Daniel Schatz: It is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisationPosted: April 3, 2014
Interview with Daniel Schatz – Director for Threat & Vulnerability Management
Let’s first discuss how you ended up doing threat and vulnerability management. What is your story?
I actually started off as a Banker at Deutsche Bank in Germany but was looking for a more technical role so I hired on with Thomson Reuters as Senior Support Engineer. I continued on to other roles in the enterprise support and architecture space with increasing focus on information security (as that was one of my strong interests) so it was just logical for me to move into that area. I particularly liked to spend my time understanding the developing threat landscape and existing vulnerabilities with the potential to impact the organisation which naturally led me to be a part of that team.
What are you working on at the moment and what challenges are you facing?
On a day to day basis I’m busy trying to optimise the way vulnerability management is done and provide advice on current and potential threats relevant to the organisation. I think one of the challenges in my space is to find a balance between getting the attention of the right people to be able to notify them of concerning developments/situations while doing so in a non-alarmist way. It is very easy to deplete the security goodwill of people especially if they have many other things to worry about (like budgets, project deadlines, customer expectations, etc.). On the other hand they may be worried about things that they picked up on the news which they shouldn’t waste time on; so providing guidance on what they can put aside for now is also important. Other than that there are the usual issues that any security professional will face – limited resources, competing priorities with other initiatives, etc.
Can you share your opinion on the current security trends?
I think it is less valuable to look at current security trends as they tend to be defined by media/press and reinforced by vendors to suit their own strategy. If you look at e.g. Nation state cyber activities; this has been ongoing for a decade at least yet we now perceive it as a trend because we see massive reporting on it. I believe it is more sensible to spend time anticipating where the relevant threat landscape will be in a few months or years’ time and plan against that instead of trying to catch up with today’s threats by buying the latest gadget. Initiatives like the ISF Threat Horizon are good ways to start with this; or follow a DIY approach like I describe in my article
What is the role of the users in security?
I think this is the wrong approach to ask this question to be honest. Culture and mind-set are two of the most important factors when looking at security so the question should emphasise the relationship of user and security in the right way. To borrow a phrase from JFK – Do not ask what users can do for security, ask what security can do for your users.
How does the good security culture look like?
One description of culture I like defines it as ‘an emotional environment shared by members of the organisation; It reflects how staff feels about themselves, about the people for whom and with whom they work and about their jobs.’ In this context it implies that security is part of the fabric of an organisation naturally weaved in every process and interaction without being perceived to be a burden. We see this at work within the Health & Safety area, but this didn’t happen overnight either.
How one can develop it in his/her company?
There is no cookie cutter approach but talking to the Health & Safety colleagues would not be the worst idea. I also think it is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisation and recognise how their piece of the puzzle fits in. Pushing for security measures that would drive the firm out of the competitive market due to increased cost or lost flexibility is not a good way to go about it.
What are the main reasons of users’ non-secure behaviour?
Inconvenience is probably the main driver for certain behaviour. Everyone is unconsciously constantly doing a cost/benefit calculation; if an users expected utility of opening the ‘Cute bunnies’ attachment exceeds the inconvenience of ignoring all those warning messages a reasonable decision was made, albeit an insecure one.
What is the solution?
Either raise the cost or lower the benefit. While it will be difficult to teach your staff to dislike cute bunnies, raising the cost may work. To stick with the previous example, this could be done by imposing draconian punishment for opening malicious attachments or deploying technology solutions to aid the user in being compliant. There is an operational and economic perspective to this of course. If employees are scared to open attachments because of the potential for punishment it will likely have a depressing consequence for your business communications.
Some will probably look for ‘security awareness training’ as answer here; while I think there is a place for such training the direct impact is low in my view. If security awareness training aims to change an organisations culture you’re on the right track but trying to train users utility decisions away will fail.
Thank you Daniel!
Interview with Konrads Smelkovs – Incident Response
Could you please tell us a little bit about your background?
I work at KPMG as a manager, and I started working with security when I was around thirteen years old. I used to go to my mother’s work, because there was nobody to look after me. There used to be an admin there who used to run early versions of Linux, which I found to be rather exciting. I begged him to give me an account on his Linux box, but I didn’t know much about that, so I started searching for information in Altavista. The only things you could find there was how to hack into Unix, and there were no books at the time I could buy. I downloaded some scripts off the internet and started running them. Some university then complained that my scripts were hacking them, though I didn’t really understand much of what I was doing. So my account got suspended for about half a year, but I got hooked and found it rather interesting and exciting, and developed an aspiration in this direction. I then did all sorts of jobs, but I wanted a job in this field. So I saw an add in the newspaper and applied for a job at KPMG back in Latvia, 6 or 7 years ago. I was asked what it is I could do, and I explained to them the sort of things I had done in terms of programming: “a little bit of this, a little bit of that…”, I did some reading about security before the interview, and they then asked me if I could do penetration testing. I had a vague idea of what it entailed, because I understood web applications quite well. So I said, “yeah, sure. I can go ahead and do that because I understand these things quite well.”
