Search This Blog
Showing posts with label data loss prevention. Show all posts
Showing posts with label data loss prevention. Show all posts

Monday, 7 July 2014

FTP, SFTP, FTPS? What's the difference, and how the !@#$ do I secure them?

File Transfer (FTP) may be the single most insecure piece of infrastructure that any corporation has.  It's roots date back to the early 70's before encryption and transport security were of great concern. 

 Many common malware attacks rely on unsecured FTP services within a company to stage and exfiltrate sensitive corporate data to unknown third parties.
There is little excuse for a company to be running vanilla FTP either inside their data center or especially over the Internet.  Secure file transfer protocols and standards have been around and fully supported SINCE THE TURN OF THE CENTURY!!!
 From the Tibco report: Understanding the Impact an FTP Data Breach Can Have on Your Business
"...what about the threat information contained on an unsecured
FTP server could pose to a business like yours? Consider a few other recent FTP
exposures:
  • CardSystems, who processed credit card transactions for nearly 120,000 merchants totaling more than $18 billion annually, were essentially forced out of business after 40 million identities were exposed. Amex and Visa told CardSystems that they would no longer do business with the company.
  • 54,000 records were stolen from Newcastle City Council
  • An unsecured document was exposed on the New Mexico Administrative Office of the Courts FTP server; it contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees.
  • The Hacker Webzine reports that Fox News had an exposed FTP connection linking out to Ziff Davis.
  • The personal information of uniformed service members and their family members were exposed on an FTP server while being processed by major Department of Defense (DoD) contractor SAIC. As many as 867,000 individuals may have been affected."

 
Lets take a minute to discuss the legacy FTP system, it's derivative FTPS, and the completely different SFTP.

FTP  (Do not use this EVER!)
The FTP (File Transfer Protocol) protocol was documented in 1971 as  RFC 114 and eventually evolved into RFC 959 , the FTP standard that all systems use today. It has been the workhorse of most corporate file transfer systems in production.

 All current Server Operating Systems, whether Windows, Unix, Linux, MAC, or Mainframe come with a variant of an FTP service following RFC 959.
There are VERY many FTP client applications available for each and every Desktop, Laptop, Tablet and smartphone in existence, also complaint with RFC 959.    
(Did I mention that there is no reason in this day and age to use vanilla FTP, EVER?)

FTPS
Once companies and security consultants  realized the great risk that FTP exhibits by sending corporate data "in the clear" over the network, they proposed RFC 2228 (in 1997) to protect FTP data in transit using SSL encryption.  Aside from transport encryption the service is identical to FTP.  

 FTPS transport encryption comes in two flavors Implicit, and ExplicitImplicit FTPS (Now pretty much obsolete) establishes an SSL or TLS session prior to exchanging data, over TCP ports 989(data)/990(control).  Explicit FTPS, the more common of the two, can use a single port for both encrypted and unencrypted data transfer.  The client initially establishes an unencrypted session, and if SSL/TLS is required, an AUTH TLS or AUTH SSL command is issued by the client to secure the control channel before sending credentials.

And then there's....

 SFTP
Although regularly  confused with FTPS, SFTP is actually an application in the  SSH  protocol suite.  RFC4253 "The Secure Shell (SSH) Transport Layer Protocol"  defines the security model of this Secure File Transfer Protocol.   Whereas FTPS relies on SSL (X.509) Certificates with their associated PKI requirements to secure the session, SFTP uses Diffie-Hellman Key Exchange to manage an asymmetric pair of keys to secure the session. All UNIX based systems (Including MAC, Linux, and Mainframe) come with SSH preinstalled.   There are many variants available for Windows as well.



Both SFTP and FTPS are fully scriptable (ie: support automation). Either one is acceptable, depending on the application, and Operating System at hand.

Up to this point, we've discussed securing the Data Transport, or "Data in Motion", but what about securing the "Data at Rest"?  How do we secure the file transfer directory structure?

In simplest terms, strong user/group access controls are required on FTP service directory structure.  I'm going to link to some vendor recommendation sites here:

Disable Anonymous FTP!  Sorry, but you should know who is connecting to your file server.


