Saturday, September 28, 2013

Trying to do my lab

This week is a lab week, specifically learning cryptography with CryptTool. This is a cross-platform tool which is also available on the school lab VMs so that we don't have to install strange software on our own systems. Not being a big fan of installing strange software, I opted for using the VMs.

First off, the instructions are posted in docx files. I use Google Drive for as my office suite, interacting with docx files is irritating. Okay, head over to to get a compatible office suite. Two files, one with instructions on accessing the VPN and the other with instructions on accessing the VMs once you are on the VPN.

Next I head to the site to use their Cisco SSL VPN Service. Lots of instructions to the side, but a link in front that says "Start". Click it. First thing I notice is a checkbox by "Java Detection", then I see that Chrome is informing me that Java is required to display the page, including a helpful "Install plug-in" button. What? No. No. No, no, no!

After the attempt to use Java times out the window presents a download link followed by the message: Alternatively, retry the automatic installation. Really? Not only did you want me to have and allow Java, but you expected me to let it auto install software? Pretty sure that is exactly why I don't have Java!

Fine. I'll download the VPN client myself and run it. Once I'm connected to the VPN, I have a new site to go to. Step 1, ignore the untrusted SSL certificate. Step 2, click past the "Warning: This browser will not work with vCloud Director. The vCloud Director Console requires Microsoft Internet Explorer 7 or higher or Firefox 3 or higher" message since I'm in Chrome. Which doesn't work, the site requires a VMWare plugin that is only compatible with IE and Firefox. Uggh.

Honestly, I have not had any real complaints about IE 10 (other than I haven't given it a real chance since it is IE) so I kick that up... and get the same warning. Wait a sec, I'm not a math major (actually, I was), but I'm pretty sure 10 is higher than 7. Maybe the IE version display is showing the version number in binary? Once again I clicked past the warning and tried to continue. 0 for 2, just like the Steelers!

Fire up Firefox. Download plugin, install. Amazingly... still doesn't work. Probably not compatible with 64 bit Windows 8. Strike three, I'm out.

Time to look into putting a VM onto my Ubuntu server. The CryptTool instructions say it is available for Linux, so that will be my first attempt. Install VirtualBox, download an Ubuntu workstation iso. That download took 2 hours and just finished while I was writing this up. Since that two hours was far longer than I wanted to wait, I tried other solutions first. Set up my Ubuntu laptop to accept an ssh connection from the server. Tunnel into the laptop and make a limited, throwaway user account for running this test.

Download the Linux package of CryptTool. cat INSTALL to get instructions. Oh! Turns out I don't have cmake installed. Apt-get cmake. Try again, nope. No Qt. Right now the Qt SDK is downloading, thank you wikiHow.

Looks like the lab will get done tomorrow night. Who has two thumbs and a soon to be irritated wife once she finds out about another night dedicated to schoolwork? This guy.

UPDATE: has an online version. Time to try and just do it in Chrome.

Friday, September 27, 2013

Restricting and allowing access by work function

How would you organize your information resources so that only authorized individuals, both internal and external, have access to the information they need, in order to carry out their job responsibilities?

This is a situation especially well suited to role based access controls. Individuals that need access to resources can often be categorized by their set of required accesses, the set of which is their role. (Anderson, 2008) Roles can be defined as the sets of accesses that are needed by all likely groups, from both internal employees or contractors and external vendors or consultants.

By utilizing roles instead of assigning permissions individually, handling changes is easy and easily auditable. (Sandhu, 1998) If an employee moves to a different work position then they just need to have their role changed to match the new unit. One change and they have lost access they no longer require and gained all the newly required accesses. One addition allows a new vendor access to, and only to, the predetermined accesses associated with the role they are assigned.

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. New York: Wiley.

Sandhu, R. S. (1998). Role-based access control. Advances in computers, 46, 237-286.

Thursday, September 19, 2013

Limiting insider damage

How would you limit the damage that one person could cause, by making sure that they have access only to what they need?

There are two prime methods of limiting the damage a single person can cause, limiting access to data and limiting impact to data.

Limiting access to data is most strictly implemented through mandatory access control, in which every piece of data is given a classification of value. An individual is rated for access up to a specific classification and only may read data at or below it. The most common example cited for this is the United States Government’s use of the Unclassified, Confidential, Secret, and Top Secret national security classifications. (Anderson, 2008) This example is cited so often it is nearly a cliche, yet it is done so because it is effective. A person intent on causing damage has difficulty damaging data they never can read.

