(ISC)² Links

CATEGORIES

Archives

More...

(ISC)² Twitter Updates

  • (ISC)² Twitter Updates

    About the
    (ISC)² Blog

    • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

      (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

      The postings on this site are the author's own and don't necessarily represent
      (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

      Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

      Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.

      Please click here for FAQs.

      Please click here for the Blog guidelines.

    Enter your email address:

    Delivered by FeedBurner

    13 posts categorized "Cezar"

    23 June 2010

    New SSL Inspection Solutions: Are they helping us or not?

    I saw some presentations and papers about a new technology that is able to decrypts SSL traffic and sends it to existing security and network appliances on high speed networks. This technology enables existing IPS solutions to identify risks normally hidden by SSL such as regulatory compliance violations, viruses, malware, data loss, intrusion attempts, etc.
    This is a very good approach to detect/block those attacks (there are reports showing a increase on attacks using SSL traffic) but I see some risks related.

    • If someone uses this technology to decrypt the traffic and get the info? What are the mitigation actions in place to avoid this?
    • How this technology will handle DDOS attacks? It'll be overloaded?
    • What is the latency that this technology will add on the network?
    • How browsers handle this "man-in-the middle" like security solution?

    There are obvious advantages to adopt such technology but a careful analysis must be in place earlier the adoption to address these risks. This will be a case-by-case study and (at least I believe) that not all companies will be able to deploy such technology due to regulations or compliance.

    Best Regards

    Posted by Alexandre Cezar on 23 June 2010 in Cezar, encryption, Hacking, Insider Risk, IT Security, Network Security | | Comments (1)

    27 April 2010

    Next Generation Firewalls: What's coming?

    I joined some seminars, conferences, read some articles and studies about ongoing developments of new firewall technologies and I would like to mention my thoughts about it. Some of those technologies are already on the market but they're starting to be accepted by.

    Features:
    The next generation firewalls will:

    • Have superior performance (up to 100Gbps);
    • Be deployed on more complex network traffic (MPLS, VPLS);
    • Recognize applications (P2P, Video, Productivity, Web, IM, Skype, Games, etc, even "encrypted/obfuscated ones") for control purposes;
    • Be part of complete security Ecosystems (FW, IPS, Anti-Spam, Anti-Malware, Parental Control, VPN, DPI, Lawful Interception) on a single Blade system;
    • Support Denial of Service attacks detection and mitigation on a cleaning center architecture rather than a simple blind shape;
    • Handle on-line traffic scanning for threat detection with zero delay;
    • Understand traffic patterns and build a intelligent filtering network rather than simple allow/deny rules;
    • Allow more "user oriented rules"than ip oriented rules;

    As network threats evolve, I understand that our protection mechanisms can not remain the same and for firewalls we do not see a "slips forward" for a time.

    I see this "all-in-one" features or "Ecosystem" as a natural evolution of the existing UTM devices. Makes investment cheaper. Management and troubleshooting easier. And are greener than the actual approach to combine multiple security devices to protect a network.

    I'm excited with the possibility to evaluate one of those devices. This shall happen soon.

    I'll post the tests results here in the future.

    A good point here is that the security market is moving forward and for me, it's pointing to the right direction.

    Regards

    Posted by Alexandre Cezar on 27 April 2010 in Cezar, InfoSecurity Sales & Marketing, IT Security, Network Security, Telecom, Web/Tech | | Comments (1)

    29 March 2010

    Why people are not concerned about security on Internet Social tools?

    I'm scared!!!

    With one subject!

    Why people are not concerned about exposing their lives on the Internet? On a way that can put in danger not only themselves but their family and friends.

    I'm writing below some info I collected just looking ramdomly for profiles on some social network websites.

    Phones, credit card numbers, full address, if they have children, how many are they and their names, where they study, where they work, etc.

    You can just find everything about everyone. They're really not concerned with someone they don't know looking their profile searching for something (possible with bad intentions).

    We all read stories about people that met online "friends" and many of them ended very badly.

    So, why does this happen?

    It's because our society lives to deify celebrities and everybody is triyng desperately to get a space on the sun and they expect that somehow they'll get it using these tools?

    Or it's just because they are not aware of the risks?

    What can we (Security Professionals) do about it?

    One sugestion I have is to ISC2 launch some web trainning for regular people teaching about online risks related to social network tools. It might be handy.

    Another thing that must be done is to include basic security concepts as a basic school subject.

    I would like to hear about initiatives related to prevent people about these risks on your countries

    Best Regards

    Posted by Alexandre Cezar on 29 March 2010 in Cezar, Online safety, Privacy, Weblogs | | Comments (4) | TrackBack (0)

    31 January 2010

    What will be the next generation of security tools?

