Tuesday, October 4, 2016
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
- It is carried out by the organisation itself, using in-house domain experts and IT security resources.
- It can be quick and flexible, and it focuses on critical risks.
- Its main focus is on operational risk.
- It is a collaborative effort, using workshops, questionnaires, walk-throughs, scenarios and so on.
- It basically has three steps:
  1. Organisation-wide view. This step has multiple processes:
     - Identification of organisation assets at all levels (management, operations).
     - Understanding the threats to these assets and creation of threat profiles.
  2. Technological view. Identification of critical assets and infrastructure vulnerabilities:
     - Vulnerability assessment and risk analysis using the threat profiles generated above.
     - Evaluation of risk based on defined criteria.
  3. Risk treatment strategy:
     - Categorisation of risks and deciding the mitigation plan for each.
- OCTAVE has two variants:
  - OCTAVE-S: a leaner version.
  - Allegro: focuses on information systems. It has 8 steps categorised into 4 phases.
Saturday, January 23, 2016
MDA: Mail Delivery Agent
MSA: Mail Submission Agent
SASL: Simple Authentication and Security Layer
GSSAPI: Generic Security Services Application Program Interface
CRAM: Challenge-Response Authentication Mechanism
Mechanisms for SMTP AUTH
- PLAIN: A single string is sent from client to server, which is the Base64 representation of the credentials. RFC 4954 requires a TLS-protected session before this mechanism is used.
- LOGIN: Again uses Base64 encoding; however, the credentials are exchanged in a series of client-server prompts and replies.
- GSSAPI: For use with mechanisms like Kerberos.
- CRAM-MD5: Better than the PLAIN and LOGIN mechanisms. Plaintext attacks are still possible and it does not authenticate the server (refer to RFC 4954). It also requires that the password be stored in plaintext in many implementations.
- DIGEST-MD5: More secure than CRAM-MD5 as it uses a nonce. This mechanism also requires that the password be stored in plaintext in many implementations.
- SCRAM family (SCRAM-SHA-1 was introduced as a replacement for DIGEST-MD5).
- EXTERNAL: For external authentication.
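The three mechanisms compared above, reproduced as an added example (not code from the original post) so that what crosses the wire and what the server must store can be inspected; the usernames, passwords and hostname are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the original post. It reproduces the client and server
# sides of the SASL PLAIN, LOGIN and CRAM-MD5 exchanges described above so that
# what crosses the wire, and what the server has to store, can be inspected.

def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """PLAIN (RFC 4616): a single base64 string of authzid NUL authcid NUL password."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def recover_plain_credentials(wire_token: str) -> tuple:
    """What a passive observer learns from PLAIN without TLS: base64 is an
    encoding, not encryption, which is why RFC 4954 requires a TLS session first."""
    authzid, authcid, password = base64.b64decode(wire_token).decode("utf-8").split("\0")
    return authzid, authcid, password

def login_dialog(username: str, password: str) -> list:
    """LOGIN: the same base64 encoding, but split over two server prompts."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return [("S: 334 " + b64("Username:"), "C: " + b64(username)),
            ("S: 334 " + b64("Password:"), "C: " + b64(password))]

def new_cram_challenge(hostname: str) -> bytes:
    """Server challenge in the RFC 2195 msg-id style: '<' random '@' host '>'."""
    return f"<{secrets.token_hex(8)}@{hostname}>".encode("ascii")

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): base64('user ' + hex(HMAC-MD5(key=password, msg=challenge))).
    The password never crosses the wire, only a keyed digest of the challenge."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")

def cram_md5_verify(response: str, challenge: bytes, stored_password: str) -> bool:
    """Server-side check. The server must recompute the HMAC, so it needs the
    plaintext password (or an MD5 intermediate state) on disk: the storage
    weakness noted above, and the reason CRAM-MD5 cannot use salted password hashes."""
    user, _, digest = base64.b64decode(response).decode("ascii").partition(" ")
    expected = hmac.new(stored_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return bool(user) and hmac.compare_digest(digest, expected)
```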
Wednesday, October 21, 2015
- Application or system oriented (may also be asset oriented). Extrapolated from the characteristics of systems, their interfaces, connections and the flow of data between them. Threat modeling is the general term used in such cases, and it uses data flow diagrams (DFDs). This process is also termed tool-assisted code review.
- Primarily used for risk management during application or system development, by enumerating attack surfaces.
- Attack and attacker oriented. Extrapolated from the predicted behaviour of attackers and the multiple paths they can follow; the attacker focuses on both intended and unintended behaviour of the system. Attack trees, threat trees, misuse cases or abuse trees are generally used. In an attack tree the whole attack process is synthesised and shown as a set of possible steps; child nodes are combined with AND and OR operators, and the parent (root) node is the attacker's ultimate goal.
- Primarily used for risk management of an already deployed and in-use application or system. This can be done on a periodic basis, or whenever there is a significant change in technology or the threat landscape.
- STRIDE: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege (high-level categorisation).
- DREAD: Damage, Reproducibility, Exploitability, Affected users and Discoverability (attacker's point of view).
- ASF - Application Security Frame
- CAPEC - Common Attack Pattern Enumeration Classification
- Trike framework and tool for risk management
- Microsoft Threat Modeling Tool 2014
- SecurITree by Amenaza
- ThreatModeler by MyAppSecurity
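An added example (not from the original post or any of the tools listed) of the attack-tree evaluation described above: AND/OR nodes below a goal node, leaf efforts, and a re-evaluation with one leaf at a time mitigated to rank controls. The tree, its node names and the effort figures are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example, not part of the original post: a minimal attack-tree evaluator.
# A node combines its children with AND (every child step is needed) or OR (any one
# suffices); leaves carry an estimated attacker effort. Marking one leaf at a time
# as mitigated shows which single control raises the attacker's minimum effort most.

INF = float("inf")

@dataclass
class Node:
    name: str
    op: str = "LEAF"          # "AND", "OR" or "LEAF"
    effort: float = 0.0       # leaves only: estimated attacker effort (arbitrary units)
    children: list = field(default_factory=list)
    mitigated: bool = False   # leaves only: a control makes this step infeasible

def min_effort(node: Node) -> float:
    """Cheapest way to reach this node; INF means no feasible path remains."""
    if node.op == "LEAF":
        return INF if node.mitigated else node.effort
    costs = [min_effort(child) for child in node.children]
    if node.op == "AND":
        return sum(costs)     # all children needed; INF propagates if any is blocked
    return min(costs)         # OR: the attacker takes the cheapest branch

def leaves(node: Node):
    if node.op == "LEAF":
        yield node
    for child in node.children:
        yield from leaves(child)

def rank_mitigations(root: Node) -> list:
    """(leaf name, root effort if only that leaf were mitigated), best control first."""
    results = []
    for leaf in leaves(root):
        saved, leaf.mitigated = leaf.mitigated, True
        results.append((leaf.name, min_effort(root)))
        leaf.mitigated = saved
    return sorted(results, key=lambda r: -r[1])

# Constructed sample tree (not from the original post); the root is the attacker's goal.
SAMPLE = Node("Unauthorised remote control of a field device", "OR", children=[
    Node("Default or hard-coded password on a web-enabled controller", effort=2),
    Node("Reach an isolated control host through removable media", "AND", children=[
        Node("Infected removable media carried to the control host", effort=5),
        Node("Host runs content from removable media", effort=1),
    ]),
])
```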
Monday, September 28, 2015
SCADA (supervisory control and data acquisition) is a system operating with coded signals over communication channels so as to provide control of remote equipment (typically using one communication channel per remote station). Source: en.wikipedia.org/wiki/SCADA
Industrial control systems (ICS) are computer-based systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS by covering large-scale processes that can include multiple sites and large distances. SCADA can be considered a class of ICS.
Originally, SCADA systems were not connected to the Internet, and security was traditionally not a concern in SCADA systems. That is no longer the case.
Where is SCADA used?
Electric power generation, transmission and distribution
Water and Sewage network systems
Environment and facility monitoring and management
Functions of SCADA
DATA ACQUISITION: Furnishes status information and measurements to the operator.
CONTROL: Allows the operator to control devices, e.g. circuit breakers, transformers, tap changers, etc., from a remote centralised location.
DATA PROCESSING: Includes data quality and integrity checks, limit checks, analog value processing, etc.
TAGGING: The operator can identify any specific device and subject it to specific operating restrictions to prevent unauthorised operation.
ALARMS: Alerts the operator to unplanned events and undesirable operating conditions, in the order of their severity and criticality.
LOGGING: Logs all operator entries, alarms and selected entries.
TRENDING: Plots measurements on a selected scale to give information on trends, e.g. over one minute, one hour, etc.
HISTORICAL REPORTING: Saves and analyses historical data for reporting, typically for a period of 2 or more years, and archives it.
SCADA Components and Subsystems
SCADA has the following components:
1. Operating equipment: pumps, valves, conveyors, and substation breakers that can be controlled by energising actuators or relays.
2. Local processors: communicate with the site's instruments and operating equipment. These include the Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), Intelligent Electronic Device (IED), and Process Automation Controller (PAC). A single local processor may be responsible for dozens of inputs from instruments and outputs to operating equipment.
3. Instruments: in the field or in a facility, sensing conditions such as pH, temperature, pressure, power level, and flow rate.
4. Short-range communications: between local processors, instruments, and operating equipment. These relatively short cables or wireless connections carry analog and discrete signals using electrical characteristics such as voltage and current, or using other established industrial communications protocols.
5. Long-range communications: between local processors and host computers. This communication typically covers miles using methods such as leased phone lines, satellite, microwave, frame relay, and cellular packet data.
6. Host computers (Human–Machine Interface, or HMI): act as the central point of monitoring and control. The host computer is where a human operator can supervise the process, as well as receive alarms, review data, and exercise control.
• Supervisory system
• Communication Interface
• SCADA programming
Some SCADA vendors are Asea Brown Boveri (ABB), Siemens, Alstom ESCA, Telegyr Systems, Advanced Control Systems (ACS), Harris and Bailey.
SCADA protocols are communications standards for passing control information on industrial networks. There are many of these protocols, but the prominent ones are MODBUS, DNP3, EtherNet/IP, PROFIBUS, IEC 61850 and Foundation Fieldbus. The choice of protocol is based on operating requirements, industry preference, vendor and the design of the system. In an oil refinery an operator workstation might use the MODBUS/TCP protocol to communicate with a control device such as a Programmable Logic Controller (PLC). Alternatively, in a power utility's SCADA system, a master located in a central facility could use the DNP3 protocol to query and control slave Remote Terminal Units (RTUs) distributed in remote sub-stations. Some other protocols are ICCP, ZigBee, C37.118 and C12.22.
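An added example (not from the original post or any vendor's code) of the MODBUS/TCP case mentioned above: decoding the MBAP header and function code of each frame and flagging write requests from hosts other than the operator workstation, which is the kind of monitoring check an audit of SCADA connections relies on. The frames, IP addresses and allow-list below are constructed.

```python
import struct

# Added example, not from the original post: a decoder for the MBAP header and
# function code of Modbus/TCP frames, used to flag write requests from hosts that
# are not the known operator workstation. All frames below are constructed, not captured.

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_adu(data: bytes) -> dict:
    """MBAP header: transaction id (2 bytes), protocol id (2, always 0), length (2,
    bytes that follow), unit id (1); then the PDU, whose first byte is the function code."""
    if len(data) < 8:
        raise ValueError("truncated frame")
    tid, pid, length, unit = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(data) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(data) - 6}")
    fc = data[7]
    return {"tid": tid, "unit": unit, "function": fc,
            "name": WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc, f"function {fc}"),
            "is_write": fc in WRITE_FUNCTIONS, "is_exception": fc >= 0x80,
            "payload": data[8:]}

def audit_frames(frames, allowed_writers) -> list:
    """frames: iterable of (src_ip, dst_ip, raw_adu). Returns one alert string per
    write request from a source outside allowed_writers and per malformed frame."""
    alerts = []
    for src, dst, raw in frames:
        try:
            adu = parse_adu(raw)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed frame ({err})")
            continue
        if adu["is_write"] and src not in allowed_writers:
            alerts.append(f"{src}->{dst}: {adu['name']} to unit {adu['unit']} "
                          f"from a host not authorised to write")
    return alerts

# Constructed sample traffic. Write Single Coil: address 0x0013, value 0xFF00 (ON).
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.50", "10.0.0.99"
WRITE_COIL = bytes.fromhex("0001 0000 0006 01 05 0013 FF00")
READ_REGS = bytes.fromhex("0002 0000 0006 01 03 0000 000A")
SAMPLE = [(HMI, PLC, READ_REGS), (HMI, PLC, WRITE_COIL), (ROGUE, PLC, WRITE_COIL)]
```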
1. In a SCADA system, the programmable logic controllers (PLCs) are directly connected to in-field sensors that provide data to control critical components (e.g. centrifuges or turbines). Often default passwords are hard-coded into the Ethernet cards the systems use. Those cards funnel commands into devices, allowing administrators to log into the machinery remotely. Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series PLCs from Siemens. Hard-coded or saved passwords are also found in the Windows registry of various host machines. PLCs and RTUs are web-enabled for remote access, and this creates a window of opportunity for attackers.
2. Lack of authentication and medium control in SCADA systems is another major issue. Investigation of past SCADA incidents has shown that mobile storage media are the main vector used to infect control systems, despite the host networks being isolated from the Internet. Establishing strong controls on every medium used could prevent serious incidents. Strong authentication must be implemented to ensure secure communication and to allow personnel to access the main functionality provided by the systems. The administration console of any network appliance must be protected. Wireless and wired connections to the SCADA network and remote sites must be properly defended.
Steps to perform an audit
1. Identify all connections to SCADA networks and evaluate the security of each connection. Identify the systems that serve critical functions.
2. Conduct a vulnerability assessment (VA) of network connectivity by mapping all networked assets and the digital communication links that connect them.
3. Check for default settings and configurations on all systems.
4. Check for unnecessary services.
5. Check whether the security features provided by device and system vendors are effectively activated.
6. Check authentication and medium control.
7. Check for proper network segregation.
8. Check internal and external intrusion detection systems.
9. Check whether 24-hour-a-day incident monitoring takes place.
10. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
11. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
12. Identify and evaluate possible attack scenarios.
13. Check whether cyber security roles, responsibilities and authorities for managers, system administrators and users have been defined.
14. Check for an ongoing risk management process.
15. Check for configuration management processes.
16. Scrutinise routine self-assessment reports.
17. Check for system backups, disaster recovery plans and a BCP.
18. Check for the availability of policies.
19. Interview all key personnel.
SamuraiSTFU, plcscan, modscan, metasploit, Nessus, nmap, wireshark, tcpdump, modlib (scapy extension), Bus-pirate, CERT NetSA Security Suite, NetWitness, Lancope, Arbor, 21CT, Checkmarx, Contrast Security, Burp Suite Professional, NTOSpider, Netsparker, Appscan, sqlmap, Zulu, GPF/EFS, PFF, ImmDbg, Sulley, gdb, MSF, RTL-SDR/HackRF plus GNURadio/RFCat, binwalk, IDA Pro, etc.
Friday, June 5, 2015
- Acceptable use policy (AUP),
- Data sharing on detachable/portable media policy,
- Data classification policy, etc.
Data sanitisation, the use of test data, and data masking are also part of a DLP strategy.
- Data at rest, e.g. data in databases, data on the drive of a laptop or on USB storage
- Data in transit, e.g. emails or web forum postings, uploads to the cloud, data on the network
- Data in use, e.g. file copy or print operations
- Detect and
DLP tools are good at monitoring structured data, such as PII (Personally Identifiable Information) and PCI (payment card industry) data, but they are difficult to use for unstructured data.
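An added example (not from the original post or any DLP product) of the structured-data monitoring described above: locating payment card numbers in content by pattern and confirming each candidate with the Luhn check so that other long digit strings are not flagged. The sample texts are constructed; the card numbers used are the well-known public test numbers.

```python
import re

# Added example, not from the original post: the structured-data check a DLP tool
# applies to content at rest or in transit. Candidate card numbers are located by
# pattern and then confirmed with the Luhn check so that arbitrary 13-19 digit
# strings (order numbers, ticket ids) are not reported. All sample text is constructed.

# 13 to 19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid candidates found in text, with separators removed."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual display-masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def classify(text: str) -> dict:
    """Verdict a DLP policy could act on: block, quarantine or log the transfer."""
    pans = find_pans(text)
    return {"sensitive": bool(pans), "count": len(pans), "masked": [mask(p) for p in pans]}
```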
Before a DLP tool is deployed, one should clearly define and identify the sensitive data that needs protection, and also all possible internal and external threats.
- Policies and user awareness campaigns.
- Encryption for data at rest and in transit.
- File shares mapped with access rights.
- Consolidation of inventories.
- Control of external HDDs and USB storage devices (mobile and portable storage devices).
- Disabling of all USB ports for USB storage devices.
- Disabling of all unwanted inbuilt DVD readers/writers.
- Air-gap maintenance for disconnected networks.
- Secure file deletion policies and procedures.
- Access controls on laptops and full disk encryption.
- Use of VLANs.
- Consolidation of file servers.
- Strict data classification policies.
- Data retention policies. Destruction of old and unwanted data files.
- Deploying an RMS/DRM/IRM solution.
- PKI-based email.
- Effective identity provisioning and management.
- Content and gateway screening.
Sunday, August 31, 2014
Personally I prefer to use my browser on my mobile to access the various web sites and web applications rather than download an App. Re-entering usernames and passwords every time you access a web application or a website should not bother you if you are worried about the safety of your data and online identity.
Having written what I wanted to convey, I would like to clarify that I am not aware that the above mentioned Apps are untrustworthy in any way. I just picked them for an illustration.
Friday, June 20, 2014
| ISO/IEC 27001:2005 | ISO/IEC 27001:2013 |
| --- | --- |
| Annex A has 133 controls | Annex A has 114 controls |
| | 11 new controls |
| Annex A: 11 control objectives | Annex A: 14 control objectives (A5 to A18) |
| Five implementation sections: 5 Management responsibility; 6 Internal ISMS audits; 7 Management review of the ISMS; 8 ISMS improvement | Seven implementation sections |
| Non-standard format | Annex SL format (MS standard) |
| Process-based approach | Not process-based |
| Structured around the PDCA (Deming) cycle | No emphasis on the PDCA cycle |
| Separate class of 'preventive' controls | 'Preventive' controls removed |
| Requires 'documents' and 'records' | Instead requires 'documented information' |
| | Parts derived from ISO 31000:2009 (risk management) |
| 'Control objectives and controls from Annex A shall be selected and implemented' | 'Produce a "statement of applicability (SOA)" that contains the necessary controls' |
| Has Annex A, B and C | Has Annex A |
| | New important term: 'risk owner' |
| Emphasis on documentation of internal audits | No need to document internal audits |