Inverting Risk Management for Ethical Hacking SecureWorld Expo 09
Agenda
Speaker Introductions
Learning Objectives
Framework of Risk Management & Analysis (FoRMA)
Duality of Risk
Demonstration of Information Warfare Scenario
Wrap-Up
Q&A
Introductions
Speaker: Kris Kahn, CISSP, CISA, CGEIT, OPSA, Senior Staff, Electronic Security Governance, Seagate Technology LLC
Co-Speaker: Brian Shura, PCI-QSA, Director of Penetration Testing, AppSec Consulting
Audience
Attendees should be involved with penetration testing or managing risks, such as:
IT Security Staff, Risk Managers, Company Officers, Ethical Hackers
Recommended knowledge:
Familiar with Security Best Practices
Understand Risk Management Concepts
Experience with Penetration Testing
Learning Objectives
Understand the advantage of validating your security measures through ethical hacking
Recognize the benefits of applying Risk Management and Risk Exploitation methods
Understand your control options to mitigate risks
Balance your enterprise security using FoRMA
FoRMA Overview
Benefits of FoRMA
Big Picture: holistic relationship of related security models.
Technology Independent: universal Risk Management concepts.
Business Focused: minimize risk, instead of maximizing security.
Overview
A framework for integrating industry standard models, such as CIA*, STRIDE* and others.
Addresses Risk and Control elements:
Risk: Threat, Vulnerability
Control: Technology, Process
*: See references at the end of the presentation material
Goal of FoRMA: Risk Mitigation
I.e. control risks within acceptable limits to support business objectives.
Establish your boundaries: define relevant policies, standards and best-practices.
Protect assets and resources in accordance with policy.
Detect policy violations.
Assure policy compliance.
Building your foundation
Start from the ground level and work your way up! Construct a strong security foundation on which to build your security policies, standards and best-practices. Use industry-established security methodologies and codes of best practice to guide your standards and practices. A security foundation supports all layers (including physical, network, application, etc.), and addresses each security implementation phase (Awareness, Protection, Detection, and Assurance).
Building your foundation
Use Methodology with Sub-Model to evaluate Subject:
Methodology                  Model    Subject
Threat Management            STRIDE*  Threat
Security Architecture        APAIN*   Technology
Security Management          RIVET*   Process
Asset/Resource Management    CIA*     Vulnerability
*: See references at the end of the presentation material
Building your foundation
This is a layered model based on the ISO protocol model*, which identifies five (of the original seven) layers where critical assets and resources can be identified: Physical, Network, System, Application, Data.
Risk Mitigation Life Cycle
Identify, Analyze, Control, Maintain, repeat. This process life cycle will guide you through the framework to the appropriate security resolution.
Step       Source              Target                      Result
Identify   Threat Discovery    Asset Valuation             Business Survey
Analyze    Threat Assessment   Vulnerability Assessment    Assessed Risk
Control    Threat Mitigation   Vulnerability Reduction     Controlled Risk
Maintain   Threat Management   Asset Management            Managed Risk
Risk Mitigation Life Cycle: Identify
Risks can be received through many input channels. If a risk arises from a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered. Valuing the business importance of the asset will drive the prioritization of the remediation.
(Identify step: Threat Discovery, Asset Valuation, Business Survey)
Risk Mitigation Life Cycle: Analyze
To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. We measure and analyze these items in detail to determine the corresponding risk.
(Analyze step: Threat Assessment, Vulnerability Assessment, Assessed Risk)
Risk Mitigation Life Cycle: Control
Once you have assessed the risk, you can apply control mechanisms in the form of technology to mitigate the threat or reduce the vulnerability.
(Control step: Threat Mitigation, Vulnerability Reduction, Controlled Risk)
Risk Mitigation Life Cycle: Maintain
Once a system is live, you apply counter-measures in the form of processes in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments). Implement change control and regular audit processes to verify when an aspect of the formula has changed.
(Maintain step: Threat Management, Asset/Resource Management, Managed Risk)
FoRMA Model Overview (diagram): Risk elements Threat and Vulnerability; Control elements Process and Technology; phases Awareness, Protection, Detection, Assurance.
Implementation: Phases (diagram): 1 Awareness, 2 Protection, 3 Detection, 4 Assurance.
Risk Mitigation Phases & Life Cycle (diagram): the Identify-Analyze-Control-Maintain (IACM) cycle runs within each of the four phases: Awareness, Protection, Detection, Assurance.
Duality of Risk
Risk Prevention vs Risk Exploitation
Using opposing objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage.
Risk Prevention         Life Cycle   Risk Exploitation
Discover                Identify     Reconnaissance
Evaluate Risks          Analyze      Evaluate Risks
Mitigate Risks          Control      Exploit Risks
Balance Risk/Control    Maintain     Risk/Control Divergence
Risk Analysis Strategies
The Blue Team's strategy is to create a balance by mitigating the risk through applying the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed.
Risk = Control (+/- acceptable residual control/risk)
The Red Team's strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor.
Risk > Control
Both teams need to analyze the risks and the controls to be able to execute their strategies.
FoRMA Model for Ethical Hacking
Red Team Strategy vs Blue Team Strategy (diagram): each Blue Team phase has a Red Team counterpart: Awareness / Deception, Protection / Intrusion, Detection / Evasion, Assurance / Corruption. Risk elements: Threats, Vulnerabilities; Control elements: Process, Technology.
Kris Kahn, 2009 http://www.cybernetix.com/forma
Risk Exploitation Phases & Life Cycle (diagram): the Identify-Analyze-Control-Maintain (IACM) cycle runs within each of the four Red Team phases: Deception, Intrusion, Evasion, Corruption.
Information Warfare Scenario: Red Team/Blue Team Demonstration
Objectives
Business: become profitable by offering banking services on-line; validate security controls through a third-party pen test.
Blue Team (Operations): support the business by identifying and reducing risk.
Red Team (Ethical Hackers): exploit weaknesses to gain access to customer data, administrative functions, and financial transactions.
Penetration and Defense Life-Cycles
Blue Team: 1. Awareness, 2. Protection, 3. Detection, 4. Assurance
Red Team: 1. Deception, 2. Intrusion, 3. Evasion, 4. Corruption
Background: The business selected a Windows system running an IIS web server as their online customer interface to their WebService-based banking system and their back-end database system (MS SQL Server).
Target
Free penetration testing platform: Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities.
09/16/2009 Kris Kahn, 2009
Red Team: Phase 1 (Deception)
I: Target web server
A: Manual JavaScript vulnerability test on web-based forum
C: Cross-Site Scripting (XSS) code to steal admin cookie and reuse
M: Elevate privileges of own account to admin status
Analyze
Risk Level: High
Enter into forum to test: [screenshot]
Result: [screenshot]
Conclusion: Vulnerability exists to allow XSS attack that may lead to Elevation of Privileges (Admin access)
Control & Maintain
XSS code to steal and reuse cookie to gain access: [screenshot]
Risk Level: High
Maintain: Set attacker account privilege to Admin type
Blue Team: Phase 1 (Awareness)
I: Focus on accounts and authorized access
A: Validate user accounts and appropriate privileges
C: Repair access/accounts as necessary
M: Improve coding practices
Analyze
Risk Level: High
Validate accounts through database
Conclusion: Admin privileges inappropriate for user account, may be due to error; root cause analysis in progress
Remove unauthorized admin privileges for user account
Control & Maintain
Find XSS attack in forum and clean up: [screenshot]
Risk Level: Low
Maintain: Patch to prevent special characters entered in forum using input validation; improve coding practices to anticipate this vulnerability
Red Team: Phase 2 (Intrusion)
I: Target data flow
A: Test for SQL injection vulnerabilities
C: Exploit SQL injection flaws to bypass authentication and access admin account
M: Gather sensitive information from back-end database
Analyze
Risk Level: Medium
Perform manual test using a single quote (') to verify whether a field is vulnerable to SQL injection
Conclusion: SQL injection is possible and may lead to Elevation of Privileges (Admin access)
Control
Risk Level: High
Use SQL injection attack on password field
Control
Risk Level: High
Successfully bypassed the authentication logic
Maintain
Risk Level: High
Leverage admin function to gather additional data
Blue Team: Phase 2 (Protection)
I: Focus on database server SQL activity
A: Assess potential unauthorized access to back-end database through application
C: Install web application firewall for SQL injection protection
M: Update application code to use parameterized queries to prevent SQL injection
Analyze
Risk Level: High
Unauthorized SQL activity discovered
Conclusion: Unauthorized access to database through application exposed user records with passwords
Control & Maintain
Risk Level: Low
Install WebKnight to mitigate risk of SQL injection attacks
Maintain: Update application code to use parameterized queries to prevent SQL injection; encrypt passwords in database
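The "before" and "after" states the Blue Team describes for Phase 2, as an added Python example (not code from the presentation or from Hacme Bank, which is an ASP.NET application): a login query built by string concatenation, which a quote in the password field can subvert, beside a parameterized lookup against salted password hashes. The table layout and accounts are constructed; storing PBKDF2 hashes rather than reversibly encrypted passwords is this example's reading of the slide's "encrypt passwords" step.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (example data, not from Hacme Bank).
USERS = [("jv", "jv789", 0), ("admin", "Adm1nP@ss", 1)]

def legacy_db():
    """'Before' state: plaintext passwords, as the exposed records on the slide imply."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def login_vulnerable(conn, user, password):
    # Deliberately vulnerable: both fields are spliced into the WHERE clause, so a
    # quote in the password value changes the query's logic instead of being compared.
    sql = (f"SELECT user_name, is_admin FROM users "
           f"WHERE user_name = '{user}' AND password = '{password}'")
    return conn.execute(sql).fetchone()

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hardened_db():
    """'After' state: parameterized inserts and per-user salted PBKDF2 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, salt BLOB, "
                 "pw_hash BLOB, is_admin INTEGER)")
    for name, pw, admin in USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (name, salt, hash_pw(pw, salt), admin))
    return conn

def login_hardened(conn, user, password):
    # Parameterized query: the user name is bound as data and cannot alter the SQL;
    # the password never reaches the database, only its hash is compared here.
    row = conn.execute("SELECT salt, pw_hash, is_admin FROM users WHERE user_name = ?",
                       (user,)).fetchone()
    if row is None:
        return None
    salt, pw_hash, is_admin = row
    if not hmac.compare_digest(hash_pw(password, salt), pw_hash):
        return None
    return (user, is_admin)

# The textbook tautology the slide's "attack on password field" relies on.
TAUTOLOGY = "' OR '1'='1"
```

Against `legacy_db()` the tautology returns a row without a valid password; against `hardened_db()` it is just a string that matches no hash.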
Red Team: Phase 3 (Evasion)
I: Target hidden directories and files
A: Evade signature-based detection and scan for application back-doors
C: Access the test admin functionality without authenticating
M: Create ghost account for system owner
Analyze
Use SensePost Wikto to identify back-doors
Risk Level: Medium
Conclusion: Back-door may lead to admin functionality
Control & Maintain
Exploit discovered development access to admin functionality
Risk Level: High
Maintain: Create ghost account similar to owner's name
Blue Team: Phase 3 (Detection)
I: Focus on web activity
A: Review logs for problems or malicious activity
C: Clean up production environment and disable ghost account
M: Prevent external access to all admin functionality; access admin functions locally only
Analyze
Web server log files: increased file size and activity
Risk Level: High
Conclusion: Web server scanning discovered a back-door exposing admin functionality (again)
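What "review logs for malicious activity" can look like for this phase, as an added Python example (not from the presentation): parse a short IIS W3C extended log, flag clients whose burst of 404s is the signature of directory and file guessing, and list what those clients then reached successfully, which is the shortlist to check for a back-door. The log excerpt, client addresses and paths are constructed.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C extended log excerpt (example data, not from the presentation).
# The #Fields directive names the columns; 192.0.2.77 probes for hidden directories.
LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-09-16 10:01:02 10.0.0.5 GET /bank/login.aspx 200
2009-09-16 10:01:03 10.0.0.5 POST /bank/login.aspx 302
2009-09-16 10:02:10 192.0.2.77 GET /admin/ 404
2009-09-16 10:02:10 192.0.2.77 GET /backup/ 404
2009-09-16 10:02:11 192.0.2.77 GET /test/ 404
2009-09-16 10:02:11 192.0.2.77 GET /old/ 404
2009-09-16 10:02:12 192.0.2.77 GET /dev/ 404
2009-09-16 10:02:12 192.0.2.77 GET /bank/devadmin/ 200
2009-09-16 10:03:00 10.0.0.5 GET /bank/main.aspx 200
"""

def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue            # other directives and blank lines carry no requests
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records

def flag_scanners(records, min_404s=4):
    """Clients whose 404 count reaches the threshold: directory/file guessing."""
    misses = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in misses.items() if n >= min_404s}

def successful_after_scan(records, scanners):
    """Paths a flagged client reached with a 2xx status: candidate back-doors to review."""
    hits = defaultdict(list)
    for r in records:
        if r["c-ip"] in scanners and r["sc-status"].startswith("2"):
            hits[r["c-ip"]].append(r["cs-uri-stem"])
    return dict(hits)
```

The threshold is deliberately low for the nine-line sample; on a production log it is tuned per site, and the same counting works over a rolling time window.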
Control & Maintain
Remove development back-door and ghost account
Maintain: Prevent unauthorized access to admin tools: use WebKnight to filter on the URL
Risk Level: Low
Maintain
Risk Level: Low
...and retain local admin functionality
Red Team: Phase 4 (Corruption)
I: Identify other opportunities to access back-end data by reviewing details of previous error messages
A: Test access to XML forms
C: Use WebService to transfer funds
M: Re-enable attacker account
Analyze
Risk Level: Low
Identify other non-application opportunities to access the data (captured previously)
Analyze
Test available methods
Risk Level: Medium
Conclusion: Lookup-by-userid method is not restricted
Control
Use the soapUI tool to generate a request
Risk Level: Medium
Control
Risk Level: Medium
Acquire account number using the GetUserAccounts method
Control
Risk Level: Medium
Determine system owner's account balance
Control & Maintain
Risk Level: High
Transfer funds
Maintain: Use WebService to re-enable attacker account
Blue Team: Phase 4 (Assurance)
I: Focus on transaction activity
A: Identify significant banking activity and look for errors
C: Correct unauthorized account transfers, remove offending account
M: Implement authorization between the web application and the WebService
Analyze
Risk Level: High
Identify significant banking activity and account balance discrepancy
Conclusion: Internal WebService exposed externally is allowing unauthorized and unauthenticated access
Control & Maintain
Risk Level: Low
Audit all account activity and reverse unauthorized transactions. Implement manual approval control for large on-line transfers. Restrict the WebService to internal IP addresses only.
Maintain: Implement authentication between the calling application (Hacme Bank) and the web service.
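One way to implement the Phase 4 "Maintain" step, as an added Python example that is not the presentation's or Hacme Bank's code: the front end vouches for an authenticated browser session with an HMAC token bound to the caller, the user and an expiry, and the service's GetUserAccounts handler both verifies that token and refuses lookups for any user other than the one it vouches for, closing the unrestricted lookup-by-userid. The token format, the shared key, the caller name and the account data are assumptions.

```python
import hashlib
import hmac
import time

# Constructed shared secret provisioned to both the web front end and the service.
APP_KEY = b"example-shared-key-rotate-me"
CALLER_ID = "bank-web-frontend"      # the only caller the service will accept

def issue_token(user_id, now=None, ttl=300, key=APP_KEY):
    """Front end: after authenticating the browser session, bind caller, user and expiry."""
    exp = int(now if now is not None else time.time()) + ttl
    msg = f"{CALLER_ID}|{user_id}|{exp}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{msg.decode()}|{sig}"

def verify_token(token, now=None, key=APP_KEY):
    """Service side: return the user id the token vouches for, or None."""
    try:
        caller, user_id, exp, sig = token.split("|")
        exp = int(exp)
    except ValueError:
        return None                  # malformed token
    msg = f"{caller}|{user_id}|{exp}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                  # forged or tampered token
    if caller != CALLER_ID or exp < int(now if now is not None else time.time()):
        return None                  # unknown caller or expired token
    return user_id

# Constructed account store (example data).
ACCOUNTS = {"jv": ["10001", "10002"], "owner": ["90001"]}

def get_user_accounts(token, requested_user_id, now=None):
    """Hardened GetUserAccounts: no valid token -> refused; another user's id -> refused."""
    subject = verify_token(token, now)
    if subject is None:
        return ("unauthenticated", [])
    if subject != requested_user_id:
        return ("forbidden", [])     # the unrestricted lookup-by-userid is closed here
    return ("ok", ACCOUNTS.get(requested_user_id, []))
```

Restricting the service to internal IP addresses, as the slide also requires, is a network control that complements this check rather than replacing it: an authenticated front end can still be tricked into asking for the wrong user unless the service enforces the subject match itself.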
Wrap-Up
Wrap-Up
Design security controls with the attacker's perspective in mind (and vice versa).
Be proactive in the implementation of phased controls.
Validate your controls through ethical hacking to ensure effectiveness.
Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives.
Questions?
Feedback & comments are welcome
Contact information: Kris.Kahn@mac.com 831-419-1256
Tools (downloadable, non-commercial)
Foundstone HacmeBank: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Paros: http://www.parosproxy.org/
SensePost Wikto: http://www.sensepost.com/research/wikto/
SoapUI: http://www.soapui.org/
SQL Express Profiler: http://code.google.com/p/sqlexpressprofiler/downloads/list
WebKnight: http://aqtronix.com/?pageid=99
References (*)
Control Objectives for IT and Related Technology (COBIT), trademarked by the IT Governance Institute (ITGI).
Open System Interconnection (OSI) reference model, developed by the International Organization for Standardization (ISO) in 1984; now considered the primary architectural model for inter-computer communications.
STRIDE Threat Model, conceived, built upon, and evangelized at Microsoft by Loren Kohnfelder, Praerit Garg, Jason Garms, and Michael Howard. Explained further in Writing Secure Code, 2nd Ed. (ISBN 0-7356-1722-8), pages 83-86.
CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for the CISSP curriculum.
APAIN, acronym for Security Architecture, developed by Curtis Coleman in 2001.
RIVET, acronym for Security Management, developed by Kris Kahn in 2004.
Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the Six Sigma curriculum.
Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University.