InfoSecNirvana

Twitter account

noreply@blogger.com (InfoSecNirvana) — Fri, 29 Jan 2016 08:50:00 +0000

I plan to do more updates on my Twitter feed @nairsaj. When I have more content to write about, I will post it here.

More artifacts through PowerShell - Part 6

noreply@blogger.com (InfoSecNirvana) — Sat, 26 Sep 2015 16:06:00 +0000

MsiInstaller events.

Applications that use Windows Installer logs both installation and removal events; these are available on the 'application' event log. These are extremely useful in identifying malicious application installs.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11707} | select TimeCreated,ID,Message |ft -auto -wrap

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11724} | select TimeCreated,ID,Message |ft -auto -wrap

There are many other events related to MsiInstaller; if you need to see all, filter the application log for event source of MsiInstaller.

Get-EventLog -LogName application -Source MsiInstaller

Service start and state change events.

If you want track the services when they started, here is a one liner:

Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7045} | select TimeCreated,ID,Message |ft -auto -wrap

Note that configuration changes and state changes for a service is tracked by event ID 7036; this is already part of the LRUP code.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7036} | select TimeCreated,ID,Message |ft -auto -wrap

Symantec Risk log.

Symantec logs the risks identified in application event log; to get the specific log, issue this one liner:

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=51} | select TimeCreated,ID,Message |ft -auto -wrap

Volume Shadow Copy shutdown events.

Some of the malware may shutdown the VSS; the below one liner will give you more information on this log.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=8224} | select TimeCreated,ID,Message |ft -auto -wrap

LRUP code has a one liner to show the shadow copies created in a system; it's given below as well.

Gwmi -ea 0 Win32_ShadowCopy | select DeviceObject,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.InstallDate)}}

More artifacts through PowerShell - Part 5

noreply@blogger.com (InfoSecNirvana) — Mon, 03 Aug 2015 11:54:00 +0000

MS Office Trust Records.

When documents are downloaded from untrusted sources, a "trust" prompt is shown to the user when the user wants to edit the document. The full path of the document is saved under the below registry key when this happens.

Software\Microsoft\Office\*\PowerPoint\Security\Trusted Documents\TrustRecords (* should be replaced with the version of the MS Office installed in the system but for PowerShell gathering, we can still use the * as shown below:)

gp hkcu:'\Software\Microsoft\Office\*\Excel\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*

gp hkcu:'\Software\Microsoft\Office\*\PowerPoint\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*

gp hkcu:'\Software\Microsoft\Office\*\Word\Security\Trusted Documents\TrustRecords' | select * -ExcludeProperty PS*

Want to see all with one command?

gci -r hkcu:'\Software\Microsoft\Office\*\*\Security\Trusted Documents' | select -ExpandProperty Property

References:

http://blogs.technet.com/b/office2010/archive/2009/09/28/trusted-documents.aspx

http://forensicartifacts.com/2012/07/ntuser-trust-records/

Decrypting UserAssist key entries.

Forensic use of UserAssist keys are well known. It primarily stores information about actions the user took with the Shell; actions such as starting applications, double clicking shortcuts, etc. Entries in the UserAssist keys are ROT13 encrypted, the encrypted entries can be viewed by issuing the following one liner.

gp "hkcu:\Software\Microsoft\Windows\Currentversion\Explorer\Userassist\*\Count" | ft -auto -wrap

In order to decrypt the entries, we can use the function provided in this blog.

References:

http://forensicartifacts.com/2010/07/userassist/

http://blog.didierstevens.com/programs/userassist/

Chrome Local Storage entries.

Local storage in Chrome browser is part of HTML5 specification; it is designed to store persistent data (even after the browser is closed) local to the system such as the cookies. This is in SQLite format but can be accessed through PowerShell to get a rough idea about the web sites visited.

