I'm giving this talk live at 11:00 PT, Today. Please attend live, or watch it anytime.
--Michael
Grok Computer Security
One hacker's odyssey to understand computer security
Wednesday, October 17, 2012
Monday, October 8, 2012
Key Properties of Security Virtualization for Virtualization Infrastructure
Independence from security hardware
This is an extension of the everything is software model inherent within virtualization. This creates several operational advantages:
- Simplifies data center resiliency and failover
- Reduces upgrade costs
- Enables "designed-in" security across data center fabric
- Scaling enhanced due to elimination of architectural constraints
- Hardware refresh cycle and technology advance is accelerated due to shortened engineering cycle
- CPU resource pool remains uniform
Faithful reproduction of the physical network security model in the virtual space, including security for both physical and virtual workloads
There's a lot of room for argument here, mainly because we don't necessarily have broad agreement on the physical network security model. I'll assert the following requirements:
- Defense in depth
- Segmentation of data
- Access control
- Separation of duties
- Deliver at least the top five controls from the SANS top-20:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Malware Defenses
Additionally, these must all be applied to the network, software objects, management tools, and APIs within the virtualized data center
Follow the operational model of compute virtualization
Security Virtualization must enable scaling, elasticity, mobility, and seamless disaster recovery. It also requires the conversion of security tools into software objects and the creation of new tools and capabilities for deployment, automation, and recovery of security capabilities. These are obvious capabilities for virtualization architects but rather new for security. Until recently we could not have a conversation about the auto-deployment or orchestration of security tools, now there are COTS products ready to do this. This operational model challenges the "security way" of doing things and impacts the culture of security within IT. This requires the transition of security professionals into new operational roles that are more flexible than existing silos within typical large IT organizations.
Compatible with any hypervisor platform
Security virtualization must be platform independent and ultimately it must be capable of protecting virtualized workloads in any data center. While it's not clear how many platforms will be in common use, I assert that there will be at least four:
- VMware
- RHEV (KVM)
- HyperV
- Mobile (ultimately there will be more than one here)
Therefore as workloads are established on multiple platforms in multiple locations by any given entity, security virtualization must support a single security policy model across these platforms.
Logical isolation of virtualized workloads, audit and security for control plane elements
At the hypervisor layer or above, everything is software. Logical isolation, rather than some form of physical segmentation, enables diverse workloads of differing sensitivity to run anywhere. Workloads will then run most efficiently when allowed to be run within common resource pools for CPU, Memory, Storage, and Networking. For example, fire walling must control access at the virtual NIC and be configured by policies that are not required to identify layer 3 or 4 attributes. This allows network segmentation of systems that share a single software switch, VLAN, or Host. In addition to isolation, security virtualization must also audit and protect the management objects, tools, and APIs that are utilized to provision, modify, or delete workloads, objects, and resources. In the ideal case, logical isolation enables multi-compartment zoning of workloads with the requisite capabilities for cross-domain security in both private or public clouds. This requires sophisticated capabilities for delineating a zone of trust that both isolates systems and applies common security policies within each specific trust zone, even when this zone spans multiple data centers.
Cloud performance and scale
Large-scale compute clouds are composed of thousands to millions of hypervisor instances. Security virtualization must enable resilient and protected operations at this scale. Security management tools, incident response, control automation, and event analysis must all be modified. This will require new security management architectures, analytics, and closed-loop controls that operate across millions of security objects in multiple locations. Additionally, cloud performance is not just IOPS or CPU cycles, it is also the capability to provision, modify, and decommissions hundreds or more systems with minutes or seconds. Security virtualization also enables security to accelerate operationally.