What are you working on at the moment?
In the past I used to focus mainly on break-ins. Now people resort to me for advice on how to detect on-going intrusions, which takes up a large portion of my time at the moment, but more at a senior level. I do threat modelling for a corporation. I have to know how to break-in in order to give them reasonable advice, but it’s mainly in the form of PowerPoint presentations and meetings.
When you develop threat models for corporations, how do you factor in insider threats as well as the human aspect of security?
I believe the industry oscillates from one extreme to the other. People spoke a lot about “risk” but they understood very little about what this risk entailed. They then spoke about IT risks, but it was more of a blank message. Then it all became very entangled, and there was talk about vulnerability thinking: “you have to patch everything.” But then people realised that there is no way to patch everything, and then started talking about defence strategies, which pretty much everybody misunderstands, and so they started ignoring vulnerabilities. This especially happened because we all had firewalls, but we know that those don’t help either. So what we are trying to do here is to spread common sense in one go. When we talk about threat models, we have to talk about who is attacking, what they are after, and how they will do it. So the “who” will obviously have a lot of different industry properties, why they are doing it, what their restrictions and their actions are and so on. Despite the popular belief in the press, in The Financial Times, CNN, and so on, everybody talks about the APT, these amazing hackers hacking everything. They don’t realise that the day-to-day reality is quite different. There are two main things people are concerned about. One of them is insider threats, because insiders have legitimate access, and just want to elevate that access by copying or destroying information. The second is malware, which is such a prevalent thing. Most malware is uploaded by criminals who are not specifically after you, but are after some of your resources: you are not special to them. There are very few industries where there is nation-state hacking or where competitive hacking is current. So when we talk about threat models, we mainly talk about insider threats within specific business units and how they work. This is what I think people are most afraid of: the exploitation of trust.
How do you normally advice executives in organisations about proper information security? Do you focus on building a proper security culture, on awareness training, technological/architectural means, or what do you consider is the most important thing they should keep in mind?
We need to implement lots of things. I believe that a lot of the information security awareness training is misguided. It is not about teaching people how to recognise phishing or these sort of things. It is about explaining to them why security is important and how they play a part in it.
Very few insiders develop overnight and I believe that there is a pattern, and even then, insiders are rare. Most of the time you have admins who are trying to make themselves important, or, who out of vengeance, try to destroy things. So whenever you have destruction of information, you have to look at what kind of privileged access there is. Sometimes people copy things in bulk when they leave the company, to distribute it to the company’s competitors.
So lets say you develop a threat model and present it to the company, who’s executives accepted and use to develop a policy which they then implement and enforce. Sometimes, these policies my clash with the end-users’ performance and affect the way business within the company is done. Sometimes they might resist new controls because privileges get taken away. How would you factor in this human aspect, in order to avoid this unwanted result?
Many companies impose new restrictions on their employees without analysing the unwanted result it may lead to. So for example, if companies don’t facilitate a method for sharing large files, the employees might resort to Dropbox which could represent a potential threat. Smart companies learn that it is important to offer alternatives to the privileges they remove from their employees.
How do you go by identifying what the users need?
They will often tell you what it is they need and they might even have a solution in mind. It’s really about offering their solutions securely. Rarely is the case when you have to tell them that what they want is very stupid and that they simply should not do it.
Finally, apart from sharp technical skills, what other skills would you say security professionals need in order to qualify for a job?
You have to know the difference between imposing security and learning how to make others collaborate with security. Having good interpersonal skills is very important: you need to know how to convince people to change their behaviour.
Thank you Konrads.
In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.
Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.
On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:
- Modicon Momentum PLC
- Rockwell Automation MicroLogix 1100 PLC
- Siemens S7 1200 PLC
- Small embedded RTU device
The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.
If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
Conducting an awareness training or explaining complex information security concepts can be simplified and made fun through gamification. It is possible to learn more about information security simply by playing card games. Please see below for the three games you can download for free, print and start playing today.
1. Playing with application vulnerabilities
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
2. Playing with threat modelling
Elevation of Privilege (EoP) is the easy way to get started threat modelling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
The EoP card game helps clarify the details of threat modelling and examines possible threats to software and computer systems.
