www.pisa.org.hk
Professional Information Security Association, SEP-2012
PISA Journal, Issue 16

BYOD Dilemma and Tactics
Securing Amazon Linux AMI
Book Review: “IT Security Metrics”
Targeted Attack Analysis
「域」見未來 (Seeing the Future through the “Domain”)

Contents

04 Message from the Chair

Mobile Security
05 BYOD Dilemma and Tactics

Cloud Security
11 Securing Amazon Linux AMI

Book Review
17 Book Review: “IT Security Metrics”

Emerging Attacks and Defenses
21 「域」見未來 (Seeing the Future through the “Domain”)
23 Targeted Attack Analysis

29 Event Snapshot
32 Joining PISA

Editor: [email protected]

Copyright 2012 Professional Information Security Association

Royalty free images used from www.sxc.hu: p.05: #152864 by Alenq of Croatia, p.11: #1195576 by Lusi of Croatia, p.13: #1395342 by puffin2006 of Netherlands, #1341228 by yan81 of Russia, p.17: #640488 by iwanbeijes of Netherlands, p.21: #49702 by annaOMline of Spain, p.23: #637512 by bjearwicke of USA, p.28: #180450 by OzRock79 of Australia.

Message from the Chair

It is my honour and greatest pleasure to serve in the Chairperson’s role of PISA after joining the executive committee for three years.

In Hong Kong, PISA plays a prominent role in various areas relevant to information security such as establishing the (ISC)2 Hong Kong Chapter, providing advisory support to the IT professions, setting up different SIGs for the members, and promoting awareness education to the general public. These could not be accomplished without your dedication and efforts.

PISA is a platform for our members to network, to share knowledge and to build up trust. Through this platform, members can address the impacts and challenges of emerging information security threats.

PISA needs your involvement and commitment to keep going forward. Let us work together to bring PISA a successful year.

Frank Chow CISSP-ISSAP-ISSMP CSSLP CISA CISM CBCP

The Executive Committee 2012-2013

(from left) Andy Ho, WS Lam, Mike Lo, Frank Chow, Alan Ho, Jim Shek and Raymond Tang

BYOD DILEMMA AND TACTICS

Alan Ho CISSP CISA CISM CGEIT

Bring your own device (BYOD) involves various challenges related to security, privacy, infrastructure, etc. There is no one-size-fits-all solution to BYOD; the right mix of solutions depends on the business environment.


With the advancement of enabling technologies (in smart devices and mobile networks) and the maturity of social media in changing the ways people do business, "mobility" is becoming the key trend moving forward. We are seeing better hardware and user interfaces in smart device technologies as well as improved bandwidth, speed and coverage in mobile/wireless technologies.

For convenience, mobility and productivity, employees are eager to bring their own smart phones, tablets and notebooks into the work environment. On the other hand, employee-owned notebooks or low-cost smart devices give companies a cost incentive to lower the total cost of ownership. All these give rise to new requirements for network access policies and capabilities to allow users to "bring your own device" (BYOD).

BYOD involves various challenges related to security, privacy, infrastructure, etc. There is no one-size-fits-all solution to BYOD; the right mix of solutions depends on the business environment.

1. Challenges

Under BYOD, while employees have the flexibility to choose and bring their devices into office environments, these "foreign" unmanaged devices can be a nightmare for companies. The challenges can be classified from the company's or the employee's perspective.

Company's perspective

● Compatibility -- There may be compatibility issues in running the company's applications on devices that involve various operating system platforms and software.

● System security -- As the company has little or even no control over the device, the software installed on it may be outdated, or security patches may not be properly managed or applied. Also, anti-virus/anti-malware software and a personal firewall may not be properly managed or in place. This could be a threat when running the company's applications or even storing the company's data on the devices.

● Data security -- There may be difficulties in enforcing data/storage encryption (e.g. via BitLocker) due to device ownership or technical platform issues.

● Support burden & expertise -- Given the limited IT support resources in the company, there may be issues in supporting or troubleshooting problems with company applications or data on these devices of different technologies.

● Liabilities -- There may be liability issues if the devices are physically damaged or the employee's software/data is damaged/lost.

● Control and compliance

  ● Since the company has limited or no control over the software and system configurations of these devices, it may be a challenge to manage or track company-related activities on them.

  ● Businesses that fall under compliance rules (e.g. PCI DSS (Payment Card Industry Data Security Standard)) must still comply when BYOD is implemented. It may be a concern how to define and enforce an acceptable use policy for devices that are not owned and (completely) managed by the company.

  ● Consideration also needs to accommodate reasonable personal use of the BYOD devices.

● Data privacy -- These devices may contain the company's data. There may be a risk of data leakage to outsiders via the employee's devices.

Employee's perspective

● Data privacy -- These devices contain the employee's own data. There may be a risk of data leakage to the company when the devices are connected to the office environments.

● Device seizure -- Under certain circumstances, judicial or legal authorities may warrant the seizure of the hardware for investigations.

2. Considerations

BYOD is a complex issue involving not only technical issues but also management, privacy issues, etc. The BYOD issues are not just about the devices, but also about the business applications that run on the devices and the business data that may reside on them.

There are different areas of consideration for the solutions. These different areas of consideration or approaches may be adopted in different combinations that best fit the needs of a company.

2.1 Device-Centric vs Data-Centric

To manage BYOD, some may focus on controlling the device, some on controlling the data, or a hybrid of both.

● Device-centric approach: By controlling the device (or hardware), IT can attain a level of control and security over who's on the network and what that user is accessing.

● Data-centric approach: Rather than controlling so much on the devices, the focus is on controlling the data the devices are accessing. This will require security measures to make sure the data is password-protected at multiple levels. One technique is to set up a mobile-oriented password policy that requires more frequent password changes. The data-centric approach will not address the problem of malware on the device that sniffs the data.

2.2 Agent-Based vs Agentless

Technical solutions can generally be classified as agent-based or agentless.

● Agent-based solutions -- Require installing an agent on client devices

  ● Can have more granular or in-depth configurations/capabilities for auditing, monitoring, security and reporting. Can ensure connected devices have the right software, permissions, and security settings before allowing them to connect to the network. Can also enforce the use of encryption.

  ● The agent running on the client device may impact performance or consume resources

  ● More effort to implement since installation of agents is required

● Agentless solutions -- No agent is needed on client devices

  ● No installation effort is required on client devices

  ● May classify the devices based on user identity, device type, location and time

  ● Does not have in-depth analysis or statistical capabilities

2.3 Hardware- vs Software-Based

Some solutions leverage hardware-based technology for more robust security and better performance. However, this requires the devices to have the required hardware or parts. Software-based solutions have comparatively fewer restrictions on the device hardware/platforms; however, they are comparatively less robust.


2.4 Open Standards

The use of open or industry standards allows better compatibility with different devices and platforms and is more robust.

Trusted Computing Group (TCG) has developed security solutions for computers and servers based on the Trusted Platform Module (TPM), for mobile devices through the Mobile Trusted Module (MTM), for data integrity and privacy based on Self-Encrypting Drives (SEDs), and for enterprise networks based on the Trusted Network Connect (TNC) specifications.

2.5 Policies and Processes

Apart from the technical solutions, a successful BYOD implementation requires complementing policies and sustainable processes.

2.5.1 Policies regarding terms of use and liabilities

Due to the different ownership of the physical hardware and data, it is important to pre-define the policies regarding terms of use and liabilities. Also, it is necessary to accommodate a reasonable level of personal use of the devices.

2.5.2 Ongoing review and monitoring processes

BYOD implementation should not be considered a one-time exercise. There should be ongoing review and monitoring processes to ensure the effectiveness of the solutions and to upgrade the solutions according to the changing business and technical environments.

TCG recommends the following strategies:

● Continuous assessment of the user, device, network, physical location, etc.

● Reducing risk by provisioning countermeasures

● Controlling access to sensitive resources based on established corporate policies

● Monitoring and responding using standards-based techniques, automatic or manual

2.5.3 Compliance

Especially for businesses that fall under compliance rules (e.g. PCI DSS), companies must review and ensure compliance when BYOD is implemented.

2.6 Other Technology Solutions

2.6.1 Partitioning

Partitioning allows a clean separation of personal and business applications and data. Hence, business applications and data can be managed and locked down without impacting personal content on the device.

2.6.2 Virtualization

2.6.2.1 VDI (Virtual Desktop Infrastructure)

VDI solutions eliminate most of the mobile device management issues because the solution is essentially a secure terminal emulator: data is not stored on the mobile devices but on the remote VDI servers. This provides a more secure approach from the enterprise perspective.

2.6.2.2 DaaS (Desktop as a Service)

There are solutions (e.g. Desktone) to virtualize users' desktop computers and deliver them as a service, so that they can be configured for access from a physical desktop, notebook computer, tablet or smart phone. DaaS allows companies to set policies for how the desktop service can be accessed and with which devices.

2.6.2.3 Run a second virtual phone

There are solutions that allow a company to deploy its own secure virtual phone images to employee-owned smart phones.

An example (e.g. Red Bend Software) is to use a type 1 hypervisor on particular Android handsets to create essentially two virtual phones running simultaneously on the same physical hardware, one for personal use and one for business use. A similar solution can also be found with VMware.

2.6.3 Authentication and authorization

To authenticate and authorize mobile BYOD devices, it is recommended to configure the company's wireless network with WPA2-Enterprise (802.1X), with individual usernames/passwords for user authentication and client-side acceptance (validation) of the server certificate. User identity can tie back to Active Directory (or another directory server).

Regarding the access policies, Trusted Computing Group's Mobile Security Architect's Guide recommends that different users are given different levels of access to corporate resources based on how much the enterprise trusts them (Figure 1).

2.6.4 Remote data wiping

Some solutions can remotely wipe corporate data from devices when employees leave the company or change job roles, as well as when devices are lost or stolen.

2.7 CYOD (Choose Your Own Device)

BYOD may involve a vast number of devices and platforms that is hard to manage (in terms of workload and risks). CYOD limits the range of devices and thus the range of hardware and platforms to support. CYOD is comparatively more manageable than BYOD and still gives employees some flexibility to choose their devices.

Figure 1. “Architect’s Guide: BYOD Security Using TCG Technology”, by Trusted Computing Group (www.trustedcomputinggroup.org), June 2012


Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

3. Conclusion

An effective BYOD implementation can probably improve employee satisfaction and productivity. How trust can be built with adequate levels of control to avoid data breaches and ensure compliance will be the core issue.

There are numerous solutions and options. As there is no one-size-fits-all solution, the best mix for a company will depend on the business nature/environment, the technical infrastructure (e.g. terminal service solutions, RADIUS, Active Directory/LDAP, etc.) and the support resources/structure. CYOD may be a viable alternative to a BYOD implementation as it is comparatively more manageable and employees can still enjoy some flexibility to choose their devices.

I hope this article can provide a good highlight of the concerns/approaches for decision makers/implementers to consider the right mix of solutions.

Alan Ho ■

References

● Architect’s Guide: BYOD Security Using TCG Technology, Trusted Computing Group, June 2012

● Bring your own device, Wikipedia, http://en.wikipedia.org/wiki/Bring_your_own_device

● For BYOD Best Practices, Secure Data, Not Devices, Thor Olavsrud, CIO, July 17, 2012, http://www.cio.com/article/print/711258

● Navigating the “Bring Your Own Device” Policy: An IT Manager’s Guide, Brian Proffitt, Feb 15, 2012, http://h30565.www3.hp.com/t5/Feature-Articles/Navigating-the-Bring-Your-Own-Device-Policy-An-IT-Manager-s/ba-p/1664

● From BYOD to CYOD, Rebecca Merrett, August 7, 2012, http://cw.com.hk/news/byod-cyod

Contribution to PISA Journal

SC Leung, Chief Editor [email protected]

• To contribute to the next issue and make your publication public

• To join the Editorial Committee of this professional publication

Next Issue: Issue 17 (Mar-2013)

Securing Amazon Linux AMI

George Chung CISSP CISM CISA, Program Committee

Amazon cloud services are very popular. The Amazon Elastic Compute Cloud (Amazon EC2) provides a virtual computing environment in which Amazon customers can quickly launch virtual machines for different purposes. The virtual machines provided in Amazon EC2 are mainly Linux servers.


Among the Linux servers, Amazon provides its own Linux distribution, Amazon Linux AMI (Amazon Machine Image). Amazon Linux AMI is derived from CentOS, which is a recompilation of Red Hat Enterprise Linux (RHEL), so it is very handy for RHEL/CentOS system administrators to use. It comes with the AWS API tools, which can be used for scripting Amazon cloud services. The package repository is within the Amazon cloud, so the traffic for updating the server is not counted in the data transfer fee. Amazon also provides package updates for bug fixes and security updates. Most importantly, it is free!

An Amazon Linux AMI EBS instance is started from the AWS Management Console. The version, read from /etc/system-release, is “Amazon Linux AMI release 2012.03”.

The default EBS instance has about 8G of disk space and consumes about 900M of it when launched for the first time. This is Amazon's default minimum installation.

Only openssh (22/TCP) and ntpd (123/TCP) are run by default.

There are no firewall rules set up by default.

SELinux is not enabled. IPv6 is enabled by default. Only a normal user, ec2-user, can log in to the host via ssh, with public key authentication.


Since the virtual machine uses a private IP address, Amazon uses a security group to port-forward the desired public ports to the virtual machine. The security group looks like a public firewall to the virtual machine, and it gives Amazon customers a false sense of security: since no host firewall is enabled in Amazon Linux AMI by default, running services are exposed to other Amazon cloud virtual machines. The following screen capture shows the result of an nmap scan of the hosts in the same subnet; services like MySQL and Tomcat could be identified on others’ virtual machines.


Enable Host Firewall

Without a host firewall, the services running within the Amazon cloud could be easily attacked, so the first thing to do is to enable the host firewall. Since Amazon Linux is derived from CentOS, copying the CentOS iptables configuration to /etc/sysconfig/iptables is a good starting point.

Only ports that are enabled in the security group should be enabled in the host firewall. Reboot the machine or run “service iptables restart” to make the rules effective.

Enable SELinux

The second thing to do is to enable SELinux. SELinux provides mandatory access control in the Linux kernel. It is very good for confining popular services like the Apache and MySQL servers: even if a confined service is compromised, the damage is limited to only those files the SELinux policy permits it to access. To enable SELinux, add “security=SELinux enforcing=1” to the kernel line of /etc/grub.conf and touch a file named .autorelabel in the root directory.

Some SELinux packages may not be installed by default. Install the required packages by issuing this command:

“yum -y install policycoreutils selinux-policy selinux-policy-targeted libselinux libselinux-utils libselinux-python setools-console mcstrans policycoreutils-python”

After rebooting the virtual machine, SELinux will be enabled and all files will be relabeled. Note that the method of enabling SELinux differs from CentOS: configuring /etc/sysconfig/selinux doesn’t work for Amazon Linux.


Run “sestatus” to make sure SELinux is running.

Run “getsebool -a” to check whether the required Boolean values are turned on or off. If some values need to be changed, run “setsebool -P boolean_variable on/off”.

Disable IPv6

The third thing is to disable IPv6. Amazon EC2 doesn’t support IPv6. Disabling IPv6 reduces the attack surface. To do that, edit /etc/sysctl.conf and add the following line at the end of the file.

After reboot, the IPv6 address will disappear.

Install Packages

The fourth thing to do is to update the installed packages with “yum -y update”. Amazon Linux AMI bundles a cloud-init script which installs security updates automatically when the instance boots; running the command updates all packages, including non-security fixes. Setting up yum-updatesd to send e-mail notification when package updates are available is also a good idea.


Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Make Partition for /tmp

The fifth thing to do is to make a separate partition for /tmp and a separate partition for /var. Amazon Linux AMI comes with only one partition. Without a separate /tmp, attackers could consume all disk space by writing files to /tmp and bring the system to a halt. An EBS volume can be created in the AWS Management Console and attached to the instance. Use fdisk to partition the volume and make a filesystem on it, then edit /etc/fstab so the partition is mounted at the appropriate mount point.

After reboot, the mount point will be mounted automatically.

Secure AWS Management Console

The last thing is to secure the AWS Management Console. The virtual machine is secure only when the AWS Management Console is secure: if the console is hacked, all virtual machines run by the account could be compromised. To secure it, two-factor authentication is recommended for console login. Google Authenticator can act as the second factor; it is freely available for iOS, Android and BlackBerry OS. The setup is very simple: use Google Authenticator to capture the QR code on the two-factor authentication registration page and input two authentication codes. The following capture is the login page for the authentication code using Google Authenticator.
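An added example, not from the article, that verifies the host-side steps above (host firewall matched to the security group, SELinux enforcing, IPv6 gone, separate /tmp and /var) after the reboot: a POSIX shell script whose check functions take command output as text, so they run offline on the constructed samples embedded below (the iptables rules, sestatus, ip addr and /proc/mounts text are made up for illustration, not captured from a real instance); audit_host, the security-group port list and all SAMPLE_* names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): offline checks for the hardening steps
# the article walks through. Every check_* function takes the TEXT of a command
# output or file as its first argument, so the logic runs on the constructed
# samples below; audit_host shows how to feed it live output on an instance.

# 1. Host firewall: the INPUT policy must be DROP (or REJECT), and every port an
#    ACCEPT rule opens with --dport must also be open in the EC2 security group
#    (passed as the remaining arguments), i.e. "only ports that are enabled in
#    security group should be enabled in the host firewall".
check_iptables() {   # $1 = output of "iptables -S INPUT", $2.. = SG ports
  rules="$1"; shift
  printf '%s\n' "$rules" | grep -Eq '^-P INPUT (DROP|REJECT)' || return 1
  for port in $(printf '%s\n' "$rules" | grep -- '-j ACCEPT' \
                | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p'); do
    ok=0
    for sg in "$@"; do [ "$sg" = "$port" ] && ok=1; done
    [ "$ok" = 1 ] || return 1     # host firewall opens a port the SG does not
  done
  return 0
}

# 2. SELinux: "sestatus" must report enabled AND enforcing; permissive mode only
#    logs denials and does not confine a compromised service.
check_selinux() {   # $1 = output of "sestatus"
  printf '%s\n' "$1" | grep -q '^SELinux status:[[:space:]]*enabled' || return 1
  printf '%s\n' "$1" | grep -q '^Current mode:[[:space:]]*enforcing'
}

# 3. IPv6: after the sysctl change and a reboot, "ip addr" must show no inet6
#    address at all (the observable result the article describes).
check_ipv6_disabled() {   # $1 = output of "ip addr"
  ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet6 '
}

# 4. Separate filesystems: /tmp (and /var) must be their own mount points so
#    that filling /tmp cannot exhaust the root filesystem.
check_separate_mount() {   # $1 = contents of /proc/mounts, $2 = mount point
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }'
}

# Runs every check with live command output; $@ = ports open in the security
# group. Returns the number of failed checks. Run as root after the reboot.
audit_host() {
  fails=0
  check_iptables "$(iptables -S INPUT)" "$@" || { echo "FAIL host firewall"; fails=$((fails + 1)); }
  check_selinux "$(sestatus)"                 || { echo "FAIL SELinux";       fails=$((fails + 1)); }
  check_ipv6_disabled "$(ip addr)"            || { echo "FAIL IPv6 still on"; fails=$((fails + 1)); }
  for mp in /tmp /var; do
    check_separate_mount "$(cat /proc/mounts)" "$mp" || { echo "FAIL $mp not separate"; fails=$((fails + 1)); }
  done
  return "$fails"
}

# ---- constructed samples (not captured from a real instance) ----
SAMPLE_SG_PORTS="22 80"
SAMPLE_IPTABLES_STOCK='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_IPTABLES_LEAKY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'
SAMPLE_IPTABLES_GOOD='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
SAMPLE_SESTATUS_OFF='SELinux status:                 disabled'
SAMPLE_SESTATUS_ON='SELinux status:                 enabled
Current mode:                   enforcing
Policy from config file:        targeted'
SAMPLE_IPADDR_V6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.1.23/24 brd 10.0.1.255 scope global eth0
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link'
SAMPLE_IPADDR_V4='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.1.23/24 brd 10.0.1.255 scope global eth0'
SAMPLE_MOUNTS='/dev/xvda1 / ext4 rw,noatime 0 0
/dev/xvdf1 /tmp ext4 rw,nosuid,nodev,noexec 0 0
/dev/xvdf2 /var ext4 rw 0 0'

# Stand-alone demo on the samples; run with "--host <sg ports>" to audit a
# real instance instead.
if [ "${1:-}" = "--host" ]; then shift; audit_host "$@"; exit $?; fi
check_iptables "$SAMPLE_IPTABLES_STOCK" $SAMPLE_SG_PORTS || echo "stock AMI rules:   FAIL (no host firewall)"
check_iptables "$SAMPLE_IPTABLES_LEAKY" $SAMPLE_SG_PORTS || echo "leaky rules:       FAIL (3306 not in SG)"
check_iptables "$SAMPLE_IPTABLES_GOOD"  $SAMPLE_SG_PORTS && echo "hardened rules:    PASS"
check_selinux "$SAMPLE_SESTATUS_ON"        && echo "SELinux enforcing: PASS"
check_ipv6_disabled "$SAMPLE_IPADDR_V4"    && echo "IPv6 disabled:     PASS"
check_separate_mount "$SAMPLE_MOUNTS" /tmp && echo "separate /tmp:     PASS"
```

The leaky sample is the situation the nmap scan above illustrates: a host firewall that opens MySQL to neighbours even though the security group does not, which the port cross-check catches.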

Security Hardening Other Services

Further service hardening should be done if other services like httpd and mysql are run; that is out of scope for this discussion. The NSA security configuration guides and the CIS security benchmarks can be used as references to further enhance the hardening process.

George Chung ■

Book Review: “IT Security Metrics”

Henry Ng CISSP-ISSAP CISA, Program Committee

In the consulting field, I often meet and discuss with customers on security related matters. One of the most frequently asked questions from customers is “how good or how bad is our security?”, “how is our security compared with similar organizations of our size and business nature?”


CISOs and security managers want a way to measure security and present it to management to show the effectiveness of the security technologies and programs they have put in place. Unfortunately, there doesn’t seem to be any recognized framework to measure and compare the effectiveness of information security.

Lance Hayden is a solution architect and information scientist with Cisco Systems’ worldwide security practice. He is also a trained social scientist, holding a Ph.D. in Information Science from the University of Texas, where he teaches courses on information security and surveillance in society.

He composed this book to contribute to the ongoing conversation about security measurement and to explain how to put metrics to effective use within an organization.

This book has 396 pages, separated into 12 chapters. 4 case studies about security measurement are included (real examples of how organizations apply security metrics, which I find very intuitive). The 12 chapters are logically arranged in 4 parts:

1) introducing security metrics

2) implementing security metrics

3) exploring security measurement projects

4) beyond security metrics

Because of the vast amount of content covered by the book, this book review article will cover the first half of the book, i.e. the first 6 chapters about introducing security metrics and implementing security metrics.

Title: IT Security Metrics
Author: Lance Hayden, PhD CISSP CISM
Publisher: McGraw-Hill Osborne Media
Publishing Date: 1st edition (June 21, 2010)
ISBN-13: 978-0071713405

Chapter 1

Lance starts off by defining metrics as records of our observations, whereas measurement is the activity of making observations and collecting data in an effort to gain practical insight into whatever it is that we are attempting to understand. Lance goes on to describe five common security metrics used today as well as their shortcomings:

Risk – based on expert judgments which are a set of opinions about risk. It don’t measure actual risk but rather human judgments about security risk

Security vulnerability and incident statistics – Lance how-ever points out a fallacy that more reported Internet vulner-abilities doesn’t necessarily mean Internet security getting worse because there can be hundreds of new technology products every year

Annualized loss expectancy – ALE = ARO x SLE (CISSP should recognize this formula right?) ALE measures what people think rather than objective reality. IT security doesn’t have the data necessary to define actual probabilities, hence ALE primarily deals in opinions and expectations. Also, ALE cannot measure losses involving productivity, effi-ciency or competitiveness.

Return on investment – IT security has to do with loss pres-entation and not undertaken as profit center

Total cost of ownership – many costs remain hidden; like ROI, it has been co-opted by vendors that recognize it as a purchase decision supporting metric

Lance wraps up this chapter by referring how metrics are used in Insurance, Manufacturing, Design industries and that security decision will improve as we improve our capabilities to collect, analyze, and understand data regarding security operations.

Chapter 2

Lance drills in what metrics and measurement are, and how to choose good metrics for measurement. If you are setting metrics without really understanding how you want to use the metrics to gain insights, the metrics schemes won’t work well.

After Lance elaborates with examples of the who, what, when, where, how and why aspects in relation to defining metrics for a security program, he introduces the Goal-Question-Metric (GQM) method - a simple three-step process which can be used for developing security metrics. First of all, you set a goal (leverage the SMART goal-setting rules). Then ask relevant questions to enable components of the goal to be achieved or evaluated for success. After questions have been developed to define the goal operationally, metrics can be assigned. Lance illustrates a number of examples using GQM which I find practical. For instance, a goal can be to improve user compliance with corporate security policies that are not effectively disseminated or enforced (aren't we too familiar with this situation?). A relevant question can be “what is the current level of enforcement of corporate security policy” and the corresponding metrics are “number of reported security policy violations in the previous 12 months” and “number of enforcement actions taken against policy violations in the previous 12 months”. Another question can be “is enforcement of the security policy increasing?” and metrics can be defined as “increase in security policy enforcement actions over baseline”, “increase in awareness of corporate security policy”, “increase in efficiency of the security policy process” and “improved response from surveyed users on policy familiarity and usability”. Although GQM seems straightforward, I believe the trick is to ask the right questions in order to achieve the goal. This requires experience and knowledge of your corporate IT environment and how security should fit into it.

Chapter 3

This is a short but academic chapter with Lance describing types of quantitative data versus qualitative data. I think it is still worthwhile to understand because you will need to know what types of data you can collect in order to fulfill the defined metrics. I find the DIKW hierarchy informative, which I hadn't come across in the past. This model has actually existed for over 20 years and is used to describe a 4-tier relationship of how context and experience allow data to be transformed into information and then knowledge and eventually wisdom. I believe the concept is important to explain to senior management how we can gain the wisdom to make prudent and succinct security decisions based on the raw data collected from security metrics.

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Chapter 4

Why do we want to collect data for security metrics? What do we want to achieve by measuring security? Ultimately, we want to improve security, right? So how can IT security metrics convert into security improvement? Lance introduces a security process management (SPM) framework tying security metrics, security measurement projects, a security improvement program and security process management together. If you ever want to engage in a project to establish a security process management framework, Lance advises that you will need to 1) analyze how to get buy-in by knowing the business drivers, stakeholders, and resources required to be spent on SPM, 2) set expectations of the end goal of SPM, and most important of all, 3) show tangible results to meet the set expectations. All very true, but actually also applicable to other information security initiatives, in my opinion.

Chapter 5

Another academic chapter by Lance explaining how data can be analyzed. If you have a statistics background or are strong in mathematics, you can easily skim through this chapter because Lance merely introduces various generic data analysis models. For instance, descriptive statistics shows what is present in the actual data collected using mathematical formulas such as mode, mean, median, range, variance and standard deviation. Inference statistics on the other hand seeks to use a sample set of data to infer things about the larger population from which the sample is drawn. Good examples are sampling and hypothesis testing.

Chapter 6

Lance describes how to embark on the security measurement project (SMP) in this chapter. To prepare for an SMP, one should conduct GQM analysis, review what has been done before, and get buy-in from stakeholders and sponsors. The SMP can be executed in five phases. Phase one is to build a project plan and assemble the team. Phase two is to gather the metrics data. Phase three is to analyze the metrics data and build conclusions. The next phase is to present the results, and the final phase is to reuse the results. Although this chapter is pretty straightforward and easy to read, the crown jewels of IT security metrics are not covered yet. In fact, I view the first six chapters as more of background and preparation material to prep the readers for the next six chapters, which will cover more practical advice on the usage of IT security metrics.

Henry Ng ■

Please stay tuned for my next book review article covering the remaining six chapters in the next issue of PISA Journal.


「域」見未來 (Seeing the Future Through Domains)

Mr. 郭榮興, CISSP

Programme Committee Member

On 13 June 2012, the Internet Corporation for Assigned Names and Numbers (ICANN) published the list of applications to operate new generic top-level domains: 1,930 in total, of which Hong Kong companies submitted 42, two percent of all applications worldwide, to the delight of Hong Kong's IT industry.

Apart from country-code top-level domains (such as ".hk", ".cn" and ".tw"), the Internet currently has 22 generic top-level domains, the best known being ".com", ".net" and ".org". Today Internet services reach every industry, and the existing 22 generic top-level domains can no longer meet the needs of every sector and offer little choice. ICANN expects the new generic top-level domains to bring more innovation, choice and competition to the Internet, ultimately giving users better services. For example, the banking industry could apply for ".bank", the record industry for ".music" and the hotel industry for ".hotel". Companies around the world can also apply for top-level domains based on their registered names or brands, such as ".ibm", ".microsoft", ".skype" and ".android".

The cost of applying for a new generic top-level domain is staggering. The applicant first pays an initial application fee of US$185,000 (about HK$1.45 million), and thereafter an annual administration fee of US$25,000 (about HK$200,000). When assessing each domain, ICANN also considers the applicant's background, including technical support, financial and operational capability; only applicants with sufficient strength are approved. A conservative estimate puts the average cost of each new generic top-level domain at possibly over a million US dollars.

Two Hong Kong telecommunications providers, PCCW Limited (電訊盈科有限公司) and CITIC Telecom International (Information Technology) Limited (中信國際電訊(信息技術)有限公司), together applied for eight top-level domains for future business use, including ".pccw", ".hkt", ".電訊盈科", ".香港電訊", ".now", ".nowtv", ".中信" and ".citic". The author found that as many as six companies applied for ".now", while only PCCW Limited applied for ".nowtv". At this point the author cannot help admiring the company's planning and strategy: they had long anticipated that ".now" would trigger a contest, and should the bid for ".now" fail, ".nowtv" could step in immediately.

Among the many applications, the most eye-catching is ".app", contested by 13 companies including Amazon and Google. The industry estimates that Google is determined to win ".app" and will not hesitate to spend over ten million US dollars to beat the other contenders and ultimately secure ownership of ".app".

On the network security side, new generic top-level domains will help curb the rampant growth of phishing sites. For example, all PCCW websites currently rely on the ".com" top-level domain, so criminals can use look-alike domains such as pccw--hk.com or pccw1.com to set up phishing sites in an attempt to deceive users. If PCCW used ".pccw" as its sole Internet domain identity, the websites of every subsidiary and distributor could be unified under ".pccw", and users could tell a genuine site from a fake one simply by checking whether the suffix of the web address is ".pccw". New generic top-level domains can thus effectively protect the domain names and reputations of large enterprises.

Another network security advantage is that new generic top-level domains must enable the Domain Name System Security Extensions (DNSSEC) in operation: when information is exchanged between the zones at each level, digital signatures confirm that the data is authentic, preventing users from being redirected to fraudulent sites and improving network security.

All in all, this event is a major reform of the Internet. The first batch of new generic top-level domains is expected to enter service as early as mid-2013, at which point the Internet will take on a new look.

郭榮興 ■
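As an added illustration of the suffix check the article describes (not code from the article or from PCCW), the Python below normalizes a host name to lower-case A-labels and accepts it only when its final label is exactly the brand top-level domain, so look-alikes that merely contain the brand string are rejected; the host names and brand domains used as input are the ones the article names, assembled here as constructed test data.

```python
"""Check whether a host name really sits under a brand TLD such as ".pccw".

Added example illustrating the article's point; it is not code from the
article or from PCCW.  Host names and brand TLDs below are constructed
test input built from the names the article mentions.
"""


def normalize_labels(host):
    """Split a host name into lower-cased A-labels (punycode for IDN labels).

    Returns None when a label is empty (e.g. 'www..pccw') or cannot be
    encoded, so callers treat malformed names as 'not the brand'.
    """
    host = host.strip().rstrip(".").lower()
    labels = []
    for label in host.split("."):
        if not label:
            return None
        try:
            # str.encode("idna") returns the xn-- form for non-ASCII labels
            # and passes ASCII labels through; it raises on invalid labels.
            labels.append(label.encode("idna").decode("ascii"))
        except UnicodeError:
            return None
    return labels


def is_under_brand_tld(host, brand_tld):
    """True only when the last label of host equals brand_tld itself.

    pccw1.com and pccw--hk.com contain the brand string but end in a
    different TLD, so they are rejected; so is www.pccw.com.  brand_tld may
    carry a leading dot and may be a Unicode TLD such as '.電訊盈科', which
    is compared in its A-label form so both spellings of a host match.
    """
    brand = normalize_labels(brand_tld.lstrip("."))
    labels = normalize_labels(host)
    if not brand or len(brand) != 1 or not labels:
        return False
    return labels[-1] == brand[0]


def classify(hosts, brand_tld):
    """Map each host to 'brand' or 'other' for a quick report."""
    return {h: ("brand" if is_under_brand_tld(h, brand_tld) else "other")
            for h in hosts}


if __name__ == "__main__":
    # Constructed input: genuine brand hosts plus the look-alikes the article cites.
    sample = ["www.pccw", "shop.hk.pccw.", "WWW.PCCW", "pccw--hk.com",
              "pccw1.com", "www.pccw.com", "www.電訊盈科"]
    for host, verdict in classify(sample, ".pccw").items():
        print(f"{host:20} {verdict}")
```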


Targeted Attack Analysis

Know Your Enemy

Anthony Lai SANS GREM (Gold)

Founder and Security Researcher, Valkyrie-X Security Research Group (VXRL)

Frankie Li SANS GREM (Gold)

Security Researcher, Valkyrie-X Security Research Group (VXRL)


My Recent Move

In the past few years, other than working on penetration tests, I started another research interest in malware analysis and connected with various top researchers to analyze some samples together. One of my fellows, Frankie Li, and DDL (i.e. he doesn't want to disclose his name) worked together and published a targeted attack (a.k.a. APT (Advanced Persistent Threat)) research paper [1] at the IEEE Malware 2011 conference. Meanwhile, our work was recognized by one of the top malware researchers, Nart Villeneuve [2].

What is the difference between targeted attack and routine malware? Let me try to highlight a few areas:

Targeted Attack vs. Routine Malware

Level of target understanding
  Targeted attack: High. They are made and sent according to the target's background, profile, human connections and applications.
  Routine malware: Low. It is more general, not specifically targeting an individual or enterprise, regardless of the systems/applications they use.

Delivery channel
  Targeted attack: Email attachment.
  Routine malware: Email, drive-by download.

Payload characteristics
  Targeted attack: The payload is deployed to the victim on a need basis.
  Routine malware: Most of the time, a single payload is uploaded to the victim instead of multiple staged payloads.

Delivery carrier
  Targeted attack: Documents including PDF, DOC, DOCX, XLS and PPT. The most frequently used carrier is an RTF-formatted file.
  Routine malware: Other than documents, they could send JPEG or compressed files (.rar and .zip).

Targets
  Targeted attack: Research institutes, political bodies, militaries, governments, multinational organizations, financial institutions, business organizations.
  Routine malware: Individuals or groups of unrelated individuals who own similar digital assets (such as credit card information and online banking passwords).

Actors
  Targeted attack: State actors or a group of sophisticated, determined and coordinated attackers, for the purpose of collecting national secrets, political espionage or industrial/business espionage.
  Routine malware: Hackers or organized crime groups, mainly with a financial motive.

Skills required

The technical analysis skills required include:

● Compare any state change in registry, processes and files in the infected system(s)

● Look for any interesting strings in the malware sample, such as connections to a Command and Control server (CnC or C2 server)

● Debug the process with Windows Debugger and OllyDbg

● Reverse engineer with IDA Pro software [3]

Understand our enemy

Recently, I have also monitored the traffic of infected system(s), waited for the attacker to come in and learned their activities. For example:

1. Searching for all files with .doc/.xls/.ppt/.pdf/.rtf extensions

2. Planting a backdoor on the machine

3. Modifying and replacing some critical system files and applications, such as cmd.exe

4. Piping valuable information and files out to their remote C2 server(s)

5. Removing their activity logs and changing back the timestamps of the files they accessed

Habit and tradition don't work anymore

I have already asked many practitioners and security officers on this planet whether they get to know whether they are targeted or not once they receive a malicious email attachment. Most of them said they have no idea, and even just uploaded the suspicious sample to VirusTotal so as to finish their incident response “homework” and close the file.

To be frank, the battlefield is changing and typical anti-virus software cannot deal with a targeted attack. Attackers are smart enough that all of those targeted samples have been scanned with typical AV software beforehand for basic quality assurance; could you still believe in those sandbox engines?

Developed an APT analysis engine

I have worked with Taiwanese researchers, formed Xecure Lab and developed an engine called Xecscan [4]. It analyses an uploaded document file in detail so as to understand its behavior, the resident process and calling sequence of the malware, as well as identifiable C2 server(s). This engine is public as well as recognized by many top APT researchers and malware analysts.

Case Study

Let us pick a Microsoft Excel sample as an example (shown as the second entry in Figure 1). From Figure 1, we can find out the date of analysis and the MD5 hash value of the sample. There are columns showing the identified IP address(es) of the CnC server(s).

Figure 1. Submitted samples

The analysis (see Figure 2) shows that once we execute the .xls file, a dmadmin.exe file is created at %UserProfile%\Local Settings\dmadmin.exe with hash value fb850b70f45494b47020272c6bf72e94. The file is executed within the svchost.exe process. It spoofs an Adobe application executable.

Meanwhile, a registry entry

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\dmadmin

is added so that it autoruns after the operating system reboots.
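As an added example (not the authors' code or the Xecscan engine) serving both the "compare any state change in registry, processes and files" skill listed earlier and this case study, the Python below diffs constructed before/after file and Run-key snapshots and flags the dropped file by the MD5 the case study reports, the replaced cmd.exe mentioned under "Understand our enemy", and the autorun entry pointing into the user profile; every other hash and path is a constructed placeholder.

```python
"""Before/after snapshot triage for a document-borne dropper.

Added example, not the Xecscan engine or the authors' code.  The snapshots
are constructed to mirror the case study (dmadmin.exe dropped under
%UserProfile%\\Local Settings plus an HKCU ...\\Run\\dmadmin autorun) and
the cmd.exe replacement listed under "Understand our enemy".
"""
import re

# The only real indicator here is the MD5 the case study reports for
# dmadmin.exe; every other hash below is a constructed placeholder.
KNOWN_BAD_MD5 = {"fb850b70f45494b47020272c6bf72e94"}

# Paths an unprivileged user can write to.  An autorun pointing here is
# worth a look even when the hash is unknown.
USER_WRITABLE_PREFIXES = (
    "%userprofile%\\", "%appdata%\\", "%temp%\\",
    "c:\\users\\", "c:\\documents and settings\\",
)
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\")

# Constructed snapshots taken before and after opening the .xls sample:
# file path -> MD5, and Run-key value name -> command line.
FILES_BEFORE = {
    r"C:\WINDOWS\system32\svchost.exe": "0" * 32,
    r"C:\WINDOWS\system32\cmd.exe": "1" * 32,
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe": "2" * 32,
}
FILES_AFTER = {
    **FILES_BEFORE,
    r"C:\WINDOWS\system32\cmd.exe": "3" * 32,  # replaced by the intruder
    r"%UserProfile%\Local Settings\dmadmin.exe": "fb850b70f45494b47020272c6bf72e94",
    r"%UserProfile%\Recent\report.xls.lnk": "4" * 32,  # benign side effect
}
RUN_BEFORE = {"Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader\Reader_sl.exe"'}
RUN_AFTER = {**RUN_BEFORE, "dmadmin": r'"%UserProfile%\Local Settings\dmadmin.exe" -s'}


def diff_snapshot(before, after):
    """Return (added, removed, changed) between two {key: value} snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def command_target(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    return quoted.group(1) if quoted else command.split()[0]


def triage(files_before, files_after, run_before, run_after):
    """Return (kind, subject, detail) findings from the two snapshot pairs."""
    findings = []
    added, _, changed = diff_snapshot(files_before, files_after)
    for path, md5 in added.items():
        low = path.lower()
        if md5 in KNOWN_BAD_MD5:
            findings.append(("known_bad_hash", path, md5))
        elif low.endswith(".exe") and low.startswith(USER_WRITABLE_PREFIXES):
            findings.append(("new_exe_in_user_dir", path, md5))
    for path, (old, new) in changed.items():
        if new in KNOWN_BAD_MD5:
            findings.append(("known_bad_hash", path, new))
        elif path.lower().startswith(SYSTEM_PREFIXES):
            findings.append(("system_file_changed", path, f"{old} -> {new}"))
    run_added, _, run_changed = diff_snapshot(run_before, run_after)
    new_cmds = list(run_added.items()) + [(n, v[1]) for n, v in run_changed.items()]
    for name, command in new_cmds:
        target = command_target(command)
        if target.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(("autorun_user_writable", name, target))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(FILES_BEFORE, FILES_AFTER, RUN_BEFORE, RUN_AFTER):
        print(f"{kind:22} {subject}  ({detail})")
```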

From Figure 3, we can identify that the exploit used by the .xls is CVE-2012-0754, which attacks an Adobe Flash Player vulnerability. The affected platforms are not limited to Windows only but include Mac OS and Android as well.

From Figures 1 to 3, it looks like we have completed the analysis work. However, the story does not end yet: could you tell whether an individual or enterprise is targeted or not?

We have analyzed all the submitted samples (around 15,000 up to August 2012), extracted various pieces of information from them and built our signature database. We apply Rough set theory [5] on the data extracted from the samples so as to ensure the representative information/strings/data are sufficient to match any existing APT attacker group, or to show that it is indeed a new group.

From Figure 4, an APT group map is provided and we can check whether the submitted suspicious document belongs to any APT attacker group. It looks like the victim company and individual are targeted by a large-scale APT attacker group.

Figure 3: Identified Exploit


Figure 2: Detailed Technical Analysis


Summary

We need to revolutionize our attack detection and incident response into a new phase instead of just depending on the AV engine in the gateway and mail server. I could say that APT targeted attacks and routine malware are two different animals and we need different ways and strategies to deal with them.

Once you have the findings and analysis from the sections above, if you were the target, what would you do next?

Anthony Lai ■

Figure 4: The pointing arrow illustrates the sample submitted is from a large-scale APT attacker group


REFERENCES

[1] Evidence of Advanced Persistent Threat: A Case Study of Malware of Political Espionage:

https://sites.google.com/site/valkyriexsecurityresearch/announcements/aptpaperacceptedbymalware2011conference

[2] Top APT Research of 2011

http://blog.trendmicro.com/trendlabs-security-intelligence/top-apt-research-of-2011-that-you-probably-havent-heard-about/

[3] IDA Pro Disassembler Software:

http://www.hex-rays.com/products/ida/index.shtml

[4] Xecscan – APT Document Scan Engine:

http://scan.xecure-lab.com

[5] Rough Sets: A Tutorial:

http://secs.ceas.uc.edu/~mazlack/dbm.w2011/Komorowski.RoughSets.tutor.pdf

Event Snapshot

We Share. We Progress.

Talk Delivery @ 3rd Asia Pacific Telecommunity Cybersecurity Forum (27-Sep-2012)

The Forum was organized by Asia Pacific Telecommunity and hosted by the Bureau of Telecommunications Regulation (DSRT) of Macao Special Administrative Region.

Frank Chow, our Chairperson, delivered a talk on "Build Cybersecurity Management System."

http://www.apt.int/2012-CSF3

Talk Delivery @ DNSSEC.Asia Summit 2012 (29-Aug-2012)

DNSSEC.Asia was organized by ISOC-HK and Cyberport.

Warren Kwok represented PISA to share “DNSSEC Deployment - from a Network Administrator's Perspective”.

(from left) Richard Lamb (ICANN), Phil Regnauld (NSRC), Hervey Allan (NSRC), SC Leung (ISOC-HK, moderator), Warren Kwok (PISA) and Ben Lee (HKIRC).

Event Snapshot

We Contribute. We Achieve.

PISA AGM, Election and Theme Seminar (25-Aug-2012)

Andy Ho, Chairperson (left), and Frank Chow, Vice Chairperson of PISA (right), took a photo with Professor Eric Tsui.

Founding of ISC2 Hong Kong Chapter: The ISC2 Hong Kong Chapter was established under PISA as an SIG. The founding members of the SIG had a photo taken at the AGM.

Prof. Eric TSUI, Associate Director (Business Development), Knowledge Management and Innovation Research Centre (KMIRC) at the Hong Kong Polytechnic University delivered a theme talk with topic “Evolution of Knowledge Management Systems”.

Event Snapshot

We Share. We Progress.

PISA and ISC2 Lunch Meeting (16-Aug-2012)

Hord Tipton, Executive Director, and Elise Yacobellis, Director of Corporate Development of ISC2, visited Hong Kong. PISA was invited to a lunch meeting with them.

Talk Delivery @ Macao Clean PC Day (25-Jul-2012)

The Data Management and Social Networking Risks seminar of Clean PC Day Macau was organized by Macau CERT and Manetic.

Mike Lo delivered a talk "NFC Security on Mobile Application". It aroused a lot of attention.

Seminar: Data Loss Protection (DLP) Strategy and Technology (26-Jun-2012)

Gareth Bridges, Business Manager, Security and Information Management of Symantec Hong Kong Limited, delivered a talk on Data Loss Protection Strategy and Technology.


Professional Information Security Association

Membership Information

Vision

to be the prominent body of professional information security practitioners, and utilize expertise and

Many Ways You Can Benefit

Successful Career Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Professional Recognition
Benefit from the immediate access to professional recognition by using post-nominal designation.

Continued Education
Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Realize Your Potential
Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials.

Check out job listings information provided by members. Get information on continuing education and professional certification.

Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Membership Requirements

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.

• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

Membership Type | Annual Fee (HK$) | Requirements: Qualifications | Requirements: Relevant Experience
Full | 500 | Recognized Degree in Computing discipline, OR other appropriate educational / professional qual. | 3 years Info-Sec working experience
Associate | 300 | Tertiary Education | Info-Sec related experience
Affiliate | 300 | Interested in furthering any of the objects of the society | Nil
Student | 100 | Full-time student over 18 years old | Nil

Enquiry email: [email protected]

Membership Application Form: http://www.pisa.org.hk/membership/member.htm

Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

