Archive for the ‘Technology’ Category

How to address Master Data Management (MDM) challenges for security management?

Sunday, October 16th, 2011

Master data management (MDM) has been very challenging for enterprises, especially for large organizations that have many existing data warehouses, data marts, and operational data stores, together with constant integration or divestiture of businesses, applications, and network environments. Without an effective MDM solution, the same data may be collected in different formats, in different ways, from different systems, and later distributed to many different operational units. This compounds the inconsistency and reconciliation problems for data used across a variety of systems, and causes inconsistent management reporting and decision-making.

MDM enables the whole organization to identify reliable data sources, collect and store data consistently, and distribute and share the master data with integrity across the enterprise systems. For enterprise security management, the most important aspects include asset management, vulnerability management, configuration management, identity and authentication management, and information governance, among others. An effective MDM requires an enterprise architecture that enables and enforces consistent data for all enterprise applications and environments. It requires the logical data model to be defined and maintained throughout the information life cycle, and any change to be distributed consistently. Logical data models need to define the data dimensions, and each dimension defines its required attributes with consistent data definitions. For distribution, systems can provide a SOAP web service or a REST SOA interface through an enterprise service bus (ESB) for real-time data distribution, but in many cases a data dump is used instead because of its simplicity.

Asset inventory should include a static asset inventory system that serves as the standard control list, and dynamic asset discovery to find discrepancies with the live environment and rogue devices. Because inventory tools may only collect certain data fields, in a vendor-specific format, it is preferable to normalize the data with the NIST Common Platform Enumeration (CPE) for system and application representation, or at least to normalize the application name, product name, OS and application version, and patch notation. The same concept applies to business, organization, location, and people contact info. Note that hosts may be multi-homed: one host can have multiple interfaces and potentially multiple DNS hostnames if they are registered in DNS. This requires one more layer of modeling for multi-homed network devices. A well-maintained DNS system will also help identify a single host behind multiple interface IPs. Countermeasure modeling is an important aspect of vulnerability and risk management, as it helps prioritize the risk remediation effort and reduces unnecessary, resource-intensive patching so that true risk can be remediated first.
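The normalization and multi-homed host folding described above, as an added Python example that is not part of the original post: two constructed inventory feeds (a scanner export and a CMDB dump, with assumed field names) are mapped to one record layout with a simplified CPE 2.3-style OS string, interfaces are folded into hosts by their assumed DNS PTR name, and the static control list is reconciled against live discovery.

```python
import re

# Constructed sample feeds: a scanner export and a CMDB dump with different
# field names, formats and OS spellings for the same assets.
SCANNER_FEED = [
    {"ip": "10.1.1.10", "host": "db01.corp.example", "os": "Red Hat Enterprise Linux 5.6"},
    {"ip": "10.2.1.10", "host": "db01-bk.corp.example", "os": "RHEL 5.6"},
    {"ip": "10.1.1.20", "host": "web01.corp.example", "os": "Windows Server 2008 R2"},
]
CMDB_DUMP = [
    {"ipaddr": "10.1.1.10", "fqdn": "DB01.CORP.EXAMPLE", "platform": "Red Hat Linux", "ver": "5.6"},
    {"ipaddr": "10.1.1.30", "fqdn": "app01.corp.example", "platform": "Solaris", "ver": "10"},
]
# Assumed DNS PTR data: every interface address maps to its host's canonical name.
DNS_PTR = {
    "10.1.1.10": "db01.corp.example", "10.2.1.10": "db01.corp.example",
    "10.1.1.20": "web01.corp.example", "10.1.1.30": "app01.corp.example",
}
# Vendor-specific OS spellings -> (vendor, product) for the CPE "o" part (constructed).
OS_ALIASES = [
    (re.compile(r"^(red hat enterprise linux|rhel|red hat linux)\b", re.I), ("redhat", "enterprise_linux")),
    (re.compile(r"^windows server\b", re.I), ("microsoft", "windows_server")),
    (re.compile(r"^solaris\b", re.I), ("sun", "solaris")),
]
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\s+(r\d+))?", re.I)


def to_cpe(os_string, version=None):
    """Map a vendor OS string (plus optional separate version field) to a
    simplified CPE 2.3 OS entry: cpe:2.3:o:<vendor>:<product>:<version>:<update>:*..."""
    for pattern, (vendor, product) in OS_ALIASES:
        if pattern.search(os_string):
            break
    else:
        return None  # unknown platform: leave unnormalized for manual review
    m = VERSION_RE.search(version or os_string)
    ver = m.group(1) if m else "*"
    upd = m.group(2).lower() if m and m.group(2) else "*"
    return f"cpe:2.3:o:{vendor}:{product}:{ver}:{upd}:*:*:*:*:*:*"


def normalize(scanner_feed, cmdb_dump):
    """Translate both feeds into one record layout: ip, dns name, cpe, source."""
    records = []
    for r in scanner_feed:
        records.append({"ip": r["ip"], "name": r["host"].lower(),
                        "cpe": to_cpe(r["os"]), "source": "scanner"})
    for r in cmdb_dump:
        records.append({"ip": r["ipaddr"], "name": r["fqdn"].lower(),
                        "cpe": to_cpe(r["platform"], r["ver"]), "source": "cmdb"})
    return records


def fold_hosts(records, dns_ptr):
    """Collapse interface-level records into hosts.  The DNS PTR name is the host
    key, so a multi-homed box with two IPs and two A records becomes one host."""
    hosts = {}
    for rec in records:
        key = dns_ptr.get(rec["ip"], rec["name"])  # fall back to the feed's own name
        h = hosts.setdefault(key, {"ips": set(), "names": set(), "cpes": set(), "sources": set()})
        h["ips"].add(rec["ip"])
        h["names"].add(rec["name"])
        if rec["cpe"]:
            h["cpes"].add(rec["cpe"])
        h["sources"].add(rec["source"])
    return hosts


def reconcile(hosts):
    """Compare the static control list (cmdb) with live discovery (scanner):
    rogue = seen live but not listed, stale = listed but not seen,
    conflicting = feeds still disagree on the platform after normalization."""
    rogue = sorted(k for k, h in hosts.items() if h["sources"] == {"scanner"})
    stale = sorted(k for k, h in hosts.items() if h["sources"] == {"cmdb"})
    conflicting = sorted(k for k, h in hosts.items() if len(h["cpes"]) > 1)
    return rogue, stale, conflicting


if __name__ == "__main__":
    hosts = fold_hosts(normalize(SCANNER_FEED, CMDB_DUMP), DNS_PTR)
    for name, h in sorted(hosts.items()):
        print(name, sorted(h["ips"]), sorted(h["cpes"]), sorted(h["sources"]))
    print("rogue/stale/conflicting:", reconcile(hosts))
```

With the constructed feeds, db01 collapses into one host with two IPs and two DNS names and a single CPE even though the feeds spell its OS three different ways, while web01 (scanner only) and app01 (CMDB only) surface as the discrepancies to chase.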

Logical data model design tools help with the modeling process; the best-known products are Sybase PowerDesigner, CA data modeler, and E/R data architect. I personally found PowerDesigner and E/R data architect easier to use, and the E/R data architect license cost is the lowest. The normalized data can be stored in an Oracle database, which provides online analytical processing (OLAP) capability.

In all, effective MDM starts with an understanding of the corporate master data requirements and modeling, followed by effective system architecture, tools, and processes for DNS management, inventory collection, data transformation and normalization, interoperable schemas, and data redistribution. Ensuring consistency and correlation among corporate data vaults (warehouses, marts, stores) using standards is key to the reusability of those master data sets, since any new operational process or system can then aggregate the necessary data sets and meaningfully correlate them for a specific purpose. For this reason, the NIST Security Content Automation Protocol (SCAP) should be adopted by vendors and industries so that security data is standardized and interoperable among external feeds and internal systems.

Most commonly used Netscreen firewall commands

Sunday, June 26th, 2011

Netscreen firewalls are very popular firewalls with many features, but they lack the auto command completion found in JUNOS. Below is a reference card of the most commonly used commands, which is handy when working with Netscreen firewalls.

Common usage -> Command  (Comment)

Show what commands are available at the current path (level) -> ?  (This is your best friend if you want to find what commands are available to you)
Show the complete configuration for the system -> get config  (This is all you need for reviewing the configuration)
Show system OS version, interfaces, manager-ips -> get system
Show all the zones -> get zone
Show configured firewall rules -> get policy
Show the traffic log, including denied traffic -> get log traffic  (You can find denial logs here)
Show currently active sessions -> get session
Show BGP config -> get vrouter trust-vr protocol bgp config
Show BGP neighbors -> get vrouter trust-vr protocol bgp neig
Enable BGP -> set vrouter trust-vr protocol bgp enable  (To disable, use "unset")
Update or restore the system configuration from a tftp server -> save config from tftp <ip> <config.file> to flash
Patch the kernel from a tftp server -> save software from tftp <ip> image to flash
Back up the configuration to a tftp server -> save config from flash to tftp <ip> <backupfilename>  (Handy for restoring the configuration)
Back up the system image remotely -> save software from flash to tftp <ip> <backupimagefilename>
Make the firewall manageable by NSM -> set nsmgmt server <primary|secondary> <nsm_ip>  (This sets up NSM manageability for the firewall)
Show NSM manageability info -> get nsmgmt
Set up a read-only user -> set admin user <userid> password <pwd> priv read-only
Find out CPU usage -> get performance cpu
Find out memory usage -> get memory
Show various counters -> get count statistics|flow|policy|screen
Show cluster setup info -> get nsrp
How to set up debug -> debug bgp; debug flow basic; get ffilter; set ffilter src-ip <sip> dst-ip <dip> ip-prot 6; when done: undebug all; unset ffilter  (This useful debug option will show you the policy processing sequence and indicate possible issues such as missing routes or missing rules. Don't forget to unset the filters and the debug flag.)
How to set up a traffic snoop -> snoop info; snoop filter ip ?; clear db; snoop; when done: get db str; snoop off  (This provides snoop/tcpdump-like traffic capture for packet analysis. Do not forget to delete the filters when done.)

How to integrate security into SDLC?

Friday, February 18th, 2011

With the recent headlines about the hacking of Facebook owner Mark Zuckerberg's Facebook account and the NASDAQ breach, we are reminded of the ultimate importance of information security, especially web application security. In today's web-centric world, pretty much every company has branded web sites on the Internet. Internet websites have provided great benefit to end-users and customers, but at the same time they also open the door to hackers and other malicious users. Hackers know that firewalls are open for web traffic and that this is a quick and easy tunnel to the corporate web servers, databases, and even internal systems and applications; as a result, attacks on web applications account for more than half of all attacks according to the most recent report by Verizon and the US Secret Service.
To avoid embarrassment and financial loss, every company nowadays puts tremendous effort and budget into securing applications, especially web applications. One of the most frequent questions is how (web) application security can be improved from the start of the SDLC. With years' experience in designing and implementing applications using half a dozen programming languages, and experience in Vulnerability Analysis and Intrusion Detection, I cannot agree more that security has to be integrated into all phases of the application development life cycle (SDLC), as below. We will delve into how security measures can be accomplished in each phase.

- Security Requirement Collection
- Security Architecture Design and modeling
- Security Implementation
- Security Testing
- Deployment and Operation

Security Requirement Collection
In this phase, the controls have to be designed for the most common vulnerabilities and attacks, such as the input validation mechanism, exception and error handling, the AAA mechanism including password strength and protection in transit and storage, and session management. It is important to consider the classification of data in transit and storage, and then decide the required encryption strength. Defense against buffer overflow and DoS is a must, as they are the most common attacks on C/C++ based applications. Availability is also important, so that the application is resilient to attacks such as DDoS or unexpected component failure. For web applications, it should be standard to prevent attacks such as SQL injection, cross-site scripting, and cross-frame hijacking. One can refer to the more complete lists of vulnerabilities on the OWASP and SANS web sites, among others.

Security Architecture Design and Modeling
A secure application should have the security architecture built in rather than patched and fixed afterwards. One that only has business logic in mind is most likely subject to security issues and attacks. The security of an application lies in its designed security architecture. Security has to be integrated into the application business logic, data flow, and use cases. An object-oriented design (OOD) tool using the unified modeling language (UML) will help identify, model, and document the security measures required by the business requirements.
Note that for the best security, besides the application itself, the network deployment and related database components also need to be in the most secure posture, even though they are typically handled in a different context by different teams.
The increased adoption of cloud computing has presented some challenges to application security, as it is not as clear-cut as the traditional layered application architecture with distinct front-end, application server, and database tiers. As design has evolved towards service-oriented architecture (SOA), this will be the subject of a separate discussion on cloud security.

Security Implementation
The implementation phase is typically where application vulnerabilities get introduced. It could be a logic implementation error, such as not catching all error conditions or not handling all use cases; or it could be the simple mistake of forgetting to close open connections when a session closes. The most dangerous case may be a programmer who lacks sufficient security knowledge, is unwilling to write the additional code for security, and cuts corners to just get the business logic implemented.
For the implementation, it is very important to choose the right programming language. Programming languages have evolved a lot over the past twenty years. At my high school, it was procedural "Basic" (grandpa of Visual Basic), then came "Fortran" and the "C/C++" language. After that came the object-oriented languages such as object-oriented C++ and visual programming.
Needless to say, procedural C programs are the most likely to be exploited, as they can directly address memory space, and it is very difficult for the programmer himself to prevent the loopholes. I confess that I did crash machines a few times with my buggy procedural C/C++ programs in my early period of C/C++ programming. With the ability to manipulate memory addresses (stack and heap pointers), C/C++ has been the popular language for producing exploits and hacking tools.
After some time of procedural C/C++ programming, I came across object-oriented design and programming with C++. I was so much into it, as it is so elegant and easier to debug and extend with objects than with procedures. As Java picked up steam in the mid-1990s, it was a no-brainer that Java is the best choice for security, as it has common objects, memory protection, design patterns, and a security framework built into the language itself. Why should one prefer to write C/C++ code and re-invent the wheel unless one needs the performance or address manipulation of C/C++?
That means: Go, Java, Go! (not 'Diego'!)
Given the security features provided by Java, there are still more security needs to be implemented in the application. Java has buffer-overflow defense built in; however, input validation and logic still need to be implemented properly. The client-server application model is still the most popular design, and it is best to validate on the client side as well as the server side, because client-side validation can be circumvented easily, especially with web browser hacking. In my implementation, I have the XSS JavaScript and SQL injection defense code built into a library. In most cases, building a white list for the input is more secure than a black list, as a black list may not be complete.
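As an added illustration of the server-side whitelist validation, XSS output defense, and SQL injection defense mentioned above (example code written for this page, not the author's own library): a whitelist validator keyed by field, an HTML encoder for reflected output, and a parameterized JDBC lookup beside the string-concatenated form it replaces. The field names, regular expressions, and the users table are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.regex.Pattern;

public final class InputDefense {

    // Whitelist (assumed fields): each field admits only the characters its data needs.
    private static final Map<String, Pattern> WHITELIST = Map.of(
        "username", Pattern.compile("^[A-Za-z0-9_.-]{3,32}$"),
        "zip",      Pattern.compile("^[0-9]{5}(-[0-9]{4})?$"),
        "hostname", Pattern.compile("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9-]+)*$")
    );

    /** Rejects anything that does not match the field's whitelist; never tries to "clean" it. */
    public static String require(String field, String value) {
        Pattern p = WHITELIST.get(field);
        if (p == null) throw new IllegalArgumentException("no whitelist for " + field);
        if (value == null || !p.matcher(value).matches())
            throw new IllegalArgumentException("invalid " + field);
        return value;
    }

    /** Encodes the HTML-significant characters before reflecting data into a page (XSS defense). */
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable form shown only for contrast; the value becomes part of the SQL text:
    //   "SELECT id FROM users WHERE name = '" + name + "'"

    /** Hardened lookup: the value is validated, then bound as a parameter, never spliced into SQL. */
    public static Integer findUserId(Connection db, String rawName) throws SQLException {
        String name = require("username", rawName);
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }   // try-with-resources closes statement and result set even on error
    }

    public static void main(String[] args) {
        System.out.println(require("zip", "94105-1234"));
        System.out.println(htmlEncode("<script>alert(1)</script>"));
        try {
            require("username", "bob' OR '1'='1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The whitelist rejects the quote-bearing username outright, so the parameterized query is a second, independent layer rather than the only one, which is the point of validating on the server even when the client already does.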

Security Testing
In this phase, it is time to put all the previous design and implementation under examination, testing the business logic as well as security and vulnerabilities. For security, vulnerability scanning and penetration testing can be performed with automated tools or done manually. Code review is the best way to find a back-door planted by a programmer (intentionally or just for self-convenience).

Deployment and Operation
After the applications are ready for production, they are deployed into operational mode. At this phase, another layer of security relies on the security awareness of the operations staff. Despite the strictest password protection in the application, operations personnel can be tricked into leaking confidential information through social engineering or impersonation. At this stage, operational security needs to be implemented.
Another risk at this phase is that the application is used in an unintended way, and that use case is not handled or is handled improperly. This is typically hard to detect with vulnerability scanning, as there is no way to tell all the potential uses of the application beforehand. It has to rely on the design and proper logic implementation to catch all the exceptions. However, with security considered and integrated in the SDLC, one can expect that the chance of this type of vulnerability is slim.
In this phase, it is also important to harden the components supporting the applications, such as the OS, web server, database servers, and networking components. As the saying goes, security is only as good as the weakest link. It is a good time to examine the overall security posture of the application with external hacking, fail-safe testing, availability testing, and disaster recovery.

Thoughts on Verizon 2010 Data Breach Investigations Report

Sunday, August 1st, 2010

On July 28th, 2010, the Verizon Investigative Response Team (Verizon IR) and the United States Secret Service (USSS) released the 64-page "Verizon 2010 Data Breach Investigations Report". After reading the report, I feel that this is a very informative report, and would like to highlight and comment on a few top findings that are of special interest to me. Obviously my comments only represent my own opinion, are based on my personal experience in the info sec field, and could be biased.

Here are my highlight and comments on the report.

1. Data collection and aggregation

According to the report, the data used in it is aggregated from Verizon's 2004-2009 paid forensic investigations of confirmed breaches, and from 2008-2009 USSS cases involving confirmed organizational data breaches. While the report provides valuable insight into the data breach landscape of recent years, it would be even better for the report to aggregate USSS cases over the same 2004-2009 period, so that it more faithfully reflects the five-year data breach landscape; or, if only 2008-2009 data were used, the report would be more accurate for the one-year span. Nevertheless, the report is still an excellent mining of aggregated data through the collaboration of both organizations.

2. Top findings on the attacking vectors

The report finds that 70% of data breaches resulted from external agents, and 48% from insiders. One interesting point to note is that insider attacks have increased by 26%. The significant increase in insider threat indicates that internal controls should get more attention, because of the enormous amount of inside information an insider can obtain and use for an attack. Internal information assets and employees are supposed to be "trustworthy", and any suspicious act can easily be "justified", which makes internal control and monitoring more challenging than for external systems or people.

3. Top findings on how the breach happened

The report finds that 48% of data breaches involved privilege misuse (+26%), and 40% resulted from hacking (-24%). The use of stolen credentials was the number one hacking type in both the Verizon and USSS datasets, followed by backdoor exploitation and SQL injection. Recall that in the 2005-2006 Wal-Mart breach, attackers used stolen ex-employee VPN login credentials to get access, and not just one ID but one ID after another, indicating that the company's access control policy was either not in place or not executed well enough. As an analyst who has supported various authentication systems, database systems, and applications, I would say access control and authorization is simple in principle but difficult to implement and maintain, especially for big companies. The issue is not that people do not know how authentication or authorization works. Rather, a company may have many different systems, different organizations, and different levels of access requirements, so not only is it difficult to design and implement a fit-all solution, but even after the solution is in place the requirements change over time while the design is difficult to change. As a result, authentication IDs may stay forever, and authorizations can exceed what is needed and are not updated or deleted in time. Once attackers have some way of learning about these IDs, it is an easy game for them. The report highlighted the importance of proper maintenance of the authentication system and access control. User credentials and authorization are always the first door to secure for any information asset.

Not surprisingly, the report also finds that web application hacking and database server attacks have the highest percentage of breaches and percentage of records in terms of attack pathway. Given the universal accessibility of web applications and their connection to the backend database, it remains critical to secure web applications and databases and to implement monitoring to contain web attacks and database hacking such as SQL injection.

4. How the breach is detected

The report finds that 61% of breaches were discovered by a third party, that 86% of victims had evidence of the breach in their log files, and that 96% of breaches were avoidable through simple or intermediate controls. This may indicate that, for the entities involved in the data breaches, the effectiveness of breach monitoring and detection still needs to be improved, perhaps by allocating more resources, enhancing employees' event analysis skills, and improving the monitoring processes.

5. Two interesting points from the report

I found two points from the report especially interesting. One is that the report finds that "encryption is useless", because "Attackers are adept at maneuvering around a strong control (like encryption) to exploit other points of weakness". I'm not into this finding, because even though, given enough skill and time, any encryption system can be broken into, encryption nevertheless remains one layer of defense in protecting valuable assets. In some cases a hacker may get around the encryption, but in most cases it is still an effective countermeasure to attackers, especially for those attacks that rely on sniffing the data. As in the WWII novel "Top Secret", encryption may not be strong enough forever, but the time to break the system is sometimes more critical than the encryption itself, and the time to get around the encryption depends on the links outside of the encryption itself. A breach through other weak links has no correlation with the effectiveness of the encryption. It simply means that a breach can happen through non-encrypted links.

Another interesting point is that cyber gangs have been increasingly using digital currency. Since money is simply a token of exchange, I'm impressed by the creativity of the hacking community. After all, they need to find an innovative way to make a living too.

6. Summary

Overall I find the Verizon 2010 data breach report excellent. It has highlighted the importance of protecting user credentials and controlling access privileges, and of protecting web applications and databases. It emphasized the importance of effective monitoring, log analysis, and PCI compliance, and makes a good point about filtering outbound traffic for data protection.

With all the numbers and points in the report, prevention of data breaches still relies on the overall company security posture. As always, security is only as strong as the weakest link. To me, the strongest and the weakest link is the people who protect the information assets. People can use or misuse technology, and can develop robust processes or fail to follow the best process. The security of information assets is ultimately dependent on the skill and ability of the team on the job to implement technology and process, and to diligently follow through on the processes. The best employees are always the best security for the company.

p.s.

For readers who have not had a chance to read the report, the original full report is available at the link below:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf



Enterprise Infrastructure Defense In Depth

Saturday, April 17th, 2010

With the evolution of TCP/IP internetworking, enterprise infrastructure is connected to the Internet cloud more than ever, which enables tremendous business opportunities and data communication for the enterprise, but at the same time also exposes the enterprise to various threats and attacks. To protect enterprise infrastructure from known and zero-day attacks, designing and implementing a defense in depth strategy is very important.

To defend in depth, enterprise infrastructure can be loosely segregated into two zones: the perimeter zone and the internal networks/systems. An enterprise typically deploys DMZ Internet web servers, external routers, firewalls, proxies, and Internet DNS servers in the perimeter zone, and the perimeter zone is typically the attack point for external threats and attacks. The defense of the critical perimeter should include routing security, which includes well-designed ACLs, routing redundancy, and routing design. Firewall/proxy/DNS servers need to be hardened according to system security principles to prevent attacks like DDoS and DNS poisoning.

For most enterprises, large or small, web application security is probably the most critical aspect, as web applications are the most convenient and easiest attack target. HTTP is open through the firewall, and there are many known vulnerabilities for pretty much all web servers. The most common attacks include SQL injection, cross-site scripting (XSS), and buffer overflow. OWASP (http://www.owasp.org) is a good resource for web application security.

Equally important to perimeter security, VPN security and the wireless perimeter are often overlooked. In today's mobile world, companies deploy more and more VPN solutions and wireless networks. If not properly secured, enterprise infrastructure could easily be attacked through a VPN client or VPN tunnel, or through wireless hotspots. Because of the distributed and mobile nature of VPN and wireless devices, protecting the VPN and wireless perimeter from attacks makes it even more important to have a defense strategy in place before deploying them.

Even with perimeter defenses in place, internal networks and systems still need to be properly secured so that penetration of the perimeter does not leave the enterprise's critical internal infrastructure wide open to an attacker. This requires implementing system security, application security, and database security for all internal infrastructure components. Insider threat is one particular vector to consider for internal security, especially around impending layoffs, firings, or spin-offs. Appropriate access control, authorization, and audit logging are necessities as part of the defense.

Defense in depth depends not only on physically segregating the infrastructure into the zones above for protection, but also, logically, on integrating security into network design, application design and secure coding, database design, and continuous system hardening. Besides defense through technology, employee security awareness training and bulletproof operational procedures should be included as part of defense in depth, along with processes for security monitoring and breach detection.


What’s the latest technology trend to watch?

Thursday, January 7th, 2010

As technology evolves, innovation never stops, and as busy as we are as technologists, we cannot afford to be blind to where the latest technology is headed. So what is the latest trend in technology development that you see as worth keeping an eye on?

I believe the following technologies will have a big impact on our technical work and daily life:

1. Unified communication networks and device

Long gone are the days when people had to carry several devices for paging, calling, or entertainment. Companies such as Apple and Google have been rushing to offer unified communication devices that integrate voice, messaging, music, and the web into one single device. VoIP has been widely adopted for a while. I think it is really cool to carry one single device anywhere to make calls, play music, watch video (or movies, or even TV), check email, view web pages, and do conference calls, among other things.

2. Social Networking

Social networking sites such as Twitter, LinkedIn, Facebook, and Myspace offer a convenient channel for like-minded people and businesses to connect with each other. These sites, I believe, are especially useful to marketers, and offer a terrific sales channel for businesses. Even though sometimes I think there are just too many social networking sites, they are still useful to everyone if used appropriately and responsibly.

3. Cloud Computing

With the expansion of the Internet and the evolution of web applications, cloud computing enables people and businesses to use Software-as-a-Service (SaaS), primarily for cost saving and convenience. A company with a tight budget no longer needs to buy hardware or software itself, but can instead buy usage of hardware or software through cloud computing providers. Because applications, infrastructure, and services are shared, there are legitimate data security concerns about cloud computing, but it is still a technology trend that is gaining momentum.

4. Server and Storage Virtualization

As companies strive to consolidate data centers and reduce the number of servers and the amount of storage space, server and storage virtualization technology is being aggressively developed and adopted by more and more companies. Just wait to see what the extreme of virtualization can be.

5. Localized Service

Even a company as big as Google has only a limited market share in some countries such as China and Russia, where localized search companies like Baidu dominate. The world is too big, and people and places on the earth are too diversified; it demands localized services for shopping guides, search, or positioning, of course through Internet web services. This is an interesting niche and trend to watch.


Welcome page

Sunday, January 3rd, 2010

Welcome. I hope that my blog will provide some insight into the IT technology that I'm most experienced with: firewall, IDS, VA, database, and application development. I will share my knowledge, experience, thoughts, and feelings, and hope you will share yours too in the comments.

Life is short, let blog keep it long alive!