Here is the one liner for this:

dir $env:LOCALAPPDATA\'Google\Chrome\User Data\Default\Local Storage' | Sort-Object LastWriteTime -desc

Reference:
http://www.html5rocks.com/en/tutorials/offline/storage/

More artifacts through PowerShell - Part 4

noreply@blogger.com (InfoSecNirvana) — Sat, 04 Jul 2015 12:18:00 +0000

Typed URLs - alternate location.

The main script LRUP already contain many IE related artifacts; here is one more that we can add to the list.
Under APPDATA, the system keeps a log of the URLs typed into the address bar to provide auto suggestion of the URLs that are being typed in. This log can be viewed using the Get-Content CmdLet.
gc $env:LOCALAPPDATA\temp\structuredquery.log

DLLs and vendor information.

If you need to filter out the DLLs identified in the system that are non-Microsoft related, use the below one liner. For more information, check Trevor Sullivan's article.

$ProcExes = Get-WmiObject -Class CIM_ProcessExecutable; foreach ($item in $ProcExes) {[wmi]"$($item.Antecedent)" | ? { $_.Manufacturer -ne 'Microsoft Corporation' } | select FileName,Extension,Manufacturer,Version |ft -auto -wrap}

Application Compatibility related.

Application compatibility is a feature that can make older programs that have compatibility problems work better in Windows 7 and Windows 2008 operating systems.

System tracks the programs installed under the below registry key. Note that it "stores the list of all programs for which it came up under the following key for each user, even if no compatibility modes were applied (e.g. in the case where the user reported that the program worked correctly)" - MSDN link

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

In PowerShell, this can be gathered through the following one liner:

gp hkcu:'\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted' | select * -ExcludeProperty PS*

Since it is taken from HKCU location, it is an indication that the particular user ran these programs.

References:

https://msdn.microsoft.com/en-us/library/bb756937.aspx

http://journeyintoir.blogspot.in/2013/12/revealing-program-compatibility.html

More artifacts through PowerShell - Part 3

noreply@blogger.com (InfoSecNirvana) — Sun, 28 Jun 2015 08:29:00 +0000

The main LRUP code lists many event logs that are useful in an incident response scenario. In this section, let's look some additional event logs that are going to be useful to collect.

Firewall related.

The below log shows the firewall rule changes and other actions such as profile changes.

Get-winevent -logname "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | ft -auto -wrap

Network related.

The below log shows the time when a network is changed from a home network to office network.

Get-winevent -logname Microsoft-Windows-BranchCache/Operational | ft -auto -wrap

The below log shows when a network connection was made.

Get-winevent -logname Microsoft-Windows-NetworkProfile/Operational | ft -auto -wrap

Below log should be checked to see the RDP logins. More information on the event IDs is available at this MS link.

Get-winevent -logname Microsoft-Windows-TerminalServices-LocalSessionManager | ft -auto -wrap

Driver related.

Looking at the below log helps identify code integrity issues related to bad drivers or unsigned drivers. More information is available at this MSDN link.

Get-winevent -logname Microsoft-Windows-CodeIntegrity/Operational | ft -auto -wrap

Speaking of drivers, we can use the below command to get a listing of PnP related driver information.

Get-WmiObject -Class Win32_PnPEntity | select Caption,Name,Service

When a device is attached the computer, Windows attempts to detect the device type and install the appropriate driver so that it can communicate and control the device.

Completion of a device driver installation attempt gets recorded as an event ID 20001 message in the 'System' event log. The message provides device identification information and a status code for the device installation process. Devices that install successfully log an Event ID 20001 message with a status code of 0. To see this event, we can use the below one liner.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=20001} | select TimeCreated,ID,Message |ft -auto -wrap

More artifacts through PowerShell - Part 2

noreply@blogger.com (InfoSecNirvana) — Sun, 21 Jun 2015 10:14:00 +0000

Quickly identify a login event.

Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | ft -auto -wrap

Quickly identify a login event for a particular user.

Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like ‘*john*’ } | ft -auto –wrap

Quickly identify a login event for multiple users.

Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like ‘*john*’ -or $_.message -like ‘*jane*’} | ft -auto –wrap

Quickly identify login events between two dates.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/1/15";EndTime="5/31/15"} | ft -auto –wrap

Login events for a particular user between two dates.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/25/15";EndTime="5/30/15"} | where {$_.message -like ‘*john*’ } | ft -auto –wrap

Quickly identify error events for previous day.

  Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap

Error events for a specific source such as NETLOGON

Get-EventLog -LogName System -EntryType error -Source NETLOGON -After (Get-Date).AddDays(-1) | ft -auto -wrap

As a reminder, you can export any of these into a text file with the 'out-file' option; an example:

Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap | out-file c:\event.txt

More artifacts through PowerShell - Part 1

noreply@blogger.com (InfoSecNirvana) — Sat, 20 Jun 2015 12:07:00 +0000

Identify currently logged in user.

If the requirement is to get only the logged in user along with the time of login then use "whoami' or "quser".

To see the privileges assigned for the currently logged in user.

whoami /priv /fo csv | convertfrom-csv | ft -auto -wrap

To identify the user profiles created.

User profiles can be checked by looking at the below registry location using Get-ItemProperty CmdLet.

Get-ItemProperty hklm:'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |Select-Object PSChildName, ProfileImagePath | ft -auto -wrap

To identify users and processes that were started.

There are multiple commands that can be used but the builtin command 'qprocess' is the optimal one. It is similar to tasklist, but produces better output. It shows username, session id, pid, and image name.

Another useful command is 'qwinsta'. This builtin command shows RDP sessions as well.

'quser' is another useful command; this shows the logged in users, session name, time, etc. This command is extremely useful in a server environment.

To see if the user is part of administrator group.

net localgroup administrators .This command will show all the users that are part of the group 'administrators'.

PowerShell updates

noreply@blogger.com (InfoSecNirvana) — Sun, 07 Jun 2015 12:31:00 +0000

Have received many questions offline on the use of PowerShell and how we can get the desired artifacts from Windows system. While I have responded to most of those, I haven't gotten opportunity to update them here. I will try and update them here in a series of posts in the coming days.

The commands and options I will be posting are to be used in addition to the already published commands in the LRUP code and the SANS paper.

LRUP code is available here.

Howto - Creating a ZIP file of LRUP outputs

noreply@blogger.com (InfoSecNirvana) — Mon, 30 Sep 2013 12:31:00 +0000

One of the requests I got was to combine the output of all the text files and compress it so that a single file can be sent by the user from their machine to the IR analyst.

If you want to use an external tool like 7-Zip that can be processed from the command line, it is easy to implement. However, if you want to use an in-built tool or script then there are multiple options.

There is a CodePlex project for this, check out http://powershellzip.codeplex.com/

As an another option, take a look at David Aiken's post from MSDN.

Relevant portions of the code along with the option to combine the various text files is listed below:

function New-Zip
{
param([string]$zipfilename)
set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
(dir $zipfilename).IsReadOnly = $false
}

new-zip $UserDirectory\desktop\$CompName-$User-$Date.zip

function Add-Zip
{
param([string]$zipfilename)

if(-not (test-path($zipfilename)))
{
set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
(dir $zipfilename).IsReadOnly = $false
}

$shellApplication = new-object -com shell.application
$zipPackage = $shellApplication.NameSpace($zipfilename)

foreach($file in $input)
{
$zipPackage.CopyHere($file.FullName)
Start-sleep -milliseconds 500
}
}

gci $UserDirectory\desktop\$CompName-$User-$Date-Level1.html | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-HostsFile.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-OpenFiles.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-AuditPolicy.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

gci $UserDirectory\desktop\$CompName-$User-$Date-FirewallConfig.txt | add-Zip $UserDirectory\desktop\$CompName-$User-$Date.zip

#Clean-up routine

rm $UserDirectory\desktop\$CompName-$User-$Date-Level*.html

rm $UserDirectory\desktop\$CompName-$User-$Date-*.txt

LRUP Code published

noreply@blogger.com (InfoSecNirvana) — Sat, 31 Aug 2013 05:29:00 +0000

Code used in the paper is now available from the CodePlex site.

https://infosecnirvana.codeplex.com/

This is a version 2.0, which is optimized for PowerShell V2. All new updates will be available at the CodePlex site from now on.

