You Can’t Buy Security Building an Open Source Information Security Program By: Boris Sverdlik aka @JadedSecurity

Upload: jadedsecurity

Post on 29-Nov-2014



DerbyCon 2012


Page 1: You Can't Buy Security - DerbyCon 2012

You Can’t Buy Security

Building an Open Source Information Security Program

By: Boris Sverdlik aka @JadedSecurity

Page 2: You Can't Buy Security - DerbyCon 2012

Who am I?

Your friendly neighborhood security guy

That Jaded asshole who runs a blog and is on that DAILY podcast.. You know.. ISDPodcast.com

I’m That Guy on Twitter….

Coming up on almost 15 years in the Industry.

I started on the Offense Side, got sucked into Defense, now it’s a little bit of both…

I’m Not an “Evangelist” but I have stayed at a

Page 3: You Can't Buy Security - DerbyCon 2012

Disclaimer

No Animals, Unicorns, Memes, Evangelists were hurt during the production of this talk.

Do not go back to your organization and say “Boris, compared this to X”

This presentation has been tailored for consumption by the awesome “DerbyCon Audience”. A made for RSA presentation will be available for all of your corporate Needs

Finally: Rape Is Never Funny.. Except when..

Page 4: You Can't Buy Security - DerbyCon 2012

It is “Legitimate” !!!

Page 5: You Can't Buy Security - DerbyCon 2012

Or when you happen to scream out on a conference call…

“We Raped all of your

Shit!!!”@lizborden

Page 6: You Can't Buy Security - DerbyCon 2012

Enough about Rape..

Page 7: You Can't Buy Security - DerbyCon 2012

Why are we here?

At Security Zone 2011, some very smart people came up with the idea that Defense should be Sexy

Page 8: You Can't Buy Security - DerbyCon 2012

Sexy Defense

So a bunch of us put in a CFP for a panel at ShmooCon and somehow it got hijacked and turned into a “You’re Doing it Wrong, Read The Manual” discussion.

“We need more Data”

“We need better tools”

“We need to know how to use the tools we have”

Focused on “IT Security” which is Doing it Wrong

Page 9: You Can't Buy Security - DerbyCon 2012

“IT Security” is an oxymoron

IT is in the business of keeping the business running

Security is there to enable the business to continue being successful

The Pyramid is missing a key component. Know Your Business!

Page 10: You Can't Buy Security - DerbyCon 2012

IT Managers Focus on

Availability - Redundancy

Resource Utilization

Operational Reporting

Ease of Implementation

Ease of Support

Limit production issues

Cost of Ownership

Page 11: You Can't Buy Security - DerbyCon 2012

Security Managers focus on

Ensuring that security is tightly integrated into the business

Identifying weaknesses in process and technical controls

Ensuring that new initiatives do not impact current controls

Reducing the risk posture of the entire organization as a whole (Physical, Technical and Administrative)

Recommend and/or Implement controls that potentially conflict with IT Focus!

Page 12: You Can't Buy Security - DerbyCon 2012

CIO vs. CISO

Page 13: You Can't Buy Security - DerbyCon 2012

I hate this term! Thanks Big 4!

“People, Process and Technology!”

Page 14: You Can't Buy Security - DerbyCon 2012

Truth of the matter is!

People, Process and Technology is the only way to build an Information Security program properly.

We fail at Security because we focus too much on Technology and let “Analysts” drive our security decisions

There is no Magic Bullet! There never will be!

Page 15: You Can't Buy Security - DerbyCon 2012

Obligatory Repurposed Image

• You Can’t Buy Security!

• Despite what $Vendor claims!

Page 16: You Can't Buy Security - DerbyCon 2012

Regulations don’t really make you secure

Page 17: You Can't Buy Security - DerbyCon 2012

The Cloud is not Secure!

100% PCI Compliant

Fine Print: We have our own QSA!!! You’re Secure!

Page 18: You Can't Buy Security - DerbyCon 2012

Are we doomed???

Page 19: You Can't Buy Security - DerbyCon 2012

You’ll never win the war

Page 20: You Can't Buy Security - DerbyCon 2012

Is Defense Sexy?

Do you think this is Sexy????

Page 21: You Can't Buy Security - DerbyCon 2012

Does this make you hot?

Page 22: You Can't Buy Security - DerbyCon 2012

Defense is NOT Sexy!

Unless you’re into this

Page 23: You Can't Buy Security - DerbyCon 2012

So without further adieu <Fancy speak>

Let’s Start with People!!!

Hire the Right People to run your security program.

You Guys are the right People!!!! So let’s ignore the next couple of slides that are directed towards the other Hiring Managers.

Page 24: You Can't Buy Security - DerbyCon 2012

You wouldn’t hire an auditor to

Page 25: You Can't Buy Security - DerbyCon 2012

So why hire them to run Security?

Your Security Program is not a checklist…

It requires an individual who has experience and can learn and adapt to your environment

Page 26: You Can't Buy Security - DerbyCon 2012

Don’t Hire the guy/gal who wants to “Secure Everything”

We all know that security guy who has a fit every time the firewall is probed.

The Sky is not falling!!! The Planet is not under attack!!!

China is not after all your Data!!! If they are, they already have it…

Page 27: You Can't Buy Security - DerbyCon 2012

So let’s say you’ve hired the right Person!!!

The right person will be someone who understands your business model

He/She is not driven by the latest Gartner Analyst report

Doesn’t play buzzword Bingo

Has been in the industry long enough to Get It.

Has the right combination of Technical, Business and Soft skills.

Page 28: You Can't Buy Security - DerbyCon 2012

You are the Right Person!<for the sake of argument, you aren’t hungover this Sunday Morning>

You have just been hired as the new CISO for ABC Condom Company!!! You Start Monday!!! Yay!!!

Page 29: You Can't Buy Security - DerbyCon 2012

What’s the first thing you do?

Use the Googlez obviously!!!

Page 30: You Can't Buy Security - DerbyCon 2012

Oops.. Forgot to turn on safe search.. BRB

Page 31: You Can't Buy Security - DerbyCon 2012

I’m going to assume you already scouted before you got hired!

So what are we going to search? You want to learn everything you can about the business aspects

How are Condoms Made

How does ABC Condom make money

Do they sell direct?

Page 32: You Can't Buy Security - DerbyCon 2012

What’s this??? 4Chan??

/b has a post saying ABC Condom Company is making a new product.. Now with a 100% more @#$^!(

Page 33: You Can't Buy Security - DerbyCon 2012

Monday Morning Comes!

The first thing you’re going to do is use all of your 1337 social engineering skills to meet with as many individuals as you can.

Don’t focus just on the Management team… You really want to get a feel for the organization

You’re an Employee… Did you sign an NDA as part of your hiring package? If not, that can give you some insight into the organization’s stance on privacy

You might have your work cut out for you.. But hey, you’re

Page 34: You Can't Buy Security - DerbyCon 2012

Into Pain, right??

Page 35: You Can't Buy Security - DerbyCon 2012

OK, We got the formalities out of the way.. What’s first?

You can’t have a security Program without understanding what you are going to protect? Right?

Your first step is Information Classification!

Do not use some Arbitrary Value that you learned in CISSP class.. Quantitative Risk assessment is a myth! AV (Asset Value) * EF (Exposure Factor) = SLE. MEH!!!

The Business does not understand Asset Values of intangible assets. It’s a futile process and will bring you nothing but Grief!

Page 36: You Can't Buy Security - DerbyCon 2012

First steps

At this point you’ve identified from a high level how your business operates

What are the different Business Units

What if any Legal/Regulatory Obligations you have

What the Collective Organization values.

When you perform a Business Impact Analysis every BU (Business Unit) will claim that their process/product is the most valuable to the organization. This usually causes the process to fall apart and will eventually become a show stopper!

Page 37: You Can't Buy Security - DerbyCon 2012

Where do I start

So if /b is an indicator we know we might have an R&D initiative. Let’s put this in our spank bank for later..

How do we perform classification without using arbitrary values? Easy.. You have spent the last couple of days learning your business right?

You know that you make money from Manufacturing and Direct to wholesalers.

You know you have HIPAA, SOX and PCI obligations

Page 38: You Can't Buy Security - DerbyCon 2012

First Things first

You’ve done your OSINT Searches and have identified a couple of Web Servers and look what we have here.. A customer support forum…

Let’s do some skid testing first…

Run your scripts… put your leet SQLMap skills to the test.

NOTE: This isn’t a pen test! Just to see if you can withstand the kiddies..

Page 39: You Can't Buy Security - DerbyCon 2012

Can you stand up to him???

Page 40: You Can't Buy Security - DerbyCon 2012

YES!!!! At least there is no SQLi

Page 41: You Can't Buy Security - DerbyCon 2012

So let’s get


Page 42: You Can't Buy Security - DerbyCon 2012

Information Classification

Start Broad and put availability aside for a second.

Start with three Categories

Public, For Internal Use Only, Sensitive

Page 43: You Can't Buy Security - DerbyCon 2012

Sensitive

• Intellectual Property (Secret Condom Formula, Research Data)

• Books & Records

• PII and PHI

• Employee Information

• Business Strategy Documents

Page 44: You Can't Buy Security - DerbyCon 2012

For Internal Use Only

• Phone Directories

• Policies and Some Procedures (Depending on the sensitivity of the system)

• Interoffice communications & General Memos

• Calendars

• HR Procedures

• Non Application Specific Intranet Sites

Page 45: You Can't Buy Security - DerbyCon 2012

Public

• Financials already disclosed

• Anything the business would be cool with showing up on

Page 46: You Can't Buy Security - DerbyCon 2012

Start with Low Hanging Fruit

You sell rubbers… I’m sure you have a customer service organization? Right???

They more than likely have access to a good chunk of your sensitive data

They are also most likely the ones who click all the Shit

Your organization may differ! This is not a one size fits all!

Page 47: You Can't Buy Security - DerbyCon 2012

Step#1 Face to Face

• Set up some “Getting to know you time” with the manager of the group and use your 1337 social engineering skills to convey “How can I help you” ***IMPORTANT!!!

• Elicit as much information as possible:

• Roles: How many groups do you have

• What are their responsibilities

• What applications do they use *** Important

• How do you get new employees set up

• What frustrates you about IT?

Page 48: You Can't Buy Security - DerbyCon 2012

Findings

• You’ve identified that the customer service group uses a proprietary web app called Magnum for most of their functions.. Let’s consider this system CRITICAL

• You’ve identified several different roles within the group

• You've identified that IT manages account administration

• You’ve also identified things you weren’t expecting..

Page 49: You Can't Buy Security - DerbyCon 2012

Lol. Wut?.. No Really..

• Anyone can request and get access

• Whoever wrote the app quit years ago

• Nobody really knows who maintains the application

• Code hasn’t been touched in years..

Page 50: You Can't Buy Security - DerbyCon 2012

Still Think Defense is Sexy?

Page 51: You Can't Buy Security - DerbyCon 2012

Guaranteed Tangent #1

• Now it’s time for some real sexy time!!!

• Meet with IT and position yourself as “Hey, I know you’re busy but $BusinessManager has asked me to look into who has access to Magnum..”

• Build rapport with IT, don’t come off as Me Vs. You!!

IT: Oh we just add them to $Group(s)

You: Cool, what do $Groups have access to?

IT: I dunno.... Before my time…

You: Great.. Thanks…

Page 52: You Can't Buy Security - DerbyCon 2012

Are you stuck??

• No.. Now it’s time to put your leet skillz to use

• Identify the nodes the application is running on.

• Identify the authentication/authorization mechanism

• Identify Change Management procedures

• Review the code for any additional connections made by the application

Page 53: You Can't Buy Security - DerbyCon 2012

Ha! Now we have Data

• You’ve learned that the App is running on a Tomcat server with AD Authentication using Roles.. YAY!!

• You know it uses a $ServiceAccount to access $Database

• Now we go back to IT and ask for ACL dumps for:

• The individual nodes

• Tomcat

• $Database

Page 54: You Can't Buy Security - DerbyCon 2012

Now comes the hard part

• You have to sort through all this crap!

• Put together an access control Matrix based on job functions and True access lists

• Document the entire PROCESS!!!

• Draft an Application Specific Policy / Run Book

Page 55: You Can't Buy Security - DerbyCon 2012

Follow up with the Business Unit!

• Present the document to $Manager, now enabling them to take responsibility for ownership of the application and assign a delegate

• Have them review the current entitlements and have them agree on a review process in line with the criticality of the application

• You should know each of their processes intimately. The Run Book should be a good baseline for a BCP

• Establish a partnership that will prove beneficial to them
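To show what sorting through the ACL dumps and building the access control matrix looks like in practice, here is an added example (not from the talk, and not any product’s code) for the Magnum scenario: it merges constructed dumps for the nodes, the Tomcat/AD groups and the database into a per-account matrix, then flags what the business unit never justified. The roster, group names, grants and the departed developer account (“dave”) are all assumptions.

```python
"""Entitlement review for one application (constructed example, not from the talk).
Merges the ACL dumps IT hands over into a per-account access matrix and flags
what the business unit never justified: excess entitlements and orphan accounts."""
from collections import defaultdict

# Constructed roster of job functions, from the customer service manager interview.
ROSTER = {"alice": "cs_agent", "bob": "cs_supervisor", "carol": "it_admin"}
# What each job function is expected to hold, as (system, entitlement) pairs.
EXPECTED = {
    "cs_agent": {("tomcat", "Magnum_Agents")},
    "cs_supervisor": {("tomcat", "Magnum_Agents"), ("tomcat", "Magnum_Supervisors")},
    "it_admin": {("node", "Administrators"), ("tomcat", "Magnum_Admins")},
}
# Non-human accounts and the exact grants they are allowed (the app's DB account).
SERVICE_ACCOUNTS = {"svc_magnum": {("db", "SELECT:customers"), ("db", "UPDATE:customers")}}

# Constructed dumps in the shape IT hands over: "Group: member, member" for the AD
# groups Tomcat maps to app roles and for local admins on the nodes, and
# "GRANT <priv> ON <object> TO <user>" for the database. "dave" is the assumed
# developer who quit years ago and is on nobody's roster.
AD_GROUPS = "Magnum_Agents: alice, bob, dave\nMagnum_Supervisors: bob, alice\nMagnum_Admins: carol, dave"
NODE_ADMINS = "Administrators: carol, dave"
DB_GRANTS = ("GRANT SELECT ON customers TO svc_magnum\n"
             "GRANT UPDATE ON customers TO svc_magnum\n"
             "GRANT ALL ON customers TO dave")

def parse_group_dump(text, system):
    """'Group: a, b' lines -> {user: {(system, group)}}."""
    out = defaultdict(set)
    for line in text.splitlines():
        group, _, members = line.partition(":")
        for member in members.split(","):
            if member.strip():
                out[member.strip()].add((system, group.strip()))
    return out

def parse_grants(text):
    """'GRANT p ON o TO u' lines -> {user: {("db", "p:o")}}."""
    out = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "GRANT" and parts[4] == "TO":
            out[parts[5]].add(("db", f"{parts[1]}:{parts[3]}"))
    return out

def build_matrix():
    """True access list per account, merged across all three dumps."""
    matrix = defaultdict(set)
    for source in (parse_group_dump(AD_GROUPS, "tomcat"),
                   parse_group_dump(NODE_ADMINS, "node"), parse_grants(DB_GRANTS)):
        for user, entitlements in source.items():
            matrix[user] |= entitlements
    return dict(matrix)

def review(matrix):
    """Deviations for the app owner to revoke or sign off on, as (account, kind,
    entitlements): 'orphan' = not on any roster, 'excess' = beyond the job function."""
    findings = []
    for user, entitlements in sorted(matrix.items()):
        if user in ROSTER:
            allowed = EXPECTED[ROSTER[user]]
        elif user in SERVICE_ACCOUNTS:
            allowed = SERVICE_ACCOUNTS[user]
        else:
            findings.append((user, "orphan", sorted(entitlements)))
            continue
        extra = entitlements - allowed
        if extra:
            findings.append((user, "excess", sorted(extra)))
    return findings
```

The matrix from `build_matrix()` is the document you hand $Manager; the `review()` output is the list they either revoke or explicitly accept as the application owner.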

Page 56: You Can't Buy Security - DerbyCon 2012

Rinse & Repeat

FOR EVERY APPLICATION

Page 57: You Can't Buy Security - DerbyCon 2012

Wow.. That took a lot of work

• We haven’t implemented a single bullshit policy yet!

• We haven’t bought a single Blinky Box

• We haven’t bitched about budget.

• We haven’t once talked about CHINA!

Page 58: You Can't Buy Security - DerbyCon 2012

We’re not even close to done!

• The classification exercise is the very minimum every CISO/CSO/Head of Security/Whatever needs to ensure is done before building their security program!

• We’ll call that Step#1

Page 59: You Can't Buy Security - DerbyCon 2012

Step #2?

• So now you can go ahead and snag some templates off of SANS for your “Security” Policies

Page 60: You Can't Buy Security - DerbyCon 2012

Policies and Procedures

• Now that you know your business you can draft your policies so that they align with the business

• Keep them short and concise and RELEVANT!

• Don’t forget the basics

• Acceptable Use

• Data USAGE!

• Communications

• Physical

• ETC!!!

Page 61: You Can't Buy Security - DerbyCon 2012

Now comes the “Fun” part

• You know exactly what assets you need to protect

• You know where your assets are

• You know what they are worth to the success of your business

• You have the support of the business

Page 62: You Can't Buy Security - DerbyCon 2012

Step #3 Implementation

• We don’t need to buy $Product to lower your risk of exposure

• Cover your BASICS (Not what the CISSP Taught You)

• Access Controls

• Application Security

• Network Security

• Operational Controls

• Physical Security

• Business Continuity

• User Awareness Training!

Page 63: You Can't Buy Security - DerbyCon 2012

OPEN SOURCE

• OPEN SOURCE IS NOT FREE!!!

• Always weigh the cost of implementation against purchasing a solution if you do not have the resources available to build.

Page 64: You Can't Buy Security - DerbyCon 2012

Access Controls

• Authentication & Authorization

• You need to be able to map the classification process back to a system that can enforce controls and provide accountability

• Remote Access should follow this access control mechanism as well.

• If you aren’t on Windows there are options!!!

• OpenLDAP

• OpenIAM

• And much More!!!

Page 65: You Can't Buy Security - DerbyCon 2012

Application Security

• Work with your development teams to ensure that secure functions are documented and available for reuse across the organization

• While code review for every app will never be possible, make sure that major revisions for high risk applications are reviewed.

• Use static analysis tools to test your development efforts for potential bugs

• Don’t run applications of different risk levels on the same logical/physical systems

• Always assume the host/client has been compromised; as such, ensure application security controls are at the application layer

Page 66: You Can't Buy Security - DerbyCon 2012

Network Security

• VLAN does not mean segregated!

• Firewall rules should be very explicit

• The End User environment should not have unfettered access to your production environment

• For God’s sake do not allow direct internet access through a PAT!!

• Group Systems logically by the data that they house

• SSL != SAFE!

• Certificates != Good 2FA

• NAC is a wet dream you will never fully attain

• Use Active and Passive Network Monitoring

Page 67: You Can't Buy Security - DerbyCon 2012

Operational Controls

• Develop Processes for:

• Change Management

• Patch Management

• Build Standards

• Asset Management

• Vulnerability Management

• Blah Blah Blah

Page 68: You Can't Buy Security - DerbyCon 2012

Change Management!

• WTF does Change Management have to do with Security???

• Security is always a snapshot in time

• When you roll code out you need to be confident that you don’t add new risks!

Page 69: You Can't Buy Security - DerbyCon 2012

Patch Management!

Page 70: You Can't Buy Security - DerbyCon 2012

Logging

• Ensure you have centralized logging from your business critical systems

• Ensure that you can maintain the integrity of the logs.

• Logging mechanism should provide administrative monitoring!!

Page 71: You Can't Buy Security - DerbyCon 2012

Monitoring

• You do not need to spend $$$ on a commercial SIEM

• Open source Solutions such as OSSIM can provide all that you need to build your monitoring program.

• The Solution must provide real time Alerting

• You do need to build a process to address alerts and fine tune the system.

• Resources are Key!

Page 72: You Can't Buy Security - DerbyCon 2012

Intrusion Detection

• Once you’ve identified your critical resources during Step 1, you now know where to focus your resources.

• Network Intrusion Detection should never be implemented to fulfill a checkbox! You need to spend the time to trend the environment and build your rules from a white list perspective. Snort is FREE!

• Host Based Intrusion Detection provided by OSSEC can provide real value when implemented on critical resources. It can maintain your compliance checking as well..

Page 73: You Can't Buy Security - DerbyCon 2012

Vulnerability Management

• Vulnerability Management is a place where a lot of organizations get stuck in an endless loop of exceptions and acceptances and blah blah blah.

• An authenticated scan should be your validation that patches are being applied and that new applications aren’t being introduced without going through the process

• It’s a QA function when done right

• Again.. OpenVAS and Seccubus are FREE!

Page 74: You Can't Buy Security - DerbyCon 2012

BYOD???

• Have you noticed I haven’t nitpicked endpoint controls???

• Once you build out your classification you can use criticality/sensitivity of the data to apply additional controls as required

• There are plenty of ways to provide access to data in a hostile environment

Page 75: You Can't Buy Security - DerbyCon 2012

Security Awareness

• Your users will never stop clicking shit

• Compliance driven security awareness does not work

• It must be reinforced and integrated into the culture

• Defense in depth and treating the endpoint as hostile is the only way to go.

Page 76: You Can't Buy Security - DerbyCon 2012

Now go find a Red Team

• A Penetration test by a 3rd party is the only way to validate your program is effective. They hold no bias…

• If you have external facing infrastructure, then crowd source the external pen test! Often times a bug bounty will be more cost effective than a full dynamic analysis

Page 77: You Can't Buy Security - DerbyCon 2012

At this point you’re not even close to done!!

• The Security Program is just that: a program!

• It is a living, breathing animal and must be continually fine tuned

Page 78: You Can't Buy Security - DerbyCon 2012

What’s Next?

• This is why I love the Community apparently

Dennis Kuntz @denniskuntz has already started working on a framework! http://www.cossp.org