Open, programmatic security provisioning and control
Security virtualization must be integrated with provisioning, management, and operations of the data center. This must be a set of APIs that will fit into the management stacks developed and developing for each hypervisor platform. Security virtualization vendors will be able to differentiate on performance, complexity, completeness of solution, etc. However, each vendor must be able to interoperate with a common protocol like SCAP and must support their own orchestration by 3rd party or platform tools and management platforms. Specifically the API must, at minimum, support
- create/modify/delete for security policy elements
- create/modify/delete of security zones
- bidirectional updates of inventory attributes
- bidirectional event communication
- integration with workflow and incident escalation systems
In closing
Security virtualization has the potential to drastically improve the protection of sensitive data while at the same time simplifying the application of these protective capabilities. As with hardware virtualization, the most effective use of security virtualization will require changes to IT staffing, processes, and procedures. This will be disruptive to the way security "has always been doing it" -- something that is both necessary and good because the way we have been doing it has not been effective.
Wednesday, June 6, 2012
Interesting Flame News
It's my understanding, Flame made use of a cryptographic weakness in the certificate generation algorithm to create fraudulent certificates and then execute a MITM attack. This is discussed here.
A few thoughts:
A few thoughts:
- The NSA deserves their reputation.
- Further, they were willing to let the world know about this weakness. This denies them further use but also denies it to an adversary
- This weakness would have allowed them to plant software on just about any Windows system
- Makes you wonder what else they have up their sleeve (this is deterrence)
Saturday, June 2, 2012
The Cyber Cold War has Started
We are engaged in a cyber cold-war. The primary adversaries are the US, China, and Russia. China has directed attacks at the US, Russia has targeted former republics, and the US striking at Iran. With respect to the great powers, Mutual Assured Destruction (MAD) is in everyone's mind. The 5th wave nations are all incredibly vulnerable to cyber-attack and as Anonymous and others have shown, no one has even a modestly effective defense.
IMHO, the MAD risk of cyber will keep the major powers in-line, just like it has done with nuclear. However, the cyber-weapon genie is 100 times more difficult to keep in the bottle. We are fast approaching an era where a cult or perhaps even a lone gunman could use Stuxnet or perhaps now Flame as the blue print for a devastating attack on critical infrastructure.
Lastly, these weapons often effect more than their target. Collateral damage, friendly-fire, and blowback are more likely with a cyber-weapon due to the nature of cyberspace and the difficulty of distinguishing friendly systems and networks from those of the adversary.
More here.
IMHO, the MAD risk of cyber will keep the major powers in-line, just like it has done with nuclear. However, the cyber-weapon genie is 100 times more difficult to keep in the bottle. We are fast approaching an era where a cult or perhaps even a lone gunman could use Stuxnet or perhaps now Flame as the blue print for a devastating attack on critical infrastructure.
Lastly, these weapons often effect more than their target. Collateral damage, friendly-fire, and blowback are more likely with a cyber-weapon due to the nature of cyberspace and the difficulty of distinguishing friendly systems and networks from those of the adversary.
More here.
Tuesday, April 17, 2012
Today’s Phish
Like everyone on the planet, I am sent free phish every day. Since I can’t turn these into loaves or wine, I usually don’t waste time on them. Today’s phish caused me to reminisce, and when I reminisce, I get curious, so I looked further.
First, here is the phish:
According to wepawet the payload contains two vulnerabilities first reported in 2010, here, and here. The Adobe Reader vulnerability applies up to 9.3 and the Microsoft applies to Win2003sp2. So that's a decent target space.
What did I learn today?
A good day.
(updated 4/23)
This phish is harder to detect on my phone, see image :
A document was scanned and sent to you using a Hewlett-Packard JET ON4412867SSent to you by: KRYSTINReally, I think it's been years since I last saw this type of phish. The initial URL runs through three secondary URLs (a .com, .ro, and .ir) that in turn point to a single host (173.44.136.197). At the time of this phish all three secondaries and the host were alive and serving the scam. The payload when I research the .ro link, the payload (using curl) at 16:43 PDT. The payload reported by another blogger dynamoo. The payload now on .ir link -- note that the folks in IR appear to have now blocked the scam, or are running something else, I am leaving their CGI alone.
