20 Critical Controls, “Aurora”, APT, and the Google Hack

By James Tarala | February 4, 2010

Obviously there has been a lot of discussion in the news, on blog posts, even tweets, about the Aurora attacks and what they mean. This is certainly not a new threat. Evidence of it goes back to at least 2008, if not earlier (if you count Titan Rain and other operations), but until now no one wanted to talk about it publicly. In the background, though, work has been in progress to discover techniques to stop the threat.

Enter the 20 Critical Controls…

In 2009 the Consensus Audit Guidelines / 20 Critical Controls were released to prioritize the information security controls that need to be implemented in order to combat known attacks (i.e. think Aurora or APT). US federal government and commercial systems were being compromised by this threat and others, and something had to change. But what was the tipping point? Why were these controls introduced in 2009? The tipping point was these advanced, directed attacks against US federal systems by foreign entities. That’s what tipped the scales and precipitated the release of these controls.

So let me say what a lot of us have been dancing around for the last two years – there are dedicated, focused, well-funded attackers who are successfully breaking into government and commercial network systems and the 20 Critical Controls were introduced to stop this threat. It’s real, many of us have seen it first hand, and it’s hard to get out of your systems. Call it APT, Aurora, whatever, the 20 Critical Controls were put in place to stop these hacks.

Sales pitch time – so why should you care about the 20 Critical Controls? Why should you learn more? Because this is a real threat and it seems to be getting worse. The controls are meant to prioritize your resources and encourage you to automate an effective response. They’re more than just a list of good things to do, the purpose behind the controls is to change our way of thinking about how we protect our systems. One great place to start the education is here:

http://www.sans.org/security-training/20-critical-security-controls-in-depth-1362-mid

There have been a lot of good people commenting and posting information on the topic as well. If you aren’t following this information already, here are a couple other sources you might look into as you’re learning more about these attacks:

Mandiant M-Trends & Blog (http://blog.mandiant.com/)
Enclave Security Blogs (http://enclavesecurity.com/blogs/)
TaoSecurity Blogs (http://taosecurity.blogspot.com/)

My biggest complaint, however (and I’m sure I’ll rant more about this later), is that we are simply not sharing enough information as a community on this subject. We have to share more. We all have reasons why we’re not sharing the attack signatures we’ve seen: some reasons are commercial, some are fear of retribution, some are contractual restraints. I get it. But if we’re going to be successful at combating this threat, we have to share signatures and methodologies. I’ll leave the rest of this rant for another day…

Some people are already sharing, here are two of the few postings I’ve found publicly on the subject. Take advantage of these when you find them, there aren’t many people sharing. Or if you are sharing signatures or indicators of compromise, drop me a note at james.tarala (a) enclavesecurity.com and I’d be happy to link to you as well. Here are a couple:

Mandiant Blogs (http://blog.mandiant.com/archives/730)
McAfee (http://www.mcafee.com/us/local_content/reports/how_can_u_tell_v5.pdf)

More to come…

Topics: 20 Critical Controls, Advanced Persistent Threat

Aurora Malware Hashes and Domains

By James Tarala | February 2, 2010

McAfee has recently released specific details from their analysis of the Aurora malware that was used to compromise 30+ companies over the past few months. This malware is consistent with the types of files that Enclave and other organizations who have responded to APT-based attacks have discovered; it appears to use many of the same mechanisms and, in many cases, even the same file names. A link to one of their reports on the topic can be found at:

www.mcafee.com/us/local_content/reports/how_can_u_tell_v5.pdf

Specifically, the MD5 hashes of the Aurora malware files are listed below. Several of the file names (wuauclt.exe, jucheck.exe, AdobeUpdateManager.exe) are also the names of legitimate Windows, Java and Adobe updater binaries, so match on the hash, not on the name:

securmon.dll: E3798C71D25816611A4CAB031AE3C27A
Rasmon.dll: 0F9C5408335833E72FE73E6166B5A01B
a.exe: CD36A3071A315C3BE6AC3366D80BB59C
b.exe: 9F880AC607CBD7CDFFFA609C5883C708
AppMgmt.dll: 6A89FBE7B0D526E3D97B0DA8418BF851
A0029670.dll: 3A33013A47C5DD8D1B92A4CFDCDA3765
msconfig32.sys: 7A62295F70642FEDF0D5A5637FEB7986
VedioDriver.dll: 467EEF090DEB3517F05A48310FCFD4EE
acelpvc.dll: 4A47404FC21FFF4A1BC492F9CD23139C
wuauclt.exe: 69BAF3C6D3A8D41B789526BA72C79C2D
jucheck.exe: 79ABBA920201031147566F5418E45F34
AdobeUpdateManager.exe: 9A7FCEE7FF6035B141390204613209DA
zf32.dll: EB4ECA9943DA94E09D22134EA20DC602

In addition they have identified a list of domains used by the malware, which you should be blocking and watching for in your DNS and proxy logs. Note that most of these are hostnames under dynamic-DNS or hosting providers (homeunix.com, ath.cx, dyndns.org, homelinux.org, linode.com), so block the full hostname as listed rather than the parent domain unless you intend to block the whole provider:

ftpaccess[dot]cc
google[dot]homeunix[dot]com
tyuqwer[dot]dyndns[dot]org
blogspot[dot]blogsite[dot]org
voanews[dot]ath[dot]cx
360[dot]homeunix[dot]com
ymail[dot]ath[dot]cx
yahoo[dot]8866[dot]org
sl1[dot]homelinux[dot]org
members[dot]linode[dot]com
ftp2[dot]homeunix[dot]com
update[dot]ourhobby[dot]com
filoups[dot]info
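An added example (not code from the original post or from McAfee’s report) that turns the two lists above into a sweep: it refangs the published hostnames, matches proxy log lines against them on whole labels so that subdomains hit but look-alike names and the dynamic-DNS parent domains do not, and hashes files on disk against the MD5 list. The proxy log lines are constructed for illustration.

```python
"""Sweep for the Aurora indicators listed above: file MD5s and C2 hostnames.

Added example, not code from the original post or McAfee's report. The hash
and host lists are copied from the post; the proxy log lines are constructed.
"""
import hashlib
import os
import re

# MD5 hashes from the list above (32 hex digits = MD5), lowercased for lookup.
AURORA_MD5 = {h.lower() for h in (
    "E3798C71D25816611A4CAB031AE3C27A", "0F9C5408335833E72FE73E6166B5A01B",
    "CD36A3071A315C3BE6AC3366D80BB59C", "9F880AC607CBD7CDFFFA609C5883C708",
    "6A89FBE7B0D526E3D97B0DA8418BF851", "3A33013A47C5DD8D1B92A4CFDCDA3765",
    "7A62295F70642FEDF0D5A5637FEB7986", "467EEF090DEB3517F05A48310FCFD4EE",
    "4A47404FC21FFF4A1BC492F9CD23139C", "69BAF3C6D3A8D41B789526BA72C79C2D",
    "79ABBA920201031147566F5418E45F34", "9A7FCEE7FF6035B141390204613209DA",
    "EB4ECA9943DA94E09D22134EA20DC602",
)}

# Hostnames as published, defanged with [dot]; refanged once below.
AURORA_HOSTS_DEFANGED = (
    "ftpaccess[dot]cc", "google[dot]homeunix[dot]com", "tyuqwer[dot]dyndns[dot]org",
    "blogspot[dot]blogsite[dot]org", "voanews[dot]ath[dot]cx", "360[dot]homeunix[dot]com",
    "ymail[dot]ath[dot]cx", "yahoo[dot]8866[dot]org", "sl1[dot]homelinux[dot]org",
    "members[dot]linode[dot]com", "ftp2[dot]homeunix[dot]com",
    "update[dot]ourhobby[dot]com", "filoups[dot]info",
)

def refang(indicator: str) -> str:
    """'a[dot]b' -> 'a.b', lowercased."""
    return indicator.replace("[dot]", ".").lower()

AURORA_HOSTS = {refang(h) for h in AURORA_HOSTS_DEFANGED}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def is_known_bad_hash(md5hex: str) -> bool:
    return md5hex.lower() in AURORA_MD5

def is_known_bad_host(host: str) -> bool:
    """True for an exact indicator or any subdomain of one. Whole-label matching
    keeps 'notgoogle.homeunix.com' from matching 'google.homeunix.com' and keeps
    the dynamic-DNS parent 'homeunix.com' (many legitimate users) from matching."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in AURORA_HOSTS)

def sweep_files(root: str) -> list:
    """Hash every file under root; return [(path, md5)] for matches.
    Match on content, not name: wuauclt.exe is also a legitimate binary name."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.md5()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue                      # unreadable file; keep going
            if is_known_bad_hash(digest.hexdigest()):
                hits.append((path, digest.hexdigest()))
    return hits

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url>".
SAMPLE_PROXY_LOG = """\
1265068800 10.1.2.3 GET http://www.example.com/index.html
1265068801 10.1.2.3 GET http://google.homeunix.com/update.php
1265068802 10.1.2.4 POST http://ftpaccess.cc/cgi-bin/upload
1265068803 10.1.2.5 GET http://notgoogle.homeunix.com/
1265068804 10.1.2.6 GET http://cdn.voanews.ath.cx:8080/img.gif
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\w+://([^/:\s]+)")

def scan_proxy_log(text: str) -> list:
    """Return [(client, host)] for requests to an indicator host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line; skip
        client, host = m.group(2), m.group(4)   # host stops at '/' or ':port'
        if is_known_bad_host(host):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"ALERT {client} contacted {host}")
    for path, digest in sweep_files("."):
        print(f"ALERT {path} matches Aurora hash {digest}")
```

Hash matching like this only catches the exact samples McAfee analyzed; a recompiled or repacked build has a different MD5, so treat a hash hit as confirmation, and the hostname and behavioural indicators as the wider net.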

Thanks again to the teams at McAfee / Foundstone for releasing this data. These are the types of datasets we need to be better about sharing if we are going to be effective at stopping these directed attacks!

Topics: 20 Critical Controls, Advanced Persistent Threat

Checklists a Day: Web Application Audit Checklists (Week in Review – January 25, 2010)

By James Tarala | February 1, 2010

Last week we returned to the more traditional approach of posting audit checklists that were just that – checklists for auditing controls. We try our best to alternate between postings on how to audit technical controls and how to audit process based controls. Last week we took the technical approach and posted checklists for how to audit web applications that you might encounter.

Of course I always have my biases. I really like the work the people at OWASP have contributed on this topic and I think you’ll find their assessment methodology quite comprehensive. But check them all out as you prepare for your reviews. Smashing magazine especially has a great list of business oriented assessment questions to consider when you’re auditing your applications as well.

In addition to the checklists, I also noticed that Fortify is getting into the SaaS / cloud / whatever you want to call it space and doing on-demand assessments of applications (web applications included). Here’s a link to their Fortify on Demand product suite:

http://www.fortify.com/products/ondemand/

Audit Checklists for Assessing Web Applications:

OWASP

Business Questions

Certified Secure

Microsoft

SANS

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Topics: Audit, Free Audit Checklists

Daily IT audit checklists via Twitter (free)

By James Tarala | February 1, 2010

As a part of our effort to provide resources to the audit community we have been sending everyone free audit checklists daily via Twitter. Simply follow @isaudit on twitter to get the latest free checklists.

We try to focus on one topic every week that we think will be useful to the community. Last week we covered a technical topic (web application auditing) and this week we’ve moved to process controls (auditing change management programs). We try to pick another interesting topic once per week (and yes, we do take requests).

Or if you’re looking for a more personal touch and want to learn about or discuss information security or audit topics, feel free to send me a note at @jamestarala.

Using social media to promote good security…

Topics: Audit, Checklists

Worried about Your Facebook being Indexed by Google?

By Kelli Tarala | January 26, 2010

Here is how to keep your data from search engines:

1. Click on your Profile page

2. Hover your mouse over the Settings menu at the top right and click “Privacy Settings” from the list that appears.

3. Click “Search” from the list of choices on the next page.

4. Uncheck the box labeled “Allow” next to the second setting “Public Search Results.”

This will keep all your publicly shared information (items set to viewable by “Everyone”) out of the search engines.

Topics: Social Networking, Web 2.0

Checklists a Day: Week in Review – January 25, 2010

By James Tarala | January 25, 2010

This week we took a slightly different approach than our normal audit checklist postings. Many times, especially when we take a look at bigger picture issues, like risk assessment, we receive questions on how to make these issues practical. If risk assessment is so important, how do we actually perform a risk assessment?

There are a number of ways to go about this, ranging from simple Excel worksheets to more complicated approaches to assessment. There are even software tools that you can purchase that can help you implement your programs. This week we are focusing on a few of the more popular frameworks for risk assessment that are available. You don’t need to learn all of these, but you should consider picking one such framework and fully utilizing it to help you manage your IT risk.

Here are a few of the frameworks that are available that we think might be helpful to you as you make this topic practical for your organization:

Risk Management Frameworks:

OCTAVE

FAIR

COSO

NIST RM

ISACA RiskIT

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Topics: Audit, Checklists, Free Audit Checklists

Checklists a Day: Week in Review – January 18, 2010

By James Tarala | January 18, 2010

This week we will be focusing our checklists on guides that will help you assess your risk management programs. We often like to say that risk management drives our audit programs and our information security programs, but how do we know our risk management programs work? I have seen some companies run asset inventories and call that a risk assessment. I’ve seen other companies run vulnerability scans of their systems and call that a risk assessment. What is a risk assessment, and how do I know if it meets my business needs? This week’s resources try to answer those questions and a little more.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management models for those of you trying to decide which model works best for you. We hope you enjoy them.

Risk Management Checklists & Security Guides

NIST 800-30 on Risk Assessment

Risk Assessment Resources from the University of GA

Truth 2 Power on Assessing Risk Management

Resources from the State of Ohio EPA

Resources from the State of DE

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Topics: Audit, Checklists, Free Audit Checklists

Automating Audit Tests with Eventtriggers.exe (20 Critical Control Scripting Tip)

By James Tarala | January 12, 2010

One of the issues we have been dealing with extensively lately is auditing and automation. It has most often been raised when we’ve been discussing how to automate control assessments in conjunction with implementing the 20 Critical Controls. One of the core principles of the 20 Critical Controls is that organizations need to be able to automate security assessments in order to reduce risk detection times and allow for a more prompt response to detected threats.

One way to assist with the automation of any given assessment is to script your assessments and automate the scripts you write. This way your tests can work for you and can automatically respond in some way should a particular event be discovered. Rather than creating a mechanism to perform detection and alerting from scratch, why not use a mechanism that’s already built into most Microsoft Windows versions you’re already running? The Windows Event Log is a great place to start.

First, you can use a command such as EventCreate to generate new event log entries as a result of a particular action in your scripts. For example, if you use nmap with PBNJ to look for new hosts on your network (think critical control #1), then you could use EventCreate to generate an event log entry every time a new device is discovered. Or, let’s say you use WMIC to list startup items on a machine (think critical control #2); then you could use EventCreate to generate an event log entry every time a new startup entry is added. Get the idea? Use built-in Windows tools to support your automation efforts, and all it costs is a little sweat equity and trial with built-in tools!

For more details on how to use EventCreate, check out these resources to get started:

Microsoft TechNet Reference on EventCreate:

http://technet.microsoft.com/en-us/library/bb490899.aspx

Microsoft Support article for creating custom event log entries:

http://support.microsoft.com/kb/324145

For details on how to use eventtriggers in more depth, here are a couple resources that will help to get you started:

Microsoft TechNet Reference on EventTriggers.exe:

http://technet.microsoft.com/en-us/library/bb490901.aspx

Petri.co.il Article on EventTriggers.exe:

http://www.petri.co.il/how-to-use-eventtriggersexe-to-send-e-mail-based-on-event-ids.htm

In addition to automating tasks with the eventtriggers.exe command, you may also want to consider command line e-mail tools which can be used to generate an e-mail as a result of an action in your command line tool. Two such free command line tools that you may want to consider are:

Blat (http://www.blat.net/)

Bmail (http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm)

To run either of these tools you need an SMTP server you can reach. It does not have to listen on tcp/25 (both tools let you specify the port), but it does have to speak SMTP. Moving an administrative relay like this to an alternate port keeps it off the most casual scans, but that is obscurity rather than a control: the relay still has to restrict who can submit mail through it, or you have simply built an open relay on an odd port.
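An added example of the whole loop described above (WMIC baseline, diff, EventCreate, then an eventtriggers registration that mails on the event). It is not code from the original post; the baseline file name, the event source StartupAudit, event ID 901 and the blat addresses and server are assumptions, and the WMIC output embedded at the bottom is constructed so the parsing and diff can be exercised off a Windows box.

```python
"""Startup-item audit that raises a Windows event for every new entry.

Added example for the WMIC -> compare -> EventCreate -> EventTriggers loop
described above; not code from the original post. Baseline path, event source,
event ID and mail addresses are assumptions; the WMIC output at the bottom is
constructed. Only the subprocess calls need Windows.
"""
import json
import os
import subprocess
import sys

BASELINE_FILE = "startup_baseline.json"   # assumed location
EVENT_SOURCE = "StartupAudit"             # hypothetical event source name
EVENT_ID = 901                            # arbitrary; eventcreate accepts 1-1000

def parse_wmic_startup(text: str) -> dict:
    """'wmic startup list full' prints Key=Value lines with a blank line between
    records (Win32_StartupCommand properties). Returns {Name: Command}."""
    items, record = {}, {}
    for raw in text.splitlines() + [""]:       # trailing "" flushes last record
        line = raw.strip()
        if not line:
            if "Name" in record:
                items[record["Name"]] = record.get("Command", "")
            record = {}
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only
        if sep:
            record[key.strip()] = value.strip()
    return items

def list_startup_items() -> dict:
    """Windows only: run WMIC and parse its output."""
    out = subprocess.run(["wmic", "startup", "list", "full"],
                         capture_output=True, text=True, check=True).stdout
    return parse_wmic_startup(out)

def diff_startup(baseline: dict, current: dict) -> list:
    """[(name, command)] for entries that are new or whose command changed."""
    return sorted((n, c) for n, c in current.items() if baseline.get(n) != c)

def eventcreate_cmd(name: str, command: str) -> list:
    """eventcreate command line writing one WARNING to the Application log."""
    return ["eventcreate", "/ID", str(EVENT_ID), "/L", "APPLICATION",
            "/T", "WARNING", "/SO", EVENT_SOURCE,
            "/D", f"New or changed startup item: {name} -> {command}"]

def eventtriggers_cmd(task: str) -> list:
    """One-time registration (XP/2003): run task whenever EVENT_ID is logged."""
    return ["eventtriggers", "/create", "/tr", "StartupAuditAlert",
            "/l", "APPLICATION", "/eid", str(EVENT_ID), "/tk", task]

# Hypothetical blat command for the trigger; addresses and server are placeholders.
MAIL_TASK = ('blat - -to soc@example.com -subject "New startup item" '
             '-body "StartupAudit event 901 fired" -server mail.example.com:2525')

def main() -> int:
    current = list_startup_items()
    if not os.path.exists(BASELINE_FILE):       # first run: record, do not alert
        with open(BASELINE_FILE, "w") as f:
            json.dump(current, f, indent=2)
        print(f"baseline written: {len(current)} items")
        return 0
    with open(BASELINE_FILE) as f:
        baseline = json.load(f)
    new_items = diff_startup(baseline, current)
    for name, command in new_items:
        subprocess.run(eventcreate_cmd(name, command), check=True)
    print(f"{len(new_items)} new/changed startup item(s) logged")
    return 1 if new_items else 0

# Constructed sample of WMIC output (two Run-key entries) for offline testing.
SAMPLE_WMIC_OUTPUT = r"""

Caption=SoundTray
Command=C:\Program Files\Sound\tray.exe
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=SoundTray
User=Public

Caption=Updater
Command=C:\Users\alice\AppData\Roaming\updater.exe
Location=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=Updater
User=CORP\alice
"""

if __name__ == "__main__":
    sys.exit(main())
```

Run it once by hand to write the baseline, then from a scheduled task; each later run writes one Application-log WARNING per new or changed entry, which is what the eventtriggers registration (run once, as an administrator, with the command that eventtriggers_cmd builds) fires on. Two caveats: eventtriggers.exe shipped with Windows XP and Server 2003 and was dropped in Vista, where the same registration is a scheduled task created with schtasks /create /sc ONEVENT and an event filter; and the baseline file is itself an asset, since anyone who can edit it can hide a startup entry, so keep it where the users you are auditing cannot write.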

Topics: 20 Critical Controls, Audit

Checklists a Day: Week in Review – January 4, 2010

By James Tarala | January 12, 2010

Now that the New Year has begun, we’re back in the saddle providing audit checklists and resources that we hope will help auditors and information security professionals in general with their daily jobs. There are a lot of really good resources on the web that we can take advantage of, but the trouble is, who has the time to find them? It turns out we do. As we find these resources we hope to make your lives easier by showing you some of the audit resources that are already out there for you.

This last week our focus was on security metrics and on organizations that have provided resources on security metrics. More and more when we’re at conference venues we have students asking us if we have resources on security metrics; students of the 20 Critical Controls especially have been asking us who else is providing security metrics. Here are a few for you to consider.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management resources and checklists for evaluating risk management programs. We hope you enjoy them.

Security Metric Checklists & Security Guides:

Security Metrics from the 20 Critical Controls

The Center for Internet Security Metrics Guide

ISECOM RAVs

NIST 800-55

NIST IR-7502

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Topics: Audit, Checklists, Free Audit Checklists

IT Security Highlights from DHS 1-06-2010

By Kelli Tarala | January 6, 2010

Symantec Product Hits End-of-Decade Snafu
Symantec’s Endpoint Protection Manager server product is erroneously marking signature updates issued this year as out of date. Antivirus, antispyware and intrusion protection updates with a date after Dec. 31, 2009, at 11:59 p.m. are considered out of date by the software. The problem affects the Endpoint Protection v11.x and v12.x versions of the company’s small business edition of the product.

Full Story:
http://www.networkworld.com/news/2010/010510-symantec-product-hits-end-of-decade.html?hpg1=bn

SANS Internet Storm Center Diary Entry:
http://isc.sans.org/diary.html?storyid=7870

Symantec’s Official Status:
http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

Two Political Websites hacked by Cross-Site Scripting Vulnerabilities
Visitors to Spain’s EU presidency website saw an image of the comedy character Mr. Bean instead of the Spanish Prime Minister Jose Luis Rodriguez Zapatero. Trend Micro also flagged a compromise on the official website of President Ahmadinejad of Iran.

Full Story:
http://www.scmagazineuk.com/cross-site-scripting-vulnerabilities-see-two-political-websites-hacked/article/160597/

Kingston Admits to Security Flaw in ‘Secure’ Flash Drive
Kingston said in a security notice that the models affected were “privacy” editions of the DataTraveler Secure, DataTraveler Elite and DataTraveler Blackbox. Kingston said the security flaw could allow a wrongdoer to hack into the memory sticks. Customers whose drives could be exploited by the security loophole should return the product, where Kingston said it would apply a factory update.

Full Story:
http://www.theregister.co.uk/2010/01/04/kingston_technology_flash_drive_flaw/

25 Million New Malware Strains in One Year
25 million new strains of malware were created in just one year, compared to a combined total of 15 million throughout the last 20 years. This is one of the findings of the latest malware report by PandaLabs. A large percentage of the increase is made up of banker Trojans, fake anti-virus programs called rogueware, and a resurgence of traditional viruses.

Full Story:
http://www.net-security.org/malware_news.php?id=1185

Complete Panda Report:
http://www.pandasecurity.com/img/enc/Annual_Report_PandaLabs_2009.pdf

To Read the Complete DHS Report:
www.enclavesecurity.com/blogs/cdr_010610.pdf

Topics: DHS Infrastructure Reports, Malware, Web 2.0