But, for the best level of security
run SFTP (ok, even FTPS) inside a chroot jail or sandbox

In the UNIX world (Including MAC, Linux, Mainframe), a chroot is a virtual filesystem that can be associated with a specific service, in this case SFTP.  A new protected replica of the OS folders and files relevant to running that service are created, and all files uploaded/downloaded via this service reside inside the protection of the "jail"

In Windows, the practice is typically called "Sandboxing" or Application Virtualization:
    (excerpt from Microsoft: Transform applications into managed services )
"In a physical environment, every application depends on its OS for a range of services, including memory allocation, device drivers, and much more. Incompatibilities between an application and its operating system can be addressed by either server virtualization or presentation virtualization; but for incompatibilities between two applications installed on the same instance of an OS, you need Application Virtualization.  "



And last but CERTAINLY not least:   Scan your network for rogue FTP services (Both Data Center as well as Workstation space) regularly (FREQUENTLY), find them physically, and shut them down!

References:
EITF.ORG: RFC913 - Simple File Transfer Protocol
EITF.ORG: RFC914 - A File Transfer Protocol
EITF.ORG: RFC959 - FILE TRANSFER PROTOCOL (FTP)
EITF.ORG: RFC2228 - FTP Security Extensions
IETF.ORG: secsh-filexfer (SFTP)
IETF.ORG: How to Use Anonymous FTP   -- DON'T!

IANA.ORG: Service Name and Transport Protocol Port Number Registry

 TIBCO: Understanding the Impact an FTP Data Breach Can Have on Your Business
Understanding Key Differences Between FTP, FTPS and SFTP
SFTP versus FTPS – What is the best protocol for secure FTP? 
What’s the Difference? FTP, SFTP, and FTP/S 
Filezilla: SFTP specifications
http://winscp.net/eng/docs/ftps 
Using FTP? Know the Risks
wikipedia.org: Public key infrastructure 
SANS: Clear Text Password Risk Assessment Documentation
SFTP chroot 
https://wiki.archlinux.org/index.php/Change_Root
http://www.unixwiz.net/techtips/chroot-practices.html 
Oracle: Configuring and Using Chroot Jails
Winquota: Winjail 
Microsoft: Application Virtualization 
Posted by at 2 comments:
Labels: , , , , , , , , , , , ,

Wednesday, 11 June 2014

What if Target had followed a Zero Trust model?

Yes, I agree that I'm late to the table on yet another Target Breach Blog, but I want to throw a twist on the story..   

A fantastic "WHAT IF?"

I want to transport you momentarily, to a utopian world where Large Corporations understand that firewalls and segmentation do not provide complete security anymore (probably never did), and that to truly protect your Infrastructure, Applications, and Customer Data, you need to do so at the host!   
First, lets spend a minute reviewing what we know... 

Brian Krebs, of Krebs On Security has meticulously documented and unraveled the timeline and events that led up to the actual Breach.   I will not reiterate all the gory details here, but will refer to his findings along this journey...

Of specific note:   As of this date (June 13rd, 2014)  We still do not *know* for certain how the attackers got into Target's internal network, nor how they escalated privileges to install their malware. 

Krebs, Dell SecureWorks, and Malcovery have collected strong evidence to support a hypothesis. We do not need to fully understand the mechanics of the breach to conjecture a remediation strategy for those who have not identified their breaches as of yet.


In a nutshell, the attackers launched a phishing attack some time in October 2013, and managed to compromise one of Targets vendors.  The credentials for this vendor most likely gave the attackers access to Target's Online Billing system.    Coupled with a large amount of publicly available documentation intended to assist vendors in accessing the system, the attackers were able to capture enough detail of the Target network and Active Directory Infrastructure to launch a SQL injection attack.  It is believed that they used this SQL injection attack to install tools used in the remainder of their exercise.  

From the Dell SecureWorks documentation:

They were able to install three different sets of malware to enact their scheme:  First, they added a variant of a previously known   Point Of Sale memory Scraper.  This application would monitor the active processes memory on the Embedded Windows POS endpoints, and capture anything resembling Credit Card information.  The application would then periodically ftp that information to another server that was compromised through a privilege escalation in Active Directory.  Yet another compromised system would pick the data from that ftp service, and deliver it to several external ftp sites.



 
(trust me... you want to read that link!)