    I was reading a interesting discussion on Linked-In days ago about security technologies tendencies and I became happy to read about some very interesting solutions/technologies that I never heard about it and some others I'm more familiar but with a new approach.

    I will spend some time in the near future to study more some of them and blog the results here but my objective now is to promote a health discussion.

    On the opinion of the ISC2 folks, what will be the next generation of security solutions? And by "next generation" I mean a technology that will evolve or be invented.

    My opinion to start it:

    - Application White-list;
    - More sophisticated financial/regulatory fraud detection tools;
    - Data Encryption 

    Happy 2010 for all

    Posted by Alexandre Cezar on 31 January 2010 in Cezar | | Comments (1) | TrackBack (0)

    30 October 2009

    Another "Cat and Mouse fight" or... Tracking down a botnet

    A while ago the company I work for was hired for a Telecom company to secure their data centers.

    During the initial gap analysis phase, the backbone was hit by a DDos attack and of course we were assigned to try to help.

    The interesting about this case is that we act on a "happening now" scenario instead of the regular "post mortem" case.

    The Evidence: This is a botnet!!!

    Just to baseline everyone

    Whats is a botnet?

    From Wikipedia:
    Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

    While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

    Continuing...

    We deployed a traffic analysis tool to Monitor all traffic at one BRAS aggregation; we could see hundreds of requests going to  http://www.cvsr.ru .

    We checked the DNS server responses (A records) and we saw several different DNS servers answering the requests. We checked some of those and we realized they were all non updated BIND servers and all of them were poisoned.

    Checking the website www.cvsr.ru using a Virtual Machine, we verified that a javascript redirects the user to  http://kodj.ru/cgi-bin/index.cgi?add were finally a client-side exploit was executed.

    Then, we saw that the now zombie machine started to send UDP traffic (port 3074) to different servers (round robin) with a specific payload and finally when a response was issued the infected machine started to send http traffic to a website in Europe. We saw (I repeat) thousands of requests of this type on the backbone only at one aggregation point so if we estrapolate this data and imagine a entire backbone with millions of subscribers connect...How may of them were zombies? And in the entire world....?

    "This tought really scared me..."

    Conclusion

    With this information we could be able to deploy apropriated ACL's in their distribution/border routers to block the UDP traffic and also to block the botnet master servers network. This action reduced a lot the amount of malicious traffic on the backbone.

    Finally we coded a signature to be deployed on their IPS to block the server-zombie payload to at least avoid this botnet to continue spreading itself on this network.

    We also recomended the purchase of a specific Denial of Service Detection/Mitigation solution that can help a lot administrators in this tough task.

    I'll talk further about DDOS Mitigation Devices on a future post

    Best Regards


     

    Posted by Alexandre Cezar on 30 October 2009 in (ISC)2, Availability, Cezar, Network Security | | Comments (0) | TrackBack (0)

    24 September 2009

    Cloud Computing - My concerns

    After a long absence due to long and stressful project "46 hours working straight was common" I'm back

    Sure, I missed to blog here!!!

    I'm reading a lot about Cloud Computing and how fantastic it is, but I have to wonder...

    What about the security aspects????

    Well, no rush...Let's start from the basics

    What's Cloud Computing?

    Cloud computing is a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them.

    The concept generally incorporates combinations of the following:

    • Infrastructure as a service (IaaS).
    • Platform as a service (PaaS).
    • Software as a service (SaaS).
    • Other recent (ca. 2007–09) technologies that rely on the Internet to satisfy the computing needs of users. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers.

    The term cloud is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams and is an abstraction for the complex infrastructure it conceals

    Now, that we all know the very basics about it let's focus on security aspects.

    Cloud Computing Weakness

    A concern I have is related to the 3rd party services in a cloud environment. If we're using this kind of service how do we can assure that this 3rd party provider is securing the data in a apropriated way?

    We need to know where data is stored, how securely it is stored, if supplier employees are security checked, and if the data is properly disposed of.

    Another point that pains me is how robust a cloud can be against a DDOS attack. Some can say "It's a cloud, so by definition it's immune against this type of attacks" but going to real scenarios if a DataCenter that is handling my data is out due this type of attack it doesn't matter if the cloud is still up. My data is unavailable.

    According to Gartner (interesting article), there's more risks that us as security professionals must be aware of:

    Privileged user access - Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.

    Regulatory compliance - Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions."

    Data location - When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in.

    Data segregation - Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability."

    Recovery - Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure is vulnerable to a total failure."

    Investigative support - Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers.

     Long-term viability - Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event.

    There's other articles and comments all over the Internet where we can get more information.

    Conclusion

    Cloud Computing is happening now, soon or later you will need to handle it so it's wyse to get familiar with it now. Understand the benefits and risks involved so you can be better prepared to mitigate or control them.

