Wednesday, September 26, 2018

Comsec's Josh Grossman presenting at AppSec USA 2018

Come and meet Josh Grossman, one of our Application Division team leaders, at AppSec USA 2018 being held in San Jose, California in October!

What is AppSec USA?

AppSec USA is organised by OWASP, the Open Web Application Security Project as one of their two, annual, global conferences. It brings application security professionals from across the world together to hear about cutting edge topics and ideas in the industry through three, two day tracks of lectures. Talks are evaluated through a competitive Call for Papers process to ensure that the highest quality talks are presented at the conferences.

What will the talk be about?

Josh will be giving a talk entitled "How to get the best AppSec test of your life". In this talk, he uses his experience of delivering hundreds of application security testing projects to provide insights into how companies can get the maximum value from this process. The insights come from all stages of the testing process from scoping all the way to actioning the report and assessing next steps and can be applicable whether companies are doing these tests by choice or based on regulation, company policy or customer demands. 

The talk begins by explaining how you can "Hack your test" by choosing the assessment that makes the most sense for your organisation and then customizing the assessment for your needs. The talk covers discuss, what should you consider when choosing a provider? What should you request and expect from them up front? How should the scope should be defined to best use the time available and how should the time available be split across different stages of the assessment? How to balance realism and practicality?

The talk continues with ideas to ensure you are prepared for the test. If you are well prepared, the tester gets to spend the maximum of time working on your app rather than getting distracted with questions or logistics issues. The talk discusses recommended testing setups and which elements you should discuss with the tester up front. It also discusses classic errors and misconceptions that can lead to time wastage and inadequate results.

Finally, the most important part of the whole exercise: getting high quality, actionable output from the assessment. Many of the points discussed above will automatically lead to better assessment results by better tailoring the assessment but you still need an actionable report. This section starts with how to decide on the reporting process that is best for your organisation. It then discusses what you should expect from recommendations, what you should do when you receive them and how you can utilize your tester to decide on next steps.

What are the key takeaways?

Developers and others involved in a company's software development lifecycle will leave this talk with ideas that you can apply today, tomorrow and in the future to ensure that application security tests aren’t just a compliance tick-box but rather deliver real value and make an application more secure.

Monday, September 3, 2018

ISO 27001 Review- an inner view from comsec advisor

 Tiennot van Dilst- Principal Consultant / Delivery Manager – Comsec Benelux
During my career as a CSO and Security Consultant, I have worked with the ISO 27001 standard on various occasions. 
As a consultant I have helped various medium and large organizations in assessing and implementing the standard, whereas as a CSO I have been on the other side of the coin, being fully in charge of implementing the standard within the organization in which was working for.
I have also encountered the different pitfalls associated with implementing the standard and getting (part of) the organization certified.
I am writing this article in the hope that I can ease the mind of people in the Information Security field wanting to start to work with the standard, or who are looking to work with an external organization to support their implementation process.

So what is the ISO27001 Standard?

First of all, let me try to explain to you what the ISO 27001 standard (formally known as ISO/IEC 27001:2013) is all about. Many people are under the impression that when an organization is certified, it must be a secure organization…. I’m sorry to destroy that illusion for you but it is unfortunately not true. Being certified means that the organization has an information security management system (ISMS) implemented that, if maintained correctly, will enable the organization to manage their risks, implement and consolidate the selected and approved measurements and controls to mitigate those risks, and bring the risks down to an acceptable level.
The ISO 27001 standard does not provide a golden ticket showing you which controls you should implement. However, it does provide you with a management system which enables you to implement those controls. When implemented correctly, the management system will deliver continuous improvement of these implemented controls. The measures and controls themselves can differ from organization to organization, however the majority of organization conform to a standard control set, which is supplied as an annex to the standard, and which is fully described in the ISO 27002 guide, which focuses on the actual security controls.
Nevertheless, there are some controls in every ISMS that keep the management system operational which we cannot go without. For example, having a formal policy in place, a security organization, periodic reviews/audits and having an improvement process in place.
So two organizations can both be ISO 27001 certified, but have completely different control sets. In the Netherlands I have encountered this several times. Specifically, I have seen organizations where they are ISO 27001 certified but using the controls supplied by the Dutch health care standard NEN7510. 
In short: “ISO 27001 describes the requirements of the ISMS and you can certify parts of your organization or processes if they are working according to this management system, whereas ISO 27002 provides you with an implementation guide on how to implement the commonly used controls. (ISO 27002 is not a standard to which you can certify). 