Comments and suggestions can be posted here.

SANS Gold paper on PowerShell

noreply@blogger.com (InfoSecNirvana) — Sat, 24 Aug 2013 05:25:00 +0000

I have been working on a paper for the SANS Gold certification. The topic I chose was Live Response using PowerShell.

It was a great experience writing it and learning a great deal of stuff on Windows operating system and PowerShell.

Finally, early this week I got the confirmation from SANS that it has been approved and published.

Paper is available on SANS reading room web site and direct download is available here.

Look for more details on the code and other developments in later posts.

Programming knowledge in the field of DFIR

noreply@blogger.com (InfoSecNirvana) — Sun, 28 Jul 2013 01:48:00 +0000

Harlan recently blogged about programming knowledge in DFIR field, link is here. It made me realize my own experience in scripting and how it helped gain more knowledge.

I started learning Unix shell scripting when I was working as a system administrator. For sysadmins it is an invaluable tool to automate both simple and complex tasks. Later, as a network administrator, scripting knowledge came handy in automating tasks such as device monitoring using SNMP, configuration backup, making simple configuration changes, log analysis, etc.

When I moved to the DFIR field many years ago, scripting knowledge came handy particularly in log analysis. When you have month's of apache, proxy and firewall logs to sift through, knowledge of scripting becomes extremely handy. Other areas it is useful include PCAP analysis, Snort device management, manipulating outputs from scanning tools such as NMAP, getting system statistics, doing quick analysis of a system during or after an incident, forensic analysis, etc.

In order to make a script or program to work, you need more understanding of the system and in that process you seek more knowledge. In my view it helps you immensely in any area of work as technology professionals. As Harlan pointed out, you don't need to be an expert programmer, you just need to know the fundamentals and an aptitude for learning. With that basic knowledge, when there is a need to do something that is not currently supported or offered by existing tools you can create your own steps to achieve that task. It may not look pretty in the eyes of an expert programmer but as long as it can satisfy your requirement, you are good to go.

If you are a Unix person, start with shell scripting and then learn Perl and/or Python. If you are a Windows person, PowerShell is an extremely useful tool or scripting language to automate multitude of tasks. It is getting more popular as Microsoft bundles it with most of their new products. If you are from a Unix shell scripting background, it would be real easy to learn PowerShell as they use the similar concepts. Even otherwise, it's a simple language to learn.

As scripting and automation is a subject of immense interest to me, I started learning PowerShell a while ago. I hope to show some of the usefulness of PowerShell in coming weeks.

New NIST draft document - Computer Security Incident Handling Guide

noreply@blogger.com (InfoSecNirvana) — Sun, 12 Feb 2012 07:16:00 +0000

NIST released a new draft document on Computer Security Incident Handling. This is the second version of the original document that was released in 2008.

This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents.

It is a great reference document for folks trying to implement a new program and for folks to tweak their existing program.

Here is a list of major recommendations:

Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security.
Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications.
Organizations should document their guidelines for interactions with other organizations regarding incidents.
Organizations should prepare generally to handle any type of incident and more specifically to handle common incident types.
Organizations should create written guidelines for prioritizing incidents.
Organizations should use the lessons learned process to gain value from incidents.

The document is available from the following link

http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf

NIST requests comments on this document by March 16th, 2012. If you would like to submit comments, submit it to "800-61rev2-comments@nist.gov" with "Comments SP 800-61" in the subject line.

Registry Decoder - A new registry analysis tool

noreply@blogger.com (InfoSecNirvana) — Sun, 29 Jan 2012 10:47:00 +0000

Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.

