
Friday, 25 September 2015

From Blueline to BlueZone - PCI Tokenization Matures

Last year, I wrote about a new Canadian company that had entered the Compliance Appliance market space.  Blueline Data had developed a tokenization gateway that would help you define and isolate your PCI compliance scope boundary.  This isolation was not only for Point Of Sale and Web Merchant portals (Shopping portal), but for Telephony and Unified Communications traffic as well!  This was a revolutionary step in this industry. Several other companies had tokenization systems available for structured and/or unstructured data; however, no one had a viable solution that would also cover voice and unified communications.




A lot has gone on in the past year, and I decided to revisit them, to see where their technology has progressed...



 

Last year, Forrester issued a paper defining the requirements necessary to secure data into the future, and discussing the technologies that will get us there. The document, titled "TechRadar™: Data Security, Q2 2014", states clearly that you need to:


  • Restrict and strictly enforce access control to data. This includes denying access to unauthorized persons or blocking their attempts to gain access.
  • Monitor and identify abnormal patterns of network or user behavior. This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (e.g., improper or excessive use of entitlements such as bulk downloads of sensitive customer information).
  • Block exfiltration of sensitive data. These are tools or features of tools that detect, and optionally prevent, violations to policies regarding the use, storage, and transmission of sensitive data.
  • Render successful theft of data harmless. Once you’ve identified your most sensitive data, the best way to protect it is to “kill” it. “Killing” data through encryption, tokenization, and other means renders the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market.


The first three have been the bread and butter of the Information Security industry for the past 20 years or so.  From firewalls and both signature- and heuristics-based Intrusion Detection/Prevention, to Data Loss Prevention systems, the industry has been diligently protecting our perimeters.


It's that fourth one that I'm interested in here.  "Render successful theft of data harmless."  In other words, replace any valuable data such as Payment Card Info, Personal Health Info, Social Insurance Numbers, etc... with a "token" that has no value to would-be thieves. These tokens can be made to preserve the format requirements of the original data, so as not to break backend processing, and can also carry search/index criteria.


To properly provide security through tokenization, one must be able to implement it not only on the server side for data at rest, but also for data in transit, as well as at the client side, such that the relevant sensitive data never even leaves the client's network.


What if there was a service... APIs that could provide tokenization either at the client browser, or as data is passed to cloud apps?



I know that I'm not new to this train-of-thought, but the cost of non-compliance is growing exponentially. 
Financial Damage can be insured against... Reputational damage cannot.



As I said... a lot has gone on in the past year.  Blueline has matured from just providing on-premise gateway appliances, to hosting Compliance Services in the cloud.  

Blueline is about to introduce several hosting options.  You can still get on-premise control if that is what you desire, but that has been augmented with  co-located gateway services as well as true Cloud based "Compliance as a Service"  Tokenization/Encryption through APIs. 

Another move that Blueline has made is to provide "Diskless Tokenization".  Typically, tokenization services keep a very secure database in a cryptographic vault.  This database would include a table of sensitive data to token pairs that are used to index and manage the tokens.  Across the industry, customers have expressed concern over having this database, even though it is protected in a vault.  Complaints ranging from too much residual risk, to database latency in very large token pair tables (tens or hundreds of millions of pairs), have driven the search for an alternative solution.

Blueline has introduced a diskless solution that creates a "derived" token using a one time pad, without the need for the data/token pairs to be stored. These derived tokens can be recalculated from a secret value that does not need to be stored in a database.
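To make the derived-token idea concrete, here is an added example (my own illustrative code, not Blueline's product or method): a vaultless, format-preserving tokenizer that derives a card-number token from a secret key with a small HMAC-based Feistel network, so the token can be recomputed or reversed from the key alone and no data/token pair table is stored. The construction, the key and the test card number are assumptions for illustration, not a vetted FPE mode such as NIST FF1.

```python
"""Vaultless, format-preserving tokenization of a card number (PAN).

Added example, not Blueline's code.  The token is *derived* from a secret
key: a Feistel network over decimal digits whose round function is
HMAC-SHA256.  Nothing needs to be stored per PAN; the same key recomputes
(or reverses) the token.  Illustrative only, not NIST FF1/FF3.
"""
import hashlib
import hmac

ROUNDS = 10      # even, so the two halves end in their original order
KEEP_LAST = 4    # trailing digits left in the clear (receipts, lookups)


def _round_fn(key: bytes, rnd: int, tweak: str, half: str, width: int) -> int:
    """Keyed pseudo-random function reduced to `width` decimal digits."""
    msg = f"{rnd}|{tweak}|{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _feistel(key: bytes, digits: str, tweak: str, decrypt: bool) -> str:
    """Bijective map on digit strings of a fixed length (len >= 2)."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for rnd in range(ROUNDS):
            m = len(a)
            c = (int(a) + _round_fn(key, rnd, tweak, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
    else:
        # Undo the rounds in reverse: previous A = C - F(previous B).
        for rnd in reversed(range(ROUNDS)):
            m = len(b)
            prev = (int(b) - _round_fn(key, rnd, tweak, a, m)) % (10 ** m)
            a, b = str(prev).zfill(m), a
    return a + b


def tokenize(key: bytes, pan: str) -> str:
    """Token with the same length, digits only, and the same last 4 digits."""
    if not pan.isdigit() or len(pan) < KEEP_LAST + 2:
        raise ValueError("PAN must be digits only and long enough to tokenize")
    body, tail = pan[:-KEEP_LAST], pan[-KEEP_LAST:]
    # The clear tail acts as a tweak so equal bodies with different tails differ.
    return _feistel(key, body, tail, decrypt=False) + tail


def detokenize(key: bytes, token: str) -> str:
    """Recover the PAN from a token using only the key, no vault lookup."""
    body, tail = token[:-KEEP_LAST], token[-KEEP_LAST:]
    return _feistel(key, body, tail, decrypt=True) + tail


def is_format_preserving(pan: str, token: str) -> bool:
    """Check the properties backend systems rely on: length, digits, last 4."""
    return (token.isdigit() and len(token) == len(pan)
            and token[-KEEP_LAST:] == pan[-KEEP_LAST:])


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # assumption
    pan = "4111111111111111"                           # constructed test PAN
    tok = tokenize(key, pan)
    print(pan, "->", tok, "->", detokenize(key, tok))
```

Because derivation is deterministic, the same PAN always yields the same token, which is what lets downstream systems index and search on tokens without ever seeing the PAN.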


Blueline has created two new offerings:

bluegrid™ is a turnkey solution for "Compliance in a Box".  It is a standard 19" cabinet, consisting of a series of redundant "bluenodes™" that provide the various security and compliance services required for a self-contained Compliance DMZ. It can be installed in your own data center, or hosted externally for you.  Applying the "Zero Trust" model, bluegrid™ encapsulates your sensitive application environment and provides a full security stack to protect that environment: firewall, IPS, authentication store, tokenization, encryption, logging and storage.


A standard bluegrid™ rack would consist of a mix of the following bluenode™ appliances:

bluenode tx - Traffic Manager (zero-impact deployment)
bluenode dx - Data Gateway (financial network integration)
bluenode cx - Cyber Vault (diskless tokenization, encryption)
bluenode ix - Identity Manager (device and service access)
bluenode ex - Event Manager (logging and event analytics)
bluenode sx - Storage Block (low-latency shared storage)


bluegrid™ can centralize and limit most of your PCI compliance scope to a single rack in the data center (Point-of-Sale systems excluded).


bluezone™ takes this one step further, providing a cloud-based security infrastructure that leverages APIs to isolate sensitive data outside of your IT environment, enabling secure processing of financial or other confidential data and exposing the following security services:
  • Tokenization–replacement of the original sensitive data with a risk-free replica for secure transmission, processing or storage
  • Encryption–military-grade cryptographic protection of digital content
  • Key Management–cryptographic key storage and lifecycle control
  • Payment Gateway–secure real-time and offline merchant acquirer processing of tokenized e-commerce and m-commerce transactions
  • Credit Scoring–secure personal or commercial credit check against a credit bureau, reference agency or central bank
  • Address Verification–secure cardholder address validation
  • Issuer Reconciliation–transaction batch transfer to issuer bank
  • Digital Wallet–secure checkout for merchant commerce sites and mobile applications with the e-wallet payment method
bluezone™ can effectively remove most of your PCI compliance scope from your environment altogether (Point-of-Sale systems excluded).




The Forrester TechRadar report on Data Security, Q2 2014, clearly shows tokenization having "Significant Success" in securing sensitive data.






Resources:

http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html
http://www.itworldcanada.com/blog/toronto-upstart-brings-tokenization-protection-to-uc-web-pos/98109
https://www.forrester.com/TechRadar+Data+Security+Q2+2014/fulltext/-/E-res61547
http://www.mashery.com/blog/tokenization-and-api-gateways-future-mobile-commerce
http://www.mastercard.com/gateway/payment-processing/tokenization.html
https://www.pcicomplianceguide.org/how-you-can-use-tokenization-to-reduce-pci-scope/
http://www.protegrity.com/2012/02/differences-between-vault-based-tokenization-and-vaultless-tokenization/
http://www.protegrity.com/wp-content/uploads/2013/04/Protegrity-Vaultless-Tokenization-Fact-Sheet.pdf
https://securosis.com/blog/token-vaults-and-token-storage-tradeoffs
https://en.wikipedia.org/wiki/One-time_pad
https://en.wikipedia.org/wiki/Tokenization_(data_security)
https://www.voltage.com/technology/tokenization-and-key-management/hp-secure-stateless-tokenization/
http://www.trendmicro.co.uk/media/wp/kill-your-data-to-protect-whitepaper-en.pdf
http://www.bluelinex.com/trends.html
http://www.bluelinex.com/resources/blp204_osfi_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_pci_compliance_sheet.pdf
http://www.bluelinex.com/resources/blp204_hipaa_compliance_sheet.pdf
http://searchcloudsecurity.techtarget.com/tutorial/PCI-and-cloud-computing-Cloud-computing-compliance-guide
http://www.crn.com/news/managed-services/300075263/2015s-big-opportunity-for-msps-compliance-as-a-service.htm
http://www.infoworld.com/article/2622986/risk-management/the-case-for-compliance-as-a-cloud-service.html




Wednesday, 11 June 2014

What if Target had followed a Zero Trust model?

Yes, I agree that I'm late to the table on yet another Target Breach Blog, but I want to throw a twist on the story...

A fantastic "WHAT IF?"

I want to transport you momentarily, to a utopian world where Large Corporations understand that firewalls and segmentation do not provide complete security anymore (probably never did), and that to truly protect your Infrastructure, Applications, and Customer Data, you need to do so at the host!   



First, let's spend a minute reviewing what we know...

Brian Krebs, of Krebs on Security, has meticulously documented and unraveled the timeline and events that led up to the actual Breach.   I will not reiterate all the gory details here, but will refer to his findings along this journey...

Of specific note: as of this date (June 13th, 2014) we still do not *know* for certain how the attackers got into Target's internal network, nor how they escalated privileges to install their malware.

Krebs, Dell SecureWorks, and Malcovery have collected strong evidence to support a hypothesis. We do not need to fully understand the mechanics of the breach to conjecture a remediation strategy for those who have not identified their breaches as of yet.


In a nutshell, the attackers launched a phishing attack some time in October 2013, and managed to compromise one of Target's vendors.  The credentials for this vendor most likely gave the attackers access to Target's Online Billing system.  Coupled with a large amount of publicly available documentation intended to assist vendors in accessing the system, the attackers were able to capture enough detail of the Target network and Active Directory Infrastructure to launch a SQL injection attack.  It is believed that they used this SQL injection attack to install tools used in the remainder of their exercise.

From the Dell SecureWorks documentation:

They were able to install three different sets of malware to enact their scheme.  First, they added a variant of a previously known Point Of Sale memory scraper.  This application would monitor the active processes' memory on the Embedded Windows POS endpoints, and capture anything resembling Credit Card information.  The application would then periodically ftp that information to another server that was compromised through a privilege escalation in Active Directory.  Yet another compromised system would pick up the data from that ftp service, and deliver it to several external ftp sites.



 
(trust me... you want to read that link!)


The immediate questions being:
  1. How did they compromise a public facing application to get "inside" the Corporate Network?
  2. Why were 3rd party credentials on an external facing application associated within an Internal Directory?
  3. Where was Intrusion Prevention between their DMZ and the Corporate Network?  
  4. How did an Admin Account on a single server get privilege escalated to the Active Directory? 
  5. Once in the Production Environment, how did they get to the POS network?  I mean they are PCI compliant, aren't they?  There should be no direct path between the two...
  6. Where was Intrusion Prevention between the corporate network and the POS network? 
  7. How was an FTP service allowed to communicate from the Data Center out to the Internet?
  8. Where was Intrusion Prevention between the Corporate Network and the Internet?  
  9. If IPS was in fact in place (I have to believe it was...)  was it detuned or ignored?
Target isn't talking, so.... 



Let's assume, for the sake of the remainder of this posting, that they had put a Zero Trust security model in place.  How would this scenario have played out?  What are the points of contact that would have raised alerts/sounded alarms?



In a true Zero Trust model, there would not only be network segmentation between zones of trust (production, dev, test), but between the tiers of an application stack (presentation, application, data). Applications, and Lines of Business would be segregated from one another as well. 

Where there were zones containing or processing sensitive data, the demarcation between such segments would be augmented with additional controls such as Intrusion Prevention, Data Loss Prevention and Network AntiMalware. Privileged Password Vaults would be used to manage any level of administrative access required across the board: Windows/UNIX/Mainframe/Network...

Seems like an impossible task?  Too late to retrofit into an existing production infrastructure!  It will never work!!!  Or... Can it?

The cost, both financially and in time, would be extremely prohibitive to retrofit an existing corporate network.  VLAN segmentation, layer 2 and layer 3 firewalls, as well as a myriad of network security appliances are needed to inspect and enforce traffic moving between hosts...

But what if you could make the servers themselves complicit in the overall security?


By having a properly configured and managed host based security suite in place, applications residing on those hosts would only allow traffic communications from known sources, on known ports, using known protocols.  Attempts to brute force passwords, scan ports, or escalate privileges would not only be immediately blocked at the server being attacked, but all other systems within the management policy.  Alerts would be sent to the Corporate SIEM, and multiple layers of alarms would be generated.  If a server were actually compromised, the incident could be contained to that one host.

You could gradually integrate the Zero Trust model into your environment, one host at a time, by creating Virtual Zones of Trust.  Start with low hanging fruit, by grouping systems belonging to a common application, and applying a policy that rejects traffic from other applications, essentially "sandboxing" the application.  


From my previous article:
A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SIEM.

How could Host Based Protection have helped Target?

With Host Protection installed on the Point of Sale Embedded Windows OS terminals, a policy would restrict the system from accepting patches/updates, or installing software/executables from anywhere other than the official SECURED software distribution infrastructure.  This would have eliminated the potential of an attacker installing anything, unless they had already compromised your software distribution infrastructure.  The POS application would run in a "sandbox", basically a separate secured process that does not expose its memory or connectivity to other processes on the host. This would have eliminated the potential for memory scrapers.  Essentially, phase 1 of the attack would not have been achieved.

With Host Protection running on the core data center servers (both physical and virtual), there would be no way to install the data transfer software... even if you had the credentials to an administrative service account on the server. The Host Protection would only allow software updates, patches, or executables to be pushed from the official SECURED software distribution infrastructure.  If the data transfer software were already installed, then any change to the configuration of this software, even with a compromised administrative service account, would raise an alert, and log all activity to the console.   If the alert was not responded to within a period of time, the configuration could be rolled back automatically. Essentially, phase 2 of the attack would not have been achieved.






With no Phase 1, and no Phase 2... exfiltration of the customer data through this methodology would not have happened, and CEO Gregg Steinhafel and CIO Beth Jacob would still have their jobs...







Additional controls to consider, beyond those provided by Host Based Server Protection:
  • Segment POS network from the corporately accessed network
  • Segment Database network from the corporately accessed network 
  • Encrypt all transactions between POS network and servers outside POS network
  • Employ a Privilege Access Management Strategy
  • Enforce scheduled maintenance windows for software updates/installations
  • Enforce specific hosts/accounts allowed to deploy software updates/installations
  • Patch Applications as well as Operating System as patches become available
  • Use Heuristic Analysis as well as Signature based AntiMalware. 
  • Subscribe to and USE live Threat Analysis Feeds
  • Do not log locally, but rather stream log events to a SIEM 
  • Remove - not just disable - all non-pertinent applications/executables
  • Run AntiMalware at your Internet Egress point, as well as on your hosts
  • Run Data Loss Protection on your hosts as well as at ALL egress points






References:





Wednesday, 9 October 2013

Host Protection - Standards and Reference Controls


The Concept of Zero-Trust

To allow for near-future work models, where employees can bring their own mobile devices into the workplace,  where “work from home” is standard practice, and where the Data Center is being virtualized and services abstracted to external third party providers,  the Security Industry is rethinking the traditional concepts of  boundaries and perimeters.

The concept of Zero-Trust is an approach to network and device security that places security at the core of the network and makes it central to all network transactions.

This security centric approach advocates a number of principles to design a secure and flexible network that can protect against modern malware and threats.  

Key to this design is the transformation from classical security overlay which simply inspects packets destined to and from the Internet, to ensuring every packet is securely delivered to its destination.

The Zero Trust model provides an innovative data-centric approach to security that protects against sophisticated and targeted attacks.

Regardless of the reason, your data center is expanding beyond your bricks-and-mortar controls.  Many call this the Shrinking Perimeter.  Firewalls at the edge of your network are no longer adequate, and provide a false sense of comfort.

Empowered users are accessing the network from a variety of devices (e.g., laptops, tablets, and smart phones) and from a variety of locations. 


The expectation of anytime, anywhere “workspaces” for these users enables new gains in productivity, but also leads to new security challenges in differentiating access based on user, application, device type or access type (wired, wireless, VPN).
 

A typical "Data Center" is constantly under threat, both from external sources as well as internal entities.
 
What is "Host Protection"?
 
A “Host Protection” service must ensure the integrity of all resources within the system it is protecting.  This would include monitoring of and prevention against unwanted or malicious network traffic coming in and out of the host, and monitoring and management of file integrity, memory integrity, and in the case of Windows Servers, registry integrity.


Host protection will employ centrally managed rules and profiles to ensure that applications on the host behave appropriately and that user and service accounts only have appropriate access to files and applications, through whitelisting and blacklisting.


A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SIEM.


What is considered a Host?




In the simplest terms, a “Host” is just a network connected server that provides services to other systems.  These services may include database, mail, web, file share, print, etc…


  • A host can be physical or virtual, and may run any of a dozen operating systems. 
  • A host typically will have additional software added to provide its specific functionality. This may include various commercial database and/or application server packages from a multitude of vendors.
  • A host will generally have a specific purpose or “role” within the data center, which would be defined by its configuration and/or the applications/services running on it.
    • Similar hosts may be “clustered” together to provide a single service for performance or availability reasons.
    • Hosts may be grouped together by similar role
    • Hosts that work together to provide a specific service may be grouped together
    • Hosts that belong to a specific Business Unit may be grouped together



A managed host may reside anywhere that connectivity and general network security is provided.  This includes data center, branch/campus, telco service provider, 3rd party business partner, hosting provider or cloud service provider.

Regardless of Operating System, almost all servers are comprised of the above layers.

All layers above the Operating System kernel are potential places for vulnerabilities, and exploitation.  A complete Host Protection Service must take all of these into account.


Protecting a Heterogeneous Environment



Any system or service devised to protect a typical data center environment must be all-encompassing. 


Broad Spectrum of Host Operating System coverage:
  • Any Host protection system deployed must operate and protect the majority of Operating Systems that can be found within the environment. This includes but is not limited to Microsoft Windows Server, IBM AIX, HPUX, Solaris, Linux, VMware, Xen, Microsoft HyperV
Broad Spectrum of Database Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Database Systems that can be found within the environment. This includes but is not limited to Microsoft SQL Server, Oracle SQL, Sybase, IBM DB2, Ingres, PostgreSQL, MySQL

Broad Spectrum of Application Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Application Servers and Frameworks that can be found within the environment.  This includes but is not limited to Microsoft Active Directory, Exchange, SharePoint, and ISA, WebLogic, Oracle, WebSphere, JBoss, IBM Domino, Java, ASP.Net, PHP


Broad Spectrum of Web Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Web Servers that can be found within the environment.  This includes but is not limited to Microsoft IIS, Apache, Tomcat, Weblogic, Oracle

 

Host Protection - Operating System Layer

  • File Integrity Monitoring and Prevention:
    • Identify changes to files in real-time, including who made the change and what changed within the file.
  • Memory Integrity Monitoring and Prevention: 
    • Identify in real-time, any attempt to modify or corrupt memory outside of the boundaries of that owned or managed by a specific application or service.
  • Registry Integrity Monitoring and Prevention: 
    • Identify changes to Windows Registry settings in real-time, including who made the change and what changed within the registry.
  • Device Control: 
    • Identify, prevent and alert on attempts to access system devices which are outside of a particular security profile.
  • Configuration Monitoring: 
    • Identify policy violations, suspicious administrators or intruder activity in real-time.
  • Targeted Prevention Policy: 
    • Respond to server incursion or compromise immediately with quickly customizable hardening policies.
  • Granular Intrusion Prevention Policies: 
    • Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
  • File, system and admin lock down: 
    • Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Host Protection - Network Layer



A Host Protection Service must be able to provide a means to identify and control network traffic into and out of the host in  question.


Centralized management, reporting and alerting of standard Layer 3 firewall functionality is mandatory.

Source / Destination / Port / Service for each packet must be validated.

Stateful inspection is “nice to have” but not a requirement 

Centralized management, reporting and alerting of Layer 4 through 7 “Application Firewall” functionality is mandatory for systems not protected by network based WAFs. Depending on the purpose of the host, the WAF profile will differ:


At minimum, recognize and protect against the OWASP Top 10 application vulnerabilities.

Intrusion Prevention through any of signature / whitelist / blacklist or heuristics, identify malicious or malformed traffic, and based on policy settings: prevent, log, and alert.



Host Protection - Application Layer

A Host Protection Service must be able to provide a means to identify and control appropriate access within and between applications.



A host protection service must be able to monitor/collect/report on all resources that an application uses over a period of time to define a “baseline” for appropriate behavior or functionality.  These resources include, but are not limited to:

  • Files
  • Folders
  • registry settings
  • device drivers
  • Libraries
  • network connections
  • service accounts

Once the baseline has been set, any deviation from that must get escalated for review and/or remediation.

This baseline can then be used as a template for other hosts running this same application.

A profile or role can be made, based on this baseline, and a centralized policy defined to manage all hosts that use this template.
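As an added example (not from the original posts or any vendor product), the following models the baseline-and-deviation process just described, and the Target "what if" in the earlier post: resource snapshots from hosts running one application are merged into a baseline, and a later snapshot of another host is checked against it, with every unknown file, listener, outbound peer or service account escalated. Host names, paths, ports and hashes are constructed sample data.

```python
"""Host baseline learning and deviation detection (added example).

A Snapshot records the resources an application on a host uses: files with
their content hashes, listening endpoints, outbound peers and the service
accounts it runs under.  Snapshots from a learning period become a baseline
(the "template" for the role); later snapshots are checked against it and
each deviation is returned for escalation to the SIEM/SOC.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    host: str
    files: dict           # path -> content hash
    listeners: frozenset  # (proto, port) the application listens on
    peers: frozenset      # (remote, port) outbound connections it opens
    accounts: frozenset   # service accounts it runs under


@dataclass(frozen=True)
class Deviation:
    host: str
    severity: str
    kind: str
    detail: str


# Severity per deviation kind; an unexpected binary or outbound peer is the
# kind of change that, in the Target scenario, should have raised an alarm.
SEVERITY = {
    "file_modified": "high",
    "file_added": "high",
    "file_removed": "medium",
    "listener_added": "high",
    "peer_added": "high",
    "account_added": "medium",
}


def build_baseline(snapshots):
    """Merge learning-period snapshots into one baseline.

    A file seen with two different hashes during learning is ambiguous: it
    is left out of the baseline so it is flagged on every check until a
    human reviews it, rather than silently accepted.
    """
    files, listeners, peers, accounts, ambiguous = {}, set(), set(), set(), set()
    for s in snapshots:
        for path, digest in s.files.items():
            if path in files and files[path] != digest:
                ambiguous.add(path)
            files.setdefault(path, digest)
        listeners |= s.listeners
        peers |= s.peers
        accounts |= s.accounts
    for path in ambiguous:
        files.pop(path, None)
    return Snapshot("baseline", files, frozenset(listeners),
                    frozenset(peers), frozenset(accounts))


def check(baseline, snapshot):
    """Return every deviation of `snapshot` from `baseline`."""
    devs = []

    def flag(kind, detail):
        devs.append(Deviation(snapshot.host, SEVERITY[kind], kind, detail))

    for path, digest in snapshot.files.items():
        if path not in baseline.files:
            flag("file_added", path)
        elif baseline.files[path] != digest:
            flag("file_modified", path)
    for path in baseline.files:
        if path not in snapshot.files:
            flag("file_removed", path)
    for proto, port in snapshot.listeners - baseline.listeners:
        flag("listener_added", f"{proto}/{port}")
    for remote, port in snapshot.peers - baseline.peers:
        flag("peer_added", f"{remote}:{port}")
    for account in snapshot.accounts - baseline.accounts:
        flag("account_added", account)
    return devs


def fake_hash(content: str) -> str:
    """Stand-in for a file's content hash (constructed data)."""
    return hashlib.sha256(content.encode()).hexdigest()[:16]


# Constructed learning-period snapshots of two terminals running the POS app.
APP_FILES = {"C:/pos/pos.exe": fake_hash("pos v1"), "C:/pos/pos.cfg": fake_hash("cfg")}
LEARN = [
    Snapshot("pos-01", dict(APP_FILES), frozenset({("tcp", 8443)}),
             frozenset({("pay-gw.internal", 443)}), frozenset({"svc_pos"})),
    Snapshot("pos-02", dict(APP_FILES), frozenset({("tcp", 8443)}),
             frozenset({("pay-gw.internal", 443)}), frozenset({"svc_pos"})),
]
BASELINE = build_baseline(LEARN)

# Constructed later snapshot of a third terminal: an unknown executable and
# an outbound connection to a host the application never talked to before.
SUSPECT = Snapshot("pos-17", {**APP_FILES, "C:/pos/unexpected.exe": fake_hash("x")},
                   frozenset({("tcp", 8443)}),
                   frozenset({("pay-gw.internal", 443), ("10.0.9.9", 21)}),
                   frozenset({"svc_pos"}))


def suspect_findings():
    return check(BASELINE, SUSPECT)


if __name__ == "__main__":
    for d in suspect_findings():
        print(f"[{d.severity}] {d.host} {d.kind}: {d.detail}")
```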

 

Host Protection - Database Layer

A Host Protection Service must be able to proactively prevent or provide remediation for security risks to database systems.



These risks include, but are not limited to:
  • Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers.
  • Unauthorized or unintended activity or misuse by unauthorized users
  • Unauthorized or unintended privilege escalation
  • Malware infections causing unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems
  • Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities

 

Host Protection - Web Layer

According to OWASP (http://www.owasp.org) and SANS (http://www.sans.org), the top web server vulnerabilities include:


  • Cross Site Scripting
  • SQL Injection
  • PHP Injection
  • Javascript Injection
  • Path Disclosure
  • Denial of Service
  • Code Execution
  • Memory Corruption
  • Cross Site Request Forgery
  • Information Disclosure
  • Arbitrary File
  • Local File Include
  • Remote File Include
  • Overflow
  • Other









OWASP is the emerging standards body for Web application security. In particular, they have published the OWASP Top 10, which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and also produced open source best practice documents on Web application security.

 

Host Protection - Managing Profiles



A Host Protection Service must be able to centrally manage security profiles and templates, proactively alert on deviations, accept real-time updates from external threat intelligence providers, and feed a centralized SIEM or SOC.

Management of security profiles will allow for granular nesting of roles/profiles.

For example:
  • Nested security profiles, akin to Active Directory’s “Group Policy” management will enable quick access and visibility to host assets by Owner, Role, or Location
  • A high level role would be assigned to “Operating System Platform”
    • A nested role would be assigned to SPECIFIC Operating Systems (Windows Server 2003, Windows Server 2007, AIX 5.3, AIX 6.0, HPUX 11…) to refine control
  • A high level role would be assigned to each Database System Platform
    • A nested role would be assigned to SPECIFIC Database Systems to refine control
    • A nested role would be assigned to Critical Database Systems to refine control
  • A high level role would be assigned to each Application Type
    • A nested role would be assigned to SPECIFIC Application Instances to refine control
  • A high level role would be assigned to each Web Server Platform
    • A nested role would be assigned to SPECIFIC Web Server types to refine control
    • A nested role would be assigned to Critical Web Servers to refine control

Security profiles can be nested and grouped by role, owner, or location.

To be effective, a Host Protection Service must be managed centrally, receive live threat and signature updates, and report into a SIEM or SOC in real-time.

 

So?  Who are the players in this field?
Symantec Critical System Protection   - To date, Symantec CSP provides the widest coverage for server roles across the most Operating Systems - Both Physical and Virtual.  Their System Protection Console cleanly integrates their Security and Malware product suites into a single pane of glass.
TripWire Enterprise File Integrity Monitor - TripWire has been the industry leader in this space for over a decade, and is perfect for small to medium enterprises.
McAfee File Integrity Monitor - McAfee provides a suite of tools that are well integrated for protecting Windows Based Servers and Databases.
IBM Tivoli Virtual Server Protection - VMware ESX protection suite.

SafeNet Data Protection Suite
NewNetTechnologies NNT
Splunk Change Monitor

Further Reading:
http://www.infosecurity-magazine.com/view/30067/51-of-uk-networks-compromised-by-byod
http://www.novell.com/docrep/2010/03/Log_Event_Mgmt_WP_DrAntonChuvakin_March2010_Single_en.pdf
http://www.acunetix.com/websitesecurity/webserver-security/
http://www.symantec.com/page.jsp?id=protection-center
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx
http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_protecting_active_directory.pdf
http://www.sans.org/reading_room/analysts_program/mcafee-server-protection-june-2010.pdf
http://www.newnettechnologies.com/tripwire-alternative.html?gclid=CO3A8cn1uLUCFShgMgodLloAtw
McAfee Total Protection for Endpoint Datasheet
McAfee Total Protection for Virtualization Solution Brief Datasheet

3rd party List of System Integrity Tools:
https://mosaicsecurity.com/categories/83-system-integrity-tools?direction=desc&sort=products.name