PCI DSS v3.2 – The One Year Countdown has begun! Again?

I am sure many of you are reading this title thinking "what is he talking about, v3.2 went live ages ago", and you would be correct; however, version 3.2 of the PCI DSS continues the concept of future-dated requirements, meaning the one year countdown to 31st January 2018 has begun.

Save the date

The PCI Security Standards Council introduced nine requirements in PCI DSS v3.2 which are best practice until 31st January 2018, after which time they become mandatory.

Now let's be realistic: the majority of merchants and service providers are going to treat 'best practice' as 'optional' until they undergo an assessment after 31st January 2018; but please don't wait. Compliance is not just the assessment with the Qualified Security Assessor (QSA); we should be striving to meet every requirement, at all times, and these requirements must be in place by 31st January 2018 even if your assessment is not until after that date.

Do I need to do something now?

YES! The majority of these future-dated requirements are for service providers, so if you choose to postpone doing something about them now, the gap is going to be highlighted in your Attestation of Compliance.

In this hyper-competitive world, can you afford to show that to your clients and the payment brands? Will it make the difference when touting your wares? If I were looking for a service provider, part of my due diligence (requirement 12.8.3) would be to see how you are doing with your future-dated requirements.

Don’t forget, you have not only got these requirements going mandatory, you may also have the GDPR on the horizon too. So let’s get planning.

What are the requirements?

The table below was compiled from the PCI DSS v3.2, so be sure to get the full requirements from there:

| Requirement | Details | Service provider only? |
| --- | --- | --- |
| 3.5.1 | Maintain a documented description of the cryptographic architecture. | Yes |
| 6.4.6 | Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. | No |
| 8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. | No |
| 10.8 | Implement a process for the timely detection and reporting of failures of critical security control systems. | Yes |
| 10.8.1 | Respond to failures of any critical security controls in a timely manner. | Yes |
| 11.3.4.1 | If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. | Yes |
| 12.4.1 | Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. | Yes |
| 12.11 | Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. | Yes |
| 12.11.1 | Maintain documentation of the quarterly review process, including: documenting results of the reviews; review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. | Yes |

…and that means I have to do what?

Some of these requirements do nothing more than force you to employ good practice. At first glance that may seem cheeky, but if it is good practice you can hopefully already demonstrate it, either within your self-assessment or to your QSA.

3.5.1 – Documenting your cryptography

This is not as daunting as you might think. It only applies to service providers, and only where you are storing encrypted cardholder data; so you may be off the hook already. Pragmatically, it is an extension of the key-management documentation you already hold for 3.5 and 3.6, so review that documentation and add the detail the requirement asks for: the algorithms, protocols and keys used to protect cardholder data (including key strength and expiry), what each key is used for, and an inventory of any HSMs or other secure cryptographic devices used for key management.

6.4.6 – This is an extension of change control

Possibly the EASIEST of the future-dated requirements. Why? Because it is just good change management. If your change management is in good shape, it goes without saying that you are already making sure PCI DSS compliance is maintained on every change, let alone those deemed 'significant'.

Review the process, insert a reminder/action/decision point that asks "Is this significant? Have the relevant PCI DSS requirements been applied to the new or changed systems and networks, and has all documentation affected by this change been updated appropriately?", and record the answer.

8.3.1 – Multi-factor Authentication for Non-Console Administration

This could be an awkward one. Here is the distinction for administrators: sitting at the console of a machine in the CDE, you do not need MFA to log on (but I won't complain if you have it!). Sitting elsewhere and connecting over the network to administer a CDE system (RDP, SSH, a web admin console and the like), you will need a second factor, regardless of whether you connect from inside or outside the corporate network. Start planning now if this is not in place, as it will touch a number of other requirements and is likely to attract the attention of 6.4.6 above.

10.8 & 10.8.1 – Find out that it is broken, why it happened and fix it without delay

This one is for service providers only, but once again I will not object to merchants doing it too! You need to show how you are monitoring the monitoring systems for failure: firewalls, IDS/IPS, FIM, anti-malware, logging and the like, and what happens when one of them stops working. This can go hand in hand with testing your incident management processes, particularly for things which do not get exercised on a daily basis. Work out a control test to apply to each of those systems where appropriate. If the monitoring processes do their job, you will not only be giving yourself evidence of testing the incident management plan, you will also have checked that the monitoring system itself is working.
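The simplest "monitoring the monitoring" check is a dead man's switch: every critical control is expected to report in (a heartbeat, a status message, or simply its normal stream of log lines) within a known interval, and anything that goes silent, reports an error, or never reports at all is raised as a control failure. The following is an added example, not Nettitude's code or part of the original post; the control names, the heartbeat intervals and the status lines are constructed for illustration, and a real deployment would read the last-seen times from the SIEM or syslog collector instead.

```python
"""Detect silent or failing critical security controls (a PCI DSS 10.8-style check).

Added example, not Nettitude's code. Control names, thresholds and the status
lines are constructed for illustration; feed it your own SIEM/syslog data.
"""
from datetime import datetime, timedelta, timezone

# Each critical control is expected to report at least this often (hypothetical values).
# A control that stays silent longer than its window, reports an error, or never
# reports at all is treated as a failure that needs a ticket under 10.8.1.
HEARTBEAT_POLICY = {
    "fw-edge-01":  timedelta(minutes=5),   # perimeter firewall
    "ids-cde-01":  timedelta(minutes=5),   # IDS/IPS in front of the CDE
    "fim-db-01":   timedelta(hours=1),     # file-integrity monitoring on the DB server
    "av-mgmt-01":  timedelta(hours=24),    # anti-malware management console
    "logcoll-01":  timedelta(minutes=15),  # the central log collector itself
}

# Constructed status lines of the form "<ISO8601 UTC> <control> status=<ok|error>".
SAMPLE_EVENTS = [
    "2018-01-10T09:58:02Z fw-edge-01 status=ok",
    "2018-01-10T09:59:40Z ids-cde-01 status=ok",
    "2018-01-10T07:10:11Z fim-db-01 status=ok",      # last seen nearly three hours ago
    "2018-01-10T09:57:15Z av-mgmt-01 status=error",  # the control reports its own failure
    # logcoll-01 never reports at all
]


def parse_event(line):
    """Split one status line into (timestamp, control name, status value)."""
    ts, control, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, control, status.split("=", 1)[1]


def check_controls(events, now, policy=HEARTBEAT_POLICY):
    """Return {control: reason} for every control that is silent, erroring or missing."""
    last_seen, last_status = {}, {}
    for line in events:
        when, control, status = parse_event(line)
        if control not in policy:
            continue  # not a critical control, so not part of this check
        if control not in last_seen or when > last_seen[control]:
            last_seen[control] = when
            last_status[control] = status

    failures = {}
    for control, window in policy.items():
        if control not in last_seen:
            failures[control] = "no heartbeat ever received"
        elif now - last_seen[control] > window:
            failures[control] = f"silent for {now - last_seen[control]} (limit {window})"
        elif last_status[control] != "ok":
            failures[control] = f"reported status={last_status[control]}"
    return failures


def run_sample():
    """Evaluate the constructed events as of 10:00 UTC on the same day."""
    now = datetime(2018, 1, 10, 10, 0, 0, tzinfo=timezone.utc)
    return check_controls(SAMPLE_EVENTS, now)


if __name__ == "__main__":
    for control, reason in sorted(run_sample().items()):
        print(f"FAIL {control}: {reason}")
```

Run it as written and it flags fim-db-01 (silent beyond its one-hour window), av-mgmt-01 (reporting an error) and logcoll-01 (never heard from), while the two controls that reported recently pass. The point of the last case is that the collector watching everything else must itself be watched: if it dies, every other control goes quiet at the same time, which is exactly the failure 10.8 wants you to notice quickly.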

11.3.4.1 – Segmentation Testing

This is a recurring activity to test your segmentation; the six-monthly frequency applies to service providers only (everyone else stays on the at-least-annual test in 11.3.4, plus after any change). Check the wording in the standard and have it done either by a qualified internal resource that is organisationally independent of those who manage the segmentation controls, or by engaging a penetration testing company.

12.4.1 – Executive Management and a PCI Charter

This is new to PCI DSS, but not entirely unfamiliar. If you are running an ISO 27001 ISMS, you will know that top management has to be part and parcel of the programme. A RACI matrix will help here, along with keeping top management in the loop; if you have not already started, this requirement is a good place to begin.

12.11 & 12.11.1 – Perform reviews

Again, this is not a new idea, but it is a real boost for maintaining compliance. Thinking again about ISO 27001: internal auditing is mandatory there, so this becomes one more control in your management system and you are covered. It is about assessing that you are performing BAU activities and can evidence it: evidence that change controls and BAU activities were observed to be in place and effective, and documentary evidence that the review took place and was signed off.

So it is all quite straightforward?

Yes: a general review of your day-to-day activities is going to 'smash these out of the park'. And if you are struggling with where to start, contact your QSA company for assistance; they will be happy to help.

If you have done nothing yet, please try to minimise your delay. Also, remember that these are all requirements designed to minimise risk, so put an entry into your risk register (requirement 12.2) and, as you work through them, close them off; the assessment process will love you for it!

P.S. Save the Date – 31st January 2018, not only is it a significant day for PCI DSS, it is also a total lunar eclipse and in the UK we sadly don’t get to see too much of it.

To contact Nettitude’s editor, please email media@nettitude.com.

Soldier to Cyber

As an ex-serviceman myself, I am often approached by service leavers asking how they can best prepare themselves for a career as an IT Security Consultant (AKA Penetration Tester / Ethical Hacker).

I have written this post based entirely on my personal experience. The aim is to provide guidance to those who, like me, intend to enter this exciting and fast-evolving industry as a complete beginner.

It was two years after leaving the Armed Forces that I realised the career path I wanted to take, and that realisation came only after much deliberation about what actually motivates me. Unfortunately, because of this delayed realisation and lack of calculated direction, I did not make effective use of my time in resettlement. I would strongly recommend using the whole year to get the very most out of it! Resettlement is one of the most joined-up processes the military offers, provided you apply some thought to what you want out of it. I would encourage anyone in resettlement seeking a career as a Security Consultant to use all the available opportunities and look into the training programmes explained below.

  1. Sign up to the CTP (Career Transition Partnership) website and enrol on the CompTIA A+ course (10 days). Now I know what you may be thinking: "A+ is primarily hardware related", and you would be right. But A+ also covers a lot of the basics such as virtualisation, networking and security practices, and these "basics" will become part of your everyday working life as a Security Consultant. Besides, you will also become a competent IT technician, armed with the skills and knowledge to repair your own PCs/laptops, saving yourself £££'s in the future. It will also prepare you for course number 2, outlined below.
  2. CompTIA's Network+ and Security+ course (15 days). This course is designed to look into networks and then security best practices (both topics are vitally important as a consultant, because you will need to advise your clients on how to remediate their security failures). It is during this course that you will begin to learn about testing network security with pen testing tools. I would also take the time to sit the exams for any courses to gain your formal certification. This will impress any potential employer, whilst also demonstrating your commitment and aptitude. CTP receive a preferential discount on CompTIA exams to encourage ex-servicemen and women. Consider using your annual SLC to fund these exams.
  3. Sign up to Cybrary.it and study the Linux+ course. This is VITALLY important because the tools you will be using in the future as a consultant are most likely on the Kali Linux operating system (OS). Before you start to use Kali Linux, you really need to understand how a Linux OS works, and Cybrary's Linux+ course does just that. Don't just give the course lip service; it is so important to get used to the functionality of a Linux OS, and you really need to understand exactly what you are running. Practice, practice, practice; this will save you so much pain in the long run.
  4. The allocated resettlement/Graduated Resettlement Time (GRT) should not be viewed as a "buckshee holiday"; you should be using this time to apply your technical knowledge in a practical way and applying to potential employers for work placements. Things like accommodation and travel, as well as food, are all covered when you are using GRT for a work placement (I will caveat that with: this was the case 3 years ago).
  5. Using the whole year, this would take you roughly 6 months into resettlement and you would have gained the basic skills to further your development. It is now that you should consider using one of your resettlement grants towards a course provider who offers CREST training in Penetration Testing / Ethical Hacking, in order to work towards the CRT (CREST Registered Tester) exam. The fact that you are leaving the military, most likely with SC or DV clearance, and with a CRT qualification will make you highly desirable.
  6. You will now be armed with plenty of skills and certificates to be considered for a junior tester position. Whilst you are applying for jobs, or just seeing out the end of your time in the Armed Forces, download vulnerable virtual machines; Metasploitable2 is a great start. It is purposely designed with plenty of security flaws to exploit and test your newly learned skills, and there are plenty more vulnerable VMs available.
  7. Should you want to excel and go above and beyond, it would be worth considering studying for the OSCP (Offensive Security Certified Professional) exam. The OSCP certification is regarded as the best within the pen test industry; by successfully completing it, the holder has clearly demonstrated their proficiency as a penetration tester. The course costs around £1200 and is difficult, requiring 100% commitment.

Embrace learning! The industry is constantly evolving; I have not stopped learning and I don't think I ever will. Make sure you use your resettlement package wisely and invest the time and effort to prepare for your future.

I wish you all the success in your future. Please feel free to drop me a message should you need further guidance.

The Big Freeze Is Coming – PCI DSS and change freezes

With the festive period rapidly approaching, many people will no doubt be looking forward to an extended break and some well-earned time away from work. The run-in to Christmas can be a relatively peaceful time of the year for many people, with organisations reluctant to kick-off large projects, or make significant change at a time when their employees are taking leave.

Many businesses implement what is referred to as a change freeze over this period, stopping all but the absolutely unavoidable changes in the hope of minimising the risk of unexpected downtime. After all, nobody wants to be rolling back a system upgrade on Christmas Eve, or recovering backups on Boxing Day.

Probably the most common justification for a change freeze is found in the retail sector. With the Black Friday madness now behind us, the busiest shopping day of the year is predicted to be December 23rd. Crowds of hopeful last minute shoppers are expected to rush to the high-street, and possibly even more will go online and put their trust in next day delivery.

It is at this time of year that the impact of any technical glitch will likely cost more than at any other time. Last year, over a third of all shoppers waited until the final week before Christmas to complete their shopping, so any retailer whose website or shops cannot satisfy their customers' desire to spend faces a significant loss.

It’s easy to see why those tasks, considered not to be “absolutely unavoidable”, are delayed. Updates, upgrades, migrations, new installations – they’ll have to wait until January. But this can prove to be problematic, especially if your business is trying to comply with PCI DSS.

There are many ongoing requirements that must be met to maintain PCI DSS compliance, and some of them could fall victim to the change freeze. The most significant issue is applying critical security updates within one month of their release (requirement 6.2). In my opinion, PCI DSS is already very forgiving on this; arguably one month is an overly long window in which to apply a critical security update. However, if your business runs a change freeze from mid-December until January, failing to install updates could leave you (and your Qualified Security Assessor (QSA)) with a problem come the time of your next on-site assessment.

Any organisation that enforces a change freeze which might affect security (never mind compliance) should complete a comprehensive risk assessment. Consider what additional risks exist as a result of the freeze, and any mitigation work required (wherever possible). Make sure that you assess the risks of both making and not making changes, and use the same risk assessment process for both so that the results are comparable.

Keeping with the example of not installing security patches, you should consider the exposure of each system affected (a public-facing server versus an internal server), as well as the time immediately before and after the change freeze. It should go without saying that your 'house' should be in order before the freeze starts, with all patches applied and verified. Another recommendation is to complete additional vulnerability scanning to provide extra visibility and assurance.

While the change freeze is in place, your teams should be actively monitoring any alerting systems you have, as well as the security bulletins provided by vendors. If critical updates are released, assess whether they justify breaching the change freeze. If they don’t, then at the very least you should consider applying them to any test environments.

Schedule any required maintenance windows in advance, and when the change freeze lifts, apply any critical updates to the most exposed systems first and work back from there.

As for your PCI DSS compliance, it is important to "show your working". Don't simply hope your QSA won't notice that some tasks haven't been completed. Each QSA's approach and expectations may vary, so work with them on an ongoing basis and at the time of your assessment, and show that you have acted appropriately.

Performing a risk assessment does not have to mean pages and pages of documentation, but you should be able to demonstrate that you considered the risk and acted appropriately. You may also need to complete a compensating controls worksheet, but again this is something to discuss with your QSA. PCI DSS should never stand in the way of your organisation achieving its goals, and taking a pragmatic and open approach should help to ensure that the change freeze doesn't leave you out in the cold.
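The risk assessment described above boils down to a question you can answer mechanically for every outstanding patch: when does its one-month deadline fall relative to the freeze, and how exposed is the system? The following is an added example, not Nettitude's tooling or part of the original post; it takes a constructed backlog of pending patches (hypothetical system names, exposure tiers and release dates), computes each deadline, and sorts the backlog so that overdue patches on the most exposed systems come first. It approximates "one month" as 30 days, which is an assumption you should align with your QSA.

```python
"""Triage a patch backlog against the PCI DSS one-month window during a change freeze.

Added example, not Nettitude's code. Systems, exposure tiers, patch references
and dates are constructed for illustration.
"""
from datetime import date, timedelta

# PCI DSS 6.2 says "within one month of release"; 30 days is this example's approximation.
PATCH_WINDOW = timedelta(days=30)

# Ordering only: most exposed systems first when the freeze lifts (hypothetical tiers).
EXPOSURE_RANK = {"internet-facing": 0, "dmz": 1, "internal": 2}
CATEGORY_RANK = {"overdue": 0, "due-in-freeze": 1, "due-after-freeze": 2}

# Constructed backlog: (system, exposure tier, patch reference, vendor release date).
BACKLOG = [
    ("web-01",  "internet-facing", "PATCH-A", date(2017, 11, 20)),
    ("db-01",   "internal",        "PATCH-B", date(2017, 11, 10)),
    ("mail-01", "dmz",             "PATCH-C", date(2017, 12, 12)),
    ("web-02",  "internet-facing", "PATCH-D", date(2017, 11, 5)),
]


def classify(deadline, today, freeze_start, freeze_end):
    """Place a patch deadline relative to today and the freeze window.

    overdue           the one-month window has already closed: fix or document now
    due-in-freeze     the window closes during the freeze: either justify breaching
                      the freeze or record a risk acceptance / compensating control
    due-after-freeze  schedule it for the first maintenance window after the freeze
    """
    if deadline < today:
        return "overdue"
    if freeze_start <= deadline <= freeze_end:
        return "due-in-freeze"
    return "due-after-freeze"


def triage(backlog, today, freeze_start, freeze_end):
    """Return one record per pending patch, worst first."""
    records = []
    for system, exposure, ref, released in backlog:
        deadline = released + PATCH_WINDOW
        records.append({
            "system": system,
            "exposure": exposure,
            "patch": ref,
            "deadline": deadline,
            "category": classify(deadline, today, freeze_start, freeze_end),
        })
    # Sort by urgency category, then by exposure, then by the earliest deadline.
    records.sort(key=lambda r: (CATEGORY_RANK[r["category"]],
                                EXPOSURE_RANK[r["exposure"]],
                                r["deadline"]))
    return records


def run_sample():
    """Triage the constructed backlog for a freeze running 15 Dec 2017 to 3 Jan 2018."""
    return triage(BACKLOG, today=date(2017, 12, 15),
                  freeze_start=date(2017, 12, 15), freeze_end=date(2018, 1, 3))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['category']:<17} {r['system']:<8} {r['exposure']:<16} "
              f"{r['patch']} due {r['deadline']}")
```

On the constructed data, both internet-facing web servers and the internal database server are already past their deadline before the freeze even begins (which is the "get your house in order first" point), one patch falls due inside the freeze and needs an explicit decision recorded against it, and one can simply be booked into the first post-freeze maintenance window. The sorted output is the list you take to the change advisory board and, later, to the QSA as evidence of the decision.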

Drive My Information Security Car

Maintaining your vehicle

Modern-day information security can be likened to vehicle maintenance, with the business being the vehicle and the various lubricants and fluids being the different forms of data and regulation. The Payment Card Industry Data Security Standard (PCI DSS) is just one example.

Figure 1: VW Beetle Cutaway

What happens if these different types of data are not maintained?

A simple ball exercise: the different coloured balls represent different types of data, and the people represent the different processes required to move this data around a business. No rules = ANARCHY!

Figure 2: Data Flow exercise (Red=PCI; Blue=PII, etc.)

Okay, so a PCI DSS v3.2 assessment is much like your annual MOT (roadworthiness) test, with specific terminology for its testing criteria; for example:

1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all:

• Network connections
• Changes to firewall and router configurations

Identify the document(s) reviewed to verify procedures define the formal processes for:

• Testing and approval of all network connections
• Testing and approval of all changes to firewall and router configurations

This is all somewhat confusing…

It is a given that most QSAs would expect every organisation that processes, stores or transmits cardholder data (or that could affect its security) to fully understand the intent of all these specific controls.

However, the Information Security Consultancy (ISC) team at Nettitude takes a slightly different view and understands that not every company can afford the expertise of a master mechanic; some will have less experienced apprentices running their information security departments. Whatever their expertise, what these information security professionals have in common is the 'want' to do their jobs to the best of their abilities and to ensure that the environments they support are as secure as possible.

Hence Nettitude's ISC team has been forged from members with wide-ranging skills and experience who also share a commonality:

"To meet and maintain a minimum standard of skills, experience and expertise, and to pursue excellence as standard"

In order to achieve these goals, the team is consistently scouring the web, white papers, industry standards and more to ensure that all of our knowledge is current and accurate. As a result, we are able to impart this knowledge and provide myriad supporting references, enabling our clients to safely service and maintain their own motor vehicles. More importantly, clients are empowered with the knowledge to deal with regulators, auditors and their banks with confidence.

Creating your own service manual

Much like the motor industry today, there are resources available to help you create your own 'Haynes Manual'. For example, if I needed to write a chapter in support of 1.1.1.a, where might I look?

Figure 3: VW Beetle Haynes Manual

How about para 5.3, page 5-6, of NIST SP 800-41 Rev. 1, 'Guidelines on Firewalls and Firewall Policy'?

“5.3 Test
New firewalls should be tested and evaluated before deployment to ensure that they are working properly. Testing should be completed on a test network without connectivity to the production network. This test network should attempt to replicate the production network as faithfully as possible, including the network topology and network traffic that would travel through the firewall. Aspects of the solution to evaluate include the following:”

How easy might it be to turn that paragraph into a policy statement, just through the use of the words MUST or SHALL?

Remember, PCI DSS is designed to provide a minimum baseline (defence in depth) for the protection of your card payment (or supporting) operations, and it draws on industry guidance such as NIST.

Conclusion

If you are struggling to understand the specifics of PCI DSS v3.2 (the brake fluid) and how to maintain it effectively and efficiently within your company (the VW Beetle, Porsche 911, etc.), why not have seasoned professionals come in and give your vehicle a well-earned service?

Imagine the scene:

"You're driving down the highway at 70 mph and you see that the traffic in front has stopped. You apply the brake and NOTHING HAPPENS! At the moment you need the brake fluid to do what it is intended to do, it has been contaminated (integrity) or the brake reservoir is empty (availability)."

It may turn out to be one of your best information security investments of 2017.

Authored by Jim Seaman, CISM, CRISC, QSA – Security Consultants Team Lead, Nettitude.

Global statistics: An insight in to Nettitude’s latest honeypot findings

Knowing the methods, sophistication and modus operandi of threat actors, and how these change over time, is fascinating. The Nettitude Global Honeypot network has recently been upgraded to capture more in-depth information and more interactions from attackers. This section gives an overview of the trends and highlights from recently captured data.

Overview
Remote Desktop Protocol (RDP) was developed by Microsoft to allow users to connect to a remote system over a network connection. The end user runs RDP client software while the remote server runs RDP server software. Client software exists for Windows, Linux, Unix, OS X, iOS and Android, as well as several other operating systems. RDP server functionality is built into Windows, and server implementations are also available for Unix and OS X.

The protocol has recently been exploited by the Apocalypse ransomware group, who brute-forced weak RDP passwords to gain access to victims' infrastructure, encrypting files whilst gaining first-hand knowledge of network configurations. The data below shows that RDP is still a popular protocol to probe, with attacks originating from three separate continents.

Attacking RDP
The United States accounts for the vast majority of attacks against the RDP protocol (tcp/3389), as seen in Figure 1. The protocol is commonly used by system administrators to remotely access a user's system to assist with troubleshooting. As previously mentioned, poorly configured RDP servers can offer a staging post for attacks against a system. With millions of endpoints using this protocol, it is not unusual to see attacks against it.
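The RDP brute-forcing described above has a simple signature in authentication logs: many failed logons from one source against one port in a short window, and, in the Apocalypse case, a success immediately after them. The following is an added example of that detection logic, not Nettitude's honeypot code or part of the original report; the log format and the lines below are constructed for illustration, so parse_line() would need adapting to a real sensor or to Windows 4625/4624 events. It tracks failures per (source, port) in a sliding window, raises one alert when the threshold is crossed, and raises a higher-severity alert if a success follows a burst of failures, which is the moment a weak password has actually been found.

```python
"""Sliding-window brute-force detector for RDP/SSH/MySQL logon attempts.

Added example, not Nettitude's honeypot code. The log format and sample lines
are constructed; adapt parse_line() to your own sensor's output.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5        # failures from one source/port within the window (hypothetical tuning)
WINDOW_SECONDS = 60

# Constructed lines: "<ISO8601 UTC> src=<ip> dport=<port> user=<name> result=<fail|success>"
SAMPLE_LOG = [
    "2016-10-03T14:00:01Z src=198.51.100.7 dport=3389 user=administrator result=fail",
    "2016-10-03T14:00:03Z src=198.51.100.7 dport=3389 user=admin result=fail",
    "2016-10-03T14:00:05Z src=198.51.100.7 dport=3389 user=Administrator result=fail",
    "2016-10-03T14:00:08Z src=198.51.100.7 dport=3389 user=administrator result=fail",
    "2016-10-03T14:00:10Z src=198.51.100.7 dport=3389 user=administrator result=fail",
    "2016-10-03T14:00:12Z src=198.51.100.7 dport=3389 user=administrator result=success",
    "2016-10-03T14:00:20Z src=203.0.113.9 dport=22 user=root result=fail",
    "2016-10-03T14:00:25Z src=192.0.2.44 dport=3306 user=root result=fail",
    "2016-10-03T14:30:00Z src=203.0.113.9 dport=22 user=root result=fail",  # window expired
]


def parse_line(line):
    """Return (timestamp, source ip, destination port, username, result) for one line."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields["src"], int(fields["dport"]), fields["user"], fields["result"]


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (severity, src, dport, timestamp, detail) tuples, in log order."""
    recent = defaultdict(deque)  # (src, dport) -> timestamps of failures inside the window
    alerted = set()              # keys already alerted on, so one burst gives one alert
    alerts = []
    for line in lines:
        when, src, dport, user, result = parse_line(line)
        key = (src, dport)
        q = recent[key]
        # Expire failures that fell out of the sliding window.
        while q and (when - q[0]).total_seconds() > window:
            q.popleft()
        if result == "fail":
            q.append(when)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("high", src, dport, when,
                               f"{len(q)} failed logons in {window}s"))
        else:
            # A success right after a burst means the guessing worked: escalate.
            if len(q) >= threshold:
                alerts.append(("critical", src, dport, when,
                               f"successful logon as {user} after {len(q)} failures"))
            q.clear()
            alerted.discard(key)
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for severity, src, dport, when, detail in run_sample():
        print(f"[{severity}] {when.isoformat()} {src}:{dport} {detail}")
```

On the constructed log this produces two alerts for 198.51.100.7 against tcp/3389: a high-severity one at the fifth failure and a critical one when the sixth attempt succeeds. The two SSH failures from 203.0.113.9 are thirty minutes apart and never accumulate, which is the slow-and-low case a fixed window will miss; lengthening the window or counting distinct usernames per source are the usual next steps.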

Attacker OS
Nearly 75% of attacks against RDP originated from Windows hosts, specifically Windows 7 or 8, as seen in Figure 2. This is consistent with the popularity of the RDP protocol, its native support in Windows, and the likelihood that a victim is running it on a Windows server.

Iran
Most attackers use Windows 7 or 8. Unlike attacks observed from the United States and Iraq, Iranian attackers focused their efforts on port 22, which provides Secure Shell (SSH), the SSH File Transfer Protocol (SFTP) and port forwarding, as seen in Figure 3. Iran, as a nation state, has significantly improved its cyber capability since the Stuxnet and Flame attacks in 2010 and 2012. Since the election of Hassan Rouhani as President in 2013, funding for cyber security has risen by 1,200% (between 2013 and 2016).

Iran has sought to harden its defences and learn from the Advanced Persistent Threat (APT) campaigns that were directed at it. The Internet itself is less censored, which has paved the way for an increase in malicious activity originating from, or routed through, Iran. As is seen in China, Internet Service Providers are leveraged by attackers to conduct attacks, be they automated or manually crafted campaigns, as these allow for a certain level of anonymity.

Iraq
Iraq has recently seen victims targeted by a group known as Operation Ghoul, a credential-harvesting group that compromises victims using spear-phishing emails. Interestingly, the attacks originating from Iraq and captured by the honeypot target port 3306, which typically hosts the MySQL database system, as can be seen in Figure 4. Databases are often a rich repository of information, with organisations using them to store confidential material. For example, a poorly configured SQL database would afford attackers the ability to harvest credentials and sell that information for monetary gain.

URL Statistics
One of the more interesting areas to investigate is Uniform Resource Locator (URL) information, specifically focused on the origins of malware. URLs are the global addresses of documents and other resources on the web; they are also used as staging posts for launching malware.

Nettitude, through its global network of honeypots, has captured vast swathes of information that has helped us understand malware trends and identify the domains through which it is being hosted. Figure 5 lists the ten worst ISPs for hosting malicious URLs. Between them they account for 79% of the total number of maliciously hosted URLs. It is difficult to ascertain the source of these campaigns, be that the actual threat actor or a compromised computer used as a bot, but it does show that ISPs are an ideal medium through which to launch malicious activity.

Nettitude has drawn on historical data and observed the creation of just over 139,000 malicious domains, as seen in Figure 6. Of those, just over 77,000 have been created since 2014, accounting for 55% of the total number observed. In 2015 alone, over 53,000 were created, a record number since data records began. This is a staggering statistic and one that is going to increase further by the end of 2016.

This article has been taken from the Cyber Threat Intelligence (CTI) Report produced by Nettitude's Research and Innovation team. If you would like a copy of the CTI Report, you can request it from Nettitude.

Authors: Phil Buck and Dr Jules Pagna Disso in Nettitude’s Research and Innovation team.

The Accelerator Scheme

It is no secret within the cyber security industry that finding the high-calibre, skilled individuals required to deliver first-class security services can be problematic. Ever determined to turn problems into opportunities, the big brains at Nettitude's HQ in Tancred Towers dreamt up the Accelerator Scheme.

The Accelerator Scheme is a seven-month, hands-on training course designed to help address the current skills gap within the cyber security industry and to provide a viable entry point for individuals looking to begin or develop a career within the IT security services sector. The programme is designed to provide education and practical exposure across a wide variety of security disciplines, including penetration testing, malware analysis, vulnerability research/development, threat intelligence and incident response. On successful completion of the programme, all candidates will be supported into full-time security consultancy roles within the business.

Problem solved?! Well, almost.

Taking the idea from its conceptual state, Nettitude's marketing and recruitment department worked tirelessly to broadcast and advertise the new initiative: we wanted to sniff out and attract the best wannabe security consultants from around the country via Nettitude's website, social media and by attending hacking conferences scattered across the country. Meanwhile, back at the office, the technical bods joined forces to hammer together a rigorous agenda that would provide tailored and relevant training. The importance of hands-on experience has not been lost on the programme, and a high proportion of it is made up of 'real world' delivery under the careful mentoring and guidance of some of Nettitude's senior security consultants.

A number of dedicated recruitment days were held where prospective 'Accelerators' were put through their paces via a series of team-building and technical challenges. Only eight survived, all of whom were selected.

On Monday 12th September, Nettitude was happy to extend a warm welcome to the 'Accelerators', both to the programme and to the business. The photos below were taken on a couple of team-building days. One involved elements of self-awareness, understanding others and how to work effectively together (important in a seven-month programme!); the other involved being locked in a room for 60 minutes and solving problems to escape, followed by pie eating and beer drinking. Fair to say both days had their merits, and the team are forging some strong relationships!

For more information about careers at Nettitude, see the Nettitude website.

Figure 1: Team building, lying around

Figure 2: A particularly interesting flipchart

Figure 3: Escape Live, team 1

Figure 4: Escape Live, winning team 2

24 x 7 SOCs: The Answer to your Monitoring & Logging needs?

Monitoring & Response:

Monitoring and response is a key aspect of any cyber assurance strategy; for many organisations it has been in place for years, but it has never really been addressed, or even acknowledged, as a problem.

However, the recognition that cyber-attacks and breaches can now happen to anyone is inevitably bringing the consideration of 'situational awareness' to the top of the pile.

  • But what do you need from a monitoring and logging solution?
  • What should a Security Operations Centre (SOC) provide for you?
  • How can you demonstrate both its value and its return to your business?
  • Can you be assured that your environment is monitored for the wide range of threat actors, types of attack and levels of sophistication that may be deployed against you?

The SOC (Security Operations Centre) is the centralised hub for organisational logging and monitoring, whether in-house or outsourced, providing visibility of technical and security issues. Having a SOC is key to understanding your organisation's security posture in order to prevent attacks and protect key assets.

We are going to explore some of these issues in a series of blogs. The industry has made a number of attempts to define 'good' for this area, but there are as yet no clear standards, expectations or buying guidance.

This will change, but in the meantime we are going to look at a number of key issues, starting with: Do you need a 24×7 SOC service?

Asking the right questions

Most organisations believe that simply by having a 24 x 7 SOC they have enhanced security and are better protected against threats and vulnerabilities; unfortunately, this can lead to a false sense of security. At Nettitude, this has been the subject of many debates.

On one hand, having dedicated analysts around the clock watching your environment sounds exactly the sort of thing that is required. After all, cyber-attacks don’t just happen between 9-5 in your particular time zone!

On the other hand, is round-the-clock cover the overriding factor that will help you detect and react to a breach in the best possible manner? If your business runs 9-5, who within it is going to respond at 2 am? How much meaningful investigation will take place at that time? What about the capability of the SOC team? If you only have SIEM/log analysis, who is going to be responsible for the incident response?

The reality is that a 24×7 SOC itself is not the primary indicator of success.

The real questions that need to be addressed are ‘how good is your SOC?’, and ‘how can it be measured?’.

A SOC needs to be operating at the best of its ability, maturing well and constantly updating its threat intelligence, to include not just the latest emerging threats but also innovative ways of detecting new ones. A SOC needs to be able to operate at the same level as your adversary. If you are looking for assurance that you can withstand an attack by a nation state or an organised crime group, what capabilities and depth do you need within your SOC and IR teams? Does your SOC even have in-depth IR capability available?

A great SOC is not a standalone department; it needs full interaction with your cyber security assurance programme for optimal results.

Cyber Security Assurance

There are many areas we could dive into, but the ones most often discussed around the capability of a SOC are Technology, People, Process and Information. To these we would add Threat Intelligence, and frame all of them in the context of Assurance (ultimately, confidence that you can detect and effectively deal with a breach when it happens).

Figure 1: Quality of SOC

The Financial Services sector has implemented the CBEST programme, which takes the CREST STAR scheme and applies it to that industry. Its foundation is the desire to give the UK financial services sector assurance that it could manage a sophisticated cyber-attack. Threat intelligence, simulated testing and incident response maturity assessments are the key building blocks for achieving this.

Figure 2: CBEST & STAR

Within a SOC, proving that assurance must be a key objective.

So, before we dive into insisting on a 24×7 SOC, let’s look at the real issues that we should be looking for within any SOC service (in house, hybrid or fully outsourced).

Threat Intelligence (TI)

Having accurate TI is crucial when looking to detect threat actors and their activity. One of the first challenges of any monitoring and logging solution is the sheer volume of logs and data you will potentially have to deal with.

There are 3 areas in which TI should help you:

1. Identifying Threat Actors – Know your enemy! Who they are, but also how they operate and how likely they are to come after you. Threat Intelligence can help you quickly identify your highest priorities: the attacks you are most likely to see, the assets they may target and how they may seek to attack.

2. Context of Risk – Threats must be understood in the context of risk. Your threats are one component of your overall risk, so make sure your SOC knows what your critical assets are, where they are and what vulnerabilities they carry, so that it can monitor them intelligently.

Figure 3: Risk Definition

3. Red Teaming – If you really want assurance, you need to simulate the very events you are trying to protect yourself from. Having a Red Team (penetration testing experts) integrated with training and working alongside your SOC is vital. How will you know the SOC can provide the capabilities you need, when you need them, if it has never experienced attacks of the right level?

If the information on which we base our threat picture is incorrect, irrelevant or out of date, the chances are that a high number of false positives will drown out the real threats. As threats constantly change, it can be hard to keep up and know where to look next.

Poor threat intelligence is essentially looking in the wrong direction, which is equivalent to not looking at all. Good TI is also an early warning sign, a little like people flashing their headlights at you to indicate an upcoming hazard or speed camera. Use TI to help you know what is round the corner!

A good SOC must use true Threat Intelligence to inform, shape and define the service provided, at the geographical, sector and individual level for each customer.

There are generally 3 ways in which SOC services are provided:

1. You may have/need a fully in-house provided capability including deep dive IR capabilities;
2. You may be looking at an in-house 1st/2nd line capability with an outsourced 3rd line/expert/IR extension; or
3. You may be looking for a fully outsourced model.

There are multiple components that need to be regularly monitored, tweaked, trained, educated and updated in a beneficial and reliable SOC, and they go a long way beyond ticking a box to say the SOC you have is 24 x 7.

SOC Maturity

There are then 4 areas within the core capabilities of a SOC that you need to look at, which will help you determine whether a SOC is right for you.

SOC maturity is also crucial, both to effectiveness and to understanding baseline activity and anomalies. The SOC should have a maturity plan that assesses its current state, where it aims to be and how it intends to bridge that gap.

1. Information – All SIEM platforms take in and correlate data from log sources. Which sources are used, how they are tuned and how effective they are at detecting the type of activity you are trying to detect are all important. Incorporating information about the environment (key assets, vulnerabilities, threats, etc.) is also key.

2. People – When looking at personnel within the SOC, it is important to recruit on experience and certification, but also to assess capability. Although it may be tempting to employ graduates for all your roles, you will not gain the depth of experience needed to deal with the level of threat you need to monitor for.

What you probably need is an experienced team with a variety of skill sets, able to address a wide variety of issues and concerns. Members of the team should also support the maturity process by helping to develop processes for environmental tuning, and be regularly trained and assessed to support the day-to-day running of the SOC.


Figure 4: Nettitude SOC

3. Tools/systems – The SOC tool set should be far more than just a SIEM platform (although this is a key element). The addition of host-based agents, network captures, TI products, honeypots, etc. is just as important.

How effective and intelligent your SOC toolset is, and how efficiently it is used, will directly affect the value you get from it. The SOC platform should not be thought of as a single, standalone SIEM product that will protect your entire organisation. Look at what other tools can be used alongside it to generate more intelligent alarms and events: IDS/IPS, for example, and other cyber intelligence tools that work cohesively with the SIEM solution.

4. Processes – So what happens when you detect a threat? Is there panic and mayhem, or is there a set process in place, with an efficient escalation path for that scenario? If such processes exist, how regularly are they reviewed? Processes in this context are a means of handling different scenarios, and they need to be reviewed, created, deleted or amended as required to ensure maximum efficiency. They apply not just to alarm escalation but also to day-to-day tasks, which allows duties to be regulated among team members.
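The Information point above, and the Context of Risk point in the Threat Intelligence section, come down to one mechanic: a correlation rule whose verdict depends on what the SOC knows about the asset and the source, not just on the log line. The following is an added example and is not Nettitude's code nor any SIEM vendor's; the asset inventory, the indicator list, the failure threshold and the sshd-style log lines are all constructed. It flags a password-guessing run that ends in a successful login, then raises or lowers the score according to asset criticality and whether the source appears in the threat intelligence feed, which is how a tuned rule stops a typo-prone developer on a low-value box drowning out a hit on the bastion:

```python
import re
from collections import defaultdict

# Constructed inputs: an asset inventory, a threat-intel indicator list and sshd-style log lines.
ASSETS = {
    "bastion": {"criticality": 5},   # internet-facing jump host, the crown jewel here
    "dev-box": {"criticality": 1},   # throwaway internal developer VM
}
TI_SOURCES = {"203.0.113.5"}          # constructed indicator; 203.0.113.0/24 is a documentation range
FAILURE_THRESHOLD = 3                 # tuning knob: failures before a success becomes suspicious

LOG_LINES = [
    "Jan 12 02:14:01 bastion sshd[811]: Failed password for admin from 203.0.113.5 port 4021 ssh2",
    "Jan 12 02:14:09 bastion sshd[811]: Failed password for admin from 203.0.113.5 port 4023 ssh2",
    "Jan 12 02:14:17 bastion sshd[811]: Failed password for admin from 203.0.113.5 port 4025 ssh2",
    "Jan 12 02:14:40 bastion sshd[811]: Accepted password for admin from 203.0.113.5 port 4029 ssh2",
    "Jan 12 09:00:02 dev-box sshd[222]: Failed password for alice from 10.0.5.20 port 5522 ssh2",
    "Jan 12 09:00:10 dev-box sshd[222]: Failed password for alice from 10.0.5.20 port 5524 ssh2",
    "Jan 12 09:00:18 dev-box sshd[222]: Failed password for alice from 10.0.5.20 port 5526 ssh2",
    "Jan 12 09:00:30 dev-box sshd[222]: Accepted password for alice from 10.0.5.20 port 5530 ssh2",
    "Jan 12 11:30:00 dev-box sshd[223]: Failed password for bob from 10.0.5.21 port 6001 ssh2",
]

# Deliberately simple parser for the constructed line format above (real sshd output has
# more variants, e.g. "invalid user", that a production rule would need to cover).
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it is not an sshd auth event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score(host, src):
    """Base score for brute-force-then-success, enriched with asset and TI context."""
    asset = ASSETS.get(host, {"criticality": 1})   # unknown hosts are treated as low value
    s = 3 + asset["criticality"]
    if src in TI_SOURCES:
        s += 4                                      # known-bad source from the TI feed
    return s


def severity(s):
    return "high" if s >= 10 else "medium" if s >= 6 else "low"


def correlate(lines):
    """Stateful rule: count failures per (host, source, user); on a later success that
    follows at least FAILURE_THRESHOLD failures, emit a scored alert and reset the counter."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"], ev["user"])
        if ev["outcome"] == "Failed":
            failures[key] += 1
        elif failures[key] >= FAILURE_THRESHOLD:
            s = score(ev["host"], ev["src"])
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": failures[key], "score": s, "severity": severity(s)})
            failures[key] = 0
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print("%-6s %2d  %s@%s from %s after %d failures"
              % (a["severity"], a["score"], a["user"], a["host"], a["src"], a["failures"]))
```

Both sequences trip the same threshold, but the bastion event is scored high and the dev-box event low; the single failure against bob never produces an alert at all. Changing the threshold, the criticality values or the indicator set is exactly the tuning work the article describes, and the effect of each change on the ranking is visible immediately.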

So, what about 24×7?

So before you insist on 24×7 being the key factor in a SOC service, bear in mind that there may be some significant hurdles to cross to achieve it, and that the cost may outweigh the reward for you. Staffing a 24×7 SOC is a significant undertaking: evenings, weekends and holidays all need to be covered, finding enough work for the team throughout the night can be a challenge, and remote night working can be very demoralising. Managing staff handovers, and conducting training and knowledge sharing between shifts, can all be problematic.

Many SOCs will operate their IR and deep-dive capabilities during the day and on a call-out basis.

The far more important first questions to ask are the ones outlined above. Ultimately, if these can be answered well then your assurance levels will be much greater. 24×7 on its own is no guarantee of a high level of assurance.

If a SOC is working to optimal standards in the areas outlined above, there may be little need for an eyes-on-screen service 24×7, as genuine threats would be correctly detected, classified and acted upon.

 


QNAP Android: Don’t Over Provide

TL;DR

The QNAP Android applications Qnotes 1.1.8.0128 and Qget 2.0.1.1029 suffer from OWASP M4 (2014), Unintended Data Leakage. A malicious process on the same device can use this vulnerability to gain access to cached data and logon credentials for the backend NAS device.

Additionally, both applications suffer from OWASP M7 (2014), Client Side Injection, which gives a malicious process a second route to the same cached data and NAS logon credentials.

Introduction

Notes Station is a QNAP-authored application that runs on a wide range of QNAP NAS storage appliances. It is an online note-taking application that lets you create notes on a QNAP NAS and save and edit them from a PC or mobile device. It is offered as a free install via the QNAP App Center and, at the time of writing, has been installed by approximately 195K users.


Figure 1: QNAP Notes Station Website

The QNAP Android application Qnotes acts as a client to the NAS-based system, is hosted on the Google Play Store and, at the time of writing, has been installed by 10,000-50,000 users.


Figure 2: Qnotes Google Play Store

 

Download Station is a QNAP-authored application that runs on a wide range of QNAP NAS storage appliances. It is designed to download remote files via numerous protocols and peer-to-peer networks. It is offered as a free install via the QNAP App Center and, at the time of writing, has been installed by approximately 950K users.


Figure 3: QNAP Download Station App Center

The QNAP Android application Qget acts as a client to the NAS-based system, is hosted on the Google Play Store and, at the time of writing, has been installed by 50,000-100,000 users.


Figure 4: Qget Google Play Store

Vulnerability – OWASP M4 (2014) Unintended Data Leakage

To improve security, Android implements an application sandbox that isolates each application’s data and code execution. It is recognised, however, that there will be times when data exchange is required, so interfaces are provided for it. When Android applications want to share data they “publish” a content provider, a standard interface for data exchange. Clients use its insert(), query(), update() and delete() methods to access the data, addressed by a URI starting with “content://”. Any application that knows this URI can insert, update, delete and query data from the provider app’s database if the provider is exported and not suitably protected; the guards are the provider’s android:exported attribute and its android:permission (or readPermission/writePermission) settings in the app’s manifest.

Using the open-source tool drozer, the applications were audited for content providers. One was identified for each application.
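drozer answers the exported-provider question at runtime; the same question can be asked statically of the decoded AndroidManifest.xml. The following is an added example, not part of the original write-up and not the QNAP apps’ manifest (package name, authorities and permission names are constructed placeholders). It applies the platform rule that a <provider> without an android:exported attribute is exported by default when targetSdkVersion is below 17, and reports exported providers that have no android:permission, readPermission or writePermission, treating a <path-permission> child as only a partial guard because it covers just the listed paths:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt. Names, authorities and permissions are placeholders.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesclient">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.cache"
              android:exported="true" android:readPermission="com.example.READ_CACHE"/>
    <provider android:name=".SettingsProvider" android:authorities="com.example.settings"
              android:exported="false"/>
    <provider android:name=".SyncProvider" android:authorities="com.example.sync"
              android:exported="true">
      <path-permission android:pathPrefix="/private"
                       android:readPermission="com.example.READ_SYNC"/>
    </provider>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion, then to 1 as the platform does."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(attr(sdk, "targetSdkVersion") or attr(sdk, "minSdkVersion") or "1")


def is_exported(provider, target):
    exported = attr(provider, "exported")
    if exported is None:
        return target < 17          # implicit default flipped to false in API 17
    return exported.lower() == "true"


def guard_level(provider):
    """'full' for a provider-level permission, 'partial' for path-permission only, else 'none'."""
    if any(attr(provider, n) for n in ("permission", "readPermission", "writePermission")):
        return "full"
    if provider.find("path-permission") is not None:
        return "partial"
    return "none"


def audit(manifest_xml):
    root = ET.fromstring(manifest_xml)
    target = target_sdk(root)
    findings = []
    for p in root.iter("provider"):
        exported = is_exported(p, target)
        guard = guard_level(p)
        findings.append({"name": attr(p, "name"), "authorities": attr(p, "authorities"),
                         "exported": exported, "guard": guard,
                         "unprotected": exported and guard == "none"})
    return findings


def unprotected_providers(manifest_xml):
    """Names of providers any app on the device can reach with no permission at all."""
    return [f["name"] for f in audit(manifest_xml) if f["unprotected"]]


if __name__ == "__main__":
    for f in audit(MANIFEST):
        print("%-18s exported=%-5s guard=%-7s %s"
              % (f["name"], f["exported"], f["guard"], "UNPROTECTED" if f["unprotected"] else ""))
```

Run against the constructed manifest it flags only .NotesProvider, which never set android:exported and is therefore exported by default at targetSdkVersion 16; bumping the target to 17 makes that finding disappear without any code change, which is worth remembering when an app's only protection is a compiler default. The partial guard on .SyncProvider is reported separately because everything outside /private is still open.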


Figure 5: Qnotes Exports One Content Provider


Figure 6: Qget Exports One Content Provider

A large number of URIs were identified.


Figure 7: Qnotes Identified URIs


Figure 8: Qget Identified URIs

A number of these were queried. It was possible to retrieve notes without authentication.


Figure 9: Retrieving Cached Notes

Additionally, a username and Base64-encoded password were identified for Qnotes. These were valid not only for the application but also for the backend NAS; in this case they belonged to the device’s administrator account.


Figure 10: Qnotes Application/NAS Credentials

Similarly, for Qget it was possible to identify a valid username (not Base64 encoded) that related to both the application and the backend NAS.


Figure 11: Qget Application / NAS Credentials

Vulnerability – OWASP M7 (2014) Client Side Injection

SQL injection (SQLi) is a code injection technique in which malicious SQL statements are inserted into an input for execution by a database. The Android platform promotes the use of SQLite, and applications built on it can be vulnerable. Content providers often front these client-side databases, and so can be the initial input vector.

Again using the open-source tool drozer, the content providers for both Qget and Qnotes were audited for SQLi. By making queries containing a “magic quote” (a single quote character that breaks the SQL syntax if it reaches the database unescaped), each application was observed to be vulnerable via multiple content providers.


Figure 12: Qget Vulnerable to SQLi


Figure 13: Qnotes Vulnerable to SQLi

Using this vulnerability it was possible to retrieve all data, including credentials valid for both the application and the backend NAS.
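The mechanism behind both the magic-quote finding and the full data retrieval, modelled in Python with sqlite3 as an added example: this is not QNAP’s code, and the table layout, the notes and the Base64 string (which decodes to nothing more than “password”) are constructed. Android’s ContentProvider.query(uri, projection, selection, selectionArgs, sortOrder) hands the caller’s selection string to SQLite as a WHERE fragment, so a provider that forwards it unbound is injectable by any app that can reach the provider; the lone quote is what drozer uses to detect that. The hardened form whitelists the column and binds the value through a parameter (the selectionArgs path), and should in any case sit behind android:exported="false" or a permission:

```python
import sqlite3

# Constructed sample data standing in for the apps' cached notes and stored settings.
NOTES = [(1, "alice", "shopping list"), (2, "alice", "meeting at 10"), (3, "bob", "private note")]
SETTINGS = [("username", "admin"), ("password", "cGFzc3dvcmQ=")]   # base64("password"), constructed
ALLOWED_COLUMNS = {"id", "owner"}       # the only columns the hardened query() will filter on


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER, owner TEXT, body TEXT)")
    db.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", NOTES)
    db.executemany("INSERT INTO settings VALUES (?, ?)", SETTINGS)
    return db


def query_vulnerable(db, selection):
    """Models a provider whose query() forwards the caller's selection string unbound,
    which is what SQLiteDatabase.query() does with selection when selectionArgs is unused."""
    return db.execute("SELECT id, body FROM notes WHERE " + selection).fetchall()


def query_hardened(db, column, value):
    """Models a provider that accepts only a whitelisted column and binds the value,
    so caller-controlled text never reaches the SQL parser."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unsupported selection column: %r" % column)
    return db.execute("SELECT id, body FROM notes WHERE %s = ?" % column, (value,)).fetchall()


def magic_quote_probe(query):
    """The drozer heuristic: send a lone quote; an error back from SQLite means the
    input was spliced into the statement rather than bound. `query` wraps the provider call."""
    try:
        query("'")
    except sqlite3.Error:
        return True
    return False


def dump_settings_via_union(db):
    """What any app on the device can do against the vulnerable path: a UNION pulls rows
    from a table the provider never meant to expose, here the stored credentials."""
    return query_vulnerable(db, "1=0 UNION ALL SELECT k, v FROM settings")


if __name__ == "__main__":
    db = build_db()
    print("vulnerable provider injectable:", magic_quote_probe(lambda s: query_vulnerable(db, s)))
    print("hardened provider injectable:  ", magic_quote_probe(lambda s: query_hardened(db, "id", s)))
    print("leaked via UNION:", dump_settings_via_union(db))
    print("same payload, bound:", query_hardened(db, "id", "1=0 UNION ALL SELECT k, v FROM settings"))
```

The bound version returns nothing for the injection payload because SQLite compares the whole string against the INTEGER column as an opaque value; the column whitelist matters just as much, since a column name cannot be bound and would otherwise be the next injection point. Neither change replaces fixing the export: a provider that is not reachable from other apps has no attacker to serve.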


Figure 14: Qget/NAS Credentials via SQLi


Figure 15: Qnotes/NAS Credentials via SQLi

Summary

Qnotes and Qget suffer from OWASP M4 (2014) Unintended Data Leakage and OWASP M7 (2014) Client Side Injection. This gives a malicious process on the same device the opportunity to gain access to cached data and logon credentials for the backend NAS device. All testing took place on a non-rooted Moto G 3rd Generation phone running Android 5.1.1 against Qnotes 1.1.8.0128 and Qget 2.0.1.1029. The NAS was running Notes Station 2.1.10 and Download Station 4.2.1. System users should contact the vendor for a fix.

The release of this information has followed the responsible disclosure model: all research was forwarded to QNAP and the date of disclosure mutually agreed.

Timeline

• 06/04/2016 – QNAP informed via email
• 30/05/2016 – QNAP contacted via email advising that the agreed publication date was approaching
• 07/06/2016 – Vulnerability disclosed

References

• QNAP Qnotes – https://play.google.com/store/apps/details?id=com.qnap.qnote&hl=en_GB
• QNAP Notes Station – https://www.qnap.com/event/station/en/notes.php
• QNAP Qget – https://play.google.com/store/apps/details?id=com.qnap.com.qgetpro&hl=en_GB
• Drozer – https://github.com/mwrlabs/drozer
• OWASP Mobile Top 10 2014-M4 – https://www.owasp.org/index.php/Mobile_Top_10_2014-M4
• OWASP Mobile Top 10 2014-M7 – https://www.owasp.org/index.php/Mobile_Top_10_2014-M7

 


PCI DSS: The Best Show In Town

PCI DSS – The Longest Running Show

Coming to a theatre near you!

Not everybody understands the importance of PCI DSS, so making it accessible with analogies can sometimes help bring others along on the journey. PCI DSS is the script and your company is the theatre, preparing for ‘Showtime’!

Figure 1: PCI DSS Play


Picking the script

The budget can be a key factor in the decision to put on a production:

  • How many tickets will you sell?
  • What can you afford to pay?

A small community theatre can’t handle a large production like you’d find on Broadway or in the West End, therefore a show is scaled down and the script abridged.

Within PCI DSS, the payment channels you offer and the technology used to deliver them have a huge impact on how many controls you need to implement and what it will cost.

Choose wisely to meet your objectives and select the smaller script, in the form of an:

  • SAQ-A,
  • SAQ-B,
  • SAQ-B(IP) or
  • SAQ-P2PE

Be sure to ask the licensee (your acquiring bank) first, though; it is their decision which SAQ they will let you use.

Stage Directions


Figure 2: PCI Stage Directions

The success of a production is the people on stage and the performance they give, their:

  • Passion
  • Timing
  • Delivery

This is often the difference between a hit and a flop!

The best shows are consistent in their delivery and have a “Business As Usual” feel, but the performers and stage crew go above and beyond every time to make the show better.

By having good direction (policies and business processes) to interpret the script you’ve chosen, the actors (employees) give you a performance which endures and matures over time.

  • Technical and Dress Rehearsal – Before you let in the critics (your QSAs), any production goes through technical and dress rehearsals.
  • The technical rehearsal – Before opening the doors, ensure that lights, sound, props and staging are set up and operating as per the stage directions. For the PCI DSS, this takes the form of a penetration test, technical standards and their implementation, ASV scans, vulnerability management and so on, but depending on which script you chose you might not need all of these. Not everything can be fixed on day one, but plans are put in place ready for the dress rehearsal.
  • The dress rehearsal – This is your pre-assessment by a QSA, who provides notes to the directors on where you are not quite hitting the mark.

Previews


Figure 3: PCI DSS Show Critics

The critics come in and watch the performance carefully, writing up the review of your PCI DSS production; your assessment begins!

At the end of the previews they may tell you about something that isn’t right, and then come back within a short timescale to check that you have remediated the problems, so that they can publish their review to the licensee.

If they like what they see, you have landed yourself a licence for one year, but you have to keep the production running smoothly, with regular technical rehearsals throughout the year.

You cannot rely solely on your performance on the night!

Keeping the House Lights Lit

The best shows and plays run for years and years, but what is their secret? It’s quite simple: they are well managed, with good scripts and an excellent cast, and they deliver consistently day after day, but they keep working on it and don’t rest on their laurels.

Mistakes and problems lose money, and eventually the curtain comes down. Mistakes in your production of PCI DSS can lead to the licensee fining you or, worse still, withdrawing your licence.

The value of consistency cannot be stressed enough, so work with a good QSA company and engage with the licence holder to keep that show on stage in an award-winning manner.

Keep an eye on the script though; sometimes it changes, so work the changes into your performance, because the SHOW MUST GO ON!

 
