Sunday 31 December 2006

Computer Crime, UK Laws

Here in the UK computer crime is covered by The Computer Misuse Act of 1990. You can read the details here.

As of November 2006 an update to this law has been passed that makes it illegal to launch a DoS (Denial of Service) attack within the UK. Details of the update can be found here.

Further interesting details on UK Computer Law can be found by following this link.

The Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 may also be of interest.

"It is not giving children more that spoils them; it is giving them more to avoid confrontation." - John Gray

Pen Testing Methodologies

There are three methodologies that are used by Penetration Testers. The methodology is usually selected by the client depending on their requirements. The three methodologies are:

White Box Model
Black Box Model
Grey Box Model

With the White Box Model the Pen Tester is given details of the technology in use by the company, the network topology etc. and given permission to interview and liaise with the employees and IT staff.

The Black Box Model is the exact opposite: the tester is usually given no information other than the name of the company, and the staff of the company are not even told that the Pen Tests are being conducted.

The Grey Box Model is a hybrid of the two previous models: some information will be given to the Pen Tester, but not a lot. What information is given will depend on the client.

"So, let us not be blind to our differences - but let us also direct attention to our common interests and to the means by which those differences can be resolved." - John F Kennedy

Friday 22 December 2006

OOP Classes and Inheritance

A Class is a user defined reference type that encapsulates data and is controlled through programming constructs called Properties, Constructors, Methods and Events. The Class encapsulates data such as Constants and Fields.

To work with a Class you create an *Instance* of a Class called an *Object*. An Object can be thought of as a ‘live’, ‘active’ version of a Class. A Class can effectively be thought of as the blueprint of an Object.

Generally you work with members of the Object (Methods, Events etc.); you can, however, work with some members of the Class itself. These are called Static Members.

From the one Class many Objects can be created; each is totally self contained and has its own values. The members of an object are:
        Properties
        Methods
        Fields
        Events

The members are stored on the *Heap* and a pointer within the Object contains a *Reference*, the memory location of that particular piece of data.

Inheritance allows you to create a new Class using an existing Class as a template. The inherited Class is called the Derived Class and the original Class is called the Base Class. The Derived Class can then be extended to include additional functionality that was not available within the Base Class.

Inheritance is one of the cornerstones of Object Oriented Programming.
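The points above (one Class, many independent Objects; Static Members belonging to the Class; a Reference being a location rather than a copy; a Derived Class extending a Base Class) in a small Python example. This is added here and is not code from the original post; the Account and OverdraftAccount classes are constructed for illustration.

```python
class Account:
    """Base Class: the blueprint from which any number of independent Account Objects are created."""
    CURRENCY = "GBP"            # a Constant held by the Class, shared by every Object
    instances_created = 0       # a Static Member: belongs to the Class, not to any one Object

    def __init__(self, owner: str, balance: float = 0.0):
        self.owner = owner          # Fields: every Object carries its own values
        self.balance = balance
        Account.instances_created += 1

    def withdraw(self, amount: float) -> float:
        """A Method: operates on this Object's own Fields."""
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return self.balance


class OverdraftAccount(Account):
    """Derived Class: inherits Account's members and extends them with an overdraft limit."""
    def __init__(self, owner: str, balance: float = 0.0, overdraft_limit: float = 100.0):
        super().__init__(owner, balance)        # let the Base Class set up the inherited Fields
        self.overdraft_limit = overdraft_limit  # additional functionality not in the Base Class

    def withdraw(self, amount: float) -> float:
        """Overrides the Base Class Method with a rule that allows the balance to go negative."""
        if amount > self.balance + self.overdraft_limit:
            raise ValueError("overdraft limit exceeded")
        self.balance -= amount
        return self.balance


def reference_demo() -> tuple:
    """Two Objects from one Class are independent; two names bound to one Object share it.

    Returns (alice's balance, bob's balance, whether alias refers to the same Object as alice).
    """
    alice = Account("alice", 50.0)
    bob = Account("bob", 50.0)      # a second Object: its own Fields, untouched by changes to alice
    alias = alice                   # copies the Reference (the location on the Heap), not the Object
    alias.withdraw(20.0)            # so this changes the one Object that alice also refers to
    return alice.balance, bob.balance, alias is alice
```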

"The shoe that fits one person pinches another; there is no recipe for living that suits all cases." - Carl Jung

Friday 15 December 2006

SSCP: Quantitative Risk Analysis

Here are some terms and calculations for Quantitative Risk Analysis as used with the Risk, Response and Recovery Domain of the SSCP CBK.

Exposure Factor (EF), expressed as a percentage: the harm or loss caused by a presumed successful attack or threat.

Single Loss Expectancy (SLE), a monetary value (£): SLE = Asset Value * EF

Annual Rate of Occurrence (ARO), a probability: the probability of the risk occurring, where 1.0 = guaranteed to happen.

Annual Loss Expectancy (ALE), a monetary value (£): ALE = ARO * SLE

Return on Investment (ROI), multiply by 100 for ROI %: Annualised Cost of Countermeasures (Risk Mitigation) / ALE
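The calculations above carried through in Python, with a small risk register ranked by ALE and a before/after comparison for a countermeasure. This is an added example, not part of the original post; the asset values, exposure factors and occurrence rates are constructed figures, and the countermeasure_benefit function (ALE removed minus annual cost) is a common cost/benefit check that the post itself does not define.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * EF. EF is the fraction (0.0 to 1.0) of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0.0 and 1.0")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO * SLE. ARO is how many times a year the incident is expected (1.0 = once a year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def roi_percent(annual_countermeasure_cost: float, ale: float) -> float:
    """The post's ROI figure: annualised cost of countermeasures divided by ALE, times 100."""
    return annual_countermeasure_cost / ale * 100


def countermeasure_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a control: the ALE it removes minus what it costs. Negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


@dataclass
class Risk:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(single_loss_expectancy(self.asset_value, self.exposure_factor), self.aro)


def rank_by_ale(risks: list) -> list:
    """Risk register ordering: highest ALE first, which is where mitigation budget should go first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def worked_example() -> dict:
    # Constructed figures: a file server worth £200,000; a disk failure destroys 25% of its value
    # and is expected once every four years (ARO 0.25).
    sle = single_loss_expectancy(200_000, 0.25)        # 50,000
    ale = annual_loss_expectancy(sle, 0.25)            # 12,500
    # A backup service costing £3,000 a year cuts the exposure factor to 5%.
    ale_after = annual_loss_expectancy(single_loss_expectancy(200_000, 0.05), 0.25)   # 2,500
    return {
        "sle": sle,
        "ale": ale,
        "ale_after": ale_after,
        "benefit": countermeasure_benefit(ale, ale_after, 3_000),   # 7,000 a year in its favour
        "roi_percent": roi_percent(3_000, ale),                     # 24.0
    }
```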

"The best way to keep one's word is not to give it." - Napoleon Bonaparte

Tuesday 12 December 2006

Some Notes on IP Addressing ...

I have cobbled together these notes that explain some of the finer points regarding IP Addressing.

IP Addresses

An IP Address is split into a Network Portion and a Host Portion.

A host number cannot be all zeros or all 255s. All zeros in the host portion refers to the network itself, e.g. 54.0.0.0. All host bits set to 255 is the Broadcast Address: for network 203.176 the Broadcast Address is 203.176.255.255.

A Class A Network allows 16,777,216 Hosts
A Class B Network allows 16,384 Hosts
A Class C Network allows 254 Hosts

Looking at the first octet of the 32 bit address you can determine what class of address it is: A value of 126 or less means that you are looking at a Class A address, 127 is the loopback address, 128 through 191 is a Class B address and 192 through 223 is a Class C address. Numbers above 223 are reserved.

The chart below shows this in an easily digestible format:

1 to 126: Class A
128 to 191: Class B
192 to 223: Class C

RFC 1918 gives the address range 192.168.XXX.XXX as available to anybody to use for private LAN networking. In addition the 10.XXX.XXX.XXX network and 172.16.XXX.XXX networks are also available for private use. These addresses will not work on the internet as they are non routable.

Subnet Masks:

255.0.0.0 Class A
255.255.0.0 Class B
255.255.255.0 Class C


Classless Inter-Domain Routing (CIDR)

CIDR networks are described as Slash X networks, where X is the number of bits in the IP address range that ICANN controls; you get what's left. For example, a Class C is known as a Slash 24 network since ICANN has the leftmost 24 bits and you have the rightmost 8 bits. See the examples below:

ICANN bits (Slash X)    Subnet Mask
Slash 8                 255.0.0.0
Slash 16                255.255.0.0
Slash 24                255.255.255.0
Slash 28                255.255.255.248
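The class chart, the network/broadcast rule, the RFC 1918 ranges and the Slash X masks above, worked through in Python with the standard library's ipaddress module. This is an added example rather than code from the original post: mask_for_prefix derives the mask for any prefix length so every row of the table can be checked, and describe shows that under CIDR the first octet's class no longer fixes the mask (a 203.x.x.x address can sit in a /16). The RFC 1918 middle block is written as 172.16.0.0/12, which is the full range the RFC reserves.

```python
import ipaddress


def address_class(ip: str) -> str:
    """Classful lookup from the first octet, as in the chart above."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 0:
        return "reserved"
    if first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "reserved"   # 224 and above: multicast and experimental space


def mask_for_prefix(prefix: int) -> str:
    """Dotted-quad mask for a /prefix network: the leftmost `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


# RFC 1918 private blocks. The middle block is 172.16.0.0/12, i.e. 172.16.0.0 to 172.31.255.255.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address is in private space and so will not be routed on the internet."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in RFC1918)


def describe(cidr: str) -> dict:
    """Network address, broadcast address and usable host count for an address written as a.b.c.d/prefix."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address, not only the network
    return {
        "class": address_class(str(net.network_address)),
        "mask": str(net.netmask),
        "network": str(net.network_address),       # host bits all zero
        "broadcast": str(net.broadcast_address),   # host bits all one
        # the all-zeros and all-ones host numbers are not assignable; /31 and /32 leave none by this rule
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": is_rfc1918(str(net.network_address)),
    }
```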

"Do not trust all men, but trust men of worth; the former course is silly, the latter a mark of prudence." - Democritus

Monday 11 December 2006

Securing the Network: 14

Securing The Network
The Final Post on Corporate Security Issues for the Non Technical

This post covers:
                Employee Education
                Security Testing
                Summary

Employee Education
Good security is impossible to implement without the cooperation of the users and employees.

To this end investment in security training and briefings is likely to pay dividends. Posters should be placed around the working area highlighting key information relating to security threats and reminding users of their responsibilities.

Security cannot be delegated to one department and each and every user should understand that they have a part to play. Training and education for the users in basic security threats should be mandatory.

A lot of excellent material, including leaflets and posters, is available from the Department of Trade and Industry (DTI) website.

Security Testing
To ensure that your security policies are enforced it will be necessary to implement Security Testing. Security Testing can be carried out in any and all of the following ways:

Drills
Penetration Testing
Query Employees
Review the Procedures

In many cases the only way to adequately test your security is through the use of a third party company.

Summary
In this series of posts I have attempted to explain many of the Network Security concepts in layman’s terms, and to cover the majority of relevant topics.

I hope the information presented in this series of posts is of benefit to someone.

"If you can find a path with no obstacles, it probably doesn't lead anywhere." - Frank A Clark

Sunday 10 December 2006

Securing the Network: 13

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Disposal and Destruction
                Employee Exit Procedures

Disposal and Destruction
It is a little known fact that even following a format, data can be recovered from your computer's hard disk by a determined hacker. This makes it essential that when disposing of old computers, unless you physically destroy them, you must go to some lengths to make sure that the data that was contained on the computer cannot be recovered.

There are various methods that can be used to securely wipe the data from a hard disk. It is important that you select a method that offers the level of protection you require and then use it. Always.

Employee Exit Procedures
When an employee leaves the company, or announces their intention to leave, this should trigger a sequence of documented events that are related to the job they do or did. For example the series of steps to be taken when the IT Manager leaves are different to the series of steps to be taken when a Production Operative leaves.

This series of steps should incorporate the removal of their access card, token, key or any other device they have that can be used to gain physical access to your premises.

Their access to the computer network via remote means should also be removed and any access to confidential data prior to their departure should be logged.

Each and every employee should have an exit interview where their responsibilities to the company are discussed as are any restrictions that are placed upon them contractually.

"You're only given a little spark of madness. You mustn't lose it." - Robin Williams

Securing the Network: 12

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Social Engineering
                Disaster Recovery and Business Continuity

Social Engineering

‘The art and science of getting people to comply to your wishes’ (Source: Bernz 2), ‘an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system’ (Source: Palumbo), or ‘getting needed information (for example, a password) from a person rather than breaking into a system’ (Source: Berg).

In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (Source: Sarah Granger)

Social Engineering is probably one of the biggest threats we face in security and the one we can protect against the least. We have to rely on our employees to question and be vigilant. To do that we need to make them aware of security and the issues surrounding it. See the section on Employee Education.

Reverse Social Engineering
This is where the attacker assumes a position of authority and gets the victim to freely offer information and ask advice. This requires a high level of skill, preparation and research.

Disaster Recovery and Business Continuity

A Disaster Recovery and Business Continuity plan is essential. If the worst happens you want to be able to refer to a document that covers the steps to take to enable you to be back up and running without delay.

The scope of DR and BC could encompass everything from a server crashing and data being lost, to the building going up in flames.

Many companies have a ‘cold’, ‘warm’ or ‘hot’ site standing by to be used in the eventuality of the main place of work being destroyed through fire, flood, terrorist activity or something similar.

A Cold Site generally refers to an empty building, a Warm Site refers to a building with maybe desks and networking and a Hot Site refers to a building that is fully fitted with everything including computer systems, ready to have the backups loaded and be up and running in a very short space of time.


Definitions

Disaster Recovery Plan: Provides procedures for recovering from a disaster after it occurs and also documents how to return the normal IT functions back to the business.

Business Recovery Plan: Addresses how business functions will resume after a disaster, preferably at an alternate site.

Business Resumption Plan: This addresses how critical systems and the functions of the business will be maintained.

Contingency Plan: This addresses what actions can be performed with regard to the normal business activities after a disaster.

"Live neither in the past nor in the future, but let each day's work absorb your entire energies, and satisfy your widest ambition." - Sir William Osler

Wednesday 6 December 2006

Securing the Network: 11

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                IDS (Intrusion Detection Systems)
                Encryption

IDS (Intrusion Detection Systems)

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.

Sometimes, a distinction is made between misuse and intrusion detection. The term intrusion is used to describe attacks from the outside, whereas, misuse is used to describe an attack that originates from the internal network. However, most people don't draw such distinctions.

The most common approaches to ID are statistical anomaly detection and pattern-matching detection.

Intrusion Prevention Systems
Quite often discussed in the same context are IPS (Intrusion Prevention Systems). Intrusion prevention systems were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of Intrusion Detection Systems, they continue to be related.

An IPS is very similar to an Application Layer Firewall.
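The two approaches named above, pattern matching and statistical anomaly detection, run side by side over a constructed set of web server access log lines. This is an added example, not code from the original post: the log lines, the two signatures (a path traversal pattern and an SQL injection pattern) and the z-score threshold are all constructed for illustration, and a real network-based ID system would work on packet data rather than a finished log.

```python
import re
import statistics
from collections import Counter


def log_line(src: str, request: str, status: int = 200) -> str:
    """Build one constructed access-log line in the common web server format."""
    return f'{src} - - [11/Dec/2006:09:00:00 +0000] "{request}" {status}'


# Constructed sample: eight ordinary visitors, one traversal attempt, one injection attempt,
# and one host making thirty requests where everybody else makes one.
LOG_LINES = (
    [log_line(f"10.0.0.{i}", "GET /index.html HTTP/1.1") for i in range(1, 9)]
    + [log_line("10.0.0.9", "GET /../../etc/passwd HTTP/1.1", 404)]
    + [log_line("10.0.0.10", "GET /item?id=1' OR 1=1-- HTTP/1.1", 500)]
    + [log_line("10.0.0.99", "GET /login?user=a HTTP/1.1") for _ in range(30)]
)

# Pattern-matching detection: known-bad fragments in the request line.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
}

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse(line: str):
    """Split a log line into source, timestamp, request and status; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines: list) -> list:
    """Pattern matching: return (source, signature name) for every request that hits a signature."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["req"]):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(lines: list, z_threshold: float = 2.0) -> list:
    """Statistical anomaly detection: flag sources whose request count sits far above the population.

    Uses a z-score against the per-source counts in this batch; with too little spread there is
    no baseline to deviate from, so nothing is flagged.
    """
    counts = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    if len(counts) < 2:
        return []
    mean = statistics.mean(counts.values())
    spread = statistics.pstdev(counts.values())
    if spread == 0:
        return []
    return [(src, n) for src, n in counts.items() if (n - mean) / spread > z_threshold]
```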

Encryption
IPSec
IPSec (IP Security) is based on the concept of a shared secret. The encoding and decoding of the information can only be done if the two devices share a piece of key information. This means that the data can be captured but not understood unless the third party shares the secret.

IPSec was designed to support the secure exchange of packets at the IP Layer. IPSec supports two modes of operation, Transport and Tunnel. Tunnel is the most secure and is the one we are most likely to be familiar with as it is widely used in the VPN (Virtual Private Network) domain.

The primary protocol used by IPSec for exchanging the secret is called Internet Key Exchange (IKE). Most of the IKE exchange process is based on a mechanism called OAKLEY, which works with assorted key exchange modes. Another similar mechanism also used by IKE is SKEME, this supplies IKE with the method of Public Key Encryption and its fast re-keying facility.

RSA
RSA was developed by three mathematicians, Ron Rivest, Adi Shamir and Leonard Adleman. This system uses a Public and Private Key. It is probably the most popular method for Public Key Encryption, and digital signatures, in use today.
RC4
RC4 was also invented by Ron Rivest and is used in certain commercial systems such as Netscape and Lotus Notes. It has a bit size of 2048 which makes it a fast and strong cipher.
AES
AES (Advanced Encryption Standard) is a block cipher that has been adopted by the US Government. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, developed AES as Rijndael. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

In June 2003, the US Government announced that AES may be used for classified information:
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

"You can't turn back the clock. But you can wind it up again." - Bonnie Prudden

Saturday 2 December 2006

Securing the Network: 10

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Malware
                Pod Slurping
                Instant Messaging

Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words ‘malicious’ and ‘software’. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, ‘Virus’ is used in common parlance and often in the general media to describe all kinds of Malware.

Software is considered Malware based on the perceived intent of the creator rather than any particular features. It includes computer Viruses, Worms, Trojan horses, Spyware, Adware, and other malicious and unwanted software.

(Source: WikiPedia)

Pod Slurping
The most popular MP3 player, the Apple iPod, has sold 60 Million units since 2001. In addition to the iPod there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data, (possibly confidential data) onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address as it will not go away. These portable devices are getting smaller and their capacity is increasing.

Instant Messaging
Instant Messaging using tools such as MSN Messenger, Windows Live Messenger, Skype, AOL IM and ICQ has become a standard application for many of us. These tools do however have their risks.

It is important that a policy is in place that covers the use of Instant Messaging within your organisation, a policy that should be rigorously enforced by the IT Department.

Content sent to your employees via IM tools completely bypasses your perimeter network defenses and, due to the ignorance of most people where these matters are concerned, poses a very real threat.

"He who promises more than he is able to perform, is false to himself; and he who does not perform what he has promised, is a traitor to his friend." - George Shelley

Friday 1 December 2006

Securing the Network: 9

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Penetration Testing

Penetration Testing is an attempt to break the security of a computer system or network, under instruction from the owners or maintainers of that facility. It is an attempt to simulate an attempted break in by a computer savvy criminal. A Penetration Test gives a snapshot of the security at a moment in time, and is not a full security audit.

If a criminal attempts to breach your computer network they will generally follow a sequence of five steps:
        Reconnaissance
        Scanning
        Gain Access
        Maintain Access
        Cover Tracks

It therefore makes sense that a Penetration Test follows a similar, although obviously not identical, sequence of events.

Planning and Preparation
This stage involves a meeting between the Penetration Tester and the Client. Key areas to be covered are: Scope, Objective, Timing and Duration. In addition documents must be signed to cover the Penetration Tester and the Client, generally in the form of a Non Disclosure Agreement (NDA).

Information Gathering and Analysis
This next stage involves the Penetration Tester finding as much information as possible about the company he will be asked to target. His first stop will probably be the company's own website; from there he may consult services such as www.netcraft.com. The information he is looking for is Domain Names, Server Names, ISP Information, Host Addresses and anything else that will help him build a picture of the target. The second part of this process involves Port Scanning and OS (Operating System) Fingerprinting.

Vulnerability Detection
If Stage 2 has been successful then the Penetration Tester now has all the information he needs to make the decision as to what hosts to target, and with what vulnerabilities. Some techniques he may use at this stage include Password Cracking, SQL Injection, Rootkit, Social Engineering and Physical Security.

Analysis and Reporting
This is where the Penetration Tester reports back to his Client. The information he is going to present to the client, includes the following:
        An Overview of the work done
        Detailed Analysis of all Vulnerabilities
        Summary of Successful Penetration Attempts
        Suggestions for the next step

Finish Up
This is where the Penetration Tester makes sure that anything he has done in the course of his work will have no effect when he has finished. For example he will remove any backdoors and additional user accounts that he has created, leaving the system how he found it.

The above is a quick overview only of the procedures that may be followed by a Penetration Tester while undertaking their assignment.

"There are no secrets to success. It is the result of preparation, hard work, and learning from failure." - Colin Powell