It’s all about scope…
Especially (however not exclusively) in the IT department, when a company is looking for a service provider and requesting information, the suppling organization will try to baffle you with all the certifications they have. You will see that they say, almost by default “we are ISO27001 certified, so you should not worry about security”. In the meantime, they won’t tell you what is the exact scope of their certification. Lesson number one in this case should be to always ask them to explain to you exactly which part of the organization is certified, or even better ask them for their “statement of applicability”, which will show you the scope of the certificate and which controls have been implemented. 
On the other hand, when you looking to implement the standard in your own organization, make sure you find out exactly which part of your organization you want to be certified. In many cases, certifying your complete organization will overshoot the goal. Always keep in mind the additional value of having a certification and make sure that the important processes and assets (including their supporting processes) are in scope. 
While other processes might not be in scope for the certification, they can work according to your ISMS.

From unknowingly being at risk to willingly taking a risk….
So here we are, we are aware that the standard is about having a management system in place, and we know now what is important enough is to have in scope, what’s next? First of all, we need to consolidate the management system, meaning that we have to make sure that the right environment is set to create and maintain an ISMS. In many cases you will see in this phase that companies will create a security role or organization, describe the strategic policies (based upon the mission and vision of the company, local law and legislation and in some cases other factors like the position of the organization in the society, public interest, physical location etc.), and make sure we know what the important risks to the organization are. From these high level risks, we can filter operational risks, asset risks and process risks and think of (and document, and approve), measurements to bring the risk level down to an acceptable level.  
After implementation, the organization should check if the controls and measures are implemented correctly (Internal audits, technical reviews etc.), and management should be informed about the process on a regular basis. This cycle usually takes 3 months to a year and repeats itself annually.
Again, it’s not about fully mitigating the risks, it’s about knowing what your risks are and bringing them to an acceptable level.

Part of a normal schedule for activities within an ISMS could be: 

  •  Risk analysis 
  • Review and update of policies
  • Review of the ISMS by management
  • Internal audits
  • External audits
  • Annually 
  • Annually 
  • At least once a year 
  • Depends on what being audited:  Controls which consolidate the management system - annuallyControls which are part of the ISMS will depend on the importance of the measurement and the process or asset it is protecting. Can vary from once every 3 months to once every 3 years. Most controls should be reviewed at least once a year 
  • Every three years, a thorough ISMS review should be carried out, although every year the auditor will check if the ISMS is working correctly

You should always try to do better…
As I said before, every ISMS is created to guarantee a continuous improvement cycle. Points to improve are detected by doing the audits and reviews. Alongside that, it is important to have a process in place to detect and mitigate incidents. The main goals of the incident management process are to:  To detect and address breaches and or vulnerabilities in a timely manner;  To pinpoint the root cause of the incident; To learn from the incident.

Some tips based upon my experience: 
  • Certification is not the goal: In my career I have encountered organizations for which being certified was the goal. Even though I can see why, I would strongly suggest against it and especially not communicate it like that within the organization. My experience is that a lot of money, time and effort is spent in these cases and then, when the first certification audit is passed successfully, attention drops again, old habits reappear and, by the next cycle, most things need to be urgently redone right before the audit. Better to have the focus on the continuous improvement process so that the ISMS will start to work for you and not just guarantee a certification but rather also improve and streamline your organization and processes
  • Make use of the knowledge of your employees during internal audits: No need to have an internal auditor check every measure in every process or system. One of the tactics I used was to have the system administrator of system A periodically check the implementation of the controls on system B (not administered by him) and document the status. In that case, an internal auditor only has to check the reports and see if the controls have been checked correctly  
  • Stay away from disciplinary procedures: If an incident occurs by mistake, make sure that whoever caused the incident is not punished. Try to learn from it as an organization without placing someone on the wall of shame. 
  •  Start with the People: To implement an ISMS you will need the cooperation of everybody in the organization. Raising awareness throughout the organization is a great way to get everybody on board so start with that as soon as possible. 
  • Controls not in place: Do not panic, if it is not one of the controls designed to keep the ISMS working, you won’t fail an audit over it. Make sure it is well documented and in most cases I would advise to document it as a security incident and go through the incident management process to determine why it was not correctly implemented and what is the best course of action to correct it. Use the knowledge to learn from so that next time it won’t happen so easily. 
  • Make use of an external consultant: Usually implementing an ISMS is not the primary business of an organization and in most organizations, especially when starting the implementation, there is not much experience available. Hiring a professional consultant can immediately provide you with the experience you need, taking away a lot of the headaches you will encounter.  When hiring a consultant make sure they understand your business and speak the language of your company.

Of course the points described above only scratch the surface. In subsequent articles I will dive deeper into the material. However, if you have any questions, do not hesitate to contact myself or my Colleagues at Comsec.

Tiennot van Dilst CISSP CEH


Thursday, August 23, 2018

Comsec sponsoring OWASP AppSec Israel 2018

AppSec Israel 2018

Comsec is proud to be a sponsor of OWASP’s AppSec Israel 2018 conference which is being hosted at Tel Aviv University at the start of September. This is the biggest Application Security conference in the region with speakers from both Israel and overseas presenting on cutting edge application security topics. This year’s conference will also include keynotes from internationally acclaimed experts, Jim Manico and Julie Baker.