The EoP game focuses on the following threats:
- Information Disclosure
- Denial of Service
- Elevation of Privilege
An academic-style paper explains the rules motivation and lessons learned in creating the game
The VOME project created a card game to support the discussion and teaching of issues of online privacy and consent. Players make decisions about what information characters might reveal to others and what they keep to themselves.
According to the authors, the main idea behind the game is to use the rules to model the way that information flows around the online environment. In real life, these flows are complex and often hidden. In the game it is possible simplify the relationships and decisions, and provide immediate feedback on the effects of those decisions
In 2013 the Cloud Security Alliance released a report, which identifies and describes 9 significant threats to Cloud computing . This report was conducted through a survey of experts and intends to help companies in their Risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organizations that have tried to set up standards for best practices for secure cloud computing. They further try to offer guidance and security education.
The identified threats are listed in accordance to their severity:
1. Data Breaches: Data breaches occur when sensitive information of a company falls into the hands of its competitors and cloud computing introduces new ways of attack [1,3].
2. Data Loss: Data Loss can happen in several ways and is a terrifying thought for businesses. Accidental deletions by the CSP or physical catastrophes are examples of possible ways of loosing data in the cloud. Another example is if the consumer encrypts the data before uploading it to the cloud but then looses the encryption key [1, 3].
3. Account or Service Traffic Hijacking: There are different ways an account can be hijacked such as social engineering. If an attacker is able to get access to an account he can access, for example, sensitive data, manipulate it, and also redirect transactions [3, 9].
4. Insecure APIs: Services provided by CSPs can be accessed through APIs and therefore the security of the cloud depends also highly on the security of these APIs. Weak credentials, insufficient authorization checks and insufficient input-data validation are some problems that can arise with APIs [3, 9].
5. Denial of Service (DoS): Cloud System Resources are being overused by an attacker, which prevent users from being able to access their data or applications [1, 3].
6. Malicious insiders: This threat refers to the fraud, damage or theft of information and misuse of IT resources caused from inside the CSP [3, 9].
7. Abuse of Nefarious Use: CSP are known to have weak registration processes and therefore can give easy access to attackers. Possible impacts include decoding and cracking of passwords and executing malicious commands [1, 3].
8. Insufficient due diligence: Some companies do not have the right resources and understanding of the cloud environment to correctly evaluate the risk associated with responsibilities. Some implications can be contractual issues and operational and architectural issues .
9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability could compromise the entire provides cloud .
Vulnerabilities in the Cloud
Vulnerability is the second factor companies have to consider when assessing the risk of migrating data to the cloud. Even though many types of vulnerabilities exist, when identifying them it is important to make sure they are cloud specific.
What makes a Vulnerability cloud specific?
According to the research conducted in  there are several criteria, which can be met by a vulnerability to make it cloud specific.
- Virtualization, service- oriented architecture and cryptography are examples of core technologies of cloud computing. A Vulnerability is cloud specific if it is frequent and fundamental to these core technologies.
- Elasticity, resource pooling and pay-as-you go mode are example on the other hand of cloud characteristics . A Vulnerability is cloud specific if its root cause is in one of those characteristics.
- Another criteria that makes a vulnerability cloud specific is if it hard to implement existing security controls to cloud innovations.
- The last criteria they mention is that it has to be frequent in established state-of-the-art cloud services
Knowing what makes a vulnerability cloud specific one can then identify vulnerabilities in the cloud. The paper  has identified in total 7 major vulnerabilities of cloud computing:
1 Session Riding and Hijacking: This vulnerability is related to web applications weaknesses. Session Hijacking is unauthorized access is gained through a valid session key . Session riding on the other hand is when the attacker sends commands to a web application by tricking the user open an email or to visit a malicious website .
2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more service are built on top of cloud computing infrastructures. In case of a failure a large amount of Internet based services and applications may stop working. The paper  give the example of an event in 2008 when Amazon’s Web Service cloud storage infrastructure went down for several hours. This caused data loss and access issues.
3. Insecure Cryptography: One of the fundamental problems in cryptography is the random generation of numbers. If numbers used in cryptographic algorithm are not truly random flaws can be found easily. The Virtual machines used on the cloud do not have enough sources of entropy and are therefore susceptible to attacks .
4. Data Protection and Portability: This vulnerability addresses the questions of what happens with the sensitive data in case of contract termination or in case the CSP goes out of business .
5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. Given that many virtual machine can exist in the same location increases the attack surface for the attacker .
6 Vendor Lock-in: The vulnerability lies in companies being dependent on the CSP they have initially chosen. Inconsistencies between CSPs and lack of standards make it hard for companies to switch providers .
