SANS Information Security Reading Room
25 Computer Security Papers added to the Reading Room

2017 State of Application Security: Balancing Speed and Risk
Tue, 24 Oct 2017 00:00:00 +0000
Teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.

Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark
Fri, 20 Oct 2017 00:00:00 +0000
While attacks on industrial control systems (ICS) and their protocols are not a new occurrence, recent years have highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a slow migration to more secure ICS protocols due to the costs associated with equipment downtime. With the increase in attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to quickly set up labs to mimic and observe how potential attacks on the ICS network function so that the necessary defenses and detection mechanisms can be put in place. This paper lays out how to set up a lab with multiple virtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark will be used to illustrate and compare normal Modbus TCP communications between the Master and PLC workstations. Wireshark will then be used to demonstrate and compare a MITM attack with an Ettercap filter that manipulates the Modbus TCP communications against both workstations.

Enhance Your Investigations with Network Data
Thu, 19 Oct 2017 00:00:00 +0000
Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach. In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations.

Targeted Attack Protection: A Review of Endgame's Endpoint Security Platform
Tue, 17 Oct 2017 00:00:00 +0000
Analyst Dave Shackleford presents his experience reviewing Endgame's Managed Detection and Response Services under real-world threats in a simulated environment.

Online Safety in a Foreign Language - Connecting with Teens
Mon, 16 Oct 2017 00:00:00 +0000
The inescapable dangers of our increasingly connected world are likely most threatening to our young adults. Teens, especially, see social media and related online platforms as inextricable from their public and private personas. These digital natives have grown up being comfortable with sharing all aspects of their lives with the Internet - without the healthy suspicion and caution of those who have seen the technology grow over the years. With the importance of protecting our teenage Internet denizens apparent, it falls to parents, teachers, and industry professionals to effectively educate this group. What follows are tested methods and associated research on relating to and informing teenagers so they might understand and properly mitigate the risks they face. Importantly, this paper explores these topics in a way that doesn't overstate the dangers or attempt to upheave the norms of communication so organic to this generation.

Can the "Gorilla" Deliver? Assessing the Security of Google's New "Thread" Internet of Things (IoT) Protocol
Fri, 06 Oct 2017 00:00:00 +0000
Incidents associated with Internet of Things (IoT) devices have recently gained high visibility, such as the Mirai botnet that exploited vulnerabilities in remote cameras and home routers. Currently, no industry standard exists to provide the right combination of security and ease of use in a low-power, low-bandwidth environment. In 2014, the Thread Group, Inc. released the new Thread networking protocol. Google's Nest Labs recently open-sourced their implementation of Thread in an attempt to become a market standard for the home automation environment. The Thread Group claims that Thread provides improved security for IoT devices. But in what way is this claim true, and how does Thread help address the most significant security risks associated with IoT devices? This paper assesses the new IEEE 802.15.4 "Thread" protocol for IoT devices to determine its potential contributions in mitigating the OWASP Top 10 IoT Security Concerns. It provides developers and security professionals a better understanding of what risks Thread addresses and what challenges remain.

AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis
Wed, 04 Oct 2017 00:00:00 +0000
In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.

Cyber Security and Data Integrity Problems Within the GAMP 5 Validation Process
Tue, 26 Sep 2017 00:00:00 +0000
In addressing the pharmaceutical industry's computerized systems risk within manufacturing, the International Society for Pharmaceutical Engineering (ISPE) has created the Good Automated Manufacturing Process (GAMP) as a leading industry standard. It is a validation process based on user requirements and product quality that applies information security through its computer systems validation (CSV) guidance. Problems arise because information security roles, methodologies and technical controls are not clearly defined within GAMP guidance. These gaps within the CSV process are further exacerbated by cultural issues within the quality unit, because it manages all aspects of information security and does not apply the industry best business practices used in other industries. Finally, these gaps result in systems which do not incorporate the most basic protections for systems and data that should be expected from this industry. When compared to other industries like the Payment Card Industry (PCI), the security measures are woefully inadequate given the criticality of the information processed by these life science systems. Because the production of pharmaceuticals is drastically different from other industries due to the level of regulation on activities outside of computerized systems, relying on the International Standards Organization (ISO) or the United States National Institute of Science and Technology (NIST) as recommended by the ISPE is not adequate. Specialized guidance on how information security principles must be modified to fit within this model must be explored to provide relevance to the CSV process.

Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecture
Fri, 22 Sep 2017 00:00:00 +0000
The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software are unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.

Botnet Resiliency via Private Blockchains
Fri, 22 Sep 2017 00:00:00 +0000
Those operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.

OSSIM: CIS Critical Security Controls Assessment in a Windows Environment
Fri, 22 Sep 2017 00:00:00 +0000
Use of a Security Information and Event Management (SIEM) or log management platform is a recommendation common to several of the "CIS Critical Security Controls For Effective Cyber Defense" (2016). Because the CIS Critical Security Controls (CSC) focus on automation, measurement and continuous improvement of control application, a SIEM is a valuable tool. AlienVault's Open Source SIEM (OSSIM) is free and capable, making it a popular choice for administrators seeking experience with SIEM. While there is a great deal of documentation on OSSIM, specific information that focuses on exactly what events to examine, and then how to report findings, is not readily accessible. This paper uses a demo environment to provide specific examples and instructions for using OSSIM to assess a CIS Critical Security Controls implementation in a common environment: a Windows Active Directory domain. The 20 Critical Security Controls can be mapped to other controls in most compliance frameworks and guidelines; therefore, the techniques in this document should be applicable across a wide variety of control implementations.

Trust No One: A Gap Analysis of Moving IP-Based Network Perimeters to A Zero Trust Network Architecture
Fri, 22 Sep 2017 00:00:00 +0000
IP-based access controls (e.g., firewall rules based on source and destination addresses) have defined the network perimeter for decades. Threats have evolved to evade and bypass these IP restrictions using techniques such as spear phishing, malware, credential theft, and lateral movement. As these threats evolve, so have the demands from end users for increased accessibility. Remote employees require secure access to internal resources. Cloud services have moved the perimeter outside of the enterprise network. The DevOps movement has emphasized speed and agility over up-front network designs. This paper identifies gaps to implementation for organizations in the discovery phase of migrating to identity-based access controls as described by leading cloud companies.

A Spicy Approach to WebSockets: Enhancing Bro's WebSockets Network Analysis by Generating a Custom Protocol Parser with Spicy
Fri, 22 Sep 2017 00:00:00 +0000
Since the Request for Comments (RFC) defining WebSockets was released in 2011, there has been little focus on using the Bro Intrusion Detection System (IDS) to analyze WebSockets traffic. However, there has been progress in exploiting the WebSockets protocol. The ability to customize and expand Bro's capabilities to analyze new protocols is one of its chief benefits. The developers of Bro are also working on a new framework called Spicy that allows security professionals to generate new protocol parsers. This paper focuses on the development of Spicy and Bro scripts that allow visibility into WebSockets traffic. The research conducted compared the data that can be logged with existing Bro protocol analyzers to the data that can be logged after writing a WebSockets protocol analyzer in Spicy. The research shows increased effectiveness in detecting malicious WebSockets traffic using Bro when the traffic is parsed with a Spicy script. Writing Bro logging scripts tailored to a particular WebSockets application further increases their effectiveness.

Does Network Micro-segmentation Provide Additional Security?
Fri, 15 Sep 2017 00:00:00 +0000
Network segmentation is the concept of taking a large group of hosts and creating smaller groups of hosts that can communicate with each other without traversing a security control. The smaller groups of hosts each have defined security controls, and the groups are independent of each other. Network micro-segmentation takes this further by configuring controls around individual hosts. The goal of network micro-segmentation is to provide more granular security and reduce an attacker's capability to easily compromise an entire network. If an attacker is successful in compromising a host, he or she is limited to only the network segment on which the host resides. If the host resides in a micro-segment, then the attacker is restricted to only that host. This paper will discuss what network segmentation and network micro-segmentation are, where they apply, and whether they provide an additional layer of security, including the levels of complexity involved.

ComBAT Phishing with Email Automation
Fri, 15 Sep 2017 00:00:00 +0000
An analysis of organizations' email reporting processes reveals two challenges facing cyber security departments: successful administration of the managed mailbox provided for users' suspicious email reporting (automation) and effective security awareness training tailored to the business groups based on the type of email received. An effective defense requires an organization to be informed by actual attacks (knowing the enemy) and awareness of internal shortcomings (knowing yourself) so that implemented protections and training are applicable to the threats faced (strategy and tactics).