It is much similar to Harlan's RegRipper. It can perform the analysis on the live system as well as the saved hive files. To acquire the currently in-use registry files, Registry Decoder creates a System Restore Point on the target machine. This ‘freezes’ and generates a read-only backup of the current registry files.

In the current version, the offline component is able to process a number of evidence types including:

1. Individual registry files
2. Full disk images
3. Partition images
4. Databases created by the online acquisition component of Registry Decoder

The analysis tasks it performs include:

1. Hive Viewing
2. Hive Searching
3. Plugins. Currently has 30 plugins
4. Hive Differencing to find the differences between two registry hives
5. Reporting

The online acquisition component can be accessed at: http://code.google.com/p/regdecoderlive/ and the offline analysis component accessed at: http://code.google.com/p/registrydecoder/.

Some of the screen shots from my system are below:

Club Penguin data loss

noreply@blogger.com (InfoSecNirvana) — Sun, 04 Dec 2011 08:28:00 +0000

Club Penguin is an online gaming site that offers a virtual gaming world for kids. It also offers the players an option to kind of social network, which made it very popular among the kids.

Dataloss DB recently published a data loss involving this gaming site, where 309 usernames, e-mail addresses, passwords and IP dumped on the pastebin site by hacker(s).

The links to the dataloss db and the pastebin sites are below. If your kids have accounts in Club Penguin, I highly recommend changing the passwords immediately.

http://datalossdb.org/incidents/5050-309-usernames-e-mail-addresses-passwords-and-ip-dumped-on-web-by-hacker

http://pastebin.com/Bzxpc1RF

InfoSec - Weekly Roundup

noreply@blogger.com (InfoSecNirvana) — Sun, 04 Dec 2011 01:16:00 +0000

Mandiant released a new version of their popular memory analysis tool, Redline. Redline accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Read the related blog post below

https://blog.mandiant.com/archives/1996

NSRL database is being updated. "The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations. Link for the NSRL database is below.

http://www.nsrl.nist.gov/

FTC recently reported that Facebook has agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. Check the below link from FTC for more information.

http://www.ftc.gov/opa/2011/11/privacysettlement.shtm

The big risk item people are talking about is the Carrier IQ key logging software installed on many phones, which allows the carriers to gather many details of you browsing habits. More information is available at the below links.

https://threatpost.com/en_us/blogs/demo-carrier-iq-agent-android-120111

http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/?mod=snippet

Impact of malware - Scientific American magazine article

noreply@blogger.com (InfoSecNirvana) — Sun, 30 Oct 2011 07:03:00 +0000

Scientific American magazine published an article on the impact of malware and what we can do about it.

Here are some of the comments from the article.

"We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. We can’t always recognize it even if we are looking right at it."
"Like a thriller character who discovers he doesn’t know whom to trust, cybersecurity experts start running through the options."

This is a very interesting article and if nothing else, it helps spread awareness. I have reported in my blog multiple times how the main stream media is covering the new way of attacks and privacy issues. Now, other types of media started covering these issues as well. The more aware general Internet users about these issues, better prepared they would be.

The article link is below:

http://www.scientificamerican.com/article.cfm?id=a-cybersecurity-nightmare

Vulnerable web applications

noreply@blogger.com (InfoSecNirvana) — Wed, 26 Oct 2011 10:20:00 +0000

One of the readers asked about vulnerable web applications pre configured for research and testing purpose. Here is the list I have used in the past:

Moth http://www.bonsai-sec.com/en/research/moth.php

Stanford SecuriBench http://suif.stanford.edu/~livshits/securibench/

OWASP WebGoat http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Mutillidae http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

Consumer reports - Companies to spend $130 billion on cybersecurity in 2011

noreply@blogger.com (InfoSecNirvana) — Sun, 09 Oct 2011 02:33:00 +0000

A recent new item in Consumer Reports caught my eye.

"U.S. companies will spend more than $130 billion dealing with data breaches this year, according to a study by the cybersecurity research firm the Ponemon Institute."

