DIGITAL SECURITY AND INFORMATION ASSURANCE


This blog is created to stimulate academic discussion in partial fulfillment of the degree of Doctorate of Computer Science in DIGITAL SECURITY AND INFORMATION ASSURANCE for the Colorado Technical University, Colorado Springs, Colorado.

Courses include: EM835 Information Accountability and Web Privacy Strategies; SC862 Digital Security; Quantitative Analysis; Software Architecture and Design (CS854).

Friday, February 18, 2011

Beautiful Security Metrics - Is Beautiful


Beautiful Security Metrics
Review

Security metrics are a critical methodology that facilitates better system security awareness, decision making and implementation. They help in the analysis of complex system and application processes and summarize them in more easily understandable forms. Although security metric usage is still in its infancy, concerted efforts must be made to employ it in IT security management. The author of Beautiful Security Metrics draws a parallel between the system security profession and its medical counterparts.


The author mentions the importance of security metrics, which includes:
- Good for monitoring and performance measurement of controls
- Useful for detecting the absence of critical controls
- For measuring efficiency and effectiveness
- Formation of up-to-date security policies and procedures
- Identity management processes for managing user access and entitlements
- Separation of duties: those who authorize IT access must be well defined and separated from those who enable such access
- A mandatory review should be conducted after an employee's responsibilities change
- System and application access and processes must be recorded in log files
- Activity log files must be analyzed regularly
- Regulations, best practices and standards must be thoroughly vetted and complied with
- Security metrics improve control for identity and access management


According to Nichols E (2009), "metrics have clearly helped medical practitioners by providing both a framework for quantifying the health of an individual or population and a collection of guidelines to communicate that state to non-experts". The author therefore advises that IT security professionals should use metrics to analyze system vital signs and encourage the sharing of security data across the board. Good security metrics have the following features:

Cases for acceptable system security metrics and vital signs:
- Can be relative
- Subjective
- Measurable
- Probable values could be positive or negative
- Allow for sharing of data



Beautiful Security Metrics shows how two major security breaches could have been prevented if security metric processes had been fully implemented by Barings Bank in the UK and the TJX group in the USA. The lack of security control mechanisms, exploited through internal breaches, led to the demise of Barings Bank. Identity and access management at Barings was nil and contributed to its failure. TJX lost close to $1 billion because of the security breaches. They were perpetrated by outside attackers taking advantage of security vulnerabilities in the network and system management protocols used by the company.

Beautiful Security Metrics summarizes the events that led to the system security breaches at Barings Bank and attributes them to the following:
- No clearly defined roles for company personnel
- No separation of duties
- No review process in place
- Lacking system controls


For the TJX group, the security lapses were direct results of:
- Inadequate network configuration control
- Inadequate network usage surveillance
- Inadequate server configuration and usage monitoring
- Lack of data protection mechanisms
- Access points connecting to the wireless router were not correctly configured and protected. To make matters worse, the routers were put in broadcast mode. Using the WARDRIVING technique, criminals were able to uncover open wireless networks with a view to stealing customer data and information.
- WEP does not offer adequate protection for wireless networks.

Some notable system metrics include, but are not limited to:
- Comparing two values, one from the authoritative system and the other from the configuration and activity logs, can provide the much-needed information about secret accounts in the environment.
- The percentage of login accounts that cannot be genuinely accounted for could represent accounts used for unauthorized access.
- The percentage of accounts that have not been justifiably reviewed in the recent past.
- Groups of accounts should be well defined and overlap must be prevented.
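To make these account metrics concrete, here is an added example in Python; it is not code from the chapter or from this post. It assumes an authoritative account inventory (the HR or IAM directory) carrying a last-review date and group memberships per account, a set of account names observed in configuration and activity logs, and a list of group pairs that separation of duties keeps apart. All of the sample data is constructed.

```python
"""Identity and access management metrics computed from two account inventories.

Added example, not from the chapter or the blog post: the accounts, review dates,
group memberships and conflicting-group pairs below are constructed sample data.
"""
from datetime import date

# Constructed: accounts the authoritative system knows, with the date each was
# last reviewed (None = never reviewed) and the groups it belongs to.
AUTHORITATIVE = {
    "alice": {"last_review": date(2011, 1, 15), "groups": {"finance"}},
    "bob":   {"last_review": None,              "groups": {"trading", "settlement"}},
    "carol": {"last_review": date(2010, 6, 1),  "groups": {"it-admin"}},
    "dave":  {"last_review": date(2011, 2, 1),  "groups": {"helpdesk"}},
}

# Constructed: account names that actually appear in configuration and activity logs.
OBSERVED_IN_LOGS = {"alice", "bob", "carol", "svc_backup", "tmp_admin"}

# Constructed: group pairs whose membership must never overlap (separation of duties).
CONFLICTING_GROUPS = [("trading", "settlement"), ("it-admin", "finance")]


def unaccounted_accounts(authoritative, observed):
    """Accounts seen in logs that the authoritative system does not know: candidate secret accounts."""
    return sorted(observed - set(authoritative))


def pct_unaccounted(authoritative, observed):
    """Percentage of observed login accounts that cannot be genuinely accounted for."""
    if not observed:
        return 0.0
    return 100.0 * len(unaccounted_accounts(authoritative, observed)) / len(observed)


def stale_accounts(authoritative, today, max_age_days):
    """Accounts never reviewed, or not reviewed within max_age_days of today."""
    stale = []
    for name, info in authoritative.items():
        last = info["last_review"]
        if last is None or (today - last).days > max_age_days:
            stale.append(name)
    return sorted(stale)


def pct_not_reviewed(authoritative, today, max_age_days):
    """Percentage of known accounts without a justifiable review in the recent past."""
    if not authoritative:
        return 0.0
    return 100.0 * len(stale_accounts(authoritative, today, max_age_days)) / len(authoritative)


def sod_violations(authoritative, conflicting):
    """Accounts that are members of two groups that must stay separated."""
    violations = []
    for name, info in authoritative.items():
        for a, b in conflicting:
            if a in info["groups"] and b in info["groups"]:
                violations.append((name, a, b))
    return sorted(violations)


def report(today=date(2011, 2, 18), max_age_days=90):
    """Compute the four metrics over the constructed data in one pass."""
    return {
        "unaccounted": unaccounted_accounts(AUTHORITATIVE, OBSERVED_IN_LOGS),
        "pct_unaccounted": pct_unaccounted(AUTHORITATIVE, OBSERVED_IN_LOGS),
        "stale": stale_accounts(AUTHORITATIVE, today, max_age_days),
        "pct_not_reviewed": pct_not_reviewed(AUTHORITATIVE, today, max_age_days),
        "sod_violations": sod_violations(AUTHORITATIVE, CONFLICTING_GROUPS),
    }


if __name__ == "__main__":
    for metric, value in report().items():
        print(f"{metric}: {value}")
```

On the constructed data the two log-only accounts (svc_backup, tmp_admin) give a 40% unaccounted-for rate, two of the four known accounts are stale against a 90-day window, and bob's joint membership of trading and settlement is the kind of overlap the last bullet says must be prevented. In practice the two inventories would be exported from the directory and the log pipeline rather than typed in.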



Conclusion:
There is a need to embark on the re-education of system managers and end users on the importance of security metrics in promoting safe computing. Security products should come with manuals about recommended usage, diagnosis and the ways to monitor significant events on systems. Anything out of the ordinary should be analyzed and reported. Auditing of system files, logs, access metrics and identity management should be part of everyday system management. The interpretation of security anomalies should be simple and devoid of anything complex. Lastly, security metrics facilitate, in their entirety, better system awareness, well-being and decision making on the part of system managers and support personnel, because security metrics improve control for identity and access management.




Reference
Oram A. & Viega J. (Eds.). (2009). Beautiful security: Leading security experts explain how they think (pp. 33-61). Beijing: O'Reilly Media.

Thursday, February 10, 2011

Open Source Honeyclient: Proactive Detection of Client-Side Exploits

This is a review of Chapter 8, "Open Source Honeyclient: Proactive Detection of Client-Side Exploits", from the book "Beautiful Security". Course: EM835 "Information Accountability and Web Privacy Strategies".




Honeyclient technologies are being developed to focus on the different ways to detect and analyze websites hosting malicious code. Honeyclients are used for detecting and characterizing malicious sites by driving a system in a way that mimics human users (Robert Danford 2006). Among the major reasons for using honeyclients is to stop attacks that use web servers to exploit unpatched browser vulnerabilities, thereby installing unsolicited malware and adware on the computers of unsuspecting web surfers.
According to the author, the first generation of honeyclient development in the open source community was followed by the launch of Microsoft's honeyclients, called HoneyMonkeys.

The open source honeyclient has been developed to proactively detect client-side exploits.
Most client software, e.g. web browsers and mail clients, is not protected by firewalls, and most client software applications are not properly developed. They often lack up-to-date anti-virus software. As part of ongoing efforts to make the web safer, honeyclient technology also tends to address the problem of unsuspecting computers being used in bot networks and becoming part of DoS attacks.

The business of exploiting software and application vulnerabilities has grown over the years because of financial gain and inducement by organized crime. There is a need to develop both server-side honeypot and client-side honeyclient technologies to curtail the menace of both malware and spyware.

Client-side exploits are important because:
1. Security threats are triggered by end-user behavior.
2. Web criminals mostly focus on soft targets.
3. Ordinary web surfers tend to ignore security warnings.

Honeypots: they provide a wide variety of benefits:
· Traditional honeypots are passive and server-side.
· Worm detection
· Insider-abuse detection (also honeytokens)
· Malware capture (medium-interaction honeypots such as nepenthes are particularly good at this)
· Security research
· New exploit detection

Honeyclients: the following are notable characteristics of honeyclients:
· Use advanced and preexisting knowledge to develop tools that proactively protect against vulnerabilities, because the way the client was infected or exploited is known.
· Specialized systems that are used as the intended target for attacks so that we can learn detailed information about the attack.
· Monitor the honeyclient's behavior to see if it deviates from the norm, e.g. writing an executable file.
· Abnormal behavior of the honeyclient is an indication of an infection.
· Honeyclients are capable of seeking out malicious remote systems.
· Two types of honeyclients are known, for server-side and client-side exploits.


Analysis of exploits:
The author found that most malware attacks are financially motivated and the following are common:
- Gaming Trojans
- Banking Trojans: able to access victims' online banking account credentials.
- Politically motivated malware: for propagating political ideologies by using HTML files.

- From honeyclient analysis, malware attacks the VMware virtual platform infrastructure and proceeds to shut down the guest operating system.
- Full packet capture analysis between the honeyclient and the remote web server at the time of compromise.



Variants of honeyclients:

· Capture: a high-interaction honeyclient that has real-time integrity checking capability.
· SpyBye is a low-interaction honeyclient.
· The Google Safe Browsing API is an operational honeyclient that seeks out bad sites and thus creates blacklists based on the bad URLs.
· PhoneyC focuses on automatic browser script deobfuscation and analysis.
· MS Strider HoneyMonkey (Microsoft Research)
· MITRE Honeyclient Project (MITRE)
· Client-side Honeypots (Univ. of Mannheim)
· Collapsar/Reverse Honeyfarm (Purdue Univ.)
· Phileas (Webroot)
· Websense (Hubbard)
· SiteAdvisor (McAfee)

Limitations of the honeyclient implementation:
· Delays inserted on the web browser client side can silence the way the honeyclient detects an attack.
· Honeyclients have difficulty detecting malware embedded in banner ads on different websites.
· Honeyclients work only for drive-by malware attacks or downloads, not for interactive executions that need user permission, such as clicking on a link or clicking on an executable.

Conclusion:
· Malware mostly targets Microsoft's IE 6 and other unpatched browsers.
· Anti-virus products are signature-based.
· Honeyclients use traffic analysis to track malware attacks.
· Snapshot comparisons of files and filesystems give an indication of malicious attacks.
· Integrity checks, e.g. of registry key changes, provide useful information about malware attacks.
· Malware often triggers process execution.
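The snapshot comparison and integrity checking named in the conclusion, and the "deviates from the norm, e.g. writing an executable file" signal in the honeyclient characteristics above, can be shown with a small added example. This is not code from the MITRE Honeyclient project or from the chapter: it hashes a directory tree before and after a simulated browser visit, reports created, modified and deleted files, and flags newly written executables. The simulated visit, the directory layout and the file contents are all constructed, and the check is filesystem-only (registry changes are out of its scope).

```python
"""Snapshot-based integrity check of the kind a high-interaction honeyclient performs.

Added example, not code from the MITRE Honeyclient project or the chapter. The
"visit" is simulated by writing files into a temporary directory; a real honeyclient
would drive a browser at a URL between the two snapshots.
"""
import hashlib
import os
import stat
import tempfile

# Constructed: file suffixes treated as executable regardless of mode bits.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".com")


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = digest
    return state


def is_executable(root, relpath):
    """True if the file looks executable by suffix or by its user-execute bit."""
    if relpath.lower().endswith(EXECUTABLE_SUFFIXES):
        return True
    mode = os.stat(os.path.join(root, relpath)).st_mode
    return bool(mode & stat.S_IXUSR)


def diff_snapshots(before, after):
    """Compare two snapshots and list created, modified and deleted paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def classify(root, before, after):
    """Add the honeyclient verdict: new executables or modified files are suspicious."""
    result = diff_snapshots(before, after)
    result["new_executables"] = [p for p in result["created"] if is_executable(root, p)]
    result["suspicious"] = bool(result["new_executables"] or result["modified"])
    return result


def simulate_visit(root, malicious):
    """Constructed stand-in for a browser visit.

    A benign visit only writes a cache entry. The malicious case additionally drops
    an executable and appends to the hosts file, the kind of side effects the
    chapter's integrity checks are meant to surface.
    """
    with open(os.path.join(root, "cache", "page.html"), "w") as f:
        f.write("<html>cached</html>")
    if malicious:
        with open(os.path.join(root, "temp", "update.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 32)  # constructed placeholder bytes, not a real binary
        with open(os.path.join(root, "etc", "hosts"), "a") as f:
            f.write("\n127.0.0.1 bank.example\n")


def run_check(malicious):
    """Build a scratch tree, snapshot it, visit, snapshot again, and classify the delta."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("cache", "temp", "etc"):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)
        simulate_visit(root, malicious)
        after = snapshot(root)
        return classify(root, before, after)


if __name__ == "__main__":
    print("benign visit:   ", run_check(False))
    print("malicious visit:", run_check(True))
```

The benign visit produces one created cache file and no verdict; the malicious one produces a new executable and a modified hosts file, so the check reports it as suspicious. Hashing whole files is fine for a scratch tree; on a full honeyclient image one would restrict the walk to the directories malware tends to touch and reset the image from a clean snapshot after each detection.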


Reference
Oram A. & Viega J. (Eds.). (2009). Beautiful security: Leading security experts explain how they think (pp. 131-146). Beijing: O'Reilly Media.

Robert Danford (2006). 2nd Generation Honeyclients. Retrieved February 10, 2011, from http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf

Strider HoneyMonkey Exploit Detection. Retrieved February 10, 2011, from http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/