    Best Regards!

    Useful Links

    http://en.wikipedia.org/wiki/Cloud_computing

    http://www.computerweekly.com/Articles/2009/03/27/235439/security-concerns-for-cloud-computing.htm

    http://cloudsecurity.org/

    http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html

    Posted by Alexandre Cezar on 24 September 2009 in (ISC)2, Cezar, Confidentiality, InfoSecurity Sales & Marketing, Integrity, IT Security, Network Security, Operations Security, Secure Software | | Comments (2) | TrackBack (0)

    13 April 2009

    Telefônica Brasil hit by a massive DNS attack

    Last week, Telefônica Brasil was victim of a large DNS attack that shut down all their DNS farms affecting millions of broadband users for 3 days.

    Additional info can be found at the following locations (portuguese):
    http://tecnologia.uol.com.br/ultnot/2009/04/09/ult4213u703.jhtm
    http://g1.globo.com/Noticias/Tecnologia/0,,MUL1079950-6174,00.html

    6 months ago I wrote a post called "Securing DNS Servers" describing how to implement some security layers to increase the DNS farm performance and overall security.

    It's important for us, Security Professionals to show to companies (Telco, Gov or Enterprises) the risk involved with critical services (like DNS, but not only) and the value of implementing procedures like BCDR. Not forgetting the technologies and services needed to secure the infrastructures.

    The DNS post is located here:
    http://blog.isc2.org/isc2_blog/2008/08/securing-dns-se.html

    Best Regards

    Posted by Alexandre Cezar on 13 April 2009 in (ISC)2, Cezar, Network Security, Operations Security, Telecom | | Comments (0) | TrackBack (0)

    21 January 2009

    Using SIEM tools for Fraud Detection

    Some time ago I was assigned for a project in a Telecom in South America to design, build and deploy a SOC Infrastructure.

    The customer objective was to monitor the network against attacks (vulnerable devices, brute force attacks, etc) and correlate events in order to identify hidden treats (DDOS, scanning, worms) and to identify business and operational frauds.

    I meet the audit team and then I got able to understand where their main frauds happen, some examples were:

    • ADSL and Dial users sharing username/password;
    • ADSL Subscribers connecting with higher speeds than they had hired;
    • Operators accessing the system outside of their working hours;

    We decided to use the same SIEM Tool acquired to do the network security events correlation instead of using a dedicated Fraud Detection System for several reasons;

    • Saves investment;
    • Improves ROI;
    • More freedom to create behavioral rules than using a statistic Fraud system;
    All logs to make these correlations were available but were scattered among several existing systems ( electronic turnstile, access control systems, Radius and Ldap databases, Provisioning System, CRM, etc.) so the first task was to create the proper collectors and apropriate parsings.

    After that, we start developing the correlation rules to identify the "suspicious fraud events" and restricting the event views, reports and alarms to only the Audit team.

    This task took several months but in the end the Audit team obtained a powerful tool that allowed them to easily identify hundreds of violations (operational and business) and also easily to change or add new rules.

    For some companies that have problems to justify the acquisition of a SIEM tool I believe this is a strong argument to convince the upper management. Just be carefull when studying the available SIEM tools because not all of them can be adapted in such way.

    Best Regards and a Happy New Year

    Posted by Alexandre Cezar on 21 January 2009 in (ISC)2, Cezar, Confidentiality, ID theft, Insider Risk, IT Security | | Comments (1) | TrackBack (0)

    19 November 2008

    Data Loss Prevention: Is really necessary to record all IP Traffic?

    Due to Data Loss Prevention (aka DLP) some companies are requested to keep records of the traffic that enters and leaves his networks. The main issue nowdays is that is almost impossible to store all this traffic, per example lets assume a scenario of a 1Gigabit of inbound/outbound traffic link. This will generate something like 6.000 Terabytes of data. Obviously a very expensive storage is necessary.

    The point is:

    Is really necessary to store all IP Traffic? I don't think so.

    The main point here is to extract only the valuable information from the traffic and then storage it. Some techonogies available today (all DPI based) uses complex data filtering algorithms to instead of store all layers of info, extract the necessary content and associate it with the Metadata needed. This will reduce storage and also will reduce processing.

    Let's  take by example the HTTP Traffic

    HTTP is supported by many different applications (browsers, editors, generators, etc). But what really interests is the content itself and not all the data that comes togueter. So to reduce storage is necessary to extract this content, separating it from the application-level information that is of lesser interest, along with just the necessary meta-data (ip source, ip dest, time, etc.).

    More than finantial and military institutions, all companies that deals with high confidential data or classified customers info will be requested to be compliant with Data Loss Prevention requirements.