7. Internet Dependency: Cloud Computing is very much dependent on the Internet. Users usually access services through web browsers. Some critical operation such as Healthcare systems needs to be up and running 24 hours. The question arises in situations where the Internet is not reliable .
Having identified the risks of cloud computing it is then possible to assess which data or applications should be migrated and how much security is needed. Further, it is possible to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may come in various forms such as policies, procedures, software configurations, and hardware devices .
For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as , , and  give possible solutions to these risks. Some of them are for example Identity and access management guidance for the threat of account or service hijacking . The CSA has issued a report to provide a list of best practices such as separation of duties and identity management . For the threat of data leakage for example the main countermeasure is encryption [8, 6].
Even though there are many countermeasures that have been identified a good practice for companies is to have a good Service Level agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider and should cover aspects such as security policies and their implantation and also should discuss legal issues in case of misuse of services . The CSA further has come up with a framework that can assist in looking at the aspects of Governance, Risk and Compliance (GRC) in a company’s IT policy when adopting a new solution. Their framework assists in assessing Clouds provided by CSPs against established best practices and standards.
We have looked at Threats and Vulnerabilities and come to conclude that there are still several issues to cloud computing that need to be solved. Therefore, it is only understandable that companies still view cloud computing skeptical and do not adopt it as an option without consideration. Companies themselves should ensure through service level agreements that they get the security they need. Further we are able to see through organizations such as the Cloud Security Alliance that there are efforts in trying to create standards and help companies in choosing the right provider.
 Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. “Seven Deadly Threats and Vulnerabilities in Cloud Computing.” International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).
 Brunette, Glenn, and Rich Mogull. “Security guidance for critical areas of focus in cloud computing v2. 1.” Cloud Security Alliance (2009): 1-76.
 Cloud Security Alliance, “The Notorious Nine Cloud Computing Top Threats in 2013”, Cloud Security Alliance, 2013, [Online]
 Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. “A survey of risks, threats and vulnerabilities in cloud computing.” In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.
 Grobauer, Bernd, Tobias Walloschek, and Elmar Stocker. “Understanding cloud computing vulnerabilities.” Security & Privacy, IEEE 9, no. 2 (2011): 50-57.
 Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1 (2013): 5.
 Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. “Cloud security issues.” In Services Computing, 2009. SCC’09. IEEE International Conference on, pp. 517-520. IEEE, 2009.
 Munir, Kashif, and Sellapan Palaniappan. “Secure Cloud Architecture.” Advanced Computing: An International Journal (ACIJ), 4 (1), 9-22. (2013).
 Yu, Ting-ting, and Ying-Guo Zhu. “Research on Cloud Computing and Security.” In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.
BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The manuals section provides you with simple information in order to get up and running with Back|Track and help with some additional features unique to the suite.
Nmap –free open source tool for network analysis and security audits.
nmap -A -T4 localhost
-A to identify operating system, trace and scan with scripts
-T4 configure time parameters (scale 0 to 5, higher the number – higher the speed)
localhost — target host
You can use “slow comprehensive scan” to get more detailed information pertaining target system
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO –script all localhost
For more information please refer to Nmap Reference Guide
Hydra is a flexible and fast password auditing tool which supports numerous protocols and parallelization.
Nikto – Open Source (GPL) web-scanner. This tool can help you find undeleted scripts (such as test.php, index_.php, etc), database administration utilities ((/phpmyadmin/, /pma, etc) and many more typical errors on target website.
To use simply start with:
/nikto.pl -host localhost
Acunetix – very easy to use web vulnerability scanner. Free version still has great functionality and can help checking web applications for SQL Injection, XSS & other web vulnerabilities
Nessus – very powerful free for home use web-scanner, which helps security auditors identify available running services on target system, check for potential security misconfiguration and many more
It is possible to use Nmap to analyze ports, identify services and Metasploit to exploit vulnerabilities depending on service (ssh, ftp, etc.)
Armitage – tool that can help you test network for vulnerabilities. Basically, it is a GUI for Metasploit Framework and Nmap. It visualizes targets, collects data and makes whole process of penetration testing easier
And to test all of these for those of you, who interested in vulnerability analysis, reverse engineering, debugging,, exploit development and privilege escalation, you can refer to Linux hacking challenges. This project has several virtual machines, exercises and manuals to help you improve your skills.
Here are some additional TOP lists of tools for penetration testing
Top 100 Network Security Tools
Top 10 Web Vulnerability Scanners
Top 10 Vulnerability Scanners
OWASP Top 10 Tools and Tactics
Web-based Application Security Scanners
Web Application Security Scanner List by WebAppSec
The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.