The immediate questions being:
  1. How did they compromise a public facing application to get "inside" the Corporate Network?
  2. Why were 3rd party credentials on an external facing application associated within an Internal Directory?
  3. Where was Intrusion Prevention between their DMZ and the Corporate Network?  
  4. How did an Admin Account on a single server get privilege escalated to the Active Directory? 
  5. Once in the Production Environment, how did they get to the POS network?  I mean they are PCI compliant, aren't they?  There should be no direct path between the two...
  6. Where was Intrusion Prevention between the corporate network and the POS network? 
  7. How was an FTP service allowed to communicate from the Data Center out to the Internet?
  8. Where was Intrusion Prevention between the Corporate Network and the Internet?  
  9. If IPS was in fact in place (I have to believe it was...)  was it detuned or ignored?
Target isn't talking, so.... 



Lets assume for the sake of the remainder of this posting, that they had put a Zero Trust security model in place.  How would this scenario have played out?  What are the points of contact that would have raised alerts/sounded alarms?



In a true Zero Trust model, there would not only be network segmentation between zones of trust (production, dev, test), but between the tiers of an application stack (presentation, application, data). Applications, and Lines of Business would be segregated from one another as well. 

 Where there were zones containing or processing sensitive data, the demarcation between such segments would be augmented with addition controls such as Intrusion Prevention, Data Loss Prevention, Network AntiMalwarePrivilege Password Vaults would be used to manage any level of administrative access required across the board - Windows/UNIX/Mainframe/Network...

Seems like an impossible task?  Too late to retrofit into an existing production infrastructure!  It will never work!!!  Or... Can it?

The cost, both financially and in time, would be extremely prohibitive to retrofit an existing corporate network.  VLAN segmentation, layer 2 and layer 3 firewalls, as well as a myriad of network security appliances are needed to inspect and enforce traffic moving between hosts...

But what if you could make the the servers themselves complicit in the overall security 


By having a properly configured and managed host based security suite in place, applications residing on those hosts would only allow traffic communications from known sources, on known ports, using known protocols.  Attempts to brute force passwords, scan ports, or escalate privileges would not only be immediately blocked at the server being attacked, but all other systems within the management policy.  Alerts would be sent to the Corporate SIEM, and multiple layers of alarms would be generated.  If a server were actually compromised, the incident could be contained to that one host.

You could gradually integrate the Zero Trust model into your environment, one host at a time, by creating Virtual Zones of Trust.  Start with low hanging fruit, by grouping systems belonging to a common application, and applying a policy that rejects traffic from other applications, essentially "sandboxing" the application.  


From my previous article:
A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SEIM.

How could Host Based Protection have helped Target?

With Host Protection installed on the Point of Sale Embedded Windows OS terminals, a policy would restrict the system from accepting patches/updates, or installing software/executables from anywhere other than the official SECURED software distribution infrastructure.  This would have eliminated the potential of an attacker installing anything, unless they had already compromised your software distribution infrastructure.  The POS application would run in a "sandbox", basically a separate secured process that does not expose it's memory or connectivity to other processes on the host. This would have eliminated the potential for memory scrapers.  Essentially, phase1 of the attack would not have been achieved.

 With Host protection running in the core data center servers (both physical and virtual), there would be no way to install the data transfer software... even if you had the credentials to an administrative service account on the server. The Host Protection would only allow software updates, patches, or executables to be pushed from 
the official SECURED software distribution infrastructure.  If the data transfer software were already installed, then any change to the configuration of this software, even with a compromised administrative service account, would raise an alert, and log all activity to the console.   If the alert was not responded to within a period of time, the configuration could be rolled back automatically. Essentially, phase2 of the attack would not have been achieved.






With no Phase1, and no Phase2... Exfiltration of the customer data through this methodology would not have happened, and CEO Gregg Steinhafel and CIO Beth Jacob would still have their jobs...







Additional controls to consider, beyond those provided by Host Based Server Protection:
  • Segment POS network from the corporately accessed network
  • Segment Database network from the corporately accessed network 
  • Encrypt all transactions between POS network and servers outside POS network
  • Employ a Privilege Access Management Strategy
  • Enforce scheduled maintenance windows for software updates/installations
  • Enforce specific hosts/accounts allowed to deploy software updates/installations
  • Patch Applications as well as Operating System as patches become available
  • Use Heuristic Analysis as well as Signature based AntiMalware. 
  • Subscribe to and USE live Threat Analysis Feeds
  • Do not log locally, but rather stream log events to a SIEM 
  • Remove - not just disable - all not pertinent applications/executables
  • Run AntiMalware at your Internet Egress point, as well as on your hosts
  • Run Data Loss Protection on your hosts as well as at ALL egress points






References:





Posted by at No comments:
Labels: , , , , , , , , , ,

Tuesday, 15 January 2013

Data Loss Prevention: A Layered Aproach is Best.