About the conference

The conference starts on 5th September with a day of hands-on application security training aimed at helping developers, QA people and newcomers to the Application Security field to develop their skills in the field. That evening there will be special “Women In AppSec” session for women (and female-identifying) only.

The conference then continues on 6th of September with three parallel, full-day tracks of talks selected from a competitive submission process aimed at people at all levels of involvement in the software lifecycle. The conference talks have been at a consistently high level of quality year after year and this year looks like it will be no exception!

All events are free of charge and registration is already open at this link.

Meet us there

Comsec will have a booth in the sponsors area with both technical and HR staff on-hand and we would be delighted to see you there and talk to you about your Application and Cyber Security challenges as well as life working for Comsec and our current vacancies.

See below some photos from our booth last year:

Thursday, March 15, 2018

Cyber Updates - 15th March 2018

Commercial  Disagreement leads to mass TLS certificate revocation

In a somewhat baffling story, 23,000 certificates sold by certificate reseller Trustico were suddenly revoked. It appears that Trustico wanted to move their customers to new certificates and saw this as a quick way of doing so.

Trustico requested that Digicert, the certificate issuer, revoke 50,000 certificates, citing some unspecified compromise. DigiCert refused without evidence of compromise so Trustico effectively created a compromise by emailing 23,000 private keys to DigiCert. At this point, DigiCert had no alternative under Certificate Authority rules other than to revoke these certificates meaning that visitors to these sites would potentially start receiving secure connection errors within 24 hours.

Key takeaways:

  • It is important to monitor the trustworthiness of your certificate provider. Let's Encrypt is a well respected, free and easy to automate certificate provider.
  • Never allow a certificate provider to generate or get access to your private key. You should always generate a Certificate Signing Request (CSR) and send that to the provider, see example instructions here.

Crypto-mining malware on UK and US government sites

Scott Helme, a UK based security researcher, discovered that various UK government sites were serving up JavaScript which used the browser to mine cryptocurrency, therefore causing significant CPU utilisation for the the end user. Further investigation indicated that a 3rd party called BrowseAloud who provide a script to read website content for blind/partially sited people, had been compromised. Their script had been altered to insert this crypto-mining script meaning that any site using their script would be infected by this.

Key takeaways:

  • If enterprises or consumers use anti-malware protection on web browsing, it would hopefully detect and block this script.
  • Web Site administrators can use Sub-Resource Integrity to monitor and block unexpected script changes.

Record DDoS attacks using memcached

A number of record-breaking DDoS attacks were seen in the last few weeks which utilised a service called memcached as an amplification vector. This occurs because when an attacker sends packets with a source spoofed to be the target's IP address to this particular service, it responds with a much larger response than the initial request leading to an amplification of up to 51,000x the size of the original request.

One high-profile victim was GitHub although they were able to continue operations with minimal disruption with help from their DDoS protection provider.

Key takeaways:

  • DDoS is a scenario you have to plan for in advance, if you don't have a plan by the time it starts, it is likely to take you offline.
  • DDoS protection for such a large attack will require the assistance of your upstream Internet provider and potentially a specialist service.
  • Comsec offers a DDoS readiness service where you can assess the ability of your systems to withstand this type of attack.

Josh Grossman
Senior Information Security Consultant and Team Leader

Tuesday, February 6, 2018

Cyber Updates - 6th February 2018

CPU vulnerabilities revealed 

After several days of intense speculation, an embargo was lifted on the disclosure of two classes of processor vulnerabilities, dubbed "Meltdown" (affecting Intel specifically) and "Spectre" (affecting multiple processor manufacturers). These vulnerabilities allow one process to read sensitive data from another process including passwords, session tokens and more. Three of the discovers presented a talk on the vulnerabilities at the BlueHatIL conference here in Israel a few weeks ago. 

As the vulnerabilities reside in the processors themselves, for now all that can be done is to apply patches to mitigate the issues however this process has not proceeded smoothly with Microsoft having to hold off on deploying patches until users updated their anti-virus software and culminating in Intel advising users to stop applying their patches until further notice.

Key takeaways:

  • Apply patches based on vendor advice and be sure to test patches in a staging environment before a mass deployment to production systems. This should be standard practice in any case.
  • These vulnerabilities have gathered a large amount of attention due to their branding and novelty although the CVSS scores of the vulnerabilities are a modest 5.6 due to the need to execute code locally. As such, this should be taken into account when prioritising efforts and there may be more serious issues which should be addressed first (see other items in this post).
  • If you are using antivirus software which no longer updates or a system without any antivirus software at all, it may no longer install any Windows updates due to the issue with antivirus noted above!