    Conclusion

    In a DLP project it's always very important to understant wich type of traffic is being generated in the newtork. Understand exactly what needs to be stored (don't forget that you need to remain compliant with regulations), for how long this data need to be stored and them finaly start to specify the solution you need. This can solve time, problems and money.

    Posted by Alexandre Cezar on 19 November 2008 in Cezar, Fraud, IT Security | | Comments (3) | TrackBack (0)

    30 September 2008

    The most vulnerable device in the network

    During a conversation with some folks last week we wondered about what is the most vulnerable device in a network today.

    The answer of almost everyone in the table was:

    Routers...

    So we start talking about risks, how to protect a border router, which hardening actions can be taken in order to improve security, etc. A important point that I noticed is that event nowadays many companies does not implement controls to improve routers security.

    Based on it I decided to write a few notes mentioning risks and hardening actions that can prevent a attacker to be successful.

    Main Risks

    The most obvious risk associate with a compromised or disabled router is that all communications that are forwarded by this router will be disabled  but there are others not so obvious:

    • Use routers to attack internal systems:

    Taking control of routers allows attackers to bypass intrusion detection or prevention systems (depending on network architecture), use it to gain access to restricted networks avoiding to be logged.

    • Use routers to attack external sites:

    Using routers to attack other networks allows a malicious person to initiate attacks very hard to be traced.

    • Reroute all traffic entering and leaving the network:

    An attacker is able to use a compromised router to reroute network traffic to a different path to be analyzed or modified.

    Some important actions that can harder a router and increase security:

    • Implement Access Control

    Every person that access a router must use his own user/pass and the pass cannot be easy to guess.
    Also is important to enforce password encryption.

    • Implement Authorization Control

    Every person shall execute only a limited set of commands related with his activity

    • Secure Remote Administration:

    Some router allows only remote communication based on insecure protocols like Telnet so it's important to restrict it using ACL's.
    Other actions is to allow only console port (not always possible) or to implement a SSH gateway so all users must log in into the SSH gateway
    and then jump to the router.

    • Configure Warning Banners:

    It's important to use banners in order to show that the IT department monitors all activities execute.
    This banner shall be legally sufficient for prosecution of malicious users, to shield administrators from liability and not leak information.

    • Disable Unnecessary protocols (if they're not used):

    Like ICMP, Source Routing, Finger, HTTP, Proxy ARP, etc...

    • Improve SNMP Security:

    It's important to restricted SNMP access to the router and to use non "public" communities and also is important to implement password protection.
    Many routers are just opened due to SNMP default configurations.
    Try to implement SNMPv3 or at least v2c

    • NTP

    Configure NTP for time synchronization (it's important for log analysis and event correlation).

    • Logging

    Deploy an effective logging police that allows security administrators to monitor events and track down intruders.

    • Deploy an Event Correlation Solution

    It's important to use a event correlation solution that helps the SOC/NOC team to identify attackers that are trying to compromise a router.
    This is a powerful tool because it's possible to cross routers logs with IPS's logs, FW 's logs and others to identify threats that can't be identified using only a single source.

    • Use restrictive ACL'S

    To protect the router from non allowed external access (administration, routing exchange info, monitoring, etc).

    • Implement Routing Security

    Routing protocols like OSPF, BGP, IS-IS. etc has their own security best practices so it's important to have it in place if you use it. 

    • Deploy IPS Systems

    Sometimes you can deploy a IPS in front of a router (a lot of controversial about it) with specific signatures to protect the router itself.
    If it's a situation where is possible to do it and you have the budget to do it, why not?

    • Create a Incident Response Plan

    Some steps that must be considered when creating a plan:
        Determine if the incident is an attacker or an accident;
        Discover what happened;
        Preserve the evidence;
        Recover from the incident;
        Identify root causes and manage or mitigate them to prevent from happening again.

    • Enforce Physical Security

        It's important also to restricted access to the device itself to prevent physical attacks or accidents (like someone broking a network interface).

    Conclusion

    A router is a very important device (if not the most important one) and many companies does not put in place appropriated controls. It's important for administrators to be aware that if they do not change this scenario quickly, soon or later they'll have to face themselves with a compromised router.

    Posted by Alexandre Cezar on 30 September 2008 in Cezar, Hacking, Insider Risk, IT Security | | Comments (3) | TrackBack (0)

    Next »

    The (ISC)² bloggers

    • Tipton W. Hord Tipton, CISSP-ISSEP, CAP, (ISC)² Executive Director
      Schmidt Prof. Howard A. Schmidt, CISSP, CISM (Hon.)
      Sarah E. Bohne, Director of Communications & Member Services

    Recent Contributors

    Past Contributors