Tackling DoD Cyber Red Team Deficiencies Through Systems Engineering
Fri, 15 Sep 2017 00:00:00 +0000
Red teaming is an essential capability in preparing and assessing the Department of Defense's (DoD) ability to execute their mission in a contested cyber environment. The identified deficiencies in DoD's overall red team capability, resulting from their ad hoc implementation, create unknown mission risk to the Combatant Commands and Services, leading to a significant threat to national security. Unfortunately, many senior DoD officials are citing a lack of resources as the reason for the deficiencies and believe an increase in funding will solve the issues. However, funding alone is not scalable to address DoD's gaps in red team capability, and throwing more money at the existing ad hoc process is quickly becoming a huge money pit for the DoD. This paper analyzes the deficiencies and concludes the primary cause to be a lack of the structured process needed to define, design, build, and sustain the required DoD red team capability. The solution presented is to treat the overall DoD cyber red team function as a complex system operating within a system of systems and apply the systems engineering process. Implementing a systems engineering process will eliminate some of the identified deficiencies through design and will identify feasible solutions or alternatives for the deficient areas which design cannot eliminate. The systems engineering process can help DoD build an effective and efficient red team capability, which is needed to ensure the military can successfully execute its missions in the contested cyber environment.

Next-Gen Protection for the Endpoint: SANS Review of Carbon Black Cb Defense
Thu, 14 Sep 2017 00:00:00 +0000
In today's threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert and prevent malware and malware-less attacks, but also provide defenders a road map of the systems and pathways attackers took advantage of. Our review shows that Carbon Black's Cb Defense does all this and more with a high degree of intelligence and analytics. Utilizing a cloud-based delivery system, it makes informed decisions on subtle user and system behaviors that we wouldn't otherwise see with traditional antivirus tools. Importantly, it saved us time: Manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading. Rather than toggling between separate security systems, traffic logs and so on, we used a single cloud interface—through drill-down and pivot—to determine whether a threat was a false positive or real.

HL7 Data Interfaces in Medical Environments: Attacking and Defending the Achilles' Heel of Healthcare
Tue, 12 Sep 2017 00:00:00 +0000
On any given day, a hospital operating room can be chaotic. The atmosphere can make one's head spin with split-second decisions. In the same hospital environment, medical data also whizzes around, albeit virtually. Beyond the headlines involving medical device insecurities and hospital breaches, healthcare communication standards are equally insecure. This fundamental design flaw places patient data at risk in nearly every hospital worldwide. Without protections in place, a hospital visit today could become a patient's worst nightmare tomorrow. Could an attacker collect the data and sell it to the highest bidder for credit card or tax fraud? Or perhaps they have far more malicious plans, such as causing bodily harm? Regardless of their intentions, healthcare data is under attack and it is highly vulnerable. This research focuses on attacking and defending HL7, the unencrypted and unverified data standard used in healthcare for nearly all system-to-system communications.

HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare
Tue, 12 Sep 2017 00:00:00 +0000
Ask healthcare IT professionals where the sensitive data resides and most will inevitably direct attention to a hardened server or database with large amounts of protected health information (PHI). The respondent might even know details about data storage, backup plans, etc. Asked the same question, a penetration tester or security expert may provide a similar answer before discussing database or operating system vulnerabilities. Fortunately, there is likely nothing wrong with the data at that point in its lifetime. It potentially sits on a fully encrypted disk protected by usernames and passwords, and it might have audit-level tracking enabled. The server may also have some level of segmentation from non-critical servers or access restrictions based on source IP addresses. But how did those bits and bytes of healthcare data get to that hardened server? Typically, in a way no one would ever expect... 100% unencrypted and unverified. HL7 is the fundamentally flawed, insecure standard used throughout healthcare for nearly all system-to-system communications. This research examines the HL7 standard, potential attacks on the standard, and why medical records require better protection than current efforts provide.