Over the last few years, there has been a steady increase in cyber attacks and breaches. Organizations have started to admit the fact that they are being attacked on a regular basis. Newspapers carry regular news items that show how vulnerable organizations and individuals are to such attacks.

So, apart from the people who did the bad thing, who else benefits from this?

Obviously, it benefits a whole group of people who helps these companies and individuals do the clean-up work. From the people specializing in the corporate communications, people involved in providing legal advice, people involved in forensic investigations, people involved in fighting these cases in court, and people involved in making sure that such incidents don't happen again.

Now, for folks looking for jobs and looking to enter these fields, it is a great opportunity to master these skills.

Some of the hot skills, companies in US and other parts of the world looking for are:

E-Discovery
Forensic investigation
Incident Response
Malware Analysis
Incident Monitoring
Security Operations

Risk Management - two new standards

noreply@blogger.com (InfoSecNirvana) — Tue, 27 Sep 2011 05:14:00 +0000

ISO 27005:2011

The newly released international information security risk management standard, is now available for everyone.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001, it is designed to assist the satisfactory implementation of information security based on a risk management approach.
The standard is now fully aligned with the International Standard for risk management, ISO 31000. ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization, generally known as enterprise risk management.

ISO 27005:2011 ISRM, can be downloaded from the IT Governance web site.

www.itgovernance.co.uk/products/1852 .

NIST Special Publication 800-30

NIST relesed a draft guide for conducting risk assessments.

"The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action to take
in response to identified risks. In particular, this document provides practitioners with practical
guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other."

This standard is in a public comment stage, all are welcome to comment on this standard.

The standard can be downloaded from the below NIST web site.

http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

New PCI Document - Identifying and Detecting Security Breaches

noreply@blogger.com (InfoSecNirvana) — Fri, 02 Sep 2011 00:01:00 +0000

PCI council has published a new document titiled "Identifying and Detecting Security Breaches". The topics include:

Common Vulnerabilities and Malware
Signs of an Incident
How to Detect a Security Incident
Implementing and Reviewing Logs
Logs and PCI DSS Compliance
Basics of Incident Management
Top Challenges
Visa’s “What To Do If Compromised” Procedures

The document link is below:

http://usa.visa.com/download/merchants/webinar-identifying-and-detecting-breaches-08172011.pdf?Aug202011

Google Code University - Learn Application Security fundamentals

noreply@blogger.com (InfoSecNirvana) — Tue, 30 Aug 2011 23:11:00 +0000

Google Code University publishes many online materials, where you can learn about programming and application security. You can find topics in the area of programming languages, web programming, web security, databases, Linux, etc.

They have also released many tools in this area, the latest being web application named Gruyere. This is similar to OWASP WebGoat or Mutillidae.

The tool shows how web application vulnerabilities can be exploited and how to defend against these attacks. Some of the vulnerabilities that you will be exposed to include Cross-site scripting (XSS), Cross-Site Request Forgery (XSRF), Cookie Manipulation, Cross Site Script Inclusion (XSSI), Path Traversal, Denial of Service, Configuration Vulnerabilities, and specific vulnerabilities affecting AJAX.

It is a great tool to learn application security.

Links:

Google Code University : http://code.google.com/edu/

Gruyere web application : http://google-gruyere.appspot.com/#0__hackers

A Guide to Facebook Security

noreply@blogger.com (InfoSecNirvana) — Mon, 29 Aug 2011 23:34:00 +0000

Last week Facebook released a document titled "A Guide to Facebook Security".

It is a must read for every facebook user. It lists some essential tools that helps protect your account against various threats.

Some of the items detailed in the document include:

How to protect your account
How to avoid the scammers
How to enable advanced security settings
How to recover a hacked account
How to stop imposters

Here are the top tips to protect your accounts.