DLP, or Data Loss Prevention is the practise (some say art) of identifying and remediating the loss or leakage of "sensitive data" from the Corporate network.  Sensitive data can be anything that is not classified as "Public Information", from Corporate Financials, to customer Personally Identifiable Information.

Data loss can be through theft, accident, negligence, or ignorance.  There are a ton of articles available on Data Theft. Whether it be disgruntled employees, external hackers, or botnet installation, data is stolen becasue it has value. Period.
According to a 2012 Verison Business report on Data Theft, we see the following:

          WHO IS BEHIND DATA BREACHES?
  • 98%      stemmed from external agents (+6%)
  • 4%        implicated internal employees (-13%)
  • <1%     committed by business partners (<>)
  • 58%     of all data theft tied to activist groups

HOW DO BREACHES OCCUR?
  • 81%     utilized some form of hacking (+31%)
  • 69%     incorporated malware (+20%)
  • 10%     involved physical attacks (-19%)
  • 7%      employed social tactics (-4%)
  • 5%      resulted from privilege misuse (-12%)

 
A good starting point for any Data Loss discussion, is to Assume that you have already been breached, and plan your management and containment strategy.


Lets dispel a bit of fantasy here...
No Data Loss Prevention system on the planet can or will stop all data leakage.  

If that's what they're selling you, turn and run.  The only way to stop all data leakage is to NEVER STORE ANYTHING, and Certainly DO NOT TRANSMIT ANYTHING.   You know...
The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.—Dennis Hughes, FBI


All existing DLP solutions use one of two methods to identify sensitive data.  The "Precise" method relies on some type of tagging of the data in question.  Now this can be as easy as "Anything coming from this database",  or "This column in this table", "this field in this record type", "this folder on this share", or "this LUN on the SAN".  

The "Precise" method of DLP will stop data from inappropriately leaving it's known source.  And more sophisticated systems *may* actually have signatures (hash files) of all the data on those known stores to match against data in flight, to ensure a copy of the data doesn't leave.  Neither would stop a legitimate request for the data being screen captured and sent off separately or the data being repackaged in a different format and sent out.

The "Imprecise" method relies on signatures, meta-data, regular expressions, statistical analysis, or heuristics to watch the network egress points and make educated decisions on whether to allow traffic to pass, challenge the sender, or just block the traffic.


Data exists in three states "At Rest", "In Use", and "In Motion":

To implement an appropriate level of Data Loss Protection, you must tackle all aspects of data at rest, in use, and in motion. 

Data At Rest:
Typically data at rest (static data stored or archived on a file share, in a database table, or in an email system, for example) is protected from innapropriate access by Operating System level access controls. This type of control relies on group or role memberships.  You may be given the ability to read a file, read and update, or no access at all.  Most files within a folder share the same permissions, so the permissions folders themselves dictate the level of access per role. 
Additional to this, depending on the type of sensitive data in question, you may want to actually encrypt the data or the container it's stored in. In the case of Corporate Removeable Media, Laptops, or Mobile devices these MUST be encrypted as part of the standard build process.  Laptop theft or loss of a USB Memory stick without such encryption could cause your company considerable reputational, financial or legal damage.

Data in Use:
Data in use, shares much of the same features of data at rest, except that it most commonly refers to dynamic data that is changing frequently, and potentially residing on end point systems as well as in the data center systems.

Data in use can be protected through the use of End Point DLP solutions as well as those controls in place for Data At Rest.

Data in Motion:
Once data has been accessed by a user, and is "sent" somewhere via email, file transfer, uploaded to a website (Cloud Storage) it is considered to be "in motion".

At this point we need to heavility lean on "Perimeter  Data Loss Prevention".  Your perimeter is typically considered the edge of your network, protected by a firewall which connects your network to the Internet. Here, you will typically see data leaving via email, Instant Messaging, ftp, and web transfer.  A perimeter solution must account for these plus any other method that data may leak outside of your network.   There are many strong point solutions out there that tackle one or more of these Perimeter Data Loss vectors by such reputable security providers as Symantec, WebSense, Cisco, Fortinet, McAfee, Sophos, etc...          