Securing Against the Most Common Vectors of Cyber Attacks
Tue, 12 Sep 2017 00:00:00 +0000
Advanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit vulnerabilities either through holes in an organization's security implementation or by targeting the human element, often using social engineering. Financially motivated actors indiscriminately send mass spam emails in credential harvesting campaigns or deploy ransomware. These attack vectors are the most common against organizations of any size, but often have a greater impact on small to medium-sized businesses that may not have a robust security posture. As a security practitioner, it is imperative to posture an organization to prevent and mitigate the risk posed by these attacks. The Critical Security Controls (CSC) are the industry standard for securing an environment but may be costly and time-consuming to implement; also, some of them may not be as applicable to all organizations. In this study, the controls for Email and Web Browser Protection (CSC #7) and Security Skills Assessment and Appropriate Training to Fill Gaps (CSC #17) are examined to secure against threats seeking to take advantage of end users, the most common entry point for an attacker. This paper examines multiple real-world threats and how the CSCs can be applied to prevent compromises. The goal of this research is to inform and educate security practitioners at any stage of the business on best practices and to aid in implementing controls directly applicable to their end users.

Challenges to Implementing Network Access Control
Tue, 12 Sep 2017 00:00:00 +0000
Network Access Control (NAC) has always offered the hope of solving so many network security problems but has proven quite difficult to implement. NAC was to solve the issues of visibility, control, and compliance enforcement. This paper seeks to demonstrate, through research and implementation, an effective and practical way for small to medium-sized businesses to move to NAC and take advantage of the security benefits of a 3-6 month implementation plan.

IDS Performance in a Complex Modern Network: Hybrid Clouds, Segmented Workloads, and Virtualized Networks
Tue, 12 Sep 2017 00:00:00 +0000
Modern networks are complex, with workloads both in the cloud and on premises. Monitoring these types of networks requires aggregating monitoring data from multiple, diverse locations. The following experiment tests the effects on a Snort IDS sensor when monitoring data is sent to the Snort sensor using three different methods. The first method tests direct communication from a server generating test traffic to an IP address on the Snort sensor. The second method captures test traffic from a SPAN port and directs it to an interface on the Snort sensor. The final method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing traffic from that tunnel. The results showed that these methods of sending data have a significant impact on the volume of data that reaches the sensor. Also, monitoring can have cascading effects on the network and must be planned for accordingly. For example, when both ERSPAN and production traffic are sent over the same network infrastructure, excessive ERSPAN traffic can cause production traffic to be dropped by overloaded network equipment. When setting up IDS sensors in a complex network environment using SPAN or ERSPAN, it is best to slowly increase the volume of monitoring traffic and carefully measure the impact in each unique environment.

When a picture is worth a thousand products: Image protection in a digital age
Tue, 12 Sep 2017 00:00:00 +0000
A lack of fashion-industry-specific information security controls and legal protection puts fashion industry companies at significant risk of Intellectual Property theft and counterfeiting. This risk is only growing as traditional methods of manufacturing are rapidly evolving toward digital models of design and mass production, using Industrial Control System (ICS) approaches for mass production. As mass production moves to digital manufacturing, the effect of losing new product 2D and 3D imagery, as well as the speed and lack of traceability around those losses, could significantly impact corporate bottom lines and risk profiles.

Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications
Tue, 12 Sep 2017 00:00:00 +0000
Securing a web app across its lifecycle is fundamentally different from securing an app born inside a secure perimeter. The selection of tools designed to scan running applications is more complex and challenging to select than conventional tools, as the threats these are designed to counter are also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.

Security Tools for the SMB and SME Segments
Mon, 11 Sep 2017 00:00:00 +0000
Small and medium businesses (SMBs) operate with limited staff and budgets. Today's business environment requires businesses to do more with less. Businesses also have information that they need to protect. This protection is either mandated by law (HIPAA), industry requirements (PCI) or best practices (NIST). What are the recommended policies and tools an SMB should have in place to provide adequate and responsible information security? What tools should an SMB concentrate their time, effort and money towards? Should these tools be network-based tools, monitoring both inline and spanned traffic? Should these tools be endpoint tools that provide the same functionality and minimize the network tool components? Or should there be a mix of tools? Are certain tools required on endpoints, in the network or both? What are an SMB's regulatory requirements and how does this affect the choice in tools? These are the difficult questions that require thoughtful, concise and researched guidance.