
Tuesday 12 September 2017

Cloud Access Security Broker (CASB) - The purpose of a forward proxy

First of several short articles on the feature sets of a typical Cloud Access Security Broker (CASB).

The Forward Proxy:

In a Cloud Access Security Broker (CASB), the forward proxy is an in-line, real-time protection gateway service configured to handle network requests from a group of known clients (users and devices) to any external website and/or cloud service.  These users and devices can be connecting from anywhere, either on the corporate network or across the Internet.  The destination services are typically cloud based.

The CASB forward proxy is primarily a policy control, and in its most basic, un-authenticated form it would simply apply policy enforcement to allow or deny access to specific sites and services on the Internet.  This form of the service could be used to police the corporate "Code of Conduct", e.g. "No corporate device is allowed to browse pornography, violence/hate, drugs, gambling, etc.", or to block access to cloud storage sites to reduce the risk of data loss.

This, however, is a very limited use case, and one that is easily subverted: a policy keyed only on the destination cannot tell one user or device from another.

Typically, you would configure the forward proxy to authenticate the endpoint (either user, or device, or both) against your corporate directory.  This can be done through Microsoft's ADFS (Active Directory Federation Services) or, better, through a Cloud Identity Provider such as Okta, Ping, OneLogin, or Centrify.

For sites that are corporately sanctioned, you can manage/report/alert on the context of who visited the website or service, from where, on what device, and at what time.  Any or all of these attributes can be used to modify access.  For example: if a user is going to a specific service from an unknown device over public Wi-Fi, you may want to enforce two-factor authentication and restrict file transfer.

For sites and services that are unknown or not corporately sanctioned (Shadow IT), you may want to validate the type of service through URL/content filtering, and then allow access while logging verbosely.

Scenario:   With an authenticated forward proxy, you can say:

  • This user is from accounting - these are the apps they should potentially be able to access.
  • This user is on a corporate laptop from within the corporate network: allow full access.
  • This user is on a corporate laptop on a public network (Starbucks or hotel):
    • Enforce two-factor auth for some apps, and deny access to others.
  • This user is on a personal device on a public network:
    • Enforce two-factor auth for some apps, and deny access to others.
    • Deny file transfer.
  • etc...

And of course the Cloud Identity Provider manages the credentials on the end service, so a direct connection that bypasses the proxy is not possible.
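The scenario above, written out as a policy evaluator. This is an added example and not code from the original post or from any CASB vendor: the rule order, app names, URL categories and request fields are assumptions chosen to mirror the scenario, and a real forward proxy would pull the group, device-trust and network attributes from the identity provider rather than from the request itself.

```python
"""Context-aware forward-proxy policy evaluation (added illustration, not a
CASB vendor's code).  Apps, categories and rule order are assumptions."""
from dataclasses import dataclass, field

# Constructed sanctioned-app catalogue: which business group may reach which app.
SANCTIONED_APPS = {
    "accounting": {"erp.example.com", "expenses.example.com"},
    "engineering": {"git.example.com", "ci.example.com"},
}
# Constructed category lookup standing in for the proxy's URL/content filter.
URL_CATEGORIES = {
    "gambling-site.example": "gambling",
    "unknown-storage.example": "cloud-storage",
}
BLOCKED_CATEGORIES = {"pornography", "violence", "drugs", "gambling"}


@dataclass
class Request:
    user: str
    group: str
    device_managed: bool      # corporate, certificate-enrolled device
    network: str              # "corporate" or "public"
    host: str                 # destination service
    action: str = "browse"    # "browse" or "file-transfer"


@dataclass
class Decision:
    verdict: str              # "allow" or "deny"
    require_mfa: bool = False
    log_level: str = "normal" # "normal" or "verbose"
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Turn (who, where, what device, which app, what action) into a decision."""
    d = Decision("allow")
    category = URL_CATEGORIES.get(req.host)
    sanctioned = req.host in SANCTIONED_APPS.get(req.group, set())
    any_sanctioned = any(req.host in apps for apps in SANCTIONED_APPS.values())

    # 1. Code-of-conduct categories are blocked for everyone; this is the
    #    un-authenticated proxy behaviour and needs no user context.
    if category in BLOCKED_CATEGORIES:
        return Decision("deny", reasons=["blocked category: " + category])

    # 2. A sanctioned app that this group is not entitled to: deny.
    if any_sanctioned and not sanctioned:
        return Decision("deny", reasons=["app not entitled to group " + req.group])

    # 3. Sanctioned app: context decides how much friction to add.
    if sanctioned:
        if req.network != "corporate":
            d.require_mfa = True
            d.reasons.append("public network: MFA required")
        if not req.device_managed:
            if req.action == "file-transfer":
                return Decision("deny", require_mfa=True,
                                reasons=["unmanaged device: file transfer denied"])
            d.require_mfa = True
            d.reasons.append("unmanaged device: MFA required")
        return d

    # 4. Unknown / shadow IT: allow browsing but log verbosely, and stop
    #    uploads to anything the content filter classifies as cloud storage.
    d.log_level = "verbose"
    d.reasons.append("unsanctioned app: logged verbosely")
    if category == "cloud-storage" and req.action == "file-transfer":
        return Decision("deny", log_level="verbose",
                        reasons=["shadow IT cloud storage: file transfer denied"])
    return d


if __name__ == "__main__":
    for r in (Request("alice", "accounting", True, "corporate", "erp.example.com"),
              Request("alice", "accounting", False, "public", "erp.example.com", "file-transfer"),
              Request("bob", "engineering", True, "corporate", "erp.example.com"),
              Request("bob", "engineering", True, "public", "unknown-storage.example", "file-transfer")):
        print(r.user, r.host, r.action, "->", evaluate(r))
```

The order of the checks is the point: destination-only rules run first because they need no identity, entitlement runs before context, and the shadow IT branch never denies outright, it just raises logging and stops the one action (upload) that turns an unknown site into a data-loss channel.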

Typical Forward Proxy use cases:

  1. Inspect content between Endpoint device (user) and Website/Service for Malicious Activity.
  2. Inspect content between Endpoint device (user) and Website/Service for Data Leakage.
  3. Enforce Corporate "Code of Conduct" via URL filtering.
  4. Provide granular access control based on "context" of user's source device/network/time.
  5. Provide list of "un-sanctioned apps" for security review.
  6. Encrypt field-level/table-level data on the fly. 
  7. Tokenize field-level/table-level data on the fly. 

As an inline implementation, the forward proxy requires a method to direct/enforce traffic from the endpoint device through the proxy to the destination service.  For a legacy on-premises proxy, we had a few options for redirecting traffic to the proxy:

  • Typically, PAC (Proxy Auto Config) files would be used.  This was an intrusive configuration of the endpoint that could be easily bypassed by the user, since the browser's proxy setting is under the user's control.
  • DNS "URL redirect" was also a good choice for redirecting "sanctioned applications" through the proxy to control/monitor that traffic.
  • Finally, an endpoint agent on the device could be used to control/redirect traffic.  (Do not do this!  Please!) 

Most CASB providers today rely on the Single Sign On Identity Provider (IdP) that authenticated the end user to provide a SAML redirect to the CASB forward proxy service.  This also allows the Identity Provider to add "context" to the interaction: "Michael is authenticating after standard work hours with his corporate credentials, on a valid, certificate-enrolled corporate device, from what appears to be a home network".

Next up: Cloud Access Security Broker (CASB)  -  The purpose of a reverse proxy 


Thursday 24 August 2017

Can our Managed SIEM providers please get their heads out of the 90's?

rant mode on   

(I had tried standard <> tags, and the CMS tried to process them!  LOL)
I've been a customer of SIEM (Security Information and Event Management) for about 30 years (cough), and have never had a "good" customer experience.  

SIEMs are complex (and expensive) systems that closely integrate with every server/appliance/network device on the floor, and try to make sense of the data flowing through them to identify security concerns.   This data is typically in a format proprietary to the vendor of the source product.

When a vendor wants to implement SIEM in your infrastructure, for each server they enroll, the vendor asks about "use cases", or the set of rules that define what types of security events you should care about. 
"Mr Customer, how many failed login attempts do you want to capture before we alert you?"

As a customer, how the hell should I know?  What's the industry norm?  You're the SIEM expert, tell me what your other customers are doing!  This approach has stifled progress/uptake in the industry.  SIEM is typically implemented grudgingly as an audit checkbox.  
"Ok, yes, we have SIEM, and things are reporting to it... CHECK... Next..."
This is a very expensive and time-consuming effort to acquire a check box, but this is also how the vendors are selling it.  Compliance sells products.

There is so much more that SIEM can and should do, like correlating firewall sessions with Endpoint Protection alerts, identifying patterns (anomalies) in VPN users' activities, alerting on movement of data between rogue cloud applications (shadow IT)...  but those tasks take planning and scripting skills, time and budget that an average Information Security team does not have.  So the tools get put in to fill the checkbox, and all of the capabilities they have sit idle.   (I hear you out there... prove me wrong, tell me YOUR good news story!)
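Two of those "use cases" written down as actual detection logic, so that the vendor's question has a concrete answer. This is an added illustration, not code from any SIEM product or from eSentire: the log line layout, the asset table that maps host names to firewall IPs, the thresholds and the sample lines are all constructed for the example.

```python
"""Two SIEM use cases as code (added illustration, not a vendor's rule
language).  Log format, asset table, thresholds and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed normalised log shapes, one event per line.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+)$")
EDR_RE = re.compile(r"^(?P<ts>\S+) edr ALERT host=(?P<host>\S+) sig=(?P<sig>\S+)$")

# Constructed asset inventory: the EDR names hosts, the firewall logs IPs, and
# correlation is impossible without this join.
ASSETS = {"ws-0142": "10.10.4.12", "ws-0200": "10.10.4.40"}

# Constructed sample log: a short burst of failures from one source, one
# endpoint alert with a matching outbound session, one alert without.
SAMPLE_LOG = """\
2017-08-24T09:00:00 auth FAIL user=alice src=203.0.113.7
2017-08-24T09:00:20 auth FAIL user=alice src=203.0.113.7
2017-08-24T09:00:40 auth FAIL user=bob src=203.0.113.7
2017-08-24T09:01:00 auth FAIL user=carol src=203.0.113.7
2017-08-24T09:01:30 auth FAIL user=alice src=203.0.113.7
2017-08-24T09:02:00 auth OK user=alice src=198.51.100.4
2017-08-24T09:30:00 auth FAIL user=dave src=198.51.100.9
2017-08-24T09:31:00 fw ALLOW src=10.10.4.12 dst=192.0.2.55:443
2017-08-24T09:33:10 edr ALERT host=ws-0142 sig=Trojan.Generic
2017-08-24T09:40:00 edr ALERT host=ws-0200 sig=PUA.Toolbar
""".splitlines()


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Use case 1: the failed-login question.  Alert once per source IP when
    `threshold` failures land inside a sliding `window`, whatever the user."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts, alerted = [], set()
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append({"rule": "brute-force", "src": src, "count": len(q), "at": ts})
            alerted.add(src)
    return alerts


def correlate_edr_firewall(lines, lookback=timedelta(minutes=10)):
    """Use case 2: an endpoint alert is escalated when the firewall allowed an
    outbound session from the same host within `lookback` of the alert."""
    sessions = [m for m in map(FW_RE.match, lines) if m]
    escalated = []
    for line in lines:
        e = EDR_RE.match(line)
        if not e:
            continue
        t, ip = parse_ts(e["ts"]), ASSETS.get(e["host"])
        related = [f"{s['dst']}:{s['port']}" for s in sessions
                   if s["src"] == ip and abs(parse_ts(s["ts"]) - t) <= lookback]
        if related:
            escalated.append({"host": e["host"], "sig": e["sig"], "sessions": related})
    return escalated


if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE_LOG))
    print(correlate_edr_firewall(SAMPLE_LOG))
```

The second function is where the "planning" the post talks about hides: the rule itself is ten lines, but it is useless until someone has built and maintained the host-to-IP mapping that lets two products' logs be joined.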

Another typical issue with implementing SIEM is scaling/sizing of the SIEM infrastructure itself.  The vendors usually define the size of your SIEM based on incoming "events per second".  There are many calculators out there to help you determine size, but they don't tell you that a) this is a best-case scenario, or b) EPS depends entirely on what you CHOOSE TO LOG!

It's a rare event that you buy too much SIEM for your requirements.  SIEM is expensive, and most of us will err on the side of budget... and then find out we spec'ed 3-4 times smaller than required.

rant mode off

So let me tell you a little story now of my most recent experience that turned all this on its head:

There's a little "Managed Detection and Response" company, eSentire out of Cambridge Ontario, that I had seen at several trade shows. Fatigued by vendors proclaiming that their product/service was better than the next coming of Christ, I had watched them warily.  But heard good news from all sources.

I had an opportunity at one of my clients to replace a very non-functional implementation of Arcsight that one of Toronto's finest managed security providers had failed to deliver appropriately. (I'll just leave that there)

We looked at possible opportunities for bringing SIEM back in-house, as well as talked to about a dozen Managed Security Service Providers, and the daunting conversation of use cases kept coming up time after time.  Vendors would ask us what we wanted to monitor, how many, how long, what's the alerting criteria, blah blah blah...  (insert Charlie Brown adults talking here)

In the mix, we had eSentire come in and present.  I had prepared my VP of IT and director of Security Operations as to the types of questions we would encounter, and typical responses regarding EPS per logging device, and use cases based upon product.

eSentire took the conversation in a completely new direction:

Us:  "Ok, tell us what we need to provide for use cases, and possibly some guidance on what makes sense...."

eSentire:   "We looked at your company, it's size, and market space.  We have dozens of similar customers as you.  Do you think your use cases might differ much from theirs?"

Us: "Ummm... no... probably not."

eSentire:  "Good, we can start there as a baseline, and monitor,  next?"

Us:  "Ok, what about Events Per Second, and storage?" 

eSentire:  "Based on existing customers, and the list of systems you want to integrate, we'll put a log collector in your infrastructure and monitor and manage its capacity. "

That was nine months ago.  We signed up almost immediately, and the full implementation was a few weeks (not the typical 12-18 months I'm used to with those other systems).  We were getting reports daily, weekly, monthly, that made sense, and had executive presentations that I could actually take to my management.

We've also signed up for and are very happy with their Network Interceptor (Managed Intrusion Prevention) and Continuous Vulnerability Assessment services.


Gartner: SIEM Use Cases

Alienvault: What kind of logs do you need for an effective SIEM?

Gartner: Managed Detection and Response Companies
eSentire: Managed Detection and Response

SANS: Benchmarking SIEM
Why and How to calculate Events per Second
Solarwinds: Estimating Log Generation
Qradar: Sizing, Determining Events Per Second
A good EPS sizing chart and writeup from Buzzcircuit

Arcsight: Enterprise Security Manager

Thursday 29 June 2017

Canada 150, and Canadian Innovation.

Canada has a long legacy of innovation and prosperity. We have blazed technology trails in every aspect of life, from agriculture to medicine and health care, communications to manufacturing, transportation to space travel, finance to renewable energy.

I started my career as an electronics technician under the Industrial Research Assistance Program at the Canadian National Research Council.   My role was to go in to young startup companies, and provide technical assistance getting their technology dreams built, tested, and ready for market.
Today, this program actively helps Canadian entrepreneurs innovate through grants, advisory services, networking, youth employment, staff augmentation, while providing technical assistance in various fields.

Looking backwards to see forward, Canada has a great opportunity to remain a global leader in innovation and technology. There is a wealth of diverse companies, both entrenched and new, taking on the challenge of automating, managing, and accommodating all aspects of our lives.  I’ll outline just a few of those technologies here.

The Canadian Healthcare System is respected worldwide, both for its ability to efficiently and effectively care for individuals as well as its history of innovations.  Leveraging the rapid advances in “Internet of Things (IoT)” technology and infrastructure, Canadian health research facilities have become world leaders in the innovation of wearable devices to help track and monitor patient outcomes.  With these devices monitoring vital aspects of a patient’s health and recovery, a physician can both be better informed upon arrival of the patient, reducing wait and visitation times, as well as analyzing appropriate remediation strategies.  Canadian made wearable devices will become a normal part of our standard healthcare regime.   

As well as the wearable monitoring devices, IoT technology has spurred a number of Canadian Innovators to launch “assistive device” products.  These range from smart technology for wheelchairs, to adaptive prosthetics, to GPS tracking and guidance for the blind.  The Canadian imagination is boundless, and as our population ages, these devices will become more prevalent.

Blockchain Technology may be new to most of us, but is revolutionizing the way the banking industry works.  In fact ANY industry that relies on transactional integrity could find benefit in Blockchain’s ledger based technology.  Many of us are familiar with, or at least have heard of “bitcoin”, which is the grandfather of blockchain currencies. Ethereum is another blockchain up-and-coming currency taking international interest.  Recently, the Enterprise Ethereum Alliance included the National Bank of Canada as one of 86 new members that will work together to develop business applications on the Ethereum blockchain.

Renewable Energy:
There are more than a thousand Canadian companies currently innovating in the Clean or Renewable Energy Market, employing more than 50,000 people across the country.  From the staples of Solar and Wind, to deep water stores of compressed air, geothermal heating and electricity, and the manufacture of Lithium Ion batteries, we are making our mark on the global stage.  Much of this is thanks to “Sustainable Development Technology Canada”, which is the largest single clean-tech fund in the world. It has seeded more than 200 clean-tech projects through grant funding of more than $600 million. Renewable Energy is a cultural shift that is well under way within Canadian homes and businesses, and we are going to continue to be at the forefront for decades to come.

Over the past two decades, Canada has taken a strong lead in Modernizing and Automating Agriculture. With the prevalence and low cost of Industrial sensors for things like moisture level, sunlight, pH level, soil nutrients, etc., Canadian researchers have been able to greatly increase crop yields across the industry. This technology has been transferred down to the hands of local farmers who are able to automate aspects of their farm such that they not only increase yield, but can direct and reduce water consumption and cost.  Crops are able to be grown in areas previously unmanageable through monitoring and automation.  Canada is also setting examples of how to use industrial sensors to monitor and manage Livestock health and food consumption. This is an area in which we will continue to be world leaders.

Smart Cities:
Continuing on the Industrial Internet of Things theme, Canada is also a leader in Innovation in monitoring and managing all aspects of transportation and buildings in today’s Smart Cities. Cities across Canada are collaborating on means to provide cleaner more efficient home and work spaces for their inhabitants.  We are researching ways to use Industrial sensors to monitor and more efficiently manage heating and cooling within residential and commercial buildings.  We are also developing ways to monitor and reduce emissions from these buildings.

Through the use of sensors under the pavement, on lamp posts, and cameras at intersections, we are researching ways to better identify traffic patterns across the city, and adjust intersection lights for more efficient travel times and greater safety for both vehicles and pedestrians. 
There are also Canadian innovations being developed in street lighting to greatly reduce power consumption, and reduce environmental impact on wildlife.

Space Exploration:
We are all too familiar with the Canadarm that assisted the NASA space shuttle program for two decades, and now currently works diligently on the International Space Station. Did you know that Canada has a burgeoning Space program too?  In 2016, the Canadian Government committed to extend Canada’s participation in the ISS program, and provide opportunities to develop leading-edge space technologies. Up to $379 million will be earmarked for this program over the next eight years.
Six Canadian Astronauts have served eight missions aboard the International Space Station, and in 2018, David Saint-Jacques will become the next Canadian astronaut to take part in a long-duration mission aboard the ISS.

The University of Guelph’s Mike Dixon and his team are working on “biological life support” systems. Research that will help sustain long-term human exploration to distant planets by finding ways to grow plants inside greenhouses with techniques that could one day allow us to grow crops on the moon or Mars.

Canada has long partnered with the US on development of Satellite Communications technology.  Our first Canadian Satellite, Alouette 1, was launched by NASA on September 29 1962. Companies such as DeHavilland, Spar Aerospace, and Telesat Canada spurred on the innovation across the past several decades. Now, the torch has been picked up by several Canadian startups that are developing very small format satellites for such purposes as monitoring forestation and environmental changes, or providing imaging services for commercial planning.

We Canadians are a country of dreamers, and we dream big. The future of Canadian Innovation will not dull.

Tuesday 27 September 2016

6 steps to protect yourself from the Yahoo email breach!

Last Thursday (09/22/16), Yahoo admitted to the largest email provider breach in history. The breach, which happened in 2014, consisted of the account information of at least 500 million users and included names, email addresses, hashed passwords and even security questions.   

 According to reports, as many as 2.1 million Rogers Communications customers could be affected, as Rogers uses Yahoo as their underlying email provider.

Even though the breach itself happened in 2014, we urge you to take the time to protect yourself from this event.  Since 2013, 360 million MySpace accounts, 167 million LinkedIn accounts, and 145 million eBay accounts have also been compromised.  

Human nature has us using the same or similar passwords across all of our various online sites, whether they be social media, retail, email, or banking.  Much as this is convenient, it opens us up to fraud and theft by these hackers. 


Take these six simple steps to protect yourself now:

  1. Change your online passwords now! 
    • Remember that length and complexity are the easiest protection.  Use at least 8 characters, and mix numbers and letters.
  2. Use different passwords for your banking, email, and social media sites.
    • Hackers use automated tools to see if your stolen credentials work on thousands of other sites.
  3. Enable 2-step verification.
    • Most online email, banking, and social media sites provide 2-step verification, i.e. when you log on from a new device or a new location, they will send you an SMS text message with a validation code before you can enter.  This protects you from having others log in pretending to be you.
  4. Enable transaction notification on your banking!
    • Online banking sites have the option of sending you a text or email every time a transaction passes through your account. Turn this on!
  5. Beware phishing attacks related to this breach.
    • Do not respond to, click on, or open emails and attachments that say they are going to help you with this breach.  A number of malicious attacks have already begun to lure innocent people into providing credentials based on the fear and uncertainty around this breach.   Your banks and email providers will NOT be sending messages related to this.
  6. Finally, use a password management app to protect your online credentials.
    • Whether your preferred device is Windows, Mac, Linux, iOS, or Android, there are free apps out there that can help you organize and protect your online passwords.
    • LastPass, 1Password, and KeePass are the most popular and cover a range of devices. 



Tuesday 12 July 2016

Turmoil in the CASB market - 2016 the year of Big Business Acceptance

In April of last year, I wrote a technical comparison of the various players in the CASB (Cloud Access Security Broker) space, and had such incredible response and discussion, that I felt I had to provide an update this year. Should be easy, right?  WRONG!

(Read the above article if you are new to CASB and want an understanding of the space)

The CASB market has seen a lot of turmoil over the past year, in the form of mergers and acquisitions.  Early on we all thought Cisco was going to acquire Elastica as they had become quite cozy, but in a screeching left turn, BlueCoat came from the sidelines, and snapped Elastica up. The surprise here is that earlier in June of 2015, BlueCoat had just acquired CASB player Perspecsys.  Fast forward to June of this year, when BlueCoat announced their intent to IPO, then only days later agrees to be acquired by Symantec for $4.65B.  Whew...

In a similar roller coaster,  Adallom cozies up with HP in April 2015, only to get bought by Microsoft in September.  Then just last week, Cisco, not to be left out of the CASB market announced their intent to acquire Cloudlock for $293Million.

Also in recent news, Skyhigh Networks obtained a patent to use reverse proxies for cloud access security broker services, and Netskope obtains a patent for routing client traffic securely to Cloud Services. I'm not sure how this is going to change how the others model their business.

So to recap...

Last year, in the CASB space, we had: 
Adallom, BitGlass, Ciphercloud, Cloudlock, Elastica, Imperva, Netskope, Perspecsys, and SkyHigh

This year, the landscape looks to be:
Bitglass, Symantec/BlueCoat, Cisco/Cloudlock, Ciphercloud, Imperva, Microsoft/Adallom, Netskope, and SkyHigh.

I closed last year's report with the statement:
"Although the CASB market space is still in its infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service. I'm interested to see what happens to this space over the next three years.   My money is on convergence of CASB, SSO, and Mobile Security providers."
I still hold to this: Cloud SSO is what gives CASB the ability to understand context, and Mobile Security (Device Security, Application Security, Data Security)  is required to manage endpoints outside of the corporate perimeter.  Yet I'm not seeing those acquisitions as yet.

I think it's going to be an interesting challenge to update last year's report. Stay tuned. 


I am currently in the process of evaluating the technical controls published by the current players in this space and will be re-publishing this report in the near future. 

If you are a current CASB provider that I have missed here, and want to be included in the upcoming report, please comment below or email me at  unix_guru at hotmail dot com, and I will contact you for validation.

CASB References:

Gartner: The Growing Importance of Cloud Access Security Brokers
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class 
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends

NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration 
HP - Adallom: Proven Cloud Access Security Protection Platform 
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP 
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage. 
Cloud Computing: Security Threats and Tools 
SC Magazine: Most cloud applications in use are not sanctioned
Elastica And Cisco Move To Product Integration Of Cloud Web Security And Elastica CloudSOC
Blue Coat Acquires Perspecsys to Effectively Make Public Cloud Applications Private
Blue Coat acquires Elastica in $280 million CASB deal
Fortune: Bain Wants To Take Cybersecurity Firm Public Despite Weak IPO Market
Fortune: Blue Coat Abandons IPO Plans, Sells To Symantec for $4.65 Billion

Cloud security vendor Adallom secures $30m from HP, Rembrandt Venture Partners
Hewlett Packard Ventures and Adallom: Partnering to Protect the Enterprise Cloud
Microsoft acquires Adallom to advance identity and security in the cloud

Cisco Announces Intent to Acquire CloudLock for $293M

Stratokey: Cloud Access Security Broker (CASB)

Netskope awarded patent for cloud visibility, governance

Big Tech’s Entry into the CASB Market Is Evolutionary

Gartner: Market Guide for Cloud Access Security Brokers
Gartner: How to Evaluate and Operate a Cloud Access Security Broker

Tuesday 21 June 2016

Threat Modeling a Mobile Application

The purpose of this article is to provide security guidance in the development of mobile applications.  The following application threat-model (ATM) is an example, created to help developers identify potential threats that a malicious attacker could use to exploit a custom developed Mobile Application.

This threat model example is based on Industry Best Practices and observations across the Mobile Application Development space, and is not based upon any one particular mobile application.  The scenario presented here assumes an application in the Banking and Finance space, but could be any industry.

From a Security and Privacy perspective, a mobile application must:

  • Prevent the unauthorized use of the web service API associated with the application
  • Prevent unauthorized access to information or operational control of a user’s account
  • Prevent the ability for a third party to gain identification and authentication details
  • Reduce the opportunity for a malicious user to access confidential information

Threat Profile:

A "Threat Profile" is the concept of identifying the complete set of security threats that could be used to compromise a given application or system.

The following Business Criteria and assumptions were used when assessing the threat profile for this example Mobile Application:
  • Industry Categorization: Financial Institution 
  • Organizational Audience: Business Users 
  • Level of Potential Threat to Audience: Moderate-threat Audience 
  • Degree of Confidential Data: Moderate 
  • Likelihood of Exploitation: Low to Moderate 
  • Delivery Platform: Mobile devices with Secured Sandboxes 
  • Level of User Interaction: Minimal 
SANS: Threat Profiling

Threat Agents:

A threat agent categorizes the types of intentional and unintentional users associated to the system. This can include, but does not require, the intended roles of the application.

Stolen Device User: A user who has obtained unauthorized access to the device, aiming to get hold of the sensitive information held in its memory and storage that belongs to the owner of the device.
  • Access to account information to perform unauthorized transactions 
  • Access to account information to perform transactions from a different account 
  • Attempt to garner information about the banks overall security structure 
  • Denial of service attack against back-end systems based on gathered information

Owner of the Device: A user who has unwittingly installed a malicious application on their phone which gains access to the device application memory.

  • Capturing of credentials associated to the account for use by third party

Common WiFi Network User: This agent is aimed at any adversary intentionally or unintentionally sniffing the WiFi network used by a victim. This agent stumbles upon all the data transmitted by the victim device and may re-use it to launch further attacks.

  • Capturing of credentials associated to the account for use by third party 
  • Ability to perform unauthorized transactions

Key Scenarios:

The following scenarios or activities have been identified as key to the success of the application's security profile:

User Authentication - to gain access to post-sign-on functionality and content on the Mobile application.

Get Portfolio and Rates, and Execute Trades - User being presented with the list of transactions associated with specific Rates (Wire Payments, Cross-currency Account Transfers). The User could retrieve, view and accept the rate presented for selected payment. The User could view Beneficiary Details and the Audit History Page of the selected payments. The User could manage Contacts and make phone calls using the Audit History information.

Payment Approvals - User being presented with the list of payments (Wires, Account Transfers, EFT, Bill Payments) that qualify to be approved/released by the user. The User could view payment details and approve/reject selected payment. The User must be re-authenticated as a part of each payment approval operation. The User could view Audit History Page of the selected payments. The User could manage Contacts and make phone calls using the Audit History information.

Accounts Module - User being presented with the list of accounts he is entitled to. The User could add/delete/change order of Favourites Accounts in the list. The User could query and view account balances and transaction history information.

Mobile Application Architectural Elements:

The following items are associated to the application architecture specific to mobile devices. This listing mechanism is intended to provide additional input and consideration into the overall threat model.

  1. Carrier Elements
    1. Data
    2. SMS
  2. Web Services using RESTful agents over SOAP
  3. App Store
    1. Apple App Store
    2. Android Play Store
    3. Blackberry World 
  4. Wireless Interfaces
    1. 802.11
    2. Bluetooth
    3. NFC
  5. Mobile Platforms
    1. iOS
    2. Android
    3. Blackberry
  6. Common applicable hardware components
    1. Wireless Interfaces
    2. USB Ports
  7. Authentication
    1. Token Based
    2. Certificate Based
    3. Keyboard Based
    4. Touchscreen Based
    5. Biometric Based

Planned Application Security Mechanisms:

Planned application security mechanisms are technologies and threat-management measures that are included in part of application architecture and design. The model ignores these when defining the potential threats associated to the system but references them as solutions to identified problems.

The following application security mechanisms have been identified as part of application security design:
  • HTTPS secure transportation protocol using TLS 1.2 or above 
  • Two-phase authentication 
  • Input and data validation 
  • Exception handling 
  • Auditing and logging 
  • Minimization of operations

Trust Boundaries:

An organization and its application define a series of perimeters that define different levels of security-oriented trust. The following information defines the trust boundaries associated with systems, sub-systems, and identities.

  • App Container Boundary: within secure devices including iPhone and BlackBerry
  • Internet Trust Boundary: the connector between the device and internal banking systems
  • DMZ Trust Boundary: including the perimeter firewall, where core services are located
  • Data Center Trust Boundary: in which directly hosted systems and services are located

Data Flows:

Data flow diagrams help document the flow of information across trust boundaries.

Understanding how data is communicated across boundaries help identify potential issues within communication protocols and mechanisms.

The following diagram represents the data flow of the application under investigation.

Entry and Exit Points:

Entry Points

Entry points define the positions in your application where a user, cross-component communication or external application supply data and call operations associated to the back-end systems.
  • Mobile Application access to back-end API through JSON services.
  • Unintentional direct access to back-end API through JSON services. 

Exit Points

Exit points correspond to entry points and define the positions from which data is sent to the client. Exit points are prioritized to identify where information is transmitted in a trusted manner but the source is untrusted.

Potential Attack Tree:

An attack tree is a hierarchical diagram (or outline) that represents the attacks a malicious individual might perform against the application. This information is based on the development of an attack profile organized around the industry and the types of threats associated with your application and end users.

Gain authentication information to be used in other applications, systems or services

  • Authentication and access control attacks to determine applied security measure 
  • Determine the depth of breach and fraud preventive controls 
  • Access account to be used on other systems

Monitoring of transactions to record communication patterns

  • Obtain confidential information about the system 
  • Gain details on how transactions are processed in the system 
  • Discovery of weaknesses associated to the back-end system

General financial fraud

  • Perform unauthorized financial transactions to correct associated bank accounts 
  • Determine clients and size of transactions for social engineering attempts

Data Collection by running application in a non-trusted environment (jail-broken)

  • Ability to access the application on a jail-broken device or development platform 
  • Ability to apply memory forensics on the application at runtime to gain confidential information 
  • Ability to apply memory forensics on the application to determine run-time details

Unmanaged JSON attacks over encrypted or unencrypted channels

  • Ability to perform data theft through cross-site references 
  • Ability to perform a denial of service attack using cross-site references

Threat Tree:

A threat tree describes specific threats that can be applied to the application. Information in this section is arranged as a threat-based tree for reference, with specific descriptions afterwards. Please note that a single threat can be related to one or more common or uncommon vulnerabilities.
  • Authentication / Authorization
  • Input and Data Validation
      • Relying exclusively on client-side validation
      • Writing data you did not validate out to trusted source
      • Using input you did not validate to generate SQL queries
  • Configuration Management
  • Sensitive Data
      • Basic Man-in-the-Middle Attack
      • Request Forgery
  • Session Management / Cryptography
  • Parameter Manipulation
      • Failing to validate all input parameters
  • Exception Management
      • Failing to validate all input parameters
  • Audit and Logging
      • Missing Security Auditing Features
      • Unsecured Audit Logs
  • Mobile Specific Threats
      • Method aimed to read the local application memory
      • Malware on the device
      • Transactions performed from non-localized location

Rating Potential Threats:

Relying Exclusively on Client Side Validation:

Threat Description: By relying on client-side validation, the system exposes the back-end services through compromised client systems as well as communication protocols. This issue includes common attack results such as “Writing data you did not validate out to trusted source” and “Using input you did not validate to generate SQL queries”.
Category: Input and Data Validation
Threat Target:
  1. Capturing of credentials associated with the account for use by a third party.
  2. Ability to perform unauthorized transactions.
  3. Denial of service attack against back-end systems.
  4. Attempt to garner information about the bank's overall security structure.
  5. Access to account information to perform unauthorized transactions.
Risk: High
Attack Techniques: A malicious attacker compromises the mobile application by installing it on a jail-broken device or reviews data communication through a proxy service. Unintended information (pre- or post-authentication) is sent through the communication protocol to the back-end server containing injection data or unintentional information.
Countermeasures:
  1. Use of SSL with trusted certificates to encrypt communication.
  2. Validation of data at all trust boundaries to manage tampered data.
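What "validation of data at all trust boundaries" looks like for the JSON entry point described earlier, as an added example that is not the post's or the bank's code: the server re-checks structure, types, account format, account ownership and amount precision rather than trusting anything the client validated. The field names, account-number format and limit are constructed assumptions.

```python
import json, re
from decimal import Decimal, InvalidOperation

# Added example, not the post's code. The field names, account-number format
# and limit are constructed stand-ins for the bank's real JSON schema.
ACCOUNT_RE = re.compile(r"^[A-Z]{3}-\d{6}$")
ALLOWED_FIELDS = {"from_account", "to_account", "amount", "currency"}
MAX_AMOUNT = Decimal("10000.00")


class ValidationError(ValueError):
    pass


def validate_transfer(raw: bytes, session_accounts: set) -> dict:
    """Re-validate a transfer at the server trust boundary: structure, types,
    formats and ownership are all checked again; the amount is parsed as an
    exact decimal string, never as a float."""
    try:
        body = json.loads(raw)
    except ValueError:          # covers malformed JSON and bad UTF-8
        raise ValidationError("body is not valid JSON")
    if not isinstance(body, dict) or set(body) != ALLOWED_FIELDS:
        raise ValidationError("unexpected or missing fields")
    for field in ALLOWED_FIELDS:
        if not isinstance(body[field], str):
            raise ValidationError(f"{field} must be a string")
    for field in ("from_account", "to_account"):
        if not ACCOUNT_RE.fullmatch(body[field]):
            raise ValidationError(f"{field} has an invalid format")
    if body["from_account"] not in session_accounts:   # server-side ownership check
        raise ValidationError("from_account is not owned by this session")
    try:
        amount = Decimal(body["amount"])
    except InvalidOperation:
        raise ValidationError("amount is not a decimal number")
    # is_finite() must come first: ordering comparisons on NaN raise.
    if (not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT
            or amount != amount.quantize(Decimal("0.01"))):
        raise ValidationError("amount out of range or not a whole number of cents")
    return {"from": body["from_account"], "to": body["to_account"],
            "amount": amount, "currency": body["currency"]}


# Constructed requests: GOOD passes; each BAD_REQUESTS entry fails one check
# (float instead of string, NaN, account not owned by the session, extra field).
GOOD = b'{"from_account":"ACC-000001","to_account":"ACC-000002","amount":"250.00","currency":"CAD"}'
BAD_REQUESTS = [
    b'{"from_account":"ACC-000001","to_account":"ACC-000002","amount":250.0,"currency":"CAD"}',
    b'{"from_account":"ACC-000001","to_account":"ACC-000002","amount":"NaN","currency":"CAD"}',
    b'{"from_account":"ACC-000009","to_account":"ACC-000002","amount":"5.00","currency":"CAD"}',
    b'{"from_account":"ACC-000001","to_account":"ACC-000002","amount":"5.00","currency":"CAD","note":"x"}',
]
```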

Basic Man-In-The-Middle Attack:

Threat Description: A user is able to monitor the data being communicated from the mobile application to the associated server in order to determine the URL, formats and identity of back-end services for direct access to the service.
Category: Sensitive Data
Threat Target:
  1. Capturing of credentials associated with the account for use by a third party.
  2. Attempt to garner information about the bank's overall security structure.
  3. Access to account information to perform unauthorized transactions.
Risk: Medium
Attack Techniques: Use of data monitoring tools including Burp Scanner or Wireshark as proxies to view data being transmitted from the mobile application to the server.
Countermeasures:
  1. Use of SSL with trusted certificates to encrypt communication.
  2. Validation of data at all trust boundaries to manage tampered data.
  3. Source checking of communication using CSRF-token based concepts.

Request Forgery:

Threat Description: An unauthenticated user sends requests through HTTP protocols in an attempt to (1) subvert authentication mechanisms, (2) perform destructive activities against a system, (3) gain information around exception handling mechanisms, or (4) garner information about the system and its transactions.
Category: Sensitive Data
Threat Target:
  1. Capturing of credentials associated with the account for use by a third party.
  2. Ability to perform unauthorized transactions.
Risk: Medium
Attack Techniques: Use of data monitoring tools including Burp Scanner or Wireshark as proxies to view data being transmitted from the mobile application to the server.
Countermeasures: Use of a secure token (similar to a CSRF token) to acknowledge authorized transactions to the system, and to take appropriate measures including alerts and logging when unauthorized transactions are attempted. The same mechanism used in a CSRF token can be used in this circumstance.
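One way to build the transaction token the countermeasure describes, as an added example (not the post's code): an HMAC binds the token to the session and to the exact account and amount, tokens expire and are single-use, and every rejection goes to the security log so it can feed alerting. SERVER_KEY, the session ids and account numbers are constructed placeholders.

```python
import hashlib
import hmac
import logging
import secrets
import time
from typing import Optional

# Added example, not the post's code. SERVER_KEY, session ids and account
# numbers are constructed placeholders; a real service loads the key from
# protected key storage and takes session ids from its authentication layer.
SERVER_KEY = b"constructed-server-secret-replace-me"
TOKEN_TTL = 300                  # seconds a token remains acceptable
security_log = logging.getLogger("security")
_used_nonces = set()             # single-use: one token acknowledges one transaction


def _mac(session_id: str, account: str, amount: str, issued: str, nonce: str) -> str:
    msg = "|".join([session_id, account, amount, issued, nonce]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, account: str, amount: str,
                now: Optional[float] = None) -> str:
    """Bind a token to the session and to the exact transaction it authorizes."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_mac(session_id, account, amount, issued, nonce)}"


def verify_token(token: str, session_id: str, account: str, amount: str,
                 now: Optional[float] = None) -> bool:
    """Accept only a fresh, unused token issued for this session and transaction.
    Every rejection is written to the security log so it can raise an alert."""
    now = time.time() if now is None else now
    try:
        issued, nonce, mac = token.split(".")
        age = now - int(issued)
    except ValueError:
        security_log.warning("malformed transaction token session=%s", session_id)
        return False
    if not hmac.compare_digest(mac, _mac(session_id, account, amount, issued, nonce)):
        security_log.warning("token does not match transaction session=%s account=%s",
                             session_id, account)
        return False
    if not 0 <= age <= TOKEN_TTL:
        security_log.warning("stale transaction token session=%s age=%ss", session_id, age)
        return False
    if nonce in _used_nonces:
        security_log.warning("replayed transaction token session=%s", session_id)
        return False
    _used_nonces.add(nonce)
    return True
```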

Missing Security Audit Features:

Threat Description: Attacks by an unauthorized user are not properly documented by the system, reducing the opportunity for breach attempts to be discovered, hindered or prevented. As a security practice, audits and logs should be applied across application layers and servers.
Category: Auditing and Logging
Threat Target:
  1. Denial of service attack against back-end systems.
  2. Ability to perform unauthorized transactions.
  3. Anti-forensic measures.
Risk: Low
Attack Techniques: This threat does not have a direct attack; it represents an inability to detect and manage the assault in the case of a breach.
Countermeasures:
  1. Log all security-oriented transactions to a “security log file”.
  2. Recognize an unusual number of requests to any series of accounts.
  3. Critical transaction attempts are logged for fraud controls.
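The second countermeasure, detecting an unusual number of requests across a series of accounts, run over a constructed security log as an added example (not the post's code): a sliding window counts the distinct accounts each source touches, and any source exceeding the threshold is reported. The log line format, window and threshold are assumptions.

```python
import re
from collections import defaultdict

# Added example, not the post's code. The log line format, the window and
# the threshold are assumptions; adapt them to the real security log.
LINE = re.compile(r"^(?P<ts>\d+) (?P<event>\w+) src=(?P<src>\S+) account=(?P<acct>\S+)$")
WINDOW = 60      # seconds
THRESHOLD = 3    # distinct accounts one source may touch inside WINDOW

# Constructed sample of a security log: one source walks four accounts in
# 25 seconds, then one more much later; a second source is benign.
SAMPLE_LOG = """\
1000 login_failed src=10.0.0.5 account=ACC-001
1010 login_failed src=10.0.0.5 account=ACC-002
1020 login_failed src=10.0.0.5 account=ACC-003
1025 login_failed src=10.0.0.5 account=ACC-004
1030 transfer src=10.0.0.9 account=ACC-010
1400 login_failed src=10.0.0.5 account=ACC-005
this line is not parseable and is skipped
"""


def parse(text: str):
    """Yield parsed events; lines that do not match the format are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            yield ev


def find_account_sweeps(text: str, window: int = WINDOW,
                        threshold: int = THRESHOLD) -> dict:
    """Return {src: accounts} for every source that touched at least
    `threshold` distinct accounts within any `window`-second span."""
    by_src = defaultdict(list)
    for ev in sorted(parse(text), key=lambda e: e["ts"]):
        by_src[ev["src"]].append((ev["ts"], ev["acct"]))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.setdefault(src, set()).update(accounts)
    return alerts
```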

Unsecured Audit Logs:

Threat Description: Once a breach has occurred, a malicious attacker will attempt to alter or remove log files that demonstrate their activity. This is a common step for an attacker in a breach, taken to reduce the chance of a successful forensic investigation.
Category: Auditing and Logging
Threat Target:
  1. Denial of service attack against back-end systems.
  2. Ability to perform unauthorized transactions.
  3. Anti-forensic measures.
Risk: Low
Attack Techniques: Upon a system breach the attacker will modify or delete the associated log files so that evidence of their activities is removed.
Countermeasures:
  1. Audit files are located in a protected directory with access controls.
  2. Modification, viewing and back-up of log files have specific user controls.
  3. Use of frequent back-ups of security files to single-direction systems.

Method to Read Local Application Memory:

Threat Description: In this attack methodology, the data targeted is application-specific memory and the method used is memory-based analysis. The attacker steals sensitive data such as passwords, user IDs and user account information that is stored in the application memory by reading the device memory.
Category: Mobile Specific Threats
Threat Target:
  1. Access to account information to perform unauthorized transactions.
  2. Attempt to garner information about the bank's overall security structure.
  3. Capturing of credentials associated with the account for use by a third party.
Attack Techniques: Through development or forensic tools on the device, or using a developer workstation, the system and application memory is reviewed while the application is running to determine how information is stored and communicated and how long it persists.
Countermeasures:
  1. General memory management techniques for the individual platform.
  2. Nullifying variables holding confidential data as soon as they have been used.
  3. Minimal storage of confidential data while in memory.
  4. Storage of confidential data in memory in an encrypted format.

Malware on the Device:

Threat Description: Any program or mobile application which performs suspicious or unauthorized activity. It can be an application which copies real-time data from the user’s device and transmits it to a server. This type of program executes in parallel with all the processes running in the background and stays alive, performing malicious activity all the time, e.g. the Olympics App which stole text messages and browsing history. On a jail-broken phone this can include access to the application's memory and buffer overflow threats.
Category: Mobile Specific Threats
Threat Target:
  1. Access to account information to perform unauthorized transactions.
  2. Attempt to garner information about the bank's overall security structure.
  3. Capturing of credentials associated with the account for use by a third party.
Attack Techniques: Often malware is installed on a device through unintentional means, where the malware itself is a Trojan or worm embedded in a useful application. Once installed, the application slowly consumes and analyzes other applications on the device. Malware is most often found on jail-broken phones on which non-App Store applications have been installed. Malware is often not a targeted attack but an opportunistic one.
Countermeasures:
  1. The use of managed devices with whitelisted applications.
  2. Encrypt data at rest on the device.
  3. Encrypt data in transit.

Transaction Performed from Non-Localized Location:

Threat Description: An unauthorized user attempts to perform a transaction from a distributed location with the goal of carrying out a fraudulent action. This may include a single or multiple financial transactions.
Category: Mobile Specific Threats
Threat Target:
  1. Access to account information to perform unauthorized transactions.
  2. Attempt to garner information about the bank's overall security structure.
  3. Denial of service attack against back-end systems.
Attack Techniques: An individual using a stolen device, or performing a transaction from a distributed location uncharacteristic of the user, is able to perform multiple transactions.
Countermeasures:
  1. Use of geo-location to monitor the location of transactions for a user.
  2. The mapping of geo-location to potential fraudulent locations.
  3. The validation of transactions when the listed geo-locations are not used.

Threat Risk Rating:

Threats are rated into three categories (Low, Medium and High) based on their DREAD rating. The individual elements associated with this rating are as follows:
  • Damage potential: How great is the damage if the vulnerability is exploited?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch an attack?
  • Affected users: As a rough percentage, how many users are affected?
  • Discoverability: How easy is it to find the vulnerability?
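A worked DREAD calculation, added here as an example (not from the original post): each element is scored 1 to 10, the five scores are averaged, and the mean is mapped onto the post's Low/Medium/High categories. The cut-off values and the element scores for the three sample threats are assumptions chosen to reproduce the ratings the post assigns; the post gives neither.

```python
from dataclasses import dataclass

# Added example, not the post's code. Each DREAD element is scored 1-10 and
# the overall score is their mean; the Low/Medium/High cut-offs below are an
# assumption for illustration, since the post does not state them.
LOW_MAX, MEDIUM_MAX = 4.0, 7.0


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be scored 1-10, got {value}")

    def score(self) -> float:
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def band(score: float) -> str:
    """Map a DREAD mean onto the post's three rating categories."""
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


def rate(threat: Dread) -> str:
    return band(threat.score())


# Constructed element scores, chosen so the bands match the ratings the post
# assigns to these three threats; they are not the post's own numbers.
THREATS = {
    "Relying exclusively on client-side validation": Dread(9, 8, 8, 9, 7),  # 8.2
    "Basic Man-in-the-Middle Attack": Dread(7, 5, 4, 6, 6),                # 5.6
    "Missing Security Audit Features": Dread(4, 3, 3, 2, 5),               # 3.4
}

if __name__ == "__main__":
    for name, threat in THREATS.items():
        print(f"{name}: {threat.score():.1f} -> {rate(threat)}")
```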

  • Basic Man-in-the-Middle Attack
  • Request Forgery
  • Relying exclusively on client-side validation
  • Missing Security Audit Function
  • Unsecured Audit Log
  • Method aimed to read the local memory
  • Malware on the Device
  • Malicious App
  • Transactions from non-localized location