So, to sum up quickly:  To reduce your risk of data loss, you must tackle the problem in a layered approach, through Policy and Awareness, at the endpoint devices,  the data center, and on the perimeter. 
  Endpoint Protection: 
Data Center Protection:
 Perimeter Protection:

Finally... Create a Breach Incident Plan.  
Have the necessary tools, policies, training, contacts, and escalation in place, and test it regularly. Make sure that you have engaged Legal, Compliance, Brand, and your Corporate Communications teams and that they all know and can follow the plan. 




 
Obligatory links:

http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
http://www.symantec.com/data-leak-prevention
http://www.rsa.com/products/DLP/ds/11668_RSA_DLP_Cisco_Integration.pdf
http://www.fortinet.com/solutions/data_loss_prevention.html
http://www.mydlp.com/
http://www.ey.com/Publication/vwLUAssets/Keeping_your_sensitive_data_out_of_the_public_domain/$FILE/Data_loss_prevention_Keeping_your_sensitive_data_out_of_the_public_domain.pdf
Posted by at 1 comment:
Labels: , , , ,

Friday, 11 January 2013

Standing at the Crossroads: Employee Use of Cloud Storage.

Is Employee Use of Cloud Storage Your Number One Data Loss Vector Today?


Lets all agree that we have entered into a time where our employees are finding it easier to use free Internet based personal Cloud Storage like Box.com or Dropbox.com so that they can use these files in a more mobile world. 

This is not a good Business Risk Scenario at all, but unless you take drastic steps to block the ability to access these sites from within the Company Network, your employees will take the path of least resistance.  It is pretty much a gaurantee that you are currently hemorrhaging potentially sensitive business data and have little or no visibility into this activity.

First things first, lets clarify the difference between "Enterprise Cloud Storage"  and "Personal Cloud Storage" .

Enterprise Cloud Storage is simply an extension of the Corporate Shared Storage Infrastructure outsourced to a Cloud Provider.  It is managed and maintained in a fashion similar to an onsite storage pool.  It can be protected through standard encryption practices.  Provisioning user access and allocating capacity are left in the hands of your IT staff.  Logging and reporting for capacity and compliance management are part of the service.

Personal Cloud Storage however, is "fairly" new market that has evolved over the past couple of years. These Storage providers have made it extremely easy for any end user to sign up and receive an allocation of personal storage anywhere from 5GB to 100GB for free!  To sweeten the pot, they provide both mobile and desktop applications to easily synchronize files/folders/pictures/music/videos between your various dissimilar devices.   Most providers of this type of storage also facilitate sending links via email directly to anyone you wish to share your data with.   Any logging or reporting is on a personal level to the requestor of the account.   Access to this storage is available anywhere in the world and the end user controls the password. 

So?  What can we do?

The first thing is make sure that you have added this scenario to your Information Security Policy. And educate your employees.  "You must not use Personal Cloud Storage for transfering or storing Corporate Information"

Next, implement measures at your perimeter to block access to this type of site.  Typically this would be accomplished in a Content filtering solution such as WebSense or BlueCoat which classify the millions of Internet sites on a regular basis and apply Corporate access rules based on these categories. This works while the end point device is connected through the coprorate network.

Better yet, would be to manage a policy on the endpoint device that restricts access to these sites. At the moment, this is a bit more onerous as you would need to identify and manage a list of known sites and apply these restrictions either through Windows Group Policy  on your browser or local Firewall Policy.  Managing in this way, depending on the size of your company, would increase your company headcount by several bodies.

Or....  Fight fire with fire! 
Use Cloud Services in the form of Cloud based Content filtering to restrict and control your employees access to these sites REGARDLESS of where they are coming from.  A policy enforced on the company managed endpoint devices will restict Internet access of that device except through the Cloud based Gateway.


There are several players in this space:
Finally, if we look at my last Blog, by restricting all end user access through an Authentication Portal, we can provision true Enterprise Cloud storage to the end user, and manage the encryption levels and potential deprovisioning of that storage if and when the time is required.

Next up.... Data Loss Prevention....



Posted by at 1 comment:
Labels: , , , , , ,
Subscribe to: Posts (Atom)