Only Friend people you know.
Create a good password and use it only for Facebook.
Don’t share your password.
Change your password on a regular basis.
Share your personal information only with people and companies that need it.
Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar.
Use a one-time password when using someone else’s computer.
Log out of Facebook after using someone else’s computer.
Use secure browsing whenever possible.
Only download Apps from sites you trust.
Keep your anti-virus software updated.
Keep your browser and other applications up to date.
Don’t paste script (code) in your browser address bar.
Use browser add-ons like Web of Trust and Firefox’s NoScript to keep your account from being hijacked.
Beware of “goofy” posts from anyone—even Friends. If it looks like something your Friend wouldn’t post, don’t click on it.
Scammers might hack your Friends’ accounts and send links from their accounts. Beware of enticing links coming from your Friends.

The document link is below:

https://www.facebook.com/safety/attachment/Guide%20to%20Facebook%20Security.pdf

PCI - Information supplement on virtualization

noreply@blogger.com (InfoSecNirvana) — Sun, 19 Jun 2011 01:35:00 +0000

PCI Council has released a new information supplement on virtualization. This is definitive guide for organizations looking to implement virtualization in their card holder data environment. Some of the highlights from the document:

There are four simple principles associated with the use of virtualization in cardholder data
environments:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS
requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies,
and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a
thorough discovery to identify and document the unique characteristics of their particular
virtualized implementation, including all interactions with payment transaction processes and
payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet
PCI DSS requirements. Specific controls and procedures will vary for each environment,
according to how virtualization is used and implemented.

The document lists the general recommendations as follows:

General Recommendations

Evaluate risks associated with virtual technologies
Understand impact of virtualization to scope of the CDE
Restrict physical access
Implement defense in depth
Isolate security functions
Enforce least privilege and separation of duties
Evaluate hypervisor technologies
Harden the hypervisor
Harden virtual machines and other components
Define appropriate use of management tools
Recognize the dynamic nature of VM’s
Evaluate virtualized network security features
Clearly define all hosted virtual services
Understand the technology

The document can be downloaded from here.

Another wave of attacks and breaches

noreply@blogger.com (InfoSecNirvana) — Sun, 19 Jun 2011 00:45:00 +0000

Back in April, I wrote about a wave of attacks and breaches (you can read it here). This month we are seeing a whole new wave of attacks and breaches, some of which include Citigroup, Sony, IMF, Lockheed Martin, etc.

2011 definitely brought many high profile breaches, one interesting development is that, these breaches not only benefit the adversaries but people who are involved in the investigations as well. WSJ reports that an “industry of experts”—from lawyers to forensic investigators—have emerged to help companies deal with the painful job of informing customers that their data has been hacked.

We also started to see the re-emergence of so called hacking groups. Some of the new groups such as Anonymous and LulzSec, are reported to be active participants. This is definitely a concern for information security practitioners as suddenly we have a much stronger and a determined opponent to deal with.

US lawmakers are getting busy as well. Congresswoman Mary Bono Mac, Chairman of the House Subcommittee on Commerce, Manufacturing and Trade,early this week released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification. A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner.

So, what can we as corporate information security professionals do? As I have mentioned in this blog many times, there is nothing new to be done here, follow the simple steps and go back to the basics - identify what and where your sensitive data is, apply minimum controls to thwart simple attacks, monitor the sensitive information, both at the asset level and network level and finally keep up with the new threats and learn how to defend against these new threats.

Sophistication of information threats are only going to increase, adversaries looking to steal sensitive information are only going to increase, and the market for such sensitive information are only going to increase. Better preparation and bringing in capabilities to defend, and recover from these attacks should be primary concern for information security departments. Many organizations concentrate on a compliance and check-list centric methodology, which will only lead to more such attacks and breaches. The time has come for organizations to develop capabilities and talent within the organization.

States and local governments also have a bigger role to play. Organizations need help from government agencies in the form of intelligence and investigations, and more importantly working with foreign governments in identifying and containing the threats and threat agents. Announcement such as this from NSA is promising and they should start developing tools and processes to share intelligence with private sector as well.