understands how standards apply within his or her unique environment—can do that.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Hardware Hacking Defense: Can you say physical security?]]></title>
<link>http://olzak.wordpress.com/2009/08/05/hardware-hacking-defense-can-you-say-physical-security/</link>
<pubDate>Wed, 05 Aug 2009 16:30:09 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzak.wordpress.com/2009/08/05/hardware-hacking-defense-can-you-say-physical-security/</guid>
<description><![CDATA[I’ve been sort of stuck in the land of physical security lately.  The reason I can’t seem to extrica]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I’ve been sort of stuck in the land of physical security lately.  The reason I can’t seem to extricate my brain relates to the dismal facility security many organizations employ.  It’s the lack of good physical security, including employee resistance to challenging strangers browsing the work area, which makes implementation of hardware hacks a real possibility.</p>
<p>Unlike software keystroke loggers and other nasty malware typically obtained via poor user habits—combined with a lack of Web browsing controls—hardware hacks are virtually invisible to AV software.  (See the vendor agnostic whitepaper, <em>Keystroke Logging </em>at <a href="http://ow.ly/jaeU" target="_blank">http://ow.ly/jaeU</a>.)  For example, a firmware hack for Apple keyboards was demonstrated at DEFCON 2009.  A related video (<a href="http://ow.ly/jahK" target="_blank">http://ow.ly/jahK</a>) shows security researcher K. Chen gathering keystrokes from a laptop via a compromised keyboard.  The main difference with this hack is the ability to take over the hardware without taking the keyboard apart to install a logging component.  However, implementation of the hack is similar to other logging issues—physical access to hardware by an attacker means game over.</p>
<p>This hack, and others like it, require physical access to your computers.  How do you keep bad people away from your information resources?</p>
<ul>
<li>Lock your doors.  Only authorized personnel should have access to your business office.  (If you aren’t securing your datacenter, this bullet is meaningless&#8230;)</li>
<li>Train your employees to notify security—or management if on-site security personnel aren’t available—when someone they don’t recognize is in the office area without a guest badge.  (This assumes your organization actually makes real employees wear employee badges and guests to wear guest badges.)</li>
<li>Make sure your employee training includes social engineering issues.  For example, an employee should know that when a stranger tells him or her that they are replacing the widget control on the computer’s frazzilator, there may be something amiss.  In any case, strangers unaccompanied by regular employees—even if carrying a tool bag—are to be considered suspicious and reportable.</li>
<li>Even if a person has a guest badge, unexplained lingering around cubicles or use of an employee system should be reported. If unexplained access was gained to a workstation, consider replacing it.  At least ensure:
<ul>
<li>The keyboard is standard company issue.  (You might consider marking keyboards so they are identifiable as yours.)</li>
<li>There are no unusual components connected to the keyboard cable.</li>
<li>There is no unexplained hardware anywhere in the cubicle.</li>
<li>The Event Logs show no trace of an attack.  (Any attacker worth his or her fees will eradicate any traces of unusual activity&#8211;if they have enough time.)</li>
<li>Your intrusion detection/prevention logs don’t indicate the PC is sending/receiving unusual traffic.</li>
</ul>
</li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Hacking an Apple Keyboard]]></title>
<link>http://olzakv.wordpress.com/2009/08/05/hacking-an-apple-keyboard/</link>
<pubDate>Wed, 05 Aug 2009 15:41:48 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzakv.wordpress.com/2009/08/05/hacking-an-apple-keyboard/</guid>
<description><![CDATA[This is interesting, but changing keyboard function to gather sensitive information is not new. ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>This is interesting, but changing keyboard function to gather sensitive information is not new. </p>
<p><span style='text-align:center; display: block;'><object width='425' height='350'><param name='movie' value='http://www.youtube.com/v/_81lHJQpc_Y&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;hd=0' /><param name='allowfullscreen' value='true' /><param name='wmode' value='transparent' /><embed src='http://www.youtube.com/v/_81lHJQpc_Y&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;hd=0' type='application/x-shockwave-flash' allowfullscreen='true' width='425' height='350' wmode='transparent'></embed></object></span></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[BlackHat Without The Drama]]></title>
<link>http://edbellis.com/2009/08/04/blackhat-without-the-drama/</link>
<pubDate>Tue, 04 Aug 2009 03:06:24 +0000</pubDate>
<dc:creator>cleartext</dc:creator>
<guid>http://edbellis.com/2009/08/04/blackhat-without-the-drama/</guid>
<description><![CDATA[Well another BlackHat is in the books and another round of vulnerabilities have been disclosed and b]]></description>
<content:encoded><![CDATA[Well another BlackHat is in the books and another round of vulnerabilities have been disclosed and b]]></content:encoded>
</item>
<item>
<title><![CDATA[Managing limitations of prediction]]></title>
<link>http://discourseweb.wordpress.com/2009/08/01/manage-limits-of-prediction/</link>
<pubDate>Sat, 01 Aug 2009 13:11:03 +0000</pubDate>
<dc:creator>Andrzej Góralczyk</dc:creator>
<guid>http://discourseweb.wordpress.com/2009/08/01/manage-limits-of-prediction/</guid>
<description><![CDATA[&nbsp; Thrilling question whether &#8220;All Predictive Models Are Wrong?&#8221; has already second ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<p>The thrilling question of whether &#8220;All Predictive Models Are Wrong?&#8221; already has a second page of proposed answers on <a href="http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&#38;gid=35222&#38;discussionID=838693&#38;split_page=2">LinkedIn</a>, and will probably be continued for a long time. However, another question seems equally important: &#8220;What to do if the predictions are not sufficiently accurate?&#8221;</p>
<p>The standard answer is seductive and well known in security management &#8211; it is necessary to build a strategy to cope with uncertainty and the risk that follows from it. For example, contemporary military strategies for such cases fulfil the goal &#8220;to preserve the ability to continue operations&#8221;. Narrow-minded businesses often develop a strategy &#8220;to minimize loss&#8221;, while open-minded businesses develop an organisation able &#8220;to benefit most from opportunities and optimize the measures against threats&#8221;.</p>
<p>The case discussed is that of hurricanes. No one can predict losses due to hurricanes with satisfactory accuracy. Uncertainty is costly. If the risk is overestimated, people and companies bear excessive costs to protect or insure themselves. If the risk is underestimated, the insurers go bankrupt&#8230;</p>
<p>It is not possible to predict disaster losses accurately. This does not mean, however, that data analytics has little to do in this field. Instead of tilting at windmills, it is probably better to analyse strategies for responding to uncertainty, and to build models of optimum strategies. Moreover, the variance of strategies can explain part of the variance of total loss, and so contribute to the accuracy of total loss prediction.</p>
<p>The idea of modelling reinsurance strategies is not new. It requires some knowledge of, and models of, the behaviour of open dynamic systems. It seems reasonable to build a general model of a reinsurance strategy that secures insurers against bankruptcy &#8211; the strategy &#8220;to preserve the ability to continue operations&#8221;.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Forrester Firewall Auditing Tools Comparison, July 2009]]></title>
<link>http://olzakv.wordpress.com/2009/07/31/forrester-firewall-auditing-tools-comparison-july-2009/</link>
<pubDate>Fri, 31 Jul 2009 16:41:13 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzakv.wordpress.com/2009/07/31/forrester-firewall-auditing-tools-comparison-july-2009/</guid>
<description><![CDATA[From Market Overview: Firewall Auditing Tools by John Kindervag]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://olzakv.wordpress.com/files/2009/07/image001.jpg"><img class="alignnone size-full wp-image-23" title="image001" src="http://olzakv.wordpress.com/files/2009/07/image001.jpg" alt="image001" width="450" height="453" /></a></p>
<p>From <strong><em><a href="http://www.forrester.com/Research/Document/0,7211,54663,00.html?cm_mmc=Forrester-_-RSS-_-Document-_-54663&#38;src=RSS_CustomFeed">Market Overview: Firewall Auditing Tools</a></em> </strong>by John Kindervag</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Employee Succeeds at the Challenge of being a Student and a Soldier]]></title>
<link>http://bunews.wordpress.com/2009/07/28/employee-succeeds-at-the-challenge-of-being-a-student-and-a-soldier/</link>
<pubDate>Tue, 28 Jul 2009 20:10:04 +0000</pubDate>
<dc:creator>Jim Maxwell for Bellevue University</dc:creator>
<guid>http://bunews.wordpress.com/2009/07/28/employee-succeeds-at-the-challenge-of-being-a-student-and-a-soldier/</guid>
<description><![CDATA[The remarkable story of one Bellevue University student and employee showcases the perseverance that]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The remarkable story of one Bellevue University student and employee showcases the perseverance that allowed him to serve our University, his educational goals, and first and foremost, our country.</p>
<p>After a one year deployment in Iraq, Mike Damato has returned to his position as Safety Administrator at Bellevue University.  The deployment was Damato’s second during his nearly five years with the University. Damato’s relationship with the University began as a student in the Security Management bachelor’s degree completion program.</p>
<p>Following the events of 9/11, Damato learned from instructor Greg Allen that the University had created a new position dedicated to protecting the University, its students, and employees.</p>
<p>In 2003, Damato joined the Navy Reserves after a 17-year break in service (he was active duty Navy from 1976-85). &#8220;It was a call to do something,&#8221; he said. &#8220;If I was in the reserves, it would free someone else to go fight the war.&#8221; He was shocked when called to action, not just once, but twice.  Damato is grateful that he works for an organization where he can also do his part serving his country. &#8220;The University has been extremely supportive,&#8221; he said. &#8220;My wife was able to complete her master’s degree during my first deployment, and I was able to complete mine during this last deployment.&#8221;</p>
<p>While already successful in his career and service, Damato began the online master’s program in Security Management before learning he would be deployed a second time. After a short break while preparing for the deployment, he was able to complete the degree while in Iraq utilizing the University’s exceptional online learning platform.</p>
<p>The University is proud of its commitment to those serving in the Armed Forces and their families, here in Bellevue and worldwide.  Bellevue University was recently named a Top 10 Military-Friendly College/University, and was selected as a participating school in the MyCAA program.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Fairhaven International LLC Announces The  Chief R-SEC Officer Program]]></title>
<link>http://fairhaveninternational.wordpress.com/2009/07/23/fairhaven-international-llc-announces-the-chief-r-sec-officer-program/</link>
<pubDate>Thu, 23 Jul 2009 17:56:21 +0000</pubDate>
<dc:creator>John Gargett</dc:creator>
<guid>http://fairhaveninternational.wordpress.com/2009/07/23/fairhaven-international-llc-announces-the-chief-r-sec-officer-program/</guid>
<description><![CDATA[Fairhaven International LLC has started a new program, the Chief R-SEC Officer Program, which is a p]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Fairhaven International LLC has started a new program, the Chief R-SEC Officer Program, which is a position that can be contracted by an organization, or Fairhaven International LLC can train an organization how to develop the program for itself. The concept of the Chief R-SEC Officer Program is that in today’s world it takes more than individual stovepipes of information contained in different departments across the enterprise.  A Chief R-SEC Officer brings all the disparate players and organizations from within an enterprise together as a sustainable network to address all of the risks, security threats, emergencies and crisis situations that the enterprise faces.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Your INNER WAF]]></title>
<link>http://practical.wordpress.com/2009/07/10/your-inner-waf/</link>
<pubDate>Fri, 10 Jul 2009 12:51:13 +0000</pubDate>
<dc:creator>bmestep</dc:creator>
<guid>http://practical.wordpress.com/2009/07/10/your-inner-waf/</guid>
<description><![CDATA[I wanted to cover some WAF topics I haven&#8217;t seen covered much. Most WAF vendors talk about the]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I wanted to cover some WAF topics I haven&#8217;t seen covered much. Most WAF vendors talk about the security their product provides in terms of blocking attacks. I would like to delve into these WAF blocks as well as mention some ideas for alternative uses for your WAF through its interactions with web clients.</p>
<p>Web Application Firewalls are <a href="http://blogs.gartner.com/greg_young/2009/05/21/new-magic-quadrant-upcoming-web-application-firewalls/" target="_blank">interesting bits of technology</a>. Depending on the product and deployment method you choose, they can transparently protect your web infrastructure using various protections by generating blocks when threats are identified. Depending on the product, they can Vulcan mind meld with your <a href="http://www.modsecurity.org/" target="_blank">Apache instance</a>, live as <a href="http://www.f5.com/products/big-ip/product-modules/application-security-manager.html" target="_blank">another F5 device</a> in your network, take over a <a href="http://www.crossbeamsystems.com/solutions/nextgen_firewall.php" target="_blank">slot in your XBeam</a>, or live life as a network appliance inside your datacenters.</p>
<p>This intelligent device COULD interact with the client in additional ways beyond generating BLOCKs. For example: developers could leverage a WAF to provide additional protections, send notices to connected clients under specific conditions, or even prompt a client for confirmation before performing a specific function if certain criteria are met. After all, the <a href="http://securosis.com/blog/building-a-web-application-security-program-part-7-secure-operations-0-waf-/" target="_blank">BLOCK a WAF generates</a> doesn&#8217;t have to be a BLOCK at all, at least not in the context of traditional firewalls or even <a href="http://www.securityfocus.com/infocus/1540" target="_blank">active-response IPS devices</a>.</p>
<p>If WAF interaction with the client is a concern because you&#8217;re trying to keep your <a title="wafw00f" href="http://tacticalwebappsec.blogspot.com/2009/06/waf-detection-with-wafw00f.html" target="_blank">WAF invisible to the bad guys</a>, you should know that this is not a realistic expectation.</p>
<p>WAFs <strong>block</strong> threats to your web applications identified through various security methods, but what does that mean?</p>
<p>There are a few options, largely dependent on the vendor and deployment method (transparent bridge, proxy, router, offline sniffing): TCP Reset, Request/Response DROP, or out-of-band Reset via a third party. There&#8217;s no hard-and-fast requirement to use only a TCP Reset sent to both client and server, as an IPS or active-response device does to terminate the TCP session/connection; which options are available is controlled by the deployment method.<br />
The DROP method is like a virtual trapdoor inside the WAF where malicious traffic falls into a dark pit, never to be seen again.</p>
<p>Some WAF products can send a web-coded response back to the web user inside their active session indicating their request could not be completed, and some WAFs can be configured to quarantine an IP address or terminate a web session, in addition to dropping the client request or server response. The use of WAF-generated error pages to interrupt and/or stop the web session alongside Request/Response dropping is more graceful than a TCP Reset. Depending on your environment, TCP Resetting could create unexpected results on your web servers, and typically this requires your WAF to be operating in Proxy mode.</p>
<p>In traditional transparent WAF deployments, the BLOCKs generated by a WAF are typically nothing more than a standard error page or a redirect to a logout sequence coded within the web application being protected.  Some WAFs allow you to customize the page, insert scripting, and push it seamlessly to the end user inside the existing SSL session. Alternatively, the client could be redirected to a destination within the protected application to log out their session, collect additional information, or open a support ticket (although the last one of those I saw was more for looks than functionality).</p>
<p>If the WAF can generate web pages in response to client interactions inside an existing SSL session, the client would be interacting with the WAF. The Imperva <a href="http://www.imperva.com/resources/adc/adc.html" target="_blank">Application Defence Center (ADC)</a> has an <a href="http://www.imperva.com/resources/adc/web_fraud_detection.html" target="_blank">interesting web fraud paper</a> on enabling clients to interact with what I would describe as a security control panel, to help with <a href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery" target="_blank">CSRF/XSRF</a> <a title="Netflix example" href="http://appsecnotes.blogspot.com/2009/01/netflix-csrf-revisited.html" target="_blank">attacks and web fraud</a>. I have played around with this a little and found some interesting uses &#8211; sorry, saving that info for my next contracting gig!</p>
<p>The idea of using policies to trigger BLOCKs takes on a new meaning if the WAF can be leveraged to generate unique or controlled web pages when a specific policy is triggered, or even redirect a user to a specific function inside an application if certain criteria are met, before continuing on inside the application. Don&#8217;t get me wrong, TCP Resets are good too &#8211; but this path offers much more robust options for a company from multiple perspectives.</p>
<p>Now the WAF can be used not only to <a href="http://practical.wordpress.com/2009/07/01/top-4-waf-protections/" target="_blank">BLOCK pure security-centric threats</a> but also to control the application behavior and client interaction if something fraudulent, abusive, or irregular is detected. For example, you could leverage the behavior deviation capabilities of your WAF (profile violations) and construct a temporary input validation error handling process inside your WAF while your coders develop the handling inside the application. This would be a straightforward use of the knowledge the WAF has acquired: a simple error page listing the prohibited characters, and a method for the client to have a &#8220;do over&#8221; on the prior page.</p>
<p>Once again, the <a href="http://www.infoworld.com/t/security/weve-been-blind-attacks-our-web-sites-516" target="_blank">WAF is providing additional</a> capabilities that an IDS/IPS cannot!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[All systems are go for Criston, Sophia Antipolis-based IT and security management solutions provider]]></title>
<link>http://it-cotedazur-at-the-bay.com/2009/07/03/all-systems-are-go-for-criston-sophia-antipolis-based-it-and-security-management-solutions-provider/</link>
<pubDate>Fri, 03 Jul 2009 08:05:48 +0000</pubDate>
<dc:creator>teamcotedazur</dc:creator>
<guid>http://it-cotedazur-at-the-bay.com/2009/07/03/all-systems-are-go-for-criston-sophia-antipolis-based-it-and-security-management-solutions-provider/</guid>
<description><![CDATA[Criston posted record high results for the first five months of 2009 with sales up 30% from the same]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Criston posted record high results for the first five months of 2009 with sales up 30% from the same period in 2009. Company profits were also up after year-on-year sales of licenses jumped 50% and over 20 new major contracts were signed in France and in international markets!</p>
<p>These results <em>“demonstrate how we can supply our customers with innovative technologies that drive productivity and deliver major cost savings as well as higher ROI (return on investment) than our competitors. In addition our IT and security management solutions are often selected as part of companies’ long-term strategies, which suffer less in the current economic climate*,” </em>noted Criston Chairman and CEO, Marc Vaillant.</p>
<p>Criston, which was established in Sophia Antipolis in 1997, recorded sales of €4.3 million in 2008. The company, which also has a site in Paris and one in Tokyo, has a network of over 20 partners in more than 20 countries.</p>
<p><em>* as quoted in the PACA  Informations Economiques.</em></p>
<p><a href="http://www.investincotedazur.com/en/newsletter/index.php?txt=act8761">http://www.investincotedazur.com/en/newsletter/index.php?txt=act8761</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Top 4 WAF Protections]]></title>
<link>http://practical.wordpress.com/2009/07/01/top-4-waf-protections/</link>
<pubDate>Thu, 02 Jul 2009 04:08:24 +0000</pubDate>
<dc:creator>bmestep</dc:creator>
<guid>http://practical.wordpress.com/2009/07/01/top-4-waf-protections/</guid>
<description><![CDATA[The traditional network security approach to securing your web servers and database servers is more ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The traditional network security approach to securing your web servers and database servers is more than likely going to get you in trouble some day. Think about it. <a href="http://www.computerweekly.com/Articles/2009/05/08/235950/securing-e-business-with-web-application-firewalls.htm" target="_blank">Network Security</a> preaches deny everything and permit only what you need. Great, open up port 443 and send encrypted traffic to your web server. <a href="http://www.scmagazineus.com/Web-apps-account-for-80-percent-of-internet-vulnerabilities/article/129027/" target="_blank">KaBOOM</a> <a href="http://www.scmagazineus.com/FTP-login-credentials-at-major-corporations-breached/article/139178/" target="_blank">gotcha</a>!</p>
<p>Think about your Web Application Firewall and the <a href="http://www.scmagazineus.com/Deconstructing-PCI-66/article/110013/" target="_blank">reasons</a> for your <a href="http://www.cioupdate.com/trends/article.php/3557591/Web-Application-Firewalls-The-First-Layer-of-Protection" target="_blank">investment</a> in <a href="http://www.csoonline.com/article/412163/Industry_View_Web_Application_Security_Today_Are_We_All_Insane_?page=1" target="_blank">web application security</a>.<br />
Regardless of the technology you have selected, here are four protections your WAF investment needs to be providing:</p>
<p>#1 Enforce decryptable web communications.<br />
This might seem counter-intuitive but first and foremost, if your WAF can&#8217;t see it &#8211; then the WAF can&#8217;t intelligently PROTECT your assets! You need to disable any <a href="http://www.tssci-security.com/archives/2008/11/20/decreasing-security-for-perceived-security-all-in-the-name-of-compliance/" target="_blank">encryption not supported</a> by your WAF. It&#8217;s a long-standing double-edged sword: securing web communications while still being able to inspect them. No more pre-shared or temporary key SSL sessions; sorry, Diffie-Hellman, most WAFs only support pure RSA. In addition, this is a good time to make sure your servers negotiate at a respectable bit length.</p>
<p>#2 Enable Correlation.<br />
Attack signatures are great, but correlation is better. If your WAF doesn&#8217;t offer some form of correlation of multiple signatures and security events before triggering an alert, you might consider picking one up that does. Web Intelligence is a good product, but it&#8217;s not an F5, Breach, or Imperva WAF, and that difference could cost you.</p>
<p>#3 Serve &#38; Protect, becomes Learn &#38; Protect.<br />
The best offense is a good defense. If your WAF knows what the application it&#8217;s protecting looks like, or even better how it behaves, then the application&#8217;s very own structure, coding, and URL/parameter make-up becomes its shield against malicious attacks. You don&#8217;t need to wait for a signature to protect your web application from new SQL Injection, XSS, or Fuzzing attacks if the WAF is stopping anything that doesn&#8217;t conform to expected behavior!</p>
<p>#4 Assess THEN Customize.<br />
When you build a new house, you might expect certain things to be done to your specific requirements before you ever set foot inside, but you&#8217;ve at least looked at the blueprints and seen sketches of the final product. For a WAF guarding a web application, custom rules really should be the last thing you write, and ideally only AFTER penetration testing or code scanning has shown that the existing protections aren&#8217;t enough. The major WAF vendors support importing vulnerability assessment results into their products to drive custom policy creation.</p>
<p>Obviously, enabling any of these is subject to your risk exposure / tolerance, but I wouldn&#8217;t advocate running for any length of time without these protections, regardless of the organization or the other protections you may have in place to guard your web applications.</p>
<p>Consider what every online entity is <a href="http://www.readwriteweb.com/archives/top_online_security_threats_for_2009.php" target="_blank">up against</a>: there is <a href="http://www.cioupdate.com/trends/article.php/3555031/Hacking-for-Dollars" target="_blank">more money</a> to be made hacking your protected assets by nefarious (<a href="http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/" target="_blank">hopefully external</a>) sources than you have resources or funding &#8211; short of government entities. If that wasn&#8217;t bad enough, more newly coded applications and updates are released every minute than there are security fixes going in. If you&#8217;re not fully leveraging what you have and not <a href="http://searchsecurity.techtarget.com.au/articles/27869-Web-application-developers-smarten-up-security-skills" target="_blank">securing</a> as you go, then your company is leaving something undone for the bad guys to come along and exploit.</p>
<p>How is your WAF being used? Is it being used? Need help getting more out of your WAF?</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security success requires user perspective]]></title>
<link>http://olzak.wordpress.com/2009/06/29/securityperspective/</link>
<pubDate>Mon, 29 Jun 2009 16:28:40 +0000</pubDate>
<dc:creator>Tom Olzak</dc:creator>
<guid>http://olzak.wordpress.com/2009/06/29/securityperspective/</guid>
<description><![CDATA[It’s easy to blame business users and management for data breaches, by-passed security controls, or ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>It’s easy to blame business users and management for data breaches, by-passed security controls, or other risky behavior.  Often the blame is properly directed, but most employees want to do the right thing.  Often doing the right thing isn’t easy, because security controls are too restrictive, preventing users from doing their jobs.  In these cases, the responsibility for insecure behavior may rest on the shoulders of the control design and implementation teams. </p>
<p>Laptop encryption is a good example.  No one denies laptop encryption is a good idea.  It’s just about the only way to ensure sensitive information is inaccessible when one of these mobile devices is lost or stolen.  However, given the means and the excuse to turn off encryption, users may do just that.  Users who don’t or can’t turn off encryption may instead lapse into other unsafe behavior, assuming that encryption will protect them from everything. </p>
<p>For example, users may use weak passwords when strong passwords were the pre-encryption norm.  Other misconceptions and insecure behavior include:</p>
<ul>
<li><em>Fifty-nine percent of business managers surveyed “strongly agree” and “agree” that encryption stops cyber criminals from stealing data on laptops versus 46% of IT security practitioners who “strongly agree” or “agree.” </em></li>
<li><em>Sixty-five percent of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT security practitioners record their password on a private document or share it with another person. </em></li>
<li><em>Fifty percent of business managers have disengaged their laptop’s encryption solution and 40% admit this is in violation of their company’s security policy. </em></li>
<li><em>Fifty-two percent of business managers sometimes or often leave their laptop with a stranger when traveling. </em></li>
</ul>
<blockquote><p><strong>Source:</strong> <em><a href="http://whitepapers.theregister.co.uk/paper/view/898/absolute-human-factor-laptop-encryption-uk.pdf" target="_blank">The Human Factor in Laptop Encryption: UK Study</a></em>, Ponemon Institute, December 2008</p></blockquote>
<p>There are many reasons why non-technical users behave in this way, including:</p>
<ul>
<li>Poor security design.  If you impose a security control on users without looking at what it looks like from the perspective of the user experience, you will often fail to meet your outcomes.  Users have a job to do.  They’re often under time constraints and pressure from management.  If a security control makes it impossible to achieve business outcomes it will be bypassed if possible.  And no, the answer is not necessarily to lock everything down.  Remember it’s all about balance.</li>
<li>Poor user awareness efforts.  When you introduce a new control, like encryption, be sure to accompany it with the right message.  Tell users that encryption is an add-on, not a replacement for existing controls.  If a user changes his password from “JYxgCg7d0AzVpg” to “Victoria” because he believes encryption is a “magic bullet”—and prefers to use his daughter’s name anyway—you may have actually weakened your security. </li>
</ul>
<p>The best way to avoid these pitfalls is to begin with a series of business use cases.  Use cases help identify scenarios in which users will find themselves up against your controls.  In each case, you should ensure the controls do not stop the user from working.  Explore safe workarounds which enable without opening the wrong door.  Will there be exceptions?  Of course.  But at least you’ve identified them, discussed the consequences with business management, and obtained their support.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Imperva Placeholders]]></title>
<link>http://practical.wordpress.com/2009/06/10/imperva-placeholders/</link>
<pubDate>Thu, 11 Jun 2009 00:09:42 +0000</pubDate>
<dc:creator>bmestep</dc:creator>
<guid>http://practical.wordpress.com/2009/06/10/imperva-placeholders/</guid>
<description><![CDATA[I had an email asking what placeholders I use for logging platform integration. Rather than reply in ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I had an email asking what placeholders I use for logging platform integration. Rather than reply in a comment or email, I thought I&#8217;d just make a post out of the response.</p>
<p>Looking at placeholders, here are some of the ones I use the most:</p>
<ul>
<li>${Alert.dn}  this is the alert id</li>
<li>${Alert.createTime} this is the time the ALERT was created (note this can be misleading)</li>
<li>${Alert.description} this is bound to the alert, so you may see &#8220;Distributed&#8221; or &#8220;Multiple&#8221; appended due to aggregation of events</li>
<li>${Event.dn} this is the event (violation) id</li>
<li>${Event.createTime} this is the time the EVENT was created (this is when the event happened)</li>
<li>${Event.struct.user.user} this is the username from a web or database action</li>
<li>${Event.sourceInfo.sourceIP}</li>
<li>${Event.sourceInfo.sourcePort}</li>
<li>${Event.sourceInfo.ipProtocol}</li>
<li>${Event.destInfo.serverIP}</li>
<li>${Event.destInfo.serverPort}</li>
<li>${Event.struct.networkDirection} which way is the traffic flowing that triggered the event?</li>
<li>${Rule.parent.displayName} this is the name of the Policy that was triggered</li>
</ul>
<p>There are other placeholders you can leverage, but these are the core I start with. I like these because they&#8217;re used on the web gateway AND the database gateway. This lets me have a consistent intelligence feed to my log monitoring platform and my SIEM product.</p>
<p>The trick here is that I can see how many events roll up underneath a single Alert. In the syslog feed, I can track the duration of an attack as well as tell you when I last saw the activity, because I track Alert.createTime and Event.createTime.</p>
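<p>Here is the consuming side of that roll-up, as an added example that is not part of the original post and not Imperva code. It assumes the gateway&#8217;s syslog action was configured as a key=value template built from the placeholders listed above (<code>alert=${Alert.dn} atime=${Alert.createTime} event=${Event.dn} etime=${Event.createTime} ...</code>, with the policy name quoted because it contains spaces). The feed lines are constructed to look like that template&#8217;s output; the key names and the ISO 8601 timestamp format are this example&#8217;s assumptions, not the product&#8217;s defaults.</p>

```python
"""Roll up Imperva events under their parent alert from a syslog feed.

Added example, not from the original post. It assumes the gateway's syslog
action was built from the placeholders listed above as a key=value template,
for example
  alert=${Alert.dn} atime=${Alert.createTime} event=${Event.dn}
  etime=${Event.createTime} user=${Event.struct.user.user}
  src=${Event.sourceInfo.sourceIP} ... policy="${Rule.parent.displayName}"
The lines below are constructed to look like that template's output; the
ISO 8601 timestamps and the key names are this example's assumptions, not
the product's defaults.
"""
import re
from datetime import datetime

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed feed: one alert aggregating three events from two sources
# (the sort of thing Alert.description would call "Distributed"), and one
# alert with a single event. "-" stands for an empty user placeholder.
SAMPLE_FEED = """\
alert=alert-1001 atime=2009-06-10T23:55:30 event=evt-5001 etime=2009-06-10T23:55:00 user=bob src=203.0.113.7 sport=51122 dst=10.0.0.5 dport=443 dir=inbound policy="SQL Injection"
alert=alert-1001 atime=2009-06-10T23:55:30 event=evt-5002 etime=2009-06-10T23:55:30 user=bob src=203.0.113.7 sport=51123 dst=10.0.0.5 dport=443 dir=inbound policy="SQL Injection"
alert=alert-1001 atime=2009-06-10T23:55:30 event=evt-5003 etime=2009-06-10T23:56:30 user=bob src=203.0.113.8 sport=40010 dst=10.0.0.5 dport=443 dir=inbound policy="SQL Injection"
alert=alert-1002 atime=2009-06-10T23:58:10 event=evt-5004 etime=2009-06-10T23:58:10 user=- src=198.51.100.2 sport=33001 dst=10.0.0.5 dport=443 dir=inbound policy="Cross Site Scripting"
"""


def parse_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def rollup(feed):
    """Group events by Alert.dn and derive duration and last-seen per alert."""
    alerts = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        etime = datetime.fromisoformat(ev["etime"])
        a = alerts.setdefault(ev["alert"], {
            "policy": ev["policy"],
            "alert_created": datetime.fromisoformat(ev["atime"]),
            "events": 0,
            "first_seen": etime,
            "last_seen": etime,
            "sources": set(),
            "users": set(),
        })
        a["events"] += 1
        a["first_seen"] = min(a["first_seen"], etime)
        a["last_seen"] = max(a["last_seen"], etime)
        a["sources"].add(ev["src"])
        if ev.get("user", "-") != "-":
            a["users"].add(ev["user"])
    for a in alerts.values():
        # Event times, not the alert time, give the real span of the attack;
        # alert_lag shows how far Alert.createTime trails the first event.
        a["duration_s"] = (a["last_seen"] - a["first_seen"]).total_seconds()
        a["alert_lag_s"] = (a["alert_created"] - a["first_seen"]).total_seconds()
    return alerts


if __name__ == "__main__":
    for dn, a in rollup(SAMPLE_FEED).items():
        print(f"{dn} {a['policy']!r}: {a['events']} events over {a['duration_s']:.0f}s "
              f"from {sorted(a['sources'])}, last seen {a['last_seen']:%H:%M:%S}")
```

<p>The <code>alert_lag_s</code> field is why Alert.createTime alone is misleading: in the sample the alert was created 30 seconds after the first event it covers, and only Event.createTime tells you when the activity actually started and when it was last seen.</p>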
<p>There are lots of options for how you build your syslog feed:</p>
<ul>
<li>You may be interested in the response time of the query or web page</li>
<li>Perhaps the response size is of concern to you</li>
<li>You may treat threats differently depending on where they occur in a database table or URL</li>
<li>You may be interested in the SOAP action or request</li>
</ul>
<p>Last but not least, in addition to security events you can also push system level events in the same manner using different placeholders.</p>
<ul>
<li>Configuration events can be syslogged, complete with the user making the change</li>
<li>Gateway disconnect messages can be sent via syslog (snmp might be better, but you need to load the custom OIDs)</li>
<li>Excessive CPU or traffic levels can be sent via syslog</li>
</ul>
<p>How are you using placeholders?</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
