Thursday, March 26, 2009

Proposal of Web Application Security Metric Framework to Compliance/Configuration Management Vendors (Altiris, BMC, Rational, et al)
Ron Charette, CISSP

In March 2009, OWASP took a survey of 50 companies and found 61% of those surveyed had an independent third-party security review of software code to find flaws before web applications were used live
[1]. This was a new kind of a survey, which attempted to derive benchmarks from software development and how it is associated with spending. Earlier in the month, Jeremiah Grossman of WhiteHat Security Inc. put a call out for metrics on twitter: "Impossible to know what works without outcome based metrics. Limited data on what happened, less on how, and neither is tied[3]." Grossman is on a tear, and we the security community (and ironically also the user community), support him.

It is for the above reasons that this methodology and schema are proposed, which may be built on and used to capture metrics (at this point I'd call them estimates, but it is a beginning) for quantifying costs against the effect of the software cycle. Dare I call it "cost and effect?"


*Which Beans are we Counting?*
In order to capture vital data used to tie back through the software development and security testing cycles, metrics need to be captured, which involve the following phases:
     - Baseline (optional at this time)
     - Configuration Changes
     - Vulnerabilities Found
     - Remediation
     - Mitigation
     - Incident Response
     - Budgeting

Within the above phases, it would then be necessary to capture the following attributes (more to follow):
     - Type/Category
     - Date Completed
     - Severity (phase specific)
     - Rationale (phase specific)
     - Itemized Cost


*What problems does having this data solve?*
Through the collection of the above, it is felt that a historical record will be conceived to provide the information holder with strongly typed information, which then may be transformed into reports or decision points for future budgetary, software, and security-based concerns.

In its present form, thinking a little more data can be captured to add much more value cannot be helped. The benefit of this methodology is that it can be used to scale to virtually any organization or data set. The complement would be to design a schema with the flexibility to use multiple revisions (interoperability) on a technology able to fully harness the information, such as a web service (accessibility). Having this data readily available and interoperable in a universal form could potentially provide a very powerful platform.


*Factoring Budget Considerations*
The most important function of this exercise is also one of the most complex. In the development of software, acquisition cycles are often specialized, and as a result intrinsically laden with processes that do not lend well to providing a single itemized cost. For this reason, a schema is provided to address these accounting functions and to (hopefully) assist in assignment of cost to the metric model.

Worthy of note, the Budgeting schema is not for the already itemized costs placed within the phases, but a roll-up of the organizational or programmatic costs. The intent is to capture these costs and distribute them over the remaining phases once they are sufficiently known and isolated.


*In Support of an XML Schema*
After considering the above, it is then naturally deduced by the author that the typing and scalabilty of XML lend well to the type of data collected and harnessed in this manner. Exact schema to follow.


*Bibliography*
[1] http://www.owasp.org/images/b/b2/OWASP_SSB_Project_Report_March_2009.pdf
[2] http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html?track=sy160
[3] http://twitter.com/jeremiahg/statuses/1263037965


Acknowledgment to
Jason Oliver for providing the fire to work this through.


Creative Commons License

Proposal of Web Application Security Metric Framework to Compliance/Configuration Management Vendors (Altiris, BMC, Rational, et al) by Ron Charette is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License

Friday, July 25, 2008

Smart Cards, Common Access Card (CAC), HSPD-12 and you...

I was searching the Internets for a sensible article, post, anything on the practical application of smart cards and came up with a lot of technical jargon and solutions but not much practical information for the everyday Joe security guy or admin.  Why should I care?  Well, as logical and physical security technologies evolve, the use of a smart card (and a RFID or GPS one at that) seems quite useful as an access replacement to current technologies.  It would only follow that governments and big business will be soon to follow suit in implementing this technology... so why not start making it simple to understand?  

What are smart cards?

OS Insecurity:  How does your favorite OS deal with these scenarios when CAC authentication is enabled?
  • Remote administration
  • Non-Kerberos or non-PKI authentication
  • Services running as users instead of system
  • Emergency root-level access

Microsoft Windows and Smart Cards
  • A user receives an "Unable to log you on because it is required that you use a smart card" message when the user tries to log on to your Windows XP-based computer by using Remote Assistance
    http://support.microsoft.com/kb/893226

  • How to access a network resource that requires username and password authentication when your user account requires a smart card for interactive logon
    http://support.microsoft.com/kb/834432

  • After you use a smart card to unlock a Windows XP-based computer, you are prompted for authentication when you access resources that require NTLM authentication
    http://support.microsoft.com/kb/939850

  • "Local Policy of This System Requires You to Logon Using a Smart Card" Message Appears When You Try to Log On to the Server
    http://support.microsoft.com/kb/832026

  • A scheduled task that is running under a specific account cannot access a shared network resource in Windows XP
    http://support.microsoft.com/kb/887572

  • Services and scheduled tasks cannot log on if a smart card is not present in Windows Server 2003
    http://support.microsoft.com/kb/889505

  • Dell Identity Management Solutions
    http://www.dell.com/downloads/global/power/ps4q06-20070155-IdentiPHI.pdf

These are some initial thoughts... more to follow...
 
Dan Kaminsky's DNS In-Bailiwick Spoofing Vulnerability Find

First off, good on Dan for finding yet another way to break DNS.  By combining previously known loopholes with a new twist, a truly lethal and rather trivial exploit has been found to attack the soft underbelly of recursive DNS servers.  More information on the find below:

Dan's Black Hat Talk (Archived)

US-CERT - Multiple DNS implementations vulnerable to cache poisoning

The Workaround:
There really isn't one.  Non-Internet facing DNS servers talking to non-recursive (authoritative) DNS servers is the closest thing you got to being anywhere near a safe situation.  In simple terms... you are screwed if you use a large ISP to connect to the Internet from home; if you are at a small company that has sharp administrators you might have a fighting chance.

The Problem:
Sure cache poisoning is bad.  However, I'm more interested in what can be done with this exploit... I mean what really can be done.  If I was going to change a DNS server entry, the last thing I would do would be direct www.Google.com to my own website saying, "PWN'T!"  If I were really evil, I would take a DNS entry for a bank and proxy the traffic through a botnet.  In other words, real-world information gathering (and subsequent use) would be my main goal.  Actually, if I were pure evil, this exploit would be used to ends having to do more with the Estonian hack than for my own purposes.  Whatever the case, these scenarios are something I think is fundamental to the problem (improper browser use, email insecurity, and shabby OS and application configuration holes so large you could drive a truck through).

The Fix:
There is a fine line between full-disclosure and stomping on a story.  Here again I would commend Dan.  He kept the problem under wraps so the fix could get organized.  In the end, the cat got out anyway (some say it was 6 months, some say 13 days).  Regardless, this exploit is fundamental to the function of DNS and any suggested fix to the problem only leads to slowing down an attack (days instead of seconds) and does not actually stop it.  To date the only true fix proposed has been DNSSEC.  If I know anything about the Internet, implementing a new protocol only takes... (cough: IPv6) forever.  Anyway, hell if I know what that DNSSEC does.  Sadly, I just know the name... and there in lies my final point.  


Thursday, May 22, 2008

FDCC XP Nessus Compliance Check AUDIT File

If you are interested in performing Nessus compliance checks that produce an 800-53 report for NIST's FDCC XP Baseline; you've come to the right spot... Download Here.  If you don't have any clue what I just said, might as well save your sanity and enjoy this.