Limiting impact to data involves preventing data from being modified or otherwise manipulated by a malicious actor. Embezzlement is an effective example of damage that is caused through data impact. A person with the ability to modify the audit trail concerning monetary funds can make it appear that money went where it was intended when the actual destination was someplace that they profited from. A common solution to these type of threats is to utilize two-person integrity controls. (Humphreys, 2008) When data modification actions require two individuals to occur, it guarantees that single person cannot overtly damage the data. When data modification notifies a separate reviewer of an action that may be carried out by an individual then damaging changes will be detected in short order, which reduces the time available to cause damage, limiting the overall damage that can be accomplished.

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. New York: Wiley.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255. doi:10.1016/j.istr.2008.10.010

Honeypots: When and when not

Under what conditions should you consider implementing a honeypot? And, under what conditions should you not operate a honeypot?

Honeypots make excellent research tools for tracking spam and worm propagation. Tang and Chen suggest a worm detection strategy of using two honeypots, one that receives data from the network and one that only can receive data from the first. They first hypothesize, then support, that such a setup can be used to automate the detection and collection of even unknown worms. By limiting the traffic seen on the second machine to being 100% malicious, traffic signatures can be developed automatically. (2005)

A situation where a honeypot should not be used is one where you are unable to control outgoing packets. Since the purpose of the honeypot is to allow attackers to exploit it, the server can be re-purposed as an attack platform if not properly controlled. Hallberg et al describe how poorly protected honeypots pose a serious vulnerability to your network. They discuss the vulnerability being so severe that re-purposed honeypots could likely be seen as making the operator liable for downstream damages launched utilizing the platform. (2009)

Hallberg, C., Kabay, M. E., Robertson, B., & Hutt, A. E. (2009). Management Responsibilities and Liabilities. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Tang, Y., & Chen, S. (2005, March). Defending against internet worms: A signature-based approach. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE (Vol. 2, pp. 1384-1394). IEEE.

Wednesday, September 18, 2013

Getting Started on Intrusion Detection

If someone asked you for advice on what he or she should do first to get started on Intrusion Detection, what would you recommend?

Honestly, I would meet the question with another. What is meant by “to get started on intrusion detection”? I read this as a set of distinct scenarios, all of which need to be addressed separately. When I first read the sentence, the image brought to mind was a home user first looking to secure their own network.

  • When I first read the sentence, the image brought to mind was a home user first looking to secure their own network. Technical experience is very little, maybe a help desk job; existing host based software consisting of just operating system software firewalls, possibly an assortment of pre-loaded trial personal security products; network size limited to a small handful of consumer out-of-box operating systems.
  • Not too different of a use case is an IT professional looking to add intrusion detection to their existing small business network. More machines, likely with pro OS licenses, but similar a similar basic starting point.
  • My final use case is a significant direction away from the other two. It focuses not on the network just gaining intrusion detection, but rather the asker attempting to break into the field of intrusion detection. They will be, or aspiring to, joining a mature network with entrenched intrusion detection components.

Given that the significant aspects of intrusion detection boil down to host-based monitoring, traffic monitoring, signature-based detection, and behavior anomalies, each of the above use cases need to focus on specific cases. The new home user needs to select and install off-the-shelf monitoring components, as detection cannot be done without the pieces in place. Host based logging should be enabled and a file scanning security product can catch the low-hanging fruit of intrusion detection: recognizing known malicious code on disc. Installing Snort with its default configuration should be sufficient to get the network side started for the small home network, harnessing its preloaded rules for signature detection. (Vacca, 2009, pp 64-65)

The new network admin will want to build up all the components like the home user, while also including behavior anomaly detection in the traffic and host logs. Unlike the home network, the administrator cannot personally vouch for all of the legitimate actions; thus, it is important to have assistance in locating which actions are anomalous.

Even though this write up has gotten far longer than I had intended, there is the third, and far different interpretation of the question: how to get started effectively utilizing the existing, mature intrusion detection setup. As stated by Kemmerer and Vigna, “Auditing your system is useless if you don’t analyze the resulting information.” (2002) Get comfortable with logs and traffic dumps, automating as much of automation as you can. In a large network with a mature set of intrusion detection tools running you will have all the data you can handle to analyze. Learn the protocols of the traffic you are scanning so that your comments about the traffic can be more than just “it’s all greek to me”, to use a Shakespearean idiom.

Kemmerer, R. A., & Vigna, G. (2002). Intrusion detection: a brief history and overview. Computer, 35(4), 27-30.

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman

Tuesday, September 3, 2013

Another semester

New school year, new class.

Prevention and Protection Strategies in Cybersecurity, starts next Monday. Should be fun, the first week will be all about Enterprise Network Intrusion Prevention Systems.

Objective: Analyze the strengths and weaknesses of firewall technologies and methodologies in protecting enterprise networks.

Can't wait.