Pages : 6
Filetype: Image (.jpeg) View
Location: NPSK1.4FL.
Device: OP218S5OD2054128Mailprint: d72e6d72-e624bbbb
A document was scanned and sent to you using a Hewlett-Packard JET ON4412867S
Sent to you by: KRYSTIN
Pages : 6
Filetype: Image (.jpeg) View http://donteverclickalinkinemail.example.com/oCzgKm43/index.html
Location: NPSK1.4FL.
Device: OP218S5OD2054128
Mailprint: d72e6d72-e624bbbb
According to wepawet the payload contains two vulnerabilities first reported in 2010, here, and here. The Adobe Reader vulnerability applies up to 9.3 and the Microsoft applies to Win2003sp2. So that's a decent target space.
What did I learn today?
A good day.
(updated 4/23)
This phish is harder to detect on my phone, see image :
Saturday, February 4, 2012
Hackers force us to make JSF more secure
There's been some commentary on the recent article, "China's Role in JSF's Spiraling Costs."
TaoSecurity (Richard Bejtlich’s) has an excellent blog on this, which
follows up on a tweet by @4n6ir.
However, I have a different take:
“Before the intrusions were discovered nearly three years
ago, Chinese hackers actually sat in on what were supposed to have been secure,
online program-progress conferences, the officials say.”
This sounds a lot like “FBI Admits Hacker Group’s Eavesdropping.”
So after at least three years we still haven’t learned how
to keep our secure conference calls, well, um, actually secure – but that’s a
digression.
The article on the Joint Strike Fighter (JSF) goes on: ”…need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.”
We were building one of the most “computerized” and “networked” fighter planes in the world. Imagine if the plane went into production with those serious software vulnerabilities and it was open to attack via it’s own aerial network? It’s not like adversaries haven’t already demonstrated their ability to hack our communications channels in the field to hijack drone telemetry, video, and perhaps to crash them.
If there is a silver lining here, it’s that when the JSF
does fly it’s systems will be better protected against software vulnerabilities
and it won’t be broadcasting a SSID, although a Mach-2 WAP would have been
pretty cool.
Tuesday, January 24, 2012
I’ll tell you what I want, what I really, really want from a Cloud Provider
If you want my
business, you better make it fast
Self-service: 7x24 add, remove, change resources, workloads, and
connectivity
Elastic: scale up or down automatically within the limits I set
Available: stand up to hurricanes, DDOS, and replication storms.
Your mistakes should never be my problem.
If you want my data,
you better make it secure
Auditing: network and management
Network – I need to audit and or inspect all the traffic between my
systems. This includes but is not limited to traffic between users, systems,
and applications even where they share the same physical host and virtual
switch.
Management – I need to see all management events that may impact
the security or configuration of my systems. This includes but is not limited
to privileged access to my systems or data through the hypervisor or cloud
management APIs.
Control: policy and assurance
Policy – I need to express and apply security policies via a method
that is both human understandable and translatable into a machine-interpreted
language.
Assurance – I need to know when an event or incident occurs that
violates a policy and I need a method for testing that controls exist and are
effective for enforcing my policies.
Metrics: continuous and interoperable
Continuous – Per our agreed standards of measurement I must be able
to quantify the security attributes of my system. This may include but is not
limited to measurements for: vulnerability, configuration, performance,
incident detection, incident response, and incident containment.
Interoperable – All security relevant data and events must be
available in a documented machine-readable format. It should either comply with
standards such as Cyberscope and SCAP or my preferred GR&C system.
If you want my money,
you better not ask for much
Value – Not just cheaper than if I do it myself. Your services
should give my organization new capabilities to meet our objectives. These
capabilities could include user experience, logistic support, and accessibility
…
No lock-in – I should be able to easily move my data and workloads back
inside my enterprise or to one of your competitors.
Subscribe to:
Posts (Atom)