Remotely exploitable Cisco vulnerabilities

A much more serious vulnerability was reported in Cisco ASA and Firepower edge devices which could allow a remote authenticated, attacker to execute code on the devices. As these devices are designed to be exposed to the Internet, this merited a CVSS score of 10. As with the previous story, patching was not straightforward with Cisco having to issue an updated patch as the first patch was incomplete as well as complaints that it took Cisco too long to inform customers.

Key takeaways:

  • This issue should be patched as soon as possible on all affected edge devices. 
  • All security controls should be considered to be layers and it would be a worthwhile exercise to consider what would happen if certain controls, e.g. use of network edge protection, were suddenly disabled or bypassed.

Further Weaponisation of MS17-010 vulnerabilities

We have previously spoken about the increased risks of vulnerabilities of easily available exploits. We therefore wanted to highlight the news that a security researcher has ported some of the NSA exploits (EternalRomance/EternalSynergy/EternalChampion) which previously worked on certain Windows versions to run on any version since Windows 2000. These

Key takeaways:

  • If you have any version of Windows (server or desktop) from Windows 2000 onwards and it has not been patched with MS17-010, it can be remotely compromised wherever SMB is enabled.
  • Whilst it appears that MS17-010 can potentially be applied to Windows Server 2003 and Windows XP, it appears that Windows Server 2000 is not patchable.

The potential dangers of package managers  

A well written blog post called "I’m harvesting credit card numbers and passwords from your site. Here’s how." went viral a few weeks back which explained how it is possible to exploit the reliance on package managers in software development to insert malicious code into an application.

Liran Tal wrote an interesting rebuttal to the post where he points out that the premise of the post relies on blindly adding packages without consideration.

Key takeaways:

  • Clearly the scenario in the original post is possible although, as Liran says, this is more of an issue of developer awareness and due diligence with open source code.
  • R&D teams should be aware of the risk and have an inventory of what code libraries they are using and how they can verify where they have come from.

Josh Grossman
Senior Information Security Consultant and Team Leader

Tuesday, January 2, 2018

Cyber Updates - 2nd January 2018

Breach at PayPal subsidiary

PayPal disclosed at the start of December that the personal information of 1.6 million individuals may have been exposed when a subsidiary, TIO Networks which had been acquired in July 2017, was breached. It is not clear whether the breach occurred before or after the acquisition but TIO's systems had not yet been integrated into PayPal’s environment which was therefore not at risk. TIO had already suspended operations in November 2017.

Key takeaways:

  • Acquisitions are very and can expose a well-controlled technology environment to new and unknown security risks if the new subsidiary's network is less well controlled.
  • Security due diligence should be part of the pre-acquisition process and the new environment should be carefully reviewed before integration into the main environment (as appears to have happened in this case).

Serious Privilege Escalation bug in macOS

A very serious security flaw was discovered in High Sierra, the latest macOS. Specifically, if a user tried to authenticate as root (highest privileged user) with a blank password in certain situations, the first time it would not accept it but would silently set the root password to blank and therefore the second time it would allow the user to login as root. Apple subsequently release a patch to address this. A detailed technical write-up of this is here.

Key takeaways:

  • It is important to keep on top of patch management at all levels of the business including endpoints.
  • All security controls should be considered to be layers and it would be a worthwhile exercise to consider what would happen if certain controls, e.g. use of low privilege endpoint users, were suddenly disabled or bypassed.

Top Secret data left exposed in Amazon S3 buckets

A couple of examples recently of top secret US Department of Defense materials (including an entire virtual machine image) being found in unsecured Amazon S3 (Simple Storage Service) locations allowing anyone on the Internet who discovered the locations to download them.

Key takeaways:

  • Use of cloud services is becoming ubiquitous but each cloud service needs someone who is skilled with using the service to act as "security administrator" to ensure these types of error do not occur.
  • Part of this should be frequent technical audits of the cloud environment to look for security issues or misconfigurations.

Critical Vulnerability in Keeper password manager 

Tavis Ormandy discovered a critical flaw in the Keeper password manager (which comes bundled with Windows 10) which could allow an attacker to gain access to passwords stored using the tool. Whilst this was not a good situation, Keeper managed to make it worse by suing a news organisation which reported on it therefore guaranteeing themselves a flood of negative publicity in the Information Security world.

Key takeaways:

  • Whilst having a critical vulnerability reported in your software is not ideal, if reported responsibly then you have effectively received valuable assistance for free.
  • Be wary of the "Streisand Effect" when responding to any actual or perceived issue.

Bonus link - Empathy in Incident Response 

I wanted to put in this excellent blogpost from Tracy Z. Maleeff (@InfoSecSherpa) as well as it talks about a very important concept. If the security team wants users to help them and give them warning when something has happened, it is important that the user doesn’t feel scared to do so.

Josh Grossman
Senior Information Security Consultant and Team Leader