Domain 7
Systems and Application Security

Malcode, also known as malicious code or malware, can be found running rampant on Windows and other operating systems today. System administrators are no longer protecting the perimeter of a network but managing an ever-porous network constantly under attack from within and by external actors.

In 2014, a major enterprise environment suffered a large-scale botnet attack with hundreds of infected hosts appearing within the network. Multiple acquisitions and merging of networks left the network vulnerable to attack. No clear chain of command and control (C&C) for security measures existed within the global network. The bot attack was able to significantly disrupt the business because the most basic procedures and safeguards had not been implemented effectively and thoroughly across the entire network. As a result of lax patch management procedures, inadequate change management controls, and an “it can’t happen to us” mindset, the attack was widespread, devastatingly effective, and proved to be very expensive with regard to the loss of productivity and mitigation expenses. System administrators were able to quickly reimage the affected computers and get them back online, but unfortunately they did not know how to protect against the original vector of the attack and were soon successfully attacked again. This is a lesson in properly understanding how to mitigate a threat.

In 2015, a Trojan was installed on a computer in a major network. It also installed a rootkit that was undetected by updated antivirus software. System administrators updated their antivirus and detected and removed the Trojan from multiple desktops using antivirus software. The rootkit remained undetected in the system. It also remained undetected over the network communicating with a remote C&C server through encrypted TCP port 80 communications. The integrity of the entire network was compromised for several months before the rootkit was discovered and mitigation actions were taken accordingly. This is a lesson in properly understanding the impact of an attack to restore integrity to an infected host.

Topics

  • The following topics are addressed in this chapter:
    • Identify and analyze malicious code and activity
      • Malicious code (e.g., virus, worms, Trojan horses, logic bombs, malware, botnet)
      • Malicious code countermeasures (e.g., scanners, anti-malware, code signing, sandboxing)
      • Malicious activity (e.g., social engineering, insider threat, spoofing, phishing, spam, botnets)
      • Malicious activity countermeasures (e.g., user awareness, system hardening, patching, sandboxing)
    • Implement and operate end-point device security (e.g., virtualization, thin clients, thick clients, USB devices)
      • HIDS
      • Host-based firewalls
      • Application white listing
      • Endpoint encryption
      • Trusted platform module
      • Mobile device management (e.g., COPE, BYOD, telework)
      • Secure browsing (e.g., sandboxing)
    • Operate and configure cloud security
      • Operation models (e.g., public, private, hybrid cloud)
      • Service models (e.g., DNS, email, proxy, VPN)
      • Virtualization (e.g., hypervisor)
      • Legal and privacy concerns (e.g., surveillance, data ownership, jurisdiction, eDiscovery)
      • Data storage and transmission (e.g., archiving, recovery, resilience)
      • Third-party/outsourcing implications (e.g., SLA, data portability, data destruction, auditing)
    • Secure big data systems
      • Application vulnerabilities
      • Architecture or design vulnerabilities
    • Operate and secure virtual environments
      • Software-defined network (SDN)
      • Hypervisor
      • Virtual appliances
      • Continuity and resilience
      • Attacks and countermeasures
      • Shared storage

Objectives

The security practitioner is expected to participate in the following areas related to systems and application security:

  • Describe malicious code and the various countermeasures.
  • Describe the processes for operating end-point device security.
  • Define mobile device management processes.
  • Describe the process for configuring cloud security.
  • Explain the process for securing big data systems.
  • Summarize the process for securing virtual environments.

Identifying and Analyzing Malicious Code and Activity

The role of the SSCP is broad ranging, covering many areas of system operations and the security requirements associated with them. One of the most important activities that the SSCP engages in on a daily basis is identifying and analyzing malicious code and activity within the network. The skills required to identify suspicious activity in a system that may indicate that malicious code is at work are not really complicated to acquire, as they are primarily focused around common sense, situational awareness, and the use of configuration management baselines. The challenging and unique skills that the SSCP has to work hard to acquire are those that speak to the analysis of malicious code once it has been discovered in a system. The skills required to engage in malicious code analysis cover areas such as forensic examinations, code analysis and decomposition, and system testing.

CIA Triad: Applicability to Malcode

The CIA triad shown in Figure 7-1 is the central component of all eight domains of computer security and especially pertinent to malcode risk. Table 7-1 gives examples of how all elements of the triad are applicable to malcode.


Figure 7-1: The CIA Triad: Confidentiality, Integrity, and Availability

Table 7-1: CIA Elements as They Apply to Malcode

Confidentiality: A Trojan infects a host and provides a remote attacker with access to sensitive documents, breaching confidentiality.

Integrity: A bot is installed on a computer and immediately installs several other files that are not detected through antivirus software. While the original file is later removed by a scan with updated antivirus software, the additional payloads remain intact on the system, leading to a compromise of systems integrity.

Availability: A computer that is infected with malicious code is instructed by a remote actor to perform a distributed denial of service (DDoS) attack against a web server. The web server becomes unavailable due to network congestion caused by the overloading of the server through the DDoS attack. The infected host also suffers degraded performance due to large volumes of egress traffic, leading to a lack of system availability.

Malcode Naming Conventions and Types

There is no international standard for malcode naming conventions. Some names, like the infamous Storm worm from 2007, StuxNet, Duqu, and Flame get traction in public media reports and become popularized over time. Others, such as Code Red, are assigned as a family name by individuals analyzing a new worm while staying up late at night drinking Code Red soda. In general, the antivirus industry follows CARO-like naming standards.

CARO-Like Naming Standards

CARO is short for the Computer Antivirus Research Organization and was established in the early 1990s to research malcode.1 In 1991, a committee was formed to develop a naming convention to help organize the technical classifications of malicious code. What they came up with was a way to classify codes based on the following general structure:

Platform.Type.Family_Name.Variant[:Modifier]@Suffix

It is important to note that the above syntax has been modified slightly to best reflect the combined usage and terms related to the original CARO naming standard proposed years ago. The above syntax is how malcode is generally named today based on CARO discussions in the early 1990s and later.2

  • Platform—commonly denotes the operating system, such as W32 for a Windows 32-bit platform malicious code. It can also be an application specific to that threat, such as PPT for PowerPoint-based malicious code. Proposed prefixes from 1999 are below, taken from http://members.chello.at/erikajo/vnc99b2.txt:
    • BOOT—MBR, DOS-BR, Floppy-BR
    • DOS—DOS file
    • BAT—DOS Batches
    • OS2—IBM’s OS/2 viruses
    • MAC—Macintosh viruses
    • W3X—Windows 3.x files
    • W95—Windows 95 files
    • WNT—Windows NT files
    • W2K—Windows 2000 files
    • W32—Windows 95/98/NT/2K files
    • WM—MS Winword Macro viruses
    • XM—MS Excel Macro viruses
    • W97M—MS Word97 viruses
    • X97M—MS Excel97 viruses
    • PPT—MS PowerPoint
    • WORK—MS Works
    • AM—MS Access
    • A97M—MS Access97
    • O97M—MS Office97
    • HLP—MS Helpfile viruses
    • VBS—MS Visual Basic
    • JS—Java Script
    • JAVA—Java viruses
    • COR—Corel Draw viruses
    • AMI—AmiPro viruses
    • ELF86—ELF x86 binary viruses
    • BASH—Bash viruses
    • PERL—Perl viruses

    Obviously technology has changed since this original suggestion was made by CARO in the early 1990s. These platform rules are roughly followed by antivirus companies, which helps computer professionals extract some meaning from the CARO-like name of a sample.

  • Type is the next major category that sometimes appears first in a malcode name, such as Trojan.FamilyName.Variant. Types correlate to the types seen in this domain, such as Trojan, worm, virus, joke, dropper, etc. Each antivirus company uses its own naming schemes or abbreviations that roughly follow this model.
  • Family Name is the name given to the family. There is a “group name” that can also be assigned according to older proposed standards, but this is not used today. The family name is the area where antivirus companies have had great variance in the past. Family names vary based on how each company or reporter references a malcode. Family names are selected for a variety of reasons, such as a string seen in egress packets to a remote C&C, strings within the binary, text related to the author or target of attack, etc. In general, professionals try not to honor bad actor names for code or promote virus authoring group names to avoid any gratification for bad actors. To look at how family names can vary greatly, take a look at Backdoor.Win32.Breplibot.b (Kaspersky):
    • CA—Win32.OutsBot.U
    • F-Secure—Breplibot.b
    • Kaspersky—Backdoor.Win32.Breplibot.b
    • McAfee—W32/Brepibot!CME-589
    • Microsoft—Backdoor:Win32/Ryknos.A!CME-589
    • Norman—W32/Ryknos.A
    • Panda—Bck/Ryknos.A
    • Sophos—Troj/Stinx-E
    • Symantec—Backdoor.Ryknos
    • Trend Micro—BKDR_BREPLIBOT.C

    Notice the CARO-like naming standards in the preceding example. Unfortunately, naming conventions and family names vary greatly among antivirus companies. Some start with the operating system, such as W32, and others with the type, such as Backdoor or Troj (short for Trojan). Some spell out W32 to Win32, etc. Also notice that some use slashes instead of dots (or underscores and hashes), and some use an exclamation point to then include the common malware enumeration (CME) value assigned to the code, 589. Family names are even worse for this sample with names such as OutsBot, Breplibot, Brepibot (no L), Ryknos, and Stinx. This makes correlation of samples very difficult, if not impossible, with binaries in hand for proper comparisons.

  • Variants, also referred to as identifiers and with major and minor classification possibilities, identify each unique member of a family. In some cases, antivirus companies use a .GEN signature for code to generically handle a certain code family. In other cases, especially with companies like Kaspersky, unique individual variant names are assigned to each variant of code within a family. Variants may be minor, like a small repacking of a Trojan, or major, like an upgrade from AgoBot to PhatBot code justifying an entire new family name. However, antivirus companies all handle such situations differently, resulting in some using one family name forever if the code is based on the same source code, such as AgoBot, while others differentiate based on major changes in functionality or similar malcode characteristics.

    Variants are typically done with A—Z assignments, using the structure “.AAA. . .” as needed for variants of a family. For example, the first new variant of a family is “.A.” The next variant is “.B.” When the “.Z” variant is used, the next variant is “.AA,” then “.AB,” and so on. Numbers and symbols can also be used for the naming of malcode.

  • @Suffix may be attached to some CARO-like naming conventions to identify how a malcode spreads. Common suffixes include @M for mailing virus or worm code by Symantec and @MM for a mass mailing virus or worm. Symantec defines a mailing malcode as one that only sends out malicious emails as the user sends out emails, appending or hijacking the mail code. A mass mailing malcode is one that sends messages to every email found within the address book of the infected computer or addresses harvested from multiple other locations on the computer.
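The field descriptions above, and the A to Z, AA, AB variant sequence, can be exercised against the ten vendor names listed for the Breplibot sample. The following is an added example, not code from CARO or any vendor; the alias tables, the function names, and the treatment of "-" and "_" as separators are assumptions built only from the names quoted on this page.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Alias tables are assumptions assembled from the prefixes and vendor names
# quoted on this page; real vendor vocabularies are larger.
PLATFORMS = {"W32": "W32", "WIN32": "W32", "W95": "W95", "WNT": "WNT",
             "W2K": "W2K", "WM": "WM", "XM": "XM", "W97M": "W97M",
             "X97M": "X97M", "PPT": "PPT", "VBS": "VBS", "JS": "JS"}
TYPES = {"BACKDOOR": "Backdoor", "BCK": "Backdoor", "BKDR": "Backdoor",
         "TROJ": "Trojan", "TROJAN": "Trojan", "WORM": "Worm",
         "VIRUS": "Virus", "DROPPER": "Dropper", "JOKE": "Joke"}

# The ten names the page lists for one and the same sample.
BREPLIBOT_NAMES = {
    "CA": "Win32.OutsBot.U",
    "F-Secure": "Breplibot.b",
    "Kaspersky": "Backdoor.Win32.Breplibot.b",
    "McAfee": "W32/Brepibot!CME-589",
    "Microsoft": "Backdoor:Win32/Ryknos.A!CME-589",
    "Norman": "W32/Ryknos.A",
    "Panda": "Bck/Ryknos.A",
    "Sophos": "Troj/Stinx-E",
    "Symantec": "Backdoor.Ryknos",
    "Trend Micro": "BKDR_BREPLIBOT.C",
}


class MalcodeName(NamedTuple):
    platform: Optional[str]
    kind: Optional[str]      # the "Type" field (Trojan, Backdoor, ...)
    family: Optional[str]
    variant: Optional[str]
    cme: Optional[int]
    suffix: Optional[str]


def parse_name(raw: str) -> MalcodeName:
    """Split a CARO-like detection name into its fields."""
    name, suffix, cme = raw.strip(), None, None
    if "@" in name:                          # @M / @MM spreading suffix
        name, suffix = name.rsplit("@", 1)
        suffix = suffix.upper()
    match = re.search(r"!CME-(\d+)$", name, re.IGNORECASE)
    if match:                                # embedded CME identifier
        cme = int(match.group(1))
        name = name[:match.start()]
    platform = kind = None
    rest = []
    for token in re.split(r"[.:/_-]", name):
        if not token:
            continue
        key = token.upper()
        # Platform and type are only recognised before the family name,
        # so a variant such as "WM" is never mistaken for a platform.
        if not rest and platform is None and key in PLATFORMS:
            platform = PLATFORMS[key]
        elif not rest and kind is None and key in TYPES:
            kind = TYPES[key]
        else:
            rest.append(token)
    family = rest[0] if rest else None
    # Tokens after the variant (for example a :Modifier) are ignored here.
    variant = rest[1].upper() if len(rest) > 1 else None
    return MalcodeName(platform, kind, family, variant, cme, suffix)


def group_by(vendor_names: dict, field: str) -> dict:
    """Group vendors by one parsed field (strings compared case-insensitively)."""
    groups = defaultdict(list)
    for vendor, raw in vendor_names.items():
        value = getattr(parse_name(raw), field)
        key = value.lower() if isinstance(value, str) else value
        groups[key].append(vendor)
    return dict(groups)


def next_variant(variant: str) -> str:
    """Return the following variant letter group: A -> B, Z -> AA, AZ -> BA."""
    letters = list(variant.upper())
    if not letters or not all("A" <= c <= "Z" for c in letters):
        raise ValueError("only A-Z variant identifiers are handled")
    for i in range(len(letters) - 1, -1, -1):
        if letters[i] != "Z":
            letters[i] = chr(ord(letters[i]) + 1)
            return "".join(letters)
        letters[i] = "A"                     # carry into the next position
    return "A" + "".join(letters)


if __name__ == "__main__":
    for family, vendors in group_by(BREPLIBOT_NAMES, "family").items():
        print(f"{family:10} {', '.join(vendors)}")
    print("CME groups:", group_by(BREPLIBOT_NAMES, "cme"))
```

Grouping by family yields five different family names for a single binary, while the CME identifier links only the two vendors that embed it, which is why name-based correlation alone is unreliable.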

Cross-Referencing Malcode Names

This generally involves looking at multiscanner results, looking up available documentation on specific antivirus vendor sites, open source intelligence (OSINT) queries for incidents and data related to the threat, and more. To get started, refer to a few cross-referencing and documentation tools that exist on the Internet, which every professional should properly understand: CME, multiscanners, and VGrep.

Common Malware Enumeration

Common malware enumeration (CME) is yet another of the many failed efforts to coordinate naming conventions to date. A public site for the initiative first appeared in late 2005. The goal of the group was to reduce public confusion in referencing malcode threats, enhance communications between antivirus vendors, and improve communication and information sharing for the information security community at large. In short, many names and a lack of sharing lead to confusion during a malcode outbreak.

CME included a group of experts who submitted, analyzed, and shared threats to evaluate them for CME inclusion. If accepted, a CME number or identifier is assigned in a semirandom order (not 1, 2, 3, but 711, 416, etc.). Each participating vendor then assigns their unique name to that same sample shared within CME to help produce an authoritative laboratory-qualified correlation of names to a specific binary. A list of all the samples managed by the CME effort while still funded is available online at http://cme.mitre.org/data/list.html.

Unfortunately, the group lost funding and momentum by 2007. Today, CME is nonfunctional other than as a historical reference on their public website. This is sadly the reality when it comes to information sharing and especially code sharing within the antivirus industry to date. Competitive interests and costs associated with having to rename samples for standardization greatly hinder global coordination. For this reason, it is important to learn how to cross-correlate names for malcode to properly analyze code.

Public Multiscanners

Public multiscanners, in which multiple antivirus engines are deployed behind a common web-based front end to scan the code, make it trivial for any user to upload a binary and quickly identify the names assigned to it. Analysts can then look up specific malcode names on each vendor site to identify any documentation related to the sample in question. If no specific information is available on a specific variant of a family, sometimes a family report exists, or a similar variant within the family is documented (if you cannot find FamilyName.C, FamilyName.A may be documented). A partial list of public multiscanner sites is below:

  1. https://www.virustotal.com/en/
  2. http://virusscan.jotti.org/en
  3. http://www.virscan.org/
  4. https://www.metascan-online.com/

These systems provide a valuable service, allowing individuals to upload suspicious files, scan them in a controlled environment, and share the results of that scan with the participating antivirus software vendors to enable them to glean intelligence directly from the wild in real time. However, there is also a dark side to this technology that the security practitioner needs to be aware of as they weigh the value of using this approach to gain insights into the kind of files that are transiting their networks.

The use of public cloud scanning platforms is not restricted to security practitioners today. The BlackHat hacking community has also picked up on these tools as a way to achieve ongoing real-time validation of its exploit code, and in the process has built a parallel “hidden” cloud infrastructure that lets members validate their exploit code without the concern of having that code sent to the AV software vendors, which would render its efficacy and impact as an exploit tool short-lived. These sites often use the same technologies and AV engines as the public sites maintained by the AV vendors. The AV engines are “hijacked” versions of the official products and are maintained by the hackers in order to offer up-to-date scanning and detection capabilities to their users.

As shown in Figure 7-2, these sites warn users to not use public AV scanners because they maintain their own scanners and scan the file base every hour to ensure that it is up to date, clean, and always providing the latest exploit code for download. The entities behind these sites are typically using a pay per install (PPI) subscription model to allow members access to the scanned and validated source files for the various malware packages being hosted at any given time on the sites. The interesting thing about these services is that they also offer updates to member users and will alert them when scanning has picked up on the fact that the exploit package has been detected during a scan and as a result may be compromised. This alerting feature allows the authors to be notified and upload newer versions of their malware to keep the distributions up to date and stealthed for as long as possible. This also allows members that are actively deploying the malware in the wild to be alerted as soon as possible to the potential for exposure, thus giving them the opportunity to achieve and maintain deep, persistent access to the networks that they have infected by simply continuing to update and redeploy the newest binary exploit packages once they become available through the marketplace.

A specific example of software designed for these kinds of activities is called the Kim Multiscanner (up to version 1.2) and now goes by the name KIMS 2.0 Indetectables. Figure 7-3 shows the main screen from KIMS 2.0 in English. (The software is written in Spanish, but it can be used in a variety of languages that include English, French, Portuguese, and Turkish as well.)


Figure 7-2: BlackHat malware distribution website scanning interface


Figure 7-3: KIMS Indetectables 2.0

Figure 7-4 shows what is one of the most interesting and potentially dangerous features of the program, which is the ability to toggle on and off the use of the heuristic scanning capabilities of the various AV software packages being used by the tool, as well as setting the specific level for the heuristic scans. This capability combined with the capability to scan “offline” so that no data is uploaded to the AV vendors, and the ability to download and update the AV software for all supported vendors, makes this tool, and others like it such as AntivirusMulti, a potent tool in the wrong hands.


Figure 7-4: KIMS Indetectables 2.0 Options settings

vgrep

Vgrep is another tool that has been used by antivirus professionals for many years that helps to correlate codes by name. Once registered on the site, users may freely use vgrep to correlate samples of interest.4 Figure 7-5 is a screenshot of what it looks like when one searches for a common family name like “MyDoom,” one of the most prolific mass mailing worm families in the history of computing.


Figure 7-5: vgrep search for MyDoom worm

Today, vgrep also includes hyperlinks to vendor reports rendered with the vgrep results. This makes it easy to quickly correlate codes and look up information on multiple vendor sites related to a variant or family of code. Unfortunately, it is a database and may not include emergent threats of interest to a security practitioner. In short, it is a fantastic tool for looking at historical codes, but it may not help with the latest variants to be spread in the wild.

Malcode Types and Terminology

Classification schemes were heavily debated in the 1990s as the malcode scene significantly changed and matured. Shortly after 2000, the term blended threats became popularized through white papers and media. A blended threat is one that combines multiple characteristics of malcode (viruses, worms, Trojan, etc.) to initiate, transmit, and spread an attack. This means that lots of codes with varied functionality are used in an attack.

The days of a single backdoor Trojan attack on a computer quickly faded into the sunset as criminals sought financial gain. Within a few years attacks became increasingly large scale, automated by bad actors, including multiple minor variants and multiple codes in an incident. In some cases hundreds of files are installed on a computer for maximum financial gain and abuse. The advent of such attacks has quickly dissolved traditional classification schemes, largely rendering them useless. For example, what do you call a threat that includes a downloader Trojan horse, a mass mailing worm, a rootkit to conceal files and activity on a computer, ad/spyware illegally installed on the computer but has a legal end user license agreement included, and a backdoor Trojan that steals sensitive information? Most companies have since moved to an itemized approach, naming and handling each threat individually. Unfortunately, this acts to hinder the security practitioner, who needs to understand the entire scope of the attack in order to be able to prevent, identify, and mitigate all the codes and vectors of vulnerability used in such an attack.

An excellent professional source for technical terms relating to malcode exists on the Virus Bulletin site.5 Virus Bulletin is also a leading malcode research organization that should be considered a resource of interest for any security practitioner that specializes in malcode-related work.

The following sections explore types, aspects, and related terminology of malcode.

Vector

The vector of attack is how the transmission of malcode takes place, such as email, a link sent to an instant messenger user, or a hostile website attempting to exploit vulnerable software on a remote host. This is one of the most important components of a malcode incident for a security practitioner to understand to properly protect against reinfection or additional attacks on the infrastructure of a corporate network.

Payload

A payload is the primary action of a malicious code attack. This generally refers to the end point or primary impact rather than smaller components of an attack.

Virus

A virus is malicious software that infects a host file in order to spread. It is commonly used in a general sense to refer to all sorts of malcode, but this is not technically accurate. Fred Cohen is credited with first using this term officially in 1983.6 There are many lists and reports on all aspects of the history of the computer virus, tracking all the way back to its official naming by Fred Cohen. The following list represents some of the more interesting items found on the World Wide Web:

Logic Bomb

A logic bomb is a type of Trojan that typically executes a destructive routine when certain conditions are met, such as date and time. A logic bomb can be planted by a disgruntled employee within a network to then launch a destructive routine, such as overwriting or corrupting data, several weeks or months after the employee leaves the company.

Worm

A worm is malicious software that creates a copy of itself (or clones itself) in order to spread. For example, a mass-mailing worm sends out copies of itself via email. It is possible for worms to even occur accidentally. One famous example of an accidental worm is the Morris worm, which was created to gauge the size of the Internet but due to an error actually resulted in denial of service attacks. (See Figure 7-6.)

Trojan

A Trojan is malicious software that masquerades as something it is not. It does not replicate. Up-to-date lists of Trojans being found in the wild are maintained by all of the major virus software vendors and research companies. Here is a small list of the most common sites:


Figure 7-6: The floppy disk that contains the complete source code for the Morris internet worm in the Computer History Museum.

Dropper

A dropper is a malicious file used to install malicious code on a computer. Downloader Trojans are sometimes also called droppers.

Keylogger

A keylogger is a type of Trojan used to capture keystrokes entered on a system. The term also covers sophisticated Trojans that can capture all keystrokes and take pictures of the screen at specific points in time to steal online credentials and other sensitive information. It may also refer to physical keylogger devices that can be placed in line between a keyboard and a computer to steal sensitive information. An example of a physical keylogger device is KeyGhost, available at: http://www.keyghost.com/keylogger/.

Bot

A bot is malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities. This term may refer to the code itself or an infected computer, also known as a drone or zombie. Other related terms are bot herder or botmaster, for the bad actor that manages the bot herd or botnet (typically thousands of infected zombies). Some also refer to automation as a key component differentiating bots from other types of code. However, that definition then can be confused with worms that can be fully automated rather than carefully controlled like a bot. McAfee and Guardian Analytics released a report on June 26, 2012 that detailed a sophisticated type of bank fraud that originated in Italy and spread globally, initiating the transfer of at least $78 million from around 60 financial institutions. Banks in the Netherlands were hit the hardest, with fraudsters attempting to transfer over $44 million worth of funds.

The security firms said the attack was unique because it featured both off-the-shelf and custom malicious code to break into the banks’ systems. The firms suggested that the creators of the code knew a lot about internal banking transactions. McAfee and Guardian called their investigation “Operation High Roller” because the fraudsters targeted high-worth individuals and businesses to disguise illegal transfers that were much larger than those in usual bank fraud.

“While at first consistent with other client-based attacks we have seen, this attack showed more automation. Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account—initiating the transaction locally without an attacker’s active participation,” according to the Operation High Roller white paper (PDF). In Italy, “the code used by the malware looked for the victim’s highest value account, looked at the balance, and transferred either a fixed percentage (defined on a per campaign basis, such as three percent) or a relatively small, fixed €500 amount [roughly $625] to a prepaid debit card or bank account.” 7

Eventually, the money launderers were able to simulate a two-factor authentication. Where the victim would have to use a SIM card to authenticate a transfer in the system, the whitepaper notes that the thief’s system was “able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication.” During the Netherlands attack, the criminals found that they could get around security and monitoring tools by enabling transfers on the server side of the bank accounts. In one instance where servers automating the attacks were found in Brea, California, a criminal was found logging in from Moscow, Russia.

The dynamics of a botnet attack can be very difficult to understand and defend against for the security practitioner. Understanding the underlying architecture of a botnet attack, the tools that are being used to build the components of these advanced persistent threats (APTs), and how they are deployed are skills that many security practitioners will need to build in real time as these threats continue to evolve and change to elude detection.

Some examples of financial botnets that have continued to wreak havoc in 2014 and 2015 are Zeus, Carberp, Citadel, and SpyEye, to name a few. Following is a list of several YouTube videos that will give the security practitioner an overview of how to build, install, and manage several different botnets, including Zeus.8

File Infector

File infector, mostly a historical term, generally refers to viruses that infect files. Perhaps the most well-known historical file-infecting virus is Jerusalem, which infects all executable files run except for command.com in DOS.

File-infecting viruses may prepend code to the front of the file, append code to the end of the file, or creatively inject into various locations of the file. File-infecting viruses that inject into various locations of the body are also known as Cavity Viruses, such as the infamous Elkern. Removal of such code can be quite difficult, and multiple file infections often corrupt files beyond repair.

Modern-day file-infecting viruses are rare but are sometimes included with blended threats that install Trojans, spreading as worms across the network and infecting specific files types of interest on the host, such as EXE or even web content such as HTML pages (with script injects).

Macro Viruses

Macro viruses first emerged with Concept in 1995, spreading within Microsoft Office software. They are created within Visual Basic for Applications or WordBasic, and spread through Office documents such as DOC files. Macro viruses spread like wildfire for several years until changes in technology and security responses to the threat, in addition to a competitive criminal marketplace with Trojans and bots, essentially removed them from the wild as a prevalent threat shortly after the turn of the century.9

Boot Sector Virus

A boot sector virus is malcode that spreads in the wild by copying itself to the master boot record (MBR) of a hard disk and boot sectors of floppy disks. Brain, the first PC virus, is a boot sector virus. Other notable examples include Form, Joshi, and AntiCMOS. In 2007, a new threat emerged against the MBR called Mebroot, which modified the MBR of hard disks and installed into the slack space (unused space at the end of a drive) to load a kernel-level rootkit before the operating system even booted up. It is possible that such stealthy code would then be installed in available memory on hardware, pushing the boundaries of software-based threats on hardware loading before the operating system. Removal of such threats required that the MBR be overwritten with new data in addition to reimaging or reinstalling of the operating system.

Windows Rootkit

The historical definition of a rootkit comes from UNIX computers that had been hacked, where the attacker wanted to maintain root or administrator privileges on a computer after a compromise. To accomplish this feat, the attacker installed a variety of modified UNIX tools to function as normal but not show the compromise, such as an open port to the attacker or malicious files installed on the computer. As a result the name rootkit makes sense, where a “kit” or suite of tools was used to maintain root.

Some have defined Windows rootkits as codes that mask intrusion as well as being used in the compromise of a system. Strictly speaking, rootkits are used to maintain elevated privileges on a system by being stealthy. In Windows the term rootkit is more generalized to identify malcode that attempts to conceal the presence of code (stealth techniques) on a system by injecting processes, concealing files on the system, hiding registry keys from users attempting to analyze keys on the system, and more. Windows rootkits are not necessarily a suite of tools but are often one or two files. There are four types of Windows rootkits: persistent rootkits, memory-based rootkits, user-mode rootkits, and kernel-mode rootkits.

  • Persistent-Mode Rootkits—A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
  • Memory-Based Rootkits—Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
  • User-Mode Rootkits—User-mode rootkits involve system hooking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path and a Windows rootkit can hijack the system call at many points along that path.
  • Kernel-Mode Rootkits—Kernel-mode rootkits are more powerful than user-mode rootkits because they have the same level of power as an administrator (root on Windows). Software attempting to identify and remove rootkits on a system is in a race condition to not be manipulated or controlled by hostile code operating on the same layer of access control and permissions. Kernel-level rootkits are typically installed as a SYS or VXD file type in the Windows or Windows System32 directories. Kernel-mode rootkits are considered to be more powerful than other kinds of rootkits because not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel’s list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer. Another kernel-mode rootkit technique is to simply modify the data structures in kernel memory. For example, kernel memory must keep a list of all running processes, and a rootkit can simply remove itself and any other malicious processes it wishes to hide from this list. This technique is known as direct kernel object modification (DKOM).

Adware, Spyware, and Potentially Unwanted Programs

Adware, spyware, and potentially unwanted programs are technically legal software, but they are frequently illegally installed without user consent to display advertisements or monitor behavior or sensitive data. These programs are technically legal, including an end user license agreement (EULA). However, affiliate abuse frequently involves such software being illegally installed by bad actors who seek financial rewards per install. As a result, the legal software is illegally installed on computers.

Adware is software funded for advertising, such as pop-up advertisements for porn sites.

Spyware is legal software that is used to report user information to a remote party. For example, the code used tracks user habits online such as search terms and then reports it to a remote agency. This is different from malicious Trojans, which keylog or steal sensitive information, because spyware includes a valid EULA agreement.

Rogue software, also known as goadware, is a new subset of this type of malcode that may or may not include a EULA. Such programs are illegal due to their deceptive business practices and court cases to date. Rogue software is commonly installed illegally through exploitation or through deceitful user interaction procedures. Once installed, it goads the user in an aggressive fashion, such as by changing the desktop image and displaying frequent pop-ups and windows with no easy close options. Rogue programs frequently masquerade as antivirus, ad/spyware software, and performance-improving software programs, making it difficult for consumers to identify what is legitimate and what may be rogue software.

  1. Polymorphic
     Polymorphic viruses assume many (poly) shapes and forms (morphic) by encrypting code differently with each infection. This term caught on in the mid-1990s with tools that emerged to generate thousands of new minor variants of code based on mutation routines to subvert signature technology used by antivirus software at the time.

     Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer, then decrypts the virus body. However, a polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time a virus infects a new program. In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a program infected with a polymorphic virus, the decryption routine first gains control of the computer, then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers control of the computer to the virus, which locates a new program to infect. At this point, the virus makes a copy of both itself and the mutation engine in random access memory (RAM). The virus then invokes the mutation engine, which randomly generates a new decryption routine that is capable of decrypting the virus yet bears little or no resemblance to any prior decryption routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the virus appends this new encryption routine, along with the newly encrypted virus and mutation engine, onto a new program. As a result, not only is the virus body encrypted, but the virus decryption routine varies from infection to infection. This confounds a virus scanner searching for the tell-tale sequence of bytes that identifies a specific decryption routine. With no fixed signature to scan for, and no fixed decryption routine, no two infections look alike.10

  2. Proof of Concept
     A proof of concept (POC) is functional code that can be used in order to validate that an exploit actually works and to detail the specifics of how it functions. POCs are created by authors of exploits to prove that exploitation of a vulnerability is possible. POC malcode may also be created to show that malcode can be spread in new environments or across new platforms.

     One example of the use of a proof of concept in order to validate and test a disclosed vulnerability took place in July 2013. A proof of concept exploit was built and released for a discovered application signature checking vulnerability on the Android platform. At the time that the vulnerability was discovered and disclosed, the potential existed to affect millions of devices on the Android platform, potentially allowing attackers exploiting the vulnerability to turn legitimate apps into Trojan programs capable of launching malware. Pau Oliva Fora, a mobile security engineer at the security firm ViaForensics, developed a proof-of-concept Linux shell script that could be used to modify an app in a way that exploited the flaw. The code made use of the APKTool program and was released on GitHub.11

     The exploit takes advantage of the way Android handles APKs that have duplicate file names inside; the entry that is verified for signature is the second one inside the APK, and the entry that ends up being installed is the first one inside the APK—the injected one that can contain the malicious payload and is not checked for signature at all. Shortly after the release of this exploit, Google made changes to Google Play in order to detect apps modified in this way and issued a patch to device manufacturers. The remaining issue, which is a potentially serious one for security practitioners in this case, stems from behavior that would leave users who install applications from sources other than Google Play, a process known as sideloading, potentially vulnerable. If a business allows users to engage in sideloading of applications into their devices, then this vulnerability, and others like it, will go unchecked and unpatched, and as a result it will continue to present threats to the business that the security practitioner may or may not even be aware of. This vulnerability allows Android malware authors to add malicious code to legitimate app packages and have them properly update the original applications if they are installed on the targeted devices. Android malware authors are already distributing malicious apps that masquerade as popular games or applications through a variety of methods, including through third-party app stores. Vulnerabilities like this could make this social engineering technique more efficient.
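A check that an app-vetting pipeline for sideloaded packages could run against the duplicate-entry condition described above, added here as an example and not taken from the book or from Google's tooling. The function names and the in-memory sample package are constructed for illustration; the sample holds harmless placeholder bytes, not a real APK.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def build_sample_package(with_duplicate: bool) -> bytes:
    """Build a constructed ZIP in memory. With with_duplicate=True it holds
    two entries that share the name classes.dex (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name repeats
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder-entry-1")
        if with_duplicate:
            zf.writestr("classes.dex", b"placeholder-entry-2")
    return buf.getvalue()


def duplicate_entries(package: bytes) -> dict:
    """Map each entry name that occurs more than once to the CRC-32 values
    of its copies, in central-directory order."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():  # infolist() keeps every copy of a name
            seen[info.filename].append(f"{info.CRC:08x}")
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def vet_package(package: bytes) -> tuple:
    """Return ("accept", "") or ("reject", reason). A well-formed package
    never needs two entries with the same name, so any duplicate is refused."""
    try:
        dups = duplicate_entries(package)
    except zipfile.BadZipFile:
        return ("reject", "not a readable ZIP container")
    if dups:
        detail = "; ".join(f"{n} x{len(c)}" for n, c in sorted(dups.items()))
        return ("reject", "duplicate entry names: " + detail)
    return ("accept", "")


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, vet_package(build_sample_package(flag)))
```

Differing CRC-32 values for the copies show that the verified content and the installed content would not be the same bytes.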

Malicious Code Countermeasures

Malicious code is a type of software designed to take over or damage a computer’s operating system, without the user’s knowledge or approval. Malicious code protection is commonly provided at both the gateway and workstations that access information services. Because most data files are stored on networks or shared file systems, the constant protection of network connections at the gateway is crucial. Malicious code often enters networks by means of security loopholes, email attachments, or protocols such as File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP) (email).

Malicious Code Detection System Requirements

NSA’s Information Assurance Technical Framework defines malicious code detection system requirements. The following section is reproduced directly from that document.

The following have been identified as representative malicious code detection system requirements from a customer’s perspective of needs.

The malicious code detection system shall

  • Allow access to all services available on the wide area networks (WAN) using any of the existing and emerging networking technologies and applications.
  • Be able to locate the source and type of an infection, be able to react to such intrusions, and be able to fully reconstitute the system following damage caused by intrusions.
  • Have minimal operational effect on the user.
  • Have minimal operational effect on performance of the associated components.
  • Have appropriate documentation for its use and upgradability and contain all currently available references and resources.
  • Allow automatic malicious code prevention programs to run in the background.
  • Allow a disaster recovery plan to recover data if necessary.
  • Provide adequate scanning tools to be able to contain an identified virus by isolating affected systems and media.
  • Have appropriate means to trace all incoming and outgoing data, including email, FTP transactions, and Web information.
  • Be able to, in the event the Internet is unavailable for any reason, still have access to virus updates from the manufacturer or vendor of the antivirus product.
  • Monitor usage as required by the administrator.
  • Scan for malicious software at the enclave boundary and at individual workstations.
  • Log and analyze source-routed and other packets; react to or restrict malicious code attacks.
  • Allow a rapid disconnect from the network in the event of a detected malicious code attack.

Configuration/Management Requirements

NSA’s Information Assurance Technical Framework defines malicious code detection system configuration and management requirements. The following section is reproduced directly from that document.

The following have been identified as representative configuration and/or management requirements for malicious code detection systems.

The malicious code detection system shall:

  • Be updated with regard to relevant security issues (malicious code detection, system vulnerability) so maximum protection is provided.
  • Be configured by the administrator to filter all incoming data, including email, FTP transactions, and Web information, for all types of malicious code.
  • Allow the administrator to automatically create policy for network usage that details what sort of computing activity will and will not be allowed.
  • Allow regular backups of all system data by the administrator.
  • Provide adequate controls such as strong user authentication and access control mechanisms on network connections for the administrator.
  • Be capable of setting additional passwords or authentication for select files and accounts accessed from network ports.
  • Be capable of placing restrictions on types of commands used on networks and in select files.
  • Deny access to system manager accounts from network ports, if possible.
  • Monitor usage of the network during odd hours, if possible, and create a log of all activity for the system administrator.
  • Provide no more than one administrator account (i.e., not give other users administrator privileges).

Common malware examples include the following:

  1. Virus
     A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus:
     • Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.
     • Replicates each time the host is used.
     • Often focuses on destruction or corruption of data.
     • Usually attaches to files with execution capabilities such as .doc, .exe, and .bat extensions.
     • Often distributes via email. Many viruses can email themselves to everyone in your address book.
     Examples: Stoned, Michelangelo, Melissa, I Love You.
  2. Worm
     A worm is a self-replicating program that can be designed to do any number of things, such as delete files or send documents via email. A worm can negatively impact network traffic just in the process of replicating itself. A worm:
     • Can install a backdoor in the infected computer.
     • Is usually introduced into the system through a vulnerability.
     • Infects one system and spreads to other systems on the network.
     Example: Code Red.
  3. Trojan Horse
     A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary environments are often more vulnerable and susceptible to Trojan horse attacks because security is user focused and user directed. Thus the compromise of a user account could lead to the compromise of the entire environment. A Trojan horse:
     • Cannot replicate itself.
     • Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a computer to be remotely controlled from the network.
     • Often is hidden in useful software such as screen savers or games.
     Examples: Back Orifice, NetBus, Whack-a-Mole.
  4. Logic Bomb
     A logic bomb is malware that lies dormant until triggered. A logic bomb is a specific example of an asynchronous attack. A trigger activity may be a specific date and time, the launching of a specific program, or the processing of a specific type of activity. Logic bombs do not self-replicate.

Countermeasures for malware are as follows:

  • Antivirus software on user machines. Update antivirus definition files as soon as they are released. Most antivirus software automatically checks for updated definition files each time the system starts. Update checks should be made daily. Antivirus software is the least effective protection against zero-day malicious code because the AV product is unlikely to be able to detect the new malicious code. Only after the signature or pattern of malicious code is added to its database can an AV product reliably protect against it.
  • Install and use several different antivirus software products on enterprise infrastructure.
  • User awareness training to help with identifying suspicious email.
  • Disable scripts when previewing or viewing email.
  • Block attachments at network borders.
  • Prevent download of software from the Internet.
  • Strict software installation policies.
  • Block the use of removable drives to prevent unauthorized software entering a system.
  • Antivirus scanners on email gateways are the most effective security measure against email viruses.

Software exploitation involves taking advantage of known vulnerabilities in software and systems. The following are common exploitation methods:

  1. Backdoor
     A backdoor attack exploits an unprotected access method or pathway. A backdoor:
     • May be developer-installed for easier debugging or to simplify distribution of software updates.
     • May be an intentionally placed vulnerability installed by a Trojan horse, a remote control tool, or utility.
     • On devices, it could be console ports, maintenance modems, or open connection ports.
     Countermeasures for a backdoor attack are as follows:
     • Auditing.
     • Antivirus and malware code scanning.
     • For malicious user-installed backdoors, use access control management and controlled software deployment.
     • For developer-installed backdoors, disable them, change the defaults, or block access.
     • For device backdoors, maintain physical access control.
  2. Buffer Overflow Attack
     A buffer overflow attack exploits programs with poor buffer management. In the buffer overflow attack:
     • The attacker identifies a system using an application with poor buffer management.
     • The attacker determines where the next process pointer is in the stack.
     • The attacker overflows the buffer and places a malicious application at the location in the stack where the process pointer is pointing.
     • The malicious application is launched when the process pointer is activated.
     Countermeasures for buffer overflow attacks include:
     • Limit user input to less than the size of the buffer.
     • Validate input by looking for certain symbols that may be program instructions.
     • Implement strict coding standards to eliminate the potential for weaknesses.
  3. Pointer Overflow Attack
     A pointer overflow attack is similar to a buffer overflow attack in that it exploits programs with poor buffer management. In the pointer overflow attack:
     • The attacker identifies a system using an application with poor buffer management.
     • The attacker determines where the next process pointer is in the stack.
     • The attacker overflows the process pointer.
     • The attacker changes the pointer to go to the location of the malicious application.
     Countermeasures for pointer overflow attacks are the same as for buffer overflow attacks.
  4. Directory Traversal
     A directory traversal exploits a lack of security in web applications and allows an attacker to access files. The directory traversal:
     • Uses a common means of representing a parent directory, ../ (dot dot slash), to access files not intended to be accessed.
     • Consists of adding the characters ../ to the right side of a URL. An example is: ../../../../<filename>.
     Countermeasures include:
     • Disable all services that are not explicitly required.
     • Install security patches.
     • Review audit logs.
  5. Covert Channels
     A covert channel is hidden use of bandwidth or storage to communicate or hide a message.
     • Covert timing channels use the timing of occurrences of an activity to transfer information in an unintended manner.
     • Covert storage channels store hidden data in unused portions of a file.
     • A timing covert channel works by modulating utilization levels. The recipient needs only to monitor those levels in order to receive the communication.
     • Covert channels have the potential for occurring when two or more subjects or objects share a common resource.
     • Covert channels can involve saturating or not saturating a communications path in a timed fashion to transfer information to a receiver observing the communication path in synchronization with the sender.

Scanners

Different forms of malicious code can be detected and removed by special scanning software and integrity checkers. Scanners can work in offline or online modes. Online operation of a scanner provides active protection, i.e., detection (and possible removal) of malicious code before any infection takes place and damage is done to the IT system. Scanners are available for stand-alone computers, workstations, file servers, electronic mail servers, and firewalls. However, users and administrators should be made aware that scanners cannot be relied upon to detect all malicious code (or even all malicious code of a particular type) because new forms of malicious code are continually arising. There are four generations of antivirus scanning software:

  • First Generation—simple scanners
  • Second Generation—heuristic scanners
  • Third Generation—activity traps
  • Fourth Generation—full-featured protection

A first-generation scanner requires a malware signature to identify the malware. The signature may contain “wildcards” but matches essentially the same structure and bit pattern in all copies of the malware. Such signature-specific scanners are limited to the detection of known malware. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length as a result of virus infection.

A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware. An example of this type of scanner would be a scanner that may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the malware to identify it, then remove the infection and return the program to service. Another second-generation approach is integrity checking. A checksum can be appended to each program. If malware alters or replaces some program without changing the checksum, then an integrity check will catch this change. To counter malware that is sophisticated enough to change the checksum when it alters a program, an encrypted hash function can be used. The encryption key is stored separately from the program so that the malware cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the malware is prevented from adjusting the program to produce the same hash code as before.
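The integrity-checking approach above, as an added example that is not from the book: a simple additive checksum is compared with a keyed hash whose key is held away from the protected files. HMAC-SHA256 stands in here for the "encrypted hash function" the text describes; the file names, contents and key are constructed for the demonstration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-stored-off-host"   # assumption: kept off the host
ORIGINAL = {                                     # constructed file contents
    "tool.exe": b"MZ constructed program image: print report",
    "lib.dll": b"MZ constructed library image",
}


def checksum16(data: bytes) -> int:
    """Simple additive checksum: sum of all bytes modulo 2**16."""
    return sum(data) & 0xFFFF


def pad_to_checksum(data: bytes, target: int) -> bytes:
    """Append filler bytes until checksum16 equals target again. This is the
    adjustment a plain checksum cannot prevent."""
    out = bytearray(data)
    deficit = (target - checksum16(out)) & 0xFFFF
    while deficit:
        step = min(deficit, 0xFF)
        out.append(step)
        deficit -= step
    return bytes(out)


def tag(name: str, data: bytes, key: bytes) -> str:
    """Keyed hash over the file name and content, so a tag cannot be moved
    from one file to another."""
    return hmac.new(key, name.encode() + b"\x00" + data, hashlib.sha256).hexdigest()


def make_baseline(files: dict, key: bytes) -> dict:
    return {name: tag(name, data, key) for name, data in files.items()}


def verify(files: dict, baseline: dict, key: bytes) -> dict:
    """Compare current files with the baseline; report a status per name."""
    report = {}
    for name in sorted(set(files) | set(baseline)):
        if name not in baseline:
            report[name] = "unexpected"
        elif name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(tag(name, files[name], key), baseline[name]):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def tampered_copy(files: dict) -> dict:
    """Alter tool.exe, then pad it so the additive checksum still matches."""
    changed = files["tool.exe"].replace(b"print report", b"altered logic")
    fixed = pad_to_checksum(changed, checksum16(files["tool.exe"]))
    return {**files, "tool.exe": fixed}


if __name__ == "__main__":
    baseline = make_baseline(ORIGINAL, KEY)
    current = tampered_copy(ORIGINAL)
    same_sum = checksum16(current["tool.exe"]) == checksum16(ORIGINAL["tool.exe"])
    print("checksum16 still matches:", same_sum)
    print("keyed-hash verification:", verify(current, baseline, KEY))
```

A baseline rebuilt on the host with any other key also fails verification, which is why the key has to live somewhere the malware cannot read.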

Third-generation programs are memory-resident programs that identify malware by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of malware. Rather, it is necessary only to identify the small set of actions that indicate malicious activity is being attempted and then to intervene.

Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of malware to penetrate a system and then limits the ability of a malware to update files in order to propagate.

Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses and other malware while maintaining fast scanning speeds. Remember that when a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a GD scanner, which contains the following elements:

  • CPU Emulator—A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware so that the underlying processor is unaffected by programs interpreted on the emulator.
  • Virus Signature Scanner—A module that scans the target code looking for known malware signatures.
  • Emulation Control Module—Controls the execution of the target code.

At the start of each simulation, the emulator begins interpreting instructions in the target code, one at a time. Thus, if the code includes a decryption routine that decrypts and hence exposes the malware, that code is interpreted. In effect, the malware does the work for the antivirus program by exposing itself. Periodically, the control module interrupts interpretation to scan the target code for malware signatures. During interpretation, the target code can cause no damage to the actual personal computer environment because it is being interpreted in a completely controlled environment. The most difficult design issue with a GD scanner is to determine how long to run each interpretation. Typically, malware elements are activated soon after a program begins executing, but this need not be the case. The longer the scanner emulates a particular program, the more likely it is to catch any hidden malware. However, the antivirus program can take up only a limited amount of time and resources before users complain of degraded system performance.
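A toy model of the GD scanner described above, added as an example and not drawn from the book or from any antivirus product. The six-instruction machine, the sample builder and the harmless marker string used as the "virus body" are all constructed; the three functions correspond to the signature scanner, the CPU emulator and the emulation control module, and the `budget` parameter is the run-length trade-off the paragraph ends on.

```python
import re
from collections import defaultdict

BODY = b"CONSTRUCTED-TEST-BODY v1"          # harmless constructed marker
# First-generation style signature; None is a one-byte wildcard.
SIGNATURES = {"Test.Marker": [*b"CONSTRUCTED-TEST-BODY v", None]}


def compile_signatures(sigs: dict) -> dict:
    """Turn byte/wildcard lists into compiled byte regexes."""
    out = {}
    for name, pattern in sigs.items():
        rx = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
        out[name] = re.compile(rx, re.DOTALL)
    return out


def signature_scan(memory, compiled: dict):
    """Virus signature scanner: name of the first signature found, or None."""
    for name, rx in compiled.items():
        if rx.search(bytes(memory)):
            return name
    return None


def make_sample(body: bytes, key: int, op: str = "XORM", delay: int = 0):
    """Constructed sample: (decryptor program, encrypted body). The key and
    the decryptor shape differ per variant; delay adds idle loop iterations."""
    if op == "XORM":
        enc = bytes(b ^ key for b in body)
    else:  # "SUBM": stored byte is plaintext + key, the stub subtracts it
        enc = bytes((b + key) & 0xFF for b in body)
    prog = []
    if delay:
        prog += [("SET", "d", delay), ("DEC", "d"), ("JNZ", "d", 1)]
    loop = len(prog) + 3                      # index of the decrypt instruction
    prog += [("SET", "i", 0), ("SET", "n", len(body)), ("SET", "k", key),
             (op, "i", "k"), ("INC", "i"), ("DEC", "n"), ("JNZ", "n", loop),
             ("HALT",)]
    return prog, enc


def gd_scan(program, memory, compiled, budget=500, scan_every=50):
    """Interpret up to `budget` instructions on a private copy of memory,
    pausing every `scan_every` steps to scan it. Returns (hit, steps_used)."""
    mem, regs, pc, steps = bytearray(memory), defaultdict(int), 0, 0
    while steps < budget and pc < len(program):
        op, *args = program[pc]
        pc += 1
        steps += 1
        if op == "HALT":
            break
        if op == "SET":
            regs[args[0]] = args[1]
        elif op == "INC":
            regs[args[0]] += 1
        elif op == "DEC":
            regs[args[0]] -= 1
        elif op == "JNZ":
            if regs[args[0]] != 0:
                pc = args[1]
        elif op in ("XORM", "SUBM"):
            addr, key = regs[args[0]], regs[args[1]] & 0xFF
            if not 0 <= addr < len(mem):
                break                         # out-of-range access ends the run
            mem[addr] = mem[addr] ^ key if op == "XORM" else (mem[addr] - key) & 0xFF
        if steps % scan_every == 0:           # control module interrupts to scan
            hit = signature_scan(mem, compiled)
            if hit:
                return hit, steps
    return signature_scan(mem, compiled), steps


if __name__ == "__main__":
    sigs = compile_signatures(SIGNATURES)
    for label, kw in [("xor variant", dict(key=0x5A)),
                      ("sub variant", dict(key=0x21, op="SUBM")),
                      ("late decrypt", dict(key=0x5A, delay=2000))]:
        prog, enc = make_sample(BODY, **kw)
        print(label, "static:", signature_scan(enc, sigs),
              "emulated:", gd_scan(prog, enc, sigs),
              "long budget:", gd_scan(prog, enc, sigs, budget=10000))
```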

Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. The behavior blocking software then blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include:

  • Attempts to open, view, delete, and modify files.
  • Attempts to format disk drives and other unrecoverable disk operations.
  • Modifications to the logic of executable files or macros.
  • Modification of critical system settings, such as start-up settings.
  • Scripting of email and instant messaging clients to send executable content.
  • Initiation of network communications.

Because a behavior blocker can block suspicious software in real time, it has an advantage over the antivirus detection techniques like fingerprinting or heuristics. There are literally trillions of different ways to obfuscate and rearrange the instructions of a virus or worm, many of which will evade detection by a fingerprint scanner or heuristic. But eventually, malicious code must make a well-defined request to the operating system. Given that the behavior blocker can intercept all such requests, it can identify and block malicious actions regardless of how obfuscated the program logic appears to be. Behavior blocking alone has limitations. Because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked. For instance, a new item of malware might shuffle a number of seemingly unimportant files around the hard drive before modifying a single file and being blocked. Even though the actual modification was blocked, the user may be unable to locate his or her files, causing a loss to productivity or possibly worse.

Spyware-specific detection and removal utilities specialize in the detection and removal of spyware, and provide more robust capabilities. Thus, they complement, and should be used along with, more general antivirus products.

Rootkits can be especially difficult to detect and neutralize, particularly so for kernel-level rootkits. Many of the administrative tools that could be used to detect a rootkit or its traces can be compromised by the rootkit precisely so that it is undetectable. Countering rootkits requires a variety of network- and computer-level security tools. Both network-based and host-based intrusion detection systems can look for the code signatures of known rootkit attacks in incoming traffic. Host-based antivirus software can also be used to recognize the known signatures.

The next location where antivirus software is used is on an organization’s firewall and IDS. It is typically included in email and web proxy services running on these systems. It may also be included in the traffic analysis component of an IDS. Antivirus software:

  • Has access to malware in transit over a network connection to any of the organization’s systems.
  • Gets a larger scale view of malware activity.
  • Can block the flow of any suspicious traffic.

However, this approach is limited to scanning the malware content; it does not have access to any behavior observed on an infected system. Two types of monitoring software may be used:

  • Ingress Monitors—Located at the border between the enterprise network and the Internet. An example of a detection technique for an ingress monitor is to look for incoming traffic to unused local IP addresses.
  • Egress Monitors—Located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the Internet. The egress monitor is designed to catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior.
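The two monitors above, run over a handful of constructed flow records, as an added example that is not from the book. The address ranges are documentation ranges standing in for the enterprise network and the Internet; the in-use address list, the 60-second window and the five-destination threshold are assumptions chosen for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")        # constructed enterprise range
IN_USE = {ipaddress.ip_address(a)                        # addresses actually assigned
          for a in ("192.0.2.10", "192.0.2.11", "192.0.2.20")}

# Constructed flow records: (time in seconds, source, destination, dest port)
FLOWS = (
    # one workstation reaching six different outside hosts on 445 in six seconds
    [(100 + i, "192.0.2.11", f"198.51.100.{i + 1}", 445) for i in range(6)]
    # ordinary repeated traffic to a single outside server
    + [(100 + 30 * i, "192.0.2.10", "203.0.113.5", 443) for i in range(4)]
    # the same pattern spread out, one new destination every two minutes
    + [(1000 + 120 * i, "192.0.2.20", f"203.0.113.{i + 1}", 22) for i in range(6)]
    # inbound traffic: two hits on unassigned addresses, one on a real server
    + [(200, "203.0.113.77", "192.0.2.200", 23),
       (201, "203.0.113.77", "192.0.2.201", 23),
       (205, "198.51.100.9", "192.0.2.10", 443)]
)


def ingress_alerts(flows) -> dict:
    """Ingress monitor: outside sources that sent traffic to local addresses
    nobody uses, mapped to the unused addresses they touched."""
    hits = defaultdict(set)
    for _, src, dst, _ in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in LOCAL_NET and d in LOCAL_NET and d not in IN_USE:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def egress_alerts(flows, window: int = 60, threshold: int = 5) -> list:
    """Egress monitor: local hosts that contacted at least `threshold`
    distinct outside destinations on one port within `window` seconds."""
    recent = defaultdict(deque)          # (src, port) -> (time, dst) in window
    flagged = set()
    for t, src, dst, dport in sorted(flows):
        if (ipaddress.ip_address(src) not in LOCAL_NET
                or ipaddress.ip_address(dst) in LOCAL_NET):
            continue                     # only outbound flows are of interest
        q = recent[(src, dport)]
        q.append((t, dst))
        while q and q[0][0] < t - window:
            q.popleft()                  # expire records older than the window
        if len({d for _, d in q}) >= threshold:
            flagged.add((src, dport))
    return sorted(flagged)


if __name__ == "__main__":
    print("ingress:", ingress_alerts(FLOWS))
    print("egress (60 s window):", egress_alerts(FLOWS))
    print("egress (900 s window):", egress_alerts(FLOWS, window=900))
```

The longer window also picks up the low-rate host, at the cost of keeping more state per source.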

Code Signing

A fundamental technique for protecting an agent system is signing code or other objects with a digital signature. A digital signature serves as a means of confirming the authenticity of an object, its origin, and its integrity. Typically, the code signer is either the creator of the agent, the user of the agent, or some entity that has reviewed the agent. Because an agent operates on behalf of an end-user or organization, mobile agent systems commonly use the signature of the user as an indication of the authority under which the agent operates.

Code signing involves public key cryptography, which relies on a pair of keys associated with an entity. One key is kept private by the entity and the other is made publicly available. Digital signatures benefit greatly from the availability of a public key infrastructure because certificates containing the identity of an entity and its public key (i.e., a public key certificate) can be readily located and verified. Passing the agent’s code through a non-reversible hash function, which provides a fingerprint or unique message digest of the code, and then encrypting the result with the private key of the signer forms a digital signature. Because the message digest is unique, and thus bound to the code, the resulting signature also serves as an integrity mechanism. The agent code, signature, and public key certificate can then be forwarded to a recipient, who can easily verify the source and authenticity of the code. Note that the meaning of a signature may be different depending on the policy associated with the signature scheme and the party who signs. For example, the author of the agent, either an individual or organization, may use a digital signature to indicate who produced the code but not to guarantee that the agent performs without fault or error.

In fact, author-oriented signature schemes were originally intended to serve as digital shrink wrap, whereby the original product warranty limitations stated in the license remain in effect (e.g., manufacturer makes no warranties as to the fitness of the product for any particular purpose). Microsoft’s Authenticode, a common form of code signing, enables Java applets or ActiveX controls to be signed, assuring users that the software has not been tampered with or modified and that the identity of the author is verified.

Code signing certificates are digital certificates that will help protect users from downloading compromised files or applications. When a file or application signed by a developer is modified or compromised after publication, a popup browser warning will appear to let users know that the origin of the file or application cannot be verified.

Sandboxing

Dynamic analysis of malicious code has increasingly become an essential component of defense against Internet threats. By executing malware samples in a controlled environment, security practitioners and researchers are able to observe its malicious behavior, obtain its unpacked code, detect botnet C&C servers, and generate signatures for C&C traffic as well as remediation procedures for malware infections. Large-scale dynamic malware analysis systems (DMAS) based on tools such as Anubis and CWSandbox are operated by security researchers and companies. These services are freely available to the public and are widely used by security practitioners around the world. In addition to these public-facing services, private malware analysis sandboxes are operated by a variety of security companies such as antivirus vendors.

One way for malware to defeat dynamic analysis is to detect that it is running in an analysis sandbox rather than on a real user’s system and refuse to perform its malicious function. For instance, code packers that include detection of virtual machines, such as Themida, will produce executables that exit immediately when run inside a virtual machine such as VMware. There are many characteristics of a sandbox environment that may be used to fingerprint it. Malware authors can detect specific sandboxes by taking advantage of identifiers such as volume serial numbers or IP addresses.

Sandboxes and Virtual Machines

A sandbox is a secluded environment on a computer where you can run untested code or malware to study the results without having any ill effects on the rest of your software. A virtual machine is the most commonly used example of a sandbox because it emulates a complete computer, called a guest operating system, on the main machine (called the host). Well-known examples include Microsoft Hyper-V, VMware ESXi, VirtualBox, Sandboxie, The Chromium Projects, and QEMU. Some vendors even offer online sandboxes that present the analysis results in an organized way. Anubis, ThreatExpert, and GFI ThreatTrack are a few examples of services that offer online sandboxes.

How Malware Researchers Use VMs

In malware research, sandboxes are used to study the behavior of malware. Using a sandbox is not only safer; it is also much quicker to restore an image of a previous state of the guest machine than to face the worst-case scenario for a real computer: reformatting and reinstalling the software that you need, which could take hours.

How Malware Writers Try to Avoid Sandboxes

There are a few methods for a process to determine if it is running in a virtual environment. The most obvious one would be to check for running processes that a VM uses, such as VBoxTray.exe (VirtualBox). A similar method is to compare the services that are running to a list of known services in use by virtualization software or check for drivers like vmmouse.sys (VMware). Another approach would be to check for virtual hardware like a network interface. Like any network interface, they are assigned a unique MAC address that includes the manufacturer’s identification number. Given the limited number of manufacturers, checking for these processes and interfaces does not require a lot of code. The same kind of checks can be done for GUIDs and other unique identifiers used by virtualization software. In addition, the malware can run a check for extra debuggers. The program that wants to avoid being debugged checks the port number for the debugger of the process. A value other than 0 indicates that the process is being run through a debugger handled by the user.

Reviewing Application Code

The Veracode State of Software Security Report states:

“Cryptographic issues affect a sizeable portion of Android (64%) and iOS (58%) applications.

Using cryptographic mechanisms incorrectly can make it easier for attackers to compromise the application. For example, cryptographic keys can be used to protect transmitted or stored data. However, practices such as hard-coding a cryptographic key directly into a mobile application can be problematic. Should these keys be compromised, any security mechanisms that depend on the privacy of the keys are rendered ineffective.”12

The above quoted passage illustrates several facts that the security practitioner needs to be aware of. First, security is not limited to a single platform in the enterprise, nor are the issues associated with security. Second, while good design and architecture is important, bad implementation can still render a system or an application insecure. Third, using shortcuts to design applications can lead to unintended consequences and can impact many systems, not just those that the application is running on top of. All of these issues lead the security practitioner to the need for clarity—clarity with regards to the application code running in the enterprise systems that they are being asked to operate. The big question for the security practitioner is “How do I develop an understanding of the application code running on my systems?” That is where tools such as SWAMP and static source code analyzers come in handy.

SWAMP

SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. The SWAMP servers themselves are hosted at the Morgridge Institute in Madison, WI. At the Institute, the clustered servers are kept at a secure facility. The SWAMP cluster currently has 700 cores, 5 TB of RAM, and 100 TB of storage to meet the continuous assurance needs of multiple software and tool development projects. SWAMP opened its services to the community in February of 2014, offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. These tools currently are the following:

  • FindBugs: Identifies errors in Java programs using Java bytecode rather than source code.
  • PMD: Finds common programming flaws in Java, JavaScript, XML, and XSL applications.
  • Cppcheck: Detects bugs usually missed by compilers in the C and C++ languages.
  • Clang Static Analyzer: Finds bugs in C, C++, and Objective-C programs.
  • GCC: The GNU C compiler is used to ensure C and C++ code is syntactically correct.
  • CheckStyle: Evaluates a wide variety of programming style rules for Java.
  • error-prone: This tool finds violations in Java code using Google’s best practice programming style.

In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that, the SWAMP provides developers with software packages from the National Institute for Standards and Technology’s (NIST) Juliet Test Suite. The Juliet Test Suite is a collection of over 81,000 synthetic C/C++ and Java public domain programs with known flaws. These known flaws are used to test the effectiveness of static analyzers and other software assurance tools. The Juliet Test Suite covers 181 different common weakness enumerations (CWEs) and also includes similar, but non-flawed, code to test tool discrimination.13 Tools such as SWAMP allow for the testing and review of application code in order to uncover potential vulnerabilities and threats in their design and implementation.

Static Analysis

Static source code analyzers attempt to find code sequences that, when executed, could result in buffer overflows, resource leaks, or many other security and reliability problems. Source code analyzers are effective at locating a significant class of flaws that are not detected by compilers during standard builds and often go undetected during runtime testing as well.

A typical compiler will issue warnings and errors for some basic potential code problems, such as violations of the language standard or use of implementation-defined constructs. In contrast, a static source code analyzer performs a full program analysis, finding bugs caused by complex interactions between pieces of code that may not even be in the same source file. The analyzer determines potential execution paths through code, including paths into and across subroutine calls, and how the values of program objects (such as standalone variables or fields within aggregates) could change across these paths. The objects could reside in memory or in machine registers.

The analyzer looks for many types of flaws. It looks for bugs that would normally compile without error or warning. The following is a list of some of the more common errors that a modern static source code analyzer will detect:

  • Potential NULL pointer dereferences
  • Access beyond an allocated area, otherwise known as a buffer overflow
  • Writes to potentially read-only memory
  • Reads of potentially uninitialized objects
  • Resource leaks (e.g., memory leaks and file descriptor leaks)
  • Use of memory that has already been deallocated
  • Out-of-scope memory usage (e.g., returning the address of an automatic variable from a subroutine)
  • Failure to set a return value from a subroutine
  • Buffer and array underflows

The static analyzer also has knowledge about how many standard runtime library functions behave. The analyzer uses this information to detect errors in code that calls or uses the result of a call to these functions. The analyzer can also be taught about properties of user-defined subroutines. For example, if a custom memory allocation system is used, the analyzer can be taught to look for misuses of this system. By teaching the analyzer about properties of subroutines, users can reduce the number of false positives. A false positive is a potential flaw identified by the analyzer that would not actually occur during program execution. Of course, one of the major design goals of a static source code analyzer is to minimize the number of false positives so that developers can minimize time looking at them.

Vectors of Infection

The vector is where the malcode comes from, which can be a form of media transfer such as email or peer-to-peer (P2P) networks, or exploitation combined with web browsing. Various techniques exist to trick users into executing code or revealing sensitive information. For example, the default view settings inside of Windows Explorer do not show the true extension of a file. “report.doc” may only appear as “report” to the end user. Various methods exist that exploit this default behavior of Windows to trick users into thinking a file is safe when it is actually malicious.

An interesting new vector emerged around Christmas of 2007, where digital frames were infected with malcode. These new gifts enabled users to transfer malcode through a USB-based thumb drive. One example of redirection and the abuse of default behavior can be seen in the following description, reproduced directly from the InfoSec Community Forums at https://isc.sans.edu/forums/diary/More+on+Google+image+poisoning/10822/, of how hackers were able to exploit Google’s image search capability to serve up malware to unsuspecting users.

  1. The attackers compromise a number of legitimate websites.
  2. Once the source websites have been exploited, the attackers plant their PHP scripts. These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial webpages based on current trending in Google’s search results. These websites contain not only text but also images that are acquired from various websites. They embed links to pictures that are really related to the topic, so the automatically generated webpage contains convincing content.
  3. Google now crawls through these websites. The scripts from the attackers will detect Google’s bots either by their IP address or the User Agent and will deliver special pages back containing automatically generated content. Google will also parse links to images and, if appropriate, populate the image search database.
  4. Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content created in step 3, as well as the number of links to the webpage and other parameters used by Google, the attacker’s page will be shown at a certain position in the results webpage. The exploit happens when a user clicks on the thumbnail. Google now shows a special page that shows the thumbnail in the center of the page, links to the original image on the right, and the original website in the background. This is where the “vulnerability” is. Google displays this in a simple iframe. The user’s browser will automatically send a request to the bad page that has been made available through the compromise of legitimate websites in step 1, which runs the attacker’s PHP script. This script checks the request’s referrer field, and if it contains “Google,” meaning this was a click on the results page in Google, the script displays a small JavaScript script that causes the browser to be redirected to another site that is serving up malware.

By pairing malicious script actions with Google’s default behavior, the hackers are able to touch thousands of people’s machines and infect many of them without anyone’s knowledge. This activity was very prevalent in 2011, and while Google was able to take steps to mark and eliminate bad or suspicious URLs being returned to users in search results, they were unable to eliminate this issue with their image browser results as quickly, and as a result, this behavior continued to infect unsuspecting users for several months.

At the end of 2013, another example emerged, although this time it was in the form of a Trojan purporting to be antivirus software. The Protector Rogue took its name from the filename protector-xxx.exe (where x’s were random letters). This malware was very common until it was mostly eradicated in September of 2012. This new version of the Protector Rogue has the filename guard-xxx.exe and the registry run value GuardSoftware. GuardSoftware’s installer, or dropper, has a valid digital signature, which makes it appear to be trustworthy and which can bypass certain forms of heuristic detection. At the same time, GuardSoftware utilizes hijacking techniques not previously observed in comparable rogue programs. After installation, GuardSoftware restarts the computer and then essentially locks the desktop with a “scanning in progress” screen, as can be seen in Figure 7-7.

This screen is meant to fool users into trusting GuardSoftware, and it even goes as far as allowing the user to disable the scan through an options feature. This will unlock the desktop, but it will not stop the scan. Instead, the supposed scan will continue to run in the background, with constant pop-up reminders that the computer is infected, all aimed at persuading the user to purchase the full version of GuardSoftware by entering their credit card information into the purchase screen pop up.

Figure 7-7: Scanning In Progress

GuardSoftware is one of the first rogue programs to utilize such screen locking, which in the past has typically only been observed in ransomware. In the past, Protector Rogues would instead just scare users with frightening messages, such as “YOUR COMPUTER IS INFECTED” or “PROTECTOR FOUND 136 VIRUSES ON YOUR COMPUTER!!!” This rogue family uses a variety of names; some examples are Windows Expert Console, Windows Cleaning Toolkit, and Windows Active Hotspot. Below are some SHA1 hashes listed for these variants:

  • FAAB416D4423F08337707D6FC15FA4ACA143D9BE
  • 2966D9B0B7B27C1CA2FA46F93E26E82FBB7FE64C
  • CB8B40EACC05C5D34396D70C9B9C1D931A780517

The security practitioner needs to be aware of exploits such as the GuardSoftware Protector Rogue in order to be able to defend against them and to ensure that end users are educated about the types of exploits and threats that they face in the wild as well.

Malicious Activity

Social engineering is a term used to describe methods that bad actors can use to trick users or “con” them into engaging in behavior that they would not normally engage in. For instance, opportunistic attacks may make use of promising something sexual as a popular theme to get someone to click on a link, open a file, or perform some other sort of desired action. Another common approach may be the use of fear, such as falsely claiming that the user’s services have been or are about to be terminated, or that there is a problem of some sort with an account or service, attempting to trick the user into revealing sensitive information (phishing-type scams) or performing actions to install malcode. The use of phishing attacks to target individuals, entire departments, and even companies continues to be a significant threat that the security practitioner needs to be aware of and be prepared to defend against. The many derivative attack vectors that have been spawned as a result of the modification of the basic phishing attack in recent years have led to a variety of attacks that are deployed relentlessly against individuals and networks in a never ending stream of emails, phone calls, spam, instant messages, videos, file attachments, and many other delivery mechanisms.14

Here are five examples of additional social engineering attacks:

  1. Baiting: Baiting involves dangling something that the target will want to entice them into taking an action that the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site, or it can be a file on a USB flash drive with a company logo labeled “Financials Q2” left out in the open for you to find. Then, once the device is used or downloaded, the person or company’s computer is infected with malicious software, allowing the criminal to take control of the targeted system.
  2. Phone Phishing (Vishing): Phone phishing, or vishing, uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted via a phishing email to call in to the “bank” via a number provided in order to verify certain information such as account numbers, account access codes or a PIN, answers to security questions, as well as contact information and addresses. A typical system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may be used to transfer the victim to the attacker posing as a customer service agent for further questioning.
  3. Pretexting: Pretexting is the human equivalent of phishing, where someone impersonates an authority figure or someone you trust to gain access to your login information. It can take form as fake IT support needing to do maintenance or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities, or other seemingly legitimate people in order to gain access to your computer and information.
  4. Quid Pro Quo: Quid pro quo is a request for your information in exchange for some compensation. It could be the offer of a free item or access to an online game or service in exchange for your login credentials, or a researcher asking for your password as part of an experiment in exchange for money. If it sounds too good to be true, it probably is quid pro quo.
  5. Tailgating: Tailgating is when someone follows you into a restricted area or system. Traditionally, this is when someone asks you to hold the door open behind you because they forgot their company RFID card. However, this could also take the form of someone asking to borrow your phone or laptop to perform a simple action when they are actually installing some malicious software.

Security awareness training can be highly effective in helping those who may become the targets of social engineering attacks to not be taken advantage of easily. Simply training people to never trust unsolicited emails, instant messages, or other communications is an essential step but is only the beginning.15 In addition to basic awareness, all users in a system must be provided training that is targeted toward situational specific awareness based on their roles and responsibilities within an organization. For instance, a senior level executive within a bank must be given additional security awareness training focused around their situational awareness to educate them with regards to threats that they may face as they interact with peers and colleagues outside the bank in social settings such as conferences and while travelling. This training would be different in focus and content than the training that a teller in the bank would receive. However, an acceptable use policy and support from management must be in place to give any such training teeth and follow up. With such a combination, the “user-to-keyboard” error risk can be lowered. Examples of this abound, such as the Storm worm of 2007/2008 as well as the highly publicized 2011 breach of RSA by a hacker using socially engineered emails and malware attachments.16 Some additional well known examples include the Facebook social engineering attacks against NATO in early 2012, the hack of a Wal-Mart store in Canada during a social engineering capture the flag contest at DefCon in August 2012, and the Francophoned social engineering attack carried out against a French-based multinational in April of 2013.17

How to Do It for Yourself: Using the Social Engineer Toolkit (SET)

You can examine one of the toolkits that is being used by hackers to execute social engineering attacks against systems and, in so doing, gain insights into how these attacks are built and executed. The required tool and a step-by-step overview of the Social Engineer Toolkit (SET) can be found below.

What you will need:

  1. A Linux-based machine that is running KALI Linux (this can be either a physical or a virtual machine). The current distribution (distro) for KALI can be found here:

    http://www.kali.org/

  2. If you choose not to use KALI Linux, which has the Social Engineer Toolkit already built in, then the toolkit can be downloaded separately from here:

    https://github.com/trustedsec/social-engineer-toolkit

To open the SET in the KALI distribution, go to Applications > KALI Linux > Exploitation Tools > Social Engineering Toolkit > se-toolkit, as shown in Figure 7-8.

Figure 7-8: Social Engineering Toolkit in KALI Linux

The SET is a menu-driven attack system. The SET menu is listed below:

  1. Social-Engineering Attacks
  2. Fast-Track Penetration Testing
  3. Third Party Modules
  4. Update the Metasploit Framework
  5. Update the Social-Engineer Toolkit
  6. Update SET configuration
  7. Help, Credits, and About

The menu item that you will be interested in for this exercise will be number 1, as shown in Figure 7-9.

Figure 7-9: Social Engineering Toolkit Menu options

Now, you will select social engineering attacks from the menu. Once it is chosen, you will get the sub menu list, which gives details about the type of attack, as shown in Figure 7-10.

  1. Spear-Phishing Attack Vectors
  2. Website Attack Vectors
  3. Infectious Media Generator
  4. Create a Payload and Listener
  5. Mass Mailer Attack
  6. Arduino-Based Attack Vector
  7. SMS Spoofing Attack Vector
  8. Wireless Access Point Attack Vector
  9. QRCode Generator Attack Vector
  10. Powershell Attack Vectors
  11. Third Party Modules

Figure 7-10: Social Engineering Toolkit sub list menu of attack options

Now, you will be able to select any of the listed options to explore the attacks by category and to gain a better understanding of the options available within each attack type. For instance, if you choose the website attack vectors from the menu, which is item 2, then you will get the sub menu list, which gives details about the type of attacks available, as shown below:

  1. Java Applet Attack Method
  2. Metasploit Browser Exploit Method
  3. Credential Harvester Attack Method
  4. Tabnabbing Attack Method
  5. Man Left in the Middle Attack Method
  6. Web Jacking Attack Method
  7. Multi-Attack Web Method
  8. Create or Import a CodeSigning Certificate

SET will provide a small summary of the functionality of each attack when chosen, as the following example illustrates for the first 3 items listed in the menu:

  • The Java Applet Attack method will spoof a Java Certificate and deliver a Metasploit based payload. It uses a customized Java applet created by Thomas Werth to deliver the payload.
  • The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
  • The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

Long File Extensions

Long file extensions have been around for many years. On Windows NTFS-based operating systems, the filename can be up to 255 characters long.18 Filenames that are very long are abbreviated with three dots, “. . .”, concealing the true extension of the file. The security practitioner needs to be familiar with how to view a full file name, including the extension of the file being examined, because this information can be very valuable in many circumstances.

Double File Extensions

The use of double file extensions is often combined with long filenames to show only the first extension, such as Madonna.jpg followed by many spaces and then the real extension, such as .exe: Madonna.jpg.exe. The security practitioner needs to be aware of this kind of behavior because the information that is being hidden through the use of the double file extension will help to provide an understanding of the true nature of the file as well as its contents. See Figure 7-11 for an example of double file extensions.

Figure 7-11: A file that has been created using double file extensions.

The “original” version of this file was created as a Microsoft Word file, using Office 2013. Once the second file extension was added to the file, two critical things happened. First, the file type, according to Windows Explorer, is now registered as being an Excel file of type version 97-2003, based on the file extension .xls being used for the file. The second thing that has happened is that the file icon, the file association, and all of the metadata associated with the file have been modified and now reference Microsoft Excel, not Microsoft Word. When you try to open the file, this will result in a warning similar to the one shown in Figure 7-12.

Figure 7-12: Opening a file with a different version of a program

The security warning prompted by the system indicates another interesting behavior for the security practitioner to be aware of when dealing with double file extensions. The security warning indicates that this file is attempting to be opened in a different format by a program of a different type than the file extension would normally indicate should be opening the file. This is happening because the version of the file was set to .xls when saved, but the program being used to open the file is newer, specifically Excel 2013, and is expecting to see an .xlsx file extension. If the Yes button is clicked, the file would open with no trouble, even though the security warning indicated that the file could possibly be corrupt. The security practitioner needs to understand that file extensions can be used to alter file associations, as well as the default program that would be used by the operating system to open a file, and as a result, could potentially lead to a rogue program being launched without the prior knowledge of the end user once a modified file has been accessed.

The security practitioner cannot always rely on the operating system to provide a security prompt, or a warning of any kind for that matter, indicating that a modified file is being accessed. Figure 7-13 shows another file with double file extensions.

Figure 7-13: File with double file extensions

The file, which was originally created as a Microsoft Office Word 2013 document and then “transformed” into a Notepad text file through the addition of the .txt file extension, opens with no security warning of any kind for the end user when accessed, as Figure 7-14 illustrates.

This kind of behavior can lead to an end-user’s system being compromised easily if the right type of modified file is accessed by the user under the guise of “legitimate” use.

Figure 7-14: File opened without any security warning

Figure 7-15 shows one final issue that double file extensions can cause if left undiscovered in a system.

Figure 7-15: File renaming through extension manipulation

The file wmplayer.exe.txt was created by taking a copy of the legitimate wmplayer.exe file from a Windows 7 machine and renaming it by adding a .txt extension onto the end of the file name. This action allowed the file type to be registered by the Windows OS as a text document type, as can be seen at the top right corner of the figure. When the file is accessed, it is now opened by the notepad.exe program, not by the Windows Media Player. This allows the underlying source code of the wmplayer.exe file to be examined, as can be seen in the lower portion of Figure 7-16.

Figure 7-16: Examination of underlying code in wmplayer.exe

The reader should take notice of the fact that while a lot of the code is unreadable, there are also several pieces of information that may be of value for an attacker if he or she is looking to modify the functionality of this file or add instructions or additional information into the file in some way.

Figure 7-17 shows what a simple modification of the wmplayer.exe.txt file might achieve. The two modifications made are found in the second and third lines of text up from the bottom of Figure 7-17. Notice that the URL path has been modified in the third line of text from the bottom and that the second line of text from the bottom shows modifications to the “LinkID =” statement. While neither of these modifications by themselves could be harmful, taken together, these modifications could allow the program to be redirected to a website controlled by a hacker and potentially cause the download of modified software onto the end-user system that executes this modified file.

Figure 7-17: Simple modification of wmplayer.exe.txt file

Fake Related Extension

Sometimes a fake related extension is what works best for an attack vector. An example of this type of behavior can be seen by examining the Unitrix exploit. Named the Unitrix exploit by Avast after it was used by the Unitrix malware, this method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name. The Unicode character is U+202E: Right-to-Left Override, and it forces programs to display text in reverse order. Figure 7-18 shows the Unicode Character Map in Windows 8.1, with the U+202E: Right-to-Left Override selected.

Figure 7-18: U+202E: Right-To-Left Override selection

The way this would work is that the file’s actual name can be something like “Cool song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Cool song uploaded by RCS.mp3”. However, it’s not an MP3 file; it is an SCR file and it will be executed if you double-click it. Analysis of this exploit showed that the hackers did not directly take over the infected computers. Instead, they had a “pay per installation” network that provided outsourced infection and malware distribution services for other cybergangs, hitting a peak of 25,000 infections daily during the last quarter of 2011.

The security practitioner needs to be focused on what kind of files are being used and made available in end-user systems in order to better understand the potential threats that may exist. Additional file types that could prove to be problematic include the following: .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh.
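A gateway or endpoint check for the U+202E trick described above, as an added example (not code from the original text): it strips bidirectional control characters to recover the extension the operating system acts on and compares it with the extension a user would see. The display simulation is a simplification of the Unicode Bidirectional Algorithm, and the function names and verdict labels are assumptions made for this illustration.

```python
import os

RLO, PDF = "\u202e", "\u202c"
# Unicode bidirectional formatting controls (embeddings, overrides, isolates, marks).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# File types the text lists as problematic, plus .exe from the gateway-filter discussion.
RISKY_EXTENSIONS = {".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
                    ".vb", ".vbe", ".vbs", ".wsh", ".exe"}


def simulate_display(name):
    """Approximate what a bidi-aware UI shows: text after an RLO is reversed
    until a PDF character or the end of the name (simplified model)."""
    shown, run = [], None
    for ch in name:
        if ch == RLO:
            if run is not None:
                shown.append("".join(reversed(run)))
            run = []
        elif ch == PDF and run is not None:
            shown.append("".join(reversed(run)))
            run = None
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored by this model
        elif run is not None:
            run.append(ch)
        else:
            shown.append(ch)
    if run is not None:
        shown.append("".join(reversed(run)))
    return "".join(shown)


def inspect_filename(name):
    """Compare the extension the OS will use with the one the user sees."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    logical = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    displayed = simulate_display(name)
    real_ext = os.path.splitext(logical)[1].lower()
    shown_ext = os.path.splitext(displayed)[1].lower()
    risky = real_ext in RISKY_EXTENSIONS
    if has_bidi and (risky or shown_ext != real_ext):
        verdict = "block"      # display order was manipulated to hide the type
    elif has_bidi or risky:
        verdict = "review"     # unusual name or high-risk type, no disguise proven
    else:
        verdict = "allow"
    return {"displayed": displayed, "real_ext": real_ext,
            "shown_ext": shown_ext, "has_bidi": has_bidi, "verdict": verdict}


if __name__ == "__main__":
    # The file name from the text, with the real U+202E character in place.
    for sample in ["Cool song uploaded by \u202e3pm.SCR", "holiday.jpg", "screensaver.scr"]:
        print(repr(sample), inspect_filename(sample))
```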

Fake Icons

Fake icons are often given to files to make them appear as something safe or trusted, tricking the end user into executing rogue software. Some actors will give file names that appear to be something like a PDF or similar file, and then an icon for PDF files, but they will configure the file so that it runs as an executable.

Password-Protected ZIP Files/RAR

Some malcode attacks can be used to send compressed or encrypted files to potential victims. This helps to bypass some gateway filters that exist to block EXE, COM, SCR, and similar file types known to be of high risk. Such attacks will normally include text or an image to provide the password to a possible victim, instructing them to open the file. Another use for modified .zip files could be to use them to carry out a zip bomb attack. A zip bomb is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software in order to create an opening for more traditional viruses. Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is carefully crafted so that unpacking it requires inordinate amounts of time, disk space, or memory. One example of a zip bomb is the file 42.zip, which is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom layer archive containing a 4.3 gigabyte file for a total of 4.5 petabytes of uncompressed data.19
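An added example (not from the original text) of a pre-extraction audit that a mail gateway or scanner could apply to the archives described above: it refuses encrypted members it cannot inspect and enforces limits on compression ratio, nesting depth, and total unpacked bytes. The limit values, function names, and the small in-memory sample archives are assumptions constructed for illustration.

```python
import io
import zipfile


class ArchiveRejected(Exception):
    """Raised when an archive breaks one of the unpacking limits."""


def _read_capped(member, budget):
    """Decompress one member in chunks, charging a byte budget shared by all
    nesting levels, so bytes are counted as they are actually produced."""
    chunks = []
    while True:
        chunk = member.read(64 * 1024)
        if not chunk:
            return b"".join(chunks)
        budget[0] -= len(chunk)
        if budget[0] < 0:
            raise ArchiveRejected("uncompressed data exceeds byte budget")
        chunks.append(chunk)


def audit_zip(data, max_total=50 * 1024 * 1024, max_ratio=100,
              ratio_floor=64 * 1024, max_depth=2, _depth=0, _budget=None):
    """Return the number of files inspected, or raise ArchiveRejected."""
    budget = [max_total] if _budget is None else _budget
    members = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted
                raise ArchiveRejected(f"{info.filename}: encrypted, cannot be inspected")
            # The ratio rule skips small files, which often compress well legitimately.
            if (info.file_size > ratio_floor and info.compress_size > 0
                    and info.file_size / info.compress_size > max_ratio):
                raise ArchiveRejected(
                    f"{info.filename}: compression ratio above {max_ratio}:1")
            with zf.open(info) as member:
                content = _read_capped(member, budget)
            members += 1
            if zipfile.is_zipfile(io.BytesIO(content)):
                if _depth + 1 > max_depth:
                    raise ArchiveRejected(
                        f"{info.filename}: nesting deeper than {max_depth}")
                members += audit_zip(content, max_total, max_ratio, ratio_floor,
                                     max_depth, _depth + 1, budget)
    return members


def verdict(data, **limits):
    """Wrap audit_zip so a scanner gets a one-line decision."""
    try:
        return f"ok ({audit_zip(data, **limits)} members)"
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return f"rejected: {exc}"


def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_zip({"readme.txt": b"Quarterly report\n" * 50})
    inflated = make_zip({"zeros.bin": b"\0" * 2_000_000})
    layered = make_zip({"a.txt": b"hi"})
    for _ in range(3):  # wrap three more times: four archive layers in total
        layered = make_zip({"inner.zip": layered})
    for label, blob in [("benign", benign), ("inflated", inflated), ("layered", layered)]:
        print(label, "->", verdict(blob))
```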

Hostile Codecs

This family of code spread through multiple vectors, but it always ended up with a user installing a hostile codec of some kind. Various posts are made to forums or users may be directed via email or some other vector to visit a pornography site. Upon visiting the pornography site, or similar content, they are told they cannot view the video without installing a codec first. Installation of the codec gives permission to install Zlob or similar malicious code onto the targeted system, thus opening it up to attack and compromise by the hacker.

Email

Email is one of the most well-known vectors for spreading malcode. It is heavily used and depended upon by millions daily. Sometimes, email threats can involve a vulnerability related to email clients or even web browsers, such as Internet Explorer, that are used to view HTML-based content. One example of an email based attempt to infect end-user systems with malware has been targeted at users of the Google Chrome web browser. Google Chrome users receive an unsolicited email that announces that a new extension for their favorite browser has been developed to facilitate their access to documents from emails. A link is provided, and the recipients are advised to follow it in order to download the new extension. Once they click the link, they are redirected to a look-alike of the Google Chrome Extensions page, which, instead of the promised extension, provides them with a fake application that infects their systems with malware. Figure 7-19 shows a sample of the spam email that would be used by the attacker to convince a targeted end user to click on the bad URL to force a redirect to the modified webpage where the malware would be waiting to be downloaded into the computer once the user attempted to download the extension file.


Figure 7-19: Sample spam email

Another example of email being used as an attack vector against unsuspecting users was targeted at a very narrowly defined silo of users. This attack, launched at the end of October 2013, was targeted at fliers who would be taking Lufthansa flights on Nov. 4th, 2013.

A description of the attack and the image of the email shown in Figure 7-20 is reproduced directly from the Hot for Security blog post, “Fake Lufthansa Ticket Reservation Plants Spyware on Germans’ PCs,” at http://www.hotforsecurity.com/blog/fake-lufthansa-ticket-reservation-plants-spyware-on-germans-pcs-7297.html. These travelers received the email shown in Figure 7-20, which appears to be from Lufthansa customer service.


Figure 7-20: Email that appears to be from Lufthansa customer service

The fake message informs travelers that they have been issued an electronic ticket and that they can use the flight data in the attachment to perform an advance online check-in. The attachment includes a hidden Trojan that deploys spyware on the compromised system. The Trojan spies on users’ network activities to steal system data, browser-related credentials, and email login data. The collected data is sent to the attackers’ remote servers. These servers tell the malware when and where to download and run files, remove itself from the system, and update its code to avoid detection.

The security practitioner needs to create a culture within their networks that allows users to report unusual events of any kind, so that attacks such as the ones described do not go unnoticed and infect multiple systems before they are discovered. While there are many ways for the security practitioner to communicate with users, one of the most effective ways to help users understand what normal behavior looks like for a network, and therefore what a deviation from that baseline is, is to create security awareness training content that is made available to all users of the network, regardless of job role.

Insider Human Threats

The following discussion of insider threats is reproduced directly from the Department of Homeland Security whitepaper, “Combating the Internal Threat.”

An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems. Insider threats, to include sabotage, theft, espionage, fraud, and competitive advantage, are often carried out through abusing access rights, theft of materials, and mishandling physical devices. Insiders do not always act alone and may not be aware they are aiding a threat actor (i.e., the unintentional insider threat). It is vital that security practitioners understand normal employee baseline behaviors and also ensure employees understand how they may be used as a conduit for others to obtain information. Some behavioral indicators of malicious threat activity include:

  • Remotely accesses the network while on vacation, sick, or at odd times.
  • Works odd hours without authorization.
  • Displays notable enthusiasm for overtime, weekend, or unusual work schedules.
  • Unnecessarily copies material, especially if it is proprietary or classified.
  • Shows an interest in matters outside of the scope of their duties.
  • Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health, or hostile behavior, should trigger concern. Be on the lookout for warning signs among employees such as the acquisition of unexpected wealth, unusual foreign travel, irregular work hours, or unexpected absences.

Identifying behavioral indicators may be difficult, particularly if they do not occur for a long period of time and therefore do not set a pattern. Therefore, a good understanding of risk characteristics and events that may trigger those characteristics is essential. It’s equally important for the security practitioner to create productive and healthy work environments to help reduce the unintentional insider threat. Some countermeasures include:

  • Training employees to recognize phishing and other social media threat vectors.
  • Training continuously to maintain the proper levels of knowledge, skills, and abilities.
  • Conducting training on and improving awareness of risk perception and cognitive biases that affect decision making.
  • Improving usability of security tools.
  • Improving usability of software to reduce the likelihood of system-induced human error.
  • Enhancing awareness of the unintentional insider threat.
  • Providing effective security practices (e.g., two factor authentication for access).
  • Maintaining staff values and attitudes that align with organizational mission and ethics.

There are several detection, prevention, and deterrence methods to consider:

  • Data/file encryption
  • Data access monitoring
  • SIEM or other log analysis
  • Data loss prevention (DLP)
  • Data redaction
  • Enterprise identity and access management (IAM)
  • Data access control
  • Intrusion detection/prevention systems (IDS/IPS)
  • Digital rights management (DRM)

Finally, continual training is always a recommended option. Below are descriptions of two free of charge courses that organizations may want to consider offering to employees, contractors, and others that meet the description of an “insider.”

  • The Department of Homeland Security (DHS) offers an online independent study course titled Protecting Critical Infrastructure Against Insider Threats (IS-915). The one-hour course provides guidance to critical infrastructure employees and service providers on how to identify and take action against insider threats.20
  • The Department of Defense (DoD) also offers an Insider Threat Awareness course free of charge. The course includes a printable certificate after completion and focuses on the insider threat as an essential component of a comprehensive security program.21

Insider Hardware and Software Threats

The following list details the most common behaviors that security practitioners should be engaging in on a regular basis to detect insider threats:

  • Monitor phone activity logs to detect suspicious behaviors.
  • Monitor and control privileged accounts.
  • Monitor and control external access and data downloads.
  • Protect critical files from modification, deletion, and unauthorized disclosure.
  • Disable accounts and connections upon employee termination.
  • Prevent unauthorized removable storage mediums.
  • Identify all access paths into organizational information systems.

There are many ways that insider threats can be executed inside of a network, many of which can go unnoticed. For example, Knoppix can be loaded onto a thumb drive and then used to boot up a computer and possibly gain unauthorized access to files on the drive or make changes in Linux mode.22 Another example of this kind of a solution is the Windows To Go feature that is available with the Windows 8 and 8.1 releases. The use of the Windows To Go technology could allow an attacker to use any device that could boot from a USB drive to run a full featured version of Windows 8. The issues that this poses for the security practitioner are as follows. First, this behavior could allow for an unsupported version of a network operating system to be deployed and used within the network. This would violate usage policies and could also have unknown consequences. In addition, and perhaps more importantly, if security has not been set up properly within the network to implement the use of policy based device management and drive encryption, the attacker could potentially gain access to data stored on the local hard drive of the machine being used to run the Windows To Go solution.

Another area of potential compromise involves the use of hardware and software keyloggers to steal information without the knowledge of the user sitting at the computer.

The German news source Der Spiegel reported that the NSA’s elite hacking unit Tailored Access Operations (TAO) conducts sophisticated wiretaps.23 The NSA, CIA, and FBI routinely and secretly intercept shipments of laptops and computer accessories. The TAO unit diverts shipments to secret workshops where agents install malware or malicious hardware that grants remote access to U.S. intelligence agencies. Since 2009 the NSA has used a USB hardware implant codenamed COTTONMOUTH that secretly provides the NSA with remote access to the compromised machine. COTTONMOUTH-1 provides a wireless bridge into a network and the ability to load exploitative software onto computers.

Another NSA unit named ANT can compromise the security architecture of Cisco, Huawei, Dell, Juniper, and similar companies. The NSA uses malware called FEEDTHROUGH to burrow into firewalls and make it possible to smuggle other NSA programs into mainframe computers. These programs can even survive reboots and software upgrades.

Available software and hardware for such purposes runs the full gamut of prices. A rigged monitor cable that shows what is displayed on a targeted monitor is available for $30. An active GSM base station that mimics a mobile phone tower so you can monitor cell phones costs $40,000. Computer bugging devices disguised as USB plugs that can transmit data via radio undetected are sold in packs of 50 for more than $1 million.

The security practitioner faces a large array of potential threats to the confidentiality, integrity, and availability of the systems and information that they are tasked with protecting. Some of these threats are easily identified and mitigated, while others may be impossible to foresee and detect until well after they have done damage to one or more systems. The need for training as well as situational awareness has never been greater. The security practitioner has several responsibilities that are instrumental to the success of creating and maintaining a secure environment within the enterprise. They may need to partner with one or more additional resources, such as a CISSP or senior information systems architect, in order to be able to fully execute on some of the responsibilities discussed below.

  1. They must examine the architecture of all systems being used to ensure that any known issues, threats, vulnerabilities, and risks have been identified and plans are drawn up to address them in some way.
  2. They must review the documentation for all systems and validate that it is up to date and properly managed through the use of a change management structure.
  3. They must ensure that security awareness training is carried out at every level of the enterprise in order to ensure that all team members are aware of their role, the specifics of their role with regards to information and systems security, and also aware of the requirements that any and all policies may put in place with regards to system access and usage.
  4. They must analyze all system usage and access policies in order to ensure that they are up to date and accurately represent current technology deployed in the enterprise, as well as current usage patterns of the technology deployed.

Spoofing, Phishing, Spam, and Botnets

Spoofing, phishing, spam, and botnets are all techniques that can compromise security. They sometimes are used in conjunction with each other. This section explores how you can recognize and address each of them.

Spoofing

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Spoofing is the creation of TCP/IP packets using somebody else’s IP address. Routers use the destination IP address in order to forward packets through the Internet, but they ignore the source IP address. That address is only used by the destination machine when it responds back to the source. A common misconception is that “IP spoofing” can be used to hide your IP address while surfing the Internet, chatting online, sending email, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses, such as blind spoofing. Examples of spoofing:

  • Man-in-the-middle—Packet sniffs on link between the two end points and can therefore pretend to be one end of the connection.
  • Routing redirect—Redirects routing information from the original host to the hacker’s host (this is another form of man-in-the-middle attack).
  • Source routing—Redirects individual packets by hacker’s host.
  • Blind spoofing—Predicts responses from a host, allowing commands to be sent, but cannot get immediate feedback.
  • Flooding—SYN flood fills up receive queue from random source addresses; smurf/fraggle spoofs victim’s address, causing everyone to respond to the victim.

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Some of the most common characteristics that these forged email messages present are:

  • Use of the Names of Existing Companies—Instead of creating a company’s website from scratch, fraudsters imitate the corporate image and website functionality of an existing company in order to further confuse recipients of the forged message.
  • Use of the Name of a Real Company Employee as the Sender of the Spoofed Message—If recipients attempt to confirm the authenticity of the message by calling the company, they will be assured that the person named as the company’s spokesman does actually work for the company.
  • Web Addresses that Seem to be Correct—Forged emails usually take users to websites that imitate the appearance of the company used as bait to harvest the information. In fact, both the contents and the web address (URL) are spoofed and simply imitate legitimate contents. What’s more, legal information and other non-critical links could redirect trusting users to the real website.
  • Fear Factor—The window of opportunity open to fraudsters is very short because once the company is informed that its clients are targets of these techniques, the server that hosts the fake website and harvests the stolen information is shut down within a few days. Therefore, it is essential for fraudsters to obtain an immediate response from users. On most occasions, the best strategy is to threaten them with either financial loss or loss of the account itself if the instructions outlined in the forged email are not followed, which usually refer to new security measures recommended by the company.

In addition to obscuring the fraudulent URL in an apparently legitimate email message, this kind of malware also uses other more sophisticated techniques:

  • In the man-in-the-middle technique, the fraudster is located between the victim and the real website, acting as a proxy server. By doing so, he can listen to all communication between them. In order to be successful, fraudsters must be able to redirect victims to their own proxy, instead of to the real server. There are several methods, such as transparent proxies, DNS cache poisoning, and URL obfuscation, among others.
  • Exploitation of cross-site scripting vulnerabilities in a website, which allow a secure banking webpage to be simulated without users detecting any anomalies in either the web address or the security certificate displayed in the web browser.
  • Vulnerabilities in Internet Explorer, which by means of an exploit allow the web address that appears in the browser address bar to be spoofed. By doing so, while the web browser could be redirected to a fraudulent website, the address bar would display the trustworthy website URL. This technique also allows false pop-up windows to be opened when accessing legitimate websites.
  • Some attacks also use exploits hosted in malicious websites, which exploit vulnerabilities in Internet Explorer or the client operating system in order to download keylogger type Trojans, which will steal confidential user information.
  • Pharming is a much more sophisticated technique. It consists in modifying the contents of the DNS (domain name server), either via the TCP/IP protocol settings or the lmhost file, which acts as a local cache of server names in order to redirect web browsers to forged websites instead of the legitimate ones, when the user attempts to access them. Furthermore, if the victim uses a proxy in order to remain anonymous while surfing the Web, its DNS name resolution could also become affected so that all the proxy users are redirected to the false server.

How Phishing Works and Is Distributed

The most common attack vector is a forged email message that pretends to come from a specific company, whose clients are the target of the scam. This message will contain links to one or more fraudulent webpages that totally or partially imitate the appearance and functionality of the company, which is expected to have a commercial relation with the recipient. If the recipient actually works with the company and trusts the email to have come from the legitimate source, he is likely to end up entering sensitive information in a malicious form located in one of those websites.

The means of distribution of these emails also shares several common characteristics.

Much the same as spam, it is massively and indiscriminately sent via email or instant messaging programs: The message urges users to click on a link, which will take them to a website in which they must enter their confidential data in order to confirm it, reactivate their account, etc. It is sent as a financial company alert, warning users of an attack. It includes a link to a website in which they are prompted to enter personal data.

As the message is massively distributed, some of the recipients will actually be clients of the company. The message states that due to some security concerns, users should visit a website and confirm their data: username, password, credit card number, PIN, social security number, etc.

Of course, the link does not point to the company page but to a website developed by the fraudsters and that imitates the corporate image of the financial or banking entity. The web address displayed usually includes the name of the legitimate institution so that users do not suspect any deception.

When users enter their confidential data, these are stored in a database, allowing fraudsters to use the harvested information to connect to the accounts and strip all of the funds out.

The main damage caused by phishing is:

  • Identity and confidential user data theft.
  • Loss of productivity.
  • Use of corporate networks resources: bandwidth, mail flooding, etc.

Recognizing a Phishing Email

It might be difficult for users that have received a message with these characteristics to tell the difference between a phishing email and a legitimate one, especially for those that are clients of the financial entity from which the email message is supposed to come.

The From: field shows an address belonging to the legitimate company. However, it is very easy for fraudsters to spoof the source email address that is displayed in any mail client.

The message includes logos or images, which have been collected from the legitimate website to which the forged email refers.

Though the link included seems to point to the original company website, it actually directs the browser to a fraudulent webpage, in which user data, passwords, etc. must be entered.

These messages frequently contain grammatical errors or spelling mistakes, or special characters, none of them usual in communication sent from the company that they are pretending to represent.

Spam

Spam is unsolicited email, normally with an advertising content sent out as a mass mailing. Some of the most common characteristics these types of email messages have are:

  • The address that appears as that of the message sender is unknown to the user and is quite often spoofed.
  • The message does not often have a Reply address.
  • An eye-catching subject is presented.
  • It has advertising content: website advertisements, ways to make money easily, miracle products, property offers, or simply lists of products on special offer.
  • Most spam is written in English and comes from the United States or Asia, although spam in Spanish is also now becoming common.

Although this type of malware is normally spread via email, there are variants, each with their own name according to their distribution channel:

  • Spam—Sent by email.
  • Spim—Specific to Instant Messaging applications (MSN Messenger, Yahoo Messenger, etc.).
  • Spit—Spam over IP telephony. IP telephony consists in using the Internet to make telephone calls.
  • Spam SMS—Spam designed to be sent to mobile devices using SMS (short message service).

How Spam Works and Is Distributed

Spammers try to obtain as many valid email addresses as possible, i.e., actually used by users. They use different techniques for this, some of which are highly sophisticated:

  • Mail Lists—The spammer looks in the mail list and notes down the addresses of the other members.
  • Purchasing User Databases from Individuals or Companies—Although this type of activity is illegal, it is actually carried out in practice and there is a black market.
  • Use of Robots (Automatic Programs)—These robots scour the Internet looking for addresses in webpages, newsgroups, weblogs, etc.
  • DHA (Directory Harvest Attack) Techniques—The spammer generates email addresses belonging to a specific domain and sends messages to them. The domain mail server will respond with an error to those addresses that do not actually exist, so the spammer can discover which addresses generated are valid. The addresses can be compiled using a dictionary or through brute force, i.e., by trying all possible character combinations.

Consequently, all email users are at risk from these types of attacks. Any address published on the Internet (used in forums, newsgroups, or on any website) is more likely to be a spam victim.
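A directory harvest attack leaves a recognizable trace in mail server logs: one client, many distinct recipients, mostly rejected as unknown. The following added example (not from the original text) detects that pattern and also reports which guessed addresses were accepted, since those are the mailboxes the spammer has now confirmed. The key=value log layout, thresholds, and addresses are constructed assumptions, not a real mail server's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: <timestamp> client=<ip> rcpt=<address> reply=<code> <text>
LINE = re.compile(r"^(\S+) client=(\S+) rcpt=<([^>]*)> reply=(\d{3})")


def build_sample_log():
    """Constructed sample: one harvesting client and one ordinary sender."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    guesses = ["aaron", "abby", "adam", "alan", "alice", "amy", "andy", "anna"]
    for i, name in enumerate(guesses):
        reply = "250 2.1.5 ok" if name == "alice" else "550 5.1.1 user unknown"
        stamp = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{stamp} client=203.0.113.7 rcpt=<{name}@corp.example> reply={reply}")
    ordinary = [("bob", "250 2.1.5 ok"), ("carol", "250 2.1.5 ok"),
                ("caroll", "550 5.1.1 user unknown")]  # a single typo, not a harvest
    for i, (name, reply) in enumerate(ordinary):
        stamp = (t0 + timedelta(minutes=10 + i)).isoformat()
        lines.append(f"{stamp} client=198.51.100.20 rcpt=<{name}@corp.example> reply={reply}")
    return "\n".join(lines)


def detect_dha(log_text, window=timedelta(minutes=5), min_unknown=5, min_fail_share=0.8):
    """Flag clients that probe many distinct unknown recipients in one window."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            stamp, client, rcpt, code = m.groups()
            per_client[client].append((datetime.fromisoformat(stamp), rcpt.lower(), code))
    alerts = {}
    for client, rows in per_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            unknown = {rcpt for _, rcpt, code in span if code == "550"}
            fail_share = sum(code == "550" for _, _, code in span) / len(span)
            best = alerts.get(client, {"unknown": 0})["unknown"]
            if (len(unknown) >= min_unknown and fail_share >= min_fail_share
                    and len(unknown) > best):
                alerts[client] = {
                    "unknown": len(unknown),
                    # Addresses accepted during the probe: now known to the sender.
                    "confirmed": sorted({r for _, r, c in span if c == "250"}),
                }
    return alerts


if __name__ == "__main__":
    for client, detail in detect_dha(build_sample_log()).items():
        print(client, detail)
```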

Protecting Users Against Spam

The mail message filter is a basic measure to prevent spam entering users’ mail boxes. There are many applications that can filter emails by message, keywords, domains, IP addresses from which the messages come, etc. The best anti-spam systems should be based on more than just one technology. They should use diverse techniques (heuristic rules, Bayesian filters, white and black lists, digital signatures, sender authentication, etc.) that achieve the basic aim of reducing false positives to a minimum and therefore eliminate the possibility of a user losing a message as a result of a system error, maintaining a high degree of efficiency in the spam detection process. Also, take into account the following guidelines for protecting users against spam and minimizing its effects:

  • Do not publish personal email addresses in any public site, such as webpages for example.
  • Never click on the “unsubscribe” link in a spam message. All this will do is let the spammer verify that the email address is active.
  • Never reply to a spam message.
  • Do not resend chain letters, requests, or dubious virus alerts.
  • Do not open the spam message.
  • Disable the Preview Pane of the email client.
  • Do not purchase products offered through unsolicited emails.
  • Have various email accounts, and use them for separate purposes: personal, work, etc.
  • Use an anti-spam filter or an anti-spam solution.
  • Install an antivirus solution.
  • Install content filter software.

Botnets

A botnet is an army of compromised machines, also known as zombies, that are under the command and control of a single botmaster. The rise of consumer broadband has greatly increased the power of botnets to launch crippling denial-of-service (DoS) attacks on servers, infect millions of computers with spyware and other malicious code, steal identity data, send out vast quantities of spam, and engage in click fraud, blackmail, and extortion.

How Botnets Are Created

Botnet creation begins with the download of a software program called a bot (for example, IRCBot, SGBot, or AgoBot) along with an embedded exploit (or payload) by an unsuspecting user, who might click an infected email attachment or download infected files or freeware from P2P networks or malicious websites. Once the bot and exploit combination is installed, the infected machine contacts a public server that the botmaster has set up as a control plane to issue commands to the botnet. A common technique is to use public internet relay chat (IRC) servers, but hijacked servers can also issue instructions using HTTPS, SMTP, TCP, and UDP strings. Control planes are not static and are frequently moved to evade detection; they run on machines (and by proxies) that are never owned by the botmaster.

Using the control plane, the botmaster can periodically push out new exploit code to the bots. It can also be used to modify the bot code itself in order to evade signature-based detection or to accommodate new commands and attack vectors. Initially, however, the botmaster’s primary purpose is to recruit additional machines into the botnet. Each zombie machine is instructed to scan for other vulnerable hosts. Each new infected machine joins the botnet and then scans for potential recruits. In a matter of hours, the size of a botnet can grow very large, sometimes comprising millions of PCs on diverse networks around the world.

The Impact of Botnets

Botnet-led exploits can take many forms, as detailed below:

  1. Distributed Denial-of-Service (DDoS) Attacks: With thousands of zombies distributed around the world, a botnet may launch a massive, coordinated attack to impair or bring down high-profile sites and services by flooding the connection bandwidth or resources of the targeted system. Multigigabit-per-second attacks are not uncommon. Most common attack vectors deploy UDP, Internet Control Message Protocol (ICMP), and TCP SYN floods; other attacks include password brute forcing and application-layer attacks. Targets of attack may include commercial or government websites, email services, DNS servers, hosting providers, and critical Internet infrastructure, even anti-spam and IT security vendors. Attacks may also be directed toward specific political and religious organizations, as well as gambling, pornography, and online gaming sites. Such attacks are sometimes accompanied by extortion demands.
  2. Spyware and Malware: Zombies monitor and report users’ web activity for profit, without the knowledge or consent of the user (and at times for blackmail and extortion). They may also install additional software to gather keystroke data and harvest system vulnerability information for sale to third parties.
  3. Identity Theft: Botnets are often deployed to steal personal identity information, financial data, or passwords from a user’s PC and then either sell it or use it directly for profit.
  4. Adware: Zombies may automatically download, install, and display popup advertising based on a user’s surfing habits or force the user’s browser to periodically visit certain websites.
  5. Email Spam: Most of today’s email spam is sent by botnet zombies.
  6. Click Fraud: The exploit code may imitate a legitimate web browser user to click on ads for the sole purpose of generating revenue (or penalizing an advertiser) for a website on pay-per-click advertising networks (such as Google Adwords).
  7. Phishing: Zombies can help scan for and identify vulnerable servers that can be hijacked to host phishing sites, which impersonate legitimate services (e.g., PayPal or banking websites) in order to steal passwords and other identity data.

Botnet Detection and Mitigation

Botnets use multiple attack vectors; no single technology can provide protection against them. For instance, the goal of a DDoS attack is to cripple a server. The goal of a phishing attack is to lure users to a spoofed website and get them to reveal personal data. The goal of malware can range from collecting personal data on an infected PC to showing ads on it or sending spam from it. A defense-in-depth approach is essential to detect and mitigate the effects of botnets.

Traditional packet filtering, port-based, and signature-based techniques do not effectively mitigate botnets that dynamically and rapidly modify the exploit code and control channel, resort to port-hopping (or using standard HTTP/S ports such as 80 and 443), and shuffle the use of zombie hosts. A variety of open source and commercial tools are currently used for botnet detection. Many of them analyze traffic flow data reported by routers, such as Cisco NetFlow. Others use behavioral techniques; for example, building a baseline of a network or system under normal conditions and using it to flag abnormal traffic patterns that might indicate a DDoS attack. DNS log analysis and honeypots are also used to detect botnets, but these techniques are not always scalable.

The most common detection and mitigation techniques include:

  1. Flow Data Monitoring: This technique uses flow-based protocols to get summary network and transport-layer information from network devices. Cisco NetFlow is often used by service providers and enterprises to identify command-and-control traffic for compromised workstations or servers that have been subverted and are being remotely controlled as members of botnets used to launch DDoS attacks, perform keystroke logging, and carry out other forms of illicit activity.
  2. Anomaly Detection: While signature-based approaches try to have a signature for every vulnerability, anomaly detection (or the behavioral approach) tries to do the opposite. It characterizes what normal traffic is like and then looks for deviations. Any burst of scanning activity on the network from zombie machines can be detected and blocked. Anomaly detection can be effectively used on the network as well as on endpoints (such as servers and laptops). On endpoints, suspicious activity and policy violations can be identified and infections prevented.
  3. DNS Log Analysis: Botnets often rely on free DNS hosting services to point a subdomain to IRC servers that have been hijacked by the botmaster and that host the bots and associated exploits. Botnet code often contains hard-coded references to a DNS server, which can be spotted by any DNS log analysis tool. If such services are identified, the entire botnet can be crippled by the DNS server administrator by directing offending subdomains to a dead IP address (a technique known as null-routing). While this technique is effective, it is also the hardest to implement since it requires cooperation from third-party hosting providers and name registrars.
  4. Honeypots: A honeypot is a trap that mimics a legitimate network, resource, or service but is in fact a self-contained, secure, and monitored area. Its primary goal is to lure and detect malicious attacks and intrusions. Effective more as a surveillance and early warning system, it can also help security researchers understand emerging threats. Due to the difficulty in setup and the active analysis required, the value of honeypots on large-scale networks is rather limited.
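The flow-monitoring and anomaly-detection items above can be combined in a few lines. The following is an added example, not part of the original text: it learns each host's normal fan-out (distinct destinations per time window) from baseline flow records and flags a host whose fan-out jumps far above it while most of its flows stay tiny, the pattern produced by a zombie scanning for recruits. The record layout, thresholds and all sample flows are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow record layout (an assumption for this example):
#   (window, src_ip, dst_ip, dst_port, packets)
# A real deployment would read equivalent fields from a NetFlow/IPFIX export.


def fanout_per_window(flows):
    """Return {(window, src): count of distinct (dst_ip, dst_port) pairs}."""
    seen = defaultdict(set)
    for window, src, dst, port, _pkts in flows:
        seen[(window, src)].add((dst, port))
    return {key: len(dsts) for key, dsts in seen.items()}


def build_baseline(flows):
    """Per-host (mean, standard deviation) of fan-out over the baseline windows."""
    per_host = defaultdict(list)
    for (_window, src), count in fanout_per_window(flows).items():
        per_host[src].append(count)
    return {src: (mean(c), pstdev(c)) for src, c in per_host.items()}


def detect_scanners(flows, baseline, sigma=3.0, floor=20,
                    small_pkts=3, small_ratio=0.8):
    """Flag hosts whose fan-out exceeds max(floor, mean + sigma * stdev)
    and whose flows are mostly tiny (unanswered probes carry few packets)."""
    fanout = fanout_per_window(flows)
    total = defaultdict(int)
    small = defaultdict(int)
    for window, src, _dst, _port, pkts in flows:
        total[(window, src)] += 1
        if pkts <= small_pkts:
            small[(window, src)] += 1
    alerts = []
    for (window, src), count in sorted(fanout.items()):
        avg, dev = baseline.get(src, (0.0, 0.0))  # unknown host: floor applies
        threshold = max(floor, avg + sigma * dev)
        ratio = small[(window, src)] / total[(window, src)]
        if count > threshold and ratio >= small_ratio:
            alerts.append({"window": window, "src": src, "fanout": count,
                           "threshold": round(threshold, 2)})
    return alerts


def _mk(window, src, n, port, pkts, net="192.0.2."):
    """Build n constructed flows from src to n distinct documentation-range hosts."""
    return [(window, src, f"{net}{i}", port, pkts) for i in range(1, n + 1)]


# Constructed baseline: a workstation with low fan-out and a DNS resolver whose
# high fan-out of small flows is normal for it.
BASELINE_FLOWS = []
for w, n in enumerate([3, 4, 5, 4]):
    BASELINE_FLOWS += _mk(w, "10.0.0.5", n, 443, 40)
for w, n in enumerate([40, 41, 39, 40]):
    BASELINE_FLOWS += _mk(w, "10.0.0.9", n, 53, 2)

# Constructed observation window 4: the workstation suddenly touches 60 hosts
# with single-packet flows; the resolver and a new host behave normally.
OBSERVED_FLOWS = (
    _mk(4, "10.0.0.5", 60, 445, 1, net="198.51.100.")
    + _mk(4, "10.0.0.9", 41, 53, 2)
    + _mk(4, "10.0.0.7", 4, 443, 30)
)

if __name__ == "__main__":
    for alert in detect_scanners(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

The resolver is not flagged even though its fan-out is high and its flows are small, because that behavior is inside its own baseline; a fixed global threshold would either miss the workstation or alert on the resolver.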

Malicious Web Activity

Web-based attacks are one of the most popular ways to spread malcode in the wild. Social network sites can contain vulnerabilities designed to spread malware code through one or more “profiles” that have been crafted by attackers to draw in hundreds and thousands of potential “drive-by” victims. Web-based vectors commonly spread through social engineering and through the exploitation of Internet Explorer as well as Firefox and other browsers. Web attack vectors offer a multitude of possibilities for an attacker to reach thousands of targets in a very short amount of time with little to no effort at all.

Cross-Site Scripting (XSS) Attacks

In general, cross-site scripting refers to the hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim. According to the CERT Coordination Center:

“A webpage contains both text and HTML markup that is generated by the server and interpreted by the client browser. Websites that generate only static pages are able to have full control over how the browser interprets these pages. Websites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the website nor the client has enough information to recognize that this has happened and take protective actions.”

According to Acunetix:

“Cross-site scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and is distributed over any possible means on the Internet.”24

To check for cross-site scripting vulnerabilities, use a web vulnerability scanner. A web vulnerability scanner crawls an entire website and automatically checks for cross-site scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks. Besides cross-site scripting vulnerabilities, a web application scanner will also check for SQL injection and other web vulnerabilities.
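The CERT description above can be seen in a few lines of server-side code. This is an added example, not part of the original text: a dynamic page built by plain string concatenation, next to a version that encodes untrusted input for the HTML context it lands in and allows only known link schemes. The function names and sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of untrusted input arriving in a request parameter.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_search_vulnerable(query):
    # Untrusted input is concatenated straight into markup, so the browser
    # cannot tell server-generated tags from user-supplied ones.
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    # HTML-encode on output: <, >, &, " and ' become character references,
    # so the browser renders the input as text instead of parsing it as markup.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Return url only if it carries an allowed scheme, otherwise '#'.

    Encoding alone is not enough for a link target: a javascript: URL
    contains no special characters to escape. An allow-list is used rather
    than a block-list; relative URLs (empty scheme) are rejected too in this
    example to keep the rule simple.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return url.strip() if scheme in ALLOWED_SCHEMES else "#"


def render_profile_link(url, label):
    # Two contexts, two defenses: scheme allow-list for the URL, then
    # attribute encoding so a quote cannot close href and add a handler.
    href = html.escape(safe_href(url), quote=True)
    return f'<a href="{href}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_INPUT))
    print(render_search_safe(SAMPLE_INPUT))
    print(render_profile_link("javascript:alert(1)", "my site"))
    print(render_profile_link('https://example.com/" onmouseover="x', "my site"))
```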

Zero-Day Exploits and Advanced Persistent Threats (APTs)

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch. It is called a “zero-day” because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.

A special type of vulnerability management process focuses on finding and eliminating zero-day weaknesses. This unknown vulnerability management lifecycle is a security and quality assurance process that aims to ensure the security and robustness of both in-house and third-party software products by finding and fixing unknown (zero-day) vulnerabilities. According to Codenomicon, the unknown vulnerabilities management process consists of four phases: analyze, test, report, and mitigate.25

  • Analyze—This phase focuses on attack surface analysis.
  • Test—This phase focuses on fuzz testing the identified attack vectors.
  • Report—This phase focuses on reporting of the found issues to developers.
  • Mitigate—This phase looks at protective measures explained below.

Zero-day exploits can take many forms. One example was announced in early October of 2014. In this case, Bugzilla, a system that many developers use to track and discuss bugs in their code, was the target. Patches released for Bugzilla addressed a privilege escalation vulnerability that could have allowed attackers to gain administrative access to software bug trackers based on the open-source application. Bugzilla is developed with support from the Mozilla Foundation, which uses it to track issues for many of its own products. However, the platform is also used by the Apache Software Foundation, the Linux kernel developers, LibreOffice, OpenOffice, OpenSSH, Eclipse, KDE, GNOME, various Linux distributions, and many other projects. The vulnerability was discovered by security researchers from Check Point Software Technologies and was reported to the Bugzilla developers on September 30, 2014. The flaw has been in the software for a long time, and it’s unclear whether anyone discovered and exploited it independently in the past.

In July of 2014, Google announced a Zero-Day tracking initiative called Project Zero.26 Google claims that this project will allow them to document and stop the latest zero-day threats before they can be exploited. Project Zero is a two-pronged attack against zero-days. It creates within Google a team of elite security researchers who have a broad mandate to go bug-hunting. Project Zero also will create a public database of zero-day bugs that will be first reported only to the software vendor, without contacting third parties.27

An APT uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term. This infographic details the attack phases, methods, and motivations that differentiate APTs from other targeted attacks.

The five phases of an APT are detailed below:

  • Reconnaissance—Attackers leverage information from a variety of areas to understand their target.
  • Incursion—Attackers break into the target network by using social engineering to deliver targeted malware to vulnerable systems and people.
  • Discovery—The attacker maps the organization’s defenses from the inside out, allowing them to have a complete picture of the strengths and weaknesses of the network. This allows the attacker to pick and choose what vulnerabilities and weaknesses they will attempt to exploit through the deployment of multiple parallel vectors to ensure success.
  • Capture—Attackers access unprotected systems and capture information over an extended period of time. They will also traditionally install malware to allow for the secret acquisition of data and potential disruption of operations if required.
  • Exfiltration—Captured information is sent back to the attackers for analysis and potentially further exploitation.

Brute Force Attacks

A brute force attack can manifest itself in many different ways, such as an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response. An attacker may use a dictionary attack, with or without mutations, or a traditional brute force attack with given classes of characters, e.g., alphanumerical, special, case (in)sensitive. There are several different types of brute force attacks as listed below:

  1. Dictionary Attack: Dictionary-based attacks consist of automated scripts and tools that will try to guess usernames and passwords from a dictionary file. A dictionary file can be tuned and compiled to cover words potentially used by the owner of the account. The attacker can gather information via many methods such as active/passive reconnaissance, competitive intelligence, dumpster diving, and social engineering to better understand the target.
  2. Search Attacks: Search attacks will try to cover all possible combinations of a given character set and a given password length range. This kind of attack is very slow because the space of possible candidates is quite big.
  3. Rule-Based Search Attacks: The creation of good rules to drive the search can serve to increase the combination space coverage without slowing down the process too much. For example, a password cracking software tool such as John the Ripper can generate password variations from part of the username or modify them through the use of a preconfigured mask word in the input (e.g., 1st round “tool” > 2nd round “t001” > 3rd round “too1t0”).28

One example of a brute force attack can be targeting a web application by taking a word list of known pages, for instance from a popular content management system, and simply requesting each known page, and then analyzing the HTTP response code to determine if the page exists on the target server. DirBuster is one tool that can be used to carry out this kind of an attack.29

Figure 7-21 shows the main DirBuster tool interface running in Windows 7. If the option for scanning type is set to “List based brute force,” then a selection must be made to indicate which list to use. Figure 7-22 shows the built-in list options that are available for use. Users can also make their own list(s) and place them in the C:\Program Files (x86)\DirBuster directory in Windows, or in the DirBuster installation directory in Linux.

Figure 7-21: Main DirBuster tool interface running in Windows 7

Figure 7-22: Built-in list options that are available for use

The main issue with the use of tools like dirb or DirBuster is the way that they analyze server responses. With more advanced server configurations such as with mod_rewrite, automatic tools are sometimes unable to understand and correctly process “File not found” errors due to the server response being an HTTP response code 200, even though the webpage itself indicates “File not found” as text somewhere on the page. This can lead to false positives if the brute force tool is only relying on HTTP response codes to determine success or failure of the attack. One way to address this issue is to deploy a more advanced application assessment tool, such as Burp Suite, which can be used to parse specific parts of the page returned, looking for certain strings in an effort to reduce false positives.30

The security practitioner should become familiar with brute force attack methodology as well as the tools that are used to execute these attacks in the wild. One of the resources that security practitioners should consider taking advantage of in this regard is the use of defensive tools to help detect brute force attacks when they are occurring. Php-Brute-Force-Attack Detector is one such tool that could be used for this purpose.31
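The two preceding paragraphs translate into a server-side check. This is an added example, not part of the original text and not a description of how Php-Brute-Force-Attack Detector works: it reads web access log lines and flags a client that misses many distinct pages in a short window. Because a rewritten “File not found” page can be served with response code 200, a detector that counts only 404s is blind in the same way the scanning tools are, so misses are also recognized by the known size of the site's own not-found page. The log layout, thresholds, sizes and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access log prefix: ip, identity, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(line):
    """Return (ip, timestamp, path, status, size) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts, m["path"], int(m["status"]), size


def is_miss(status, size, soft404_sizes):
    """A miss is a real 404, or a 200 whose body size matches the site's
    'File not found' page (measured by the site owner; an assumption here)."""
    return status == 404 or (status == 200 and size in soft404_sizes)


def detect_forced_browsing(lines, soft404_sizes=frozenset(),
                           window=60, threshold=15):
    """Return {ip: peak number of distinct missed paths inside `window` seconds}
    for clients reaching `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # ip -> (timestamp, path) of recent misses
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status, size = rec
        if not is_miss(status, size, soft404_sizes):
            continue
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > timedelta(seconds=window):
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def _line(ip, sec, path, status, size):
    """Build one constructed log line at 13:MM:SS on a constructed date."""
    return (f'{ip} - - [01/Jan/2015:13:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} {size}')


# Constructed sample: one client requests 30 nonexistent pages in 30 seconds and
# always receives the 1532-byte not-found page with status 200; another client
# browses normally and hits a single genuine 404.
SAMPLE_LOG = [_line("203.0.113.7", i, f"/page{i}.php", 200, 1532) for i in range(30)]
SAMPLE_LOG += [
    _line("198.51.100.20", 5, "/index.php", 200, 8421),
    _line("198.51.100.20", 12, "/about.php", 200, 5310),
    _line("198.51.100.20", 20, "/old-page.php", 404, 209),
    _line("198.51.100.20", 31, "/contact.php", 200, 4077),
]

if __name__ == "__main__":
    print("status codes only:", detect_forced_browsing(SAMPLE_LOG))
    print("soft-404 aware:   ", detect_forced_browsing(SAMPLE_LOG, {1532}))
```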

Instant Messaging

Instant messaging (IM) threats may involve exploitation of software to spread code but more frequently rely on social engineering. Kelvir is one such bot, infamous for spreading as a bot through traditional means and also through IM.32 Historically, IM threats are less likely to be trusted and followed compared to email threats. Most involve a user receiving a message with a link that the user is required to click on to visit the hostile site. The remote hostile site may involve social engineering or include an exploit to attack the computer. There was an interesting resurgence of this attack vector in 2010 surrounding the World Cup events being hosted in South Africa. According to Symantec researchers, by the end of 2010, one in 300 IM messages would contain a URL. Also, in 2010, Symantec predicted that overall one in 12 hyperlinks would be linked to a domain known to be used for hosting malware. Thus, one in 12 hyperlinks appearing in IM messages would contain a domain that is considered suspicious or malicious. In mid-2009, that level was one in 78 hyperlinks.

Instant messaging threats are more of a historical issue today for most security practitioners because much of the instant messaging usage taking place across company-owned networks is secured and encrypted traffic, even when it transits across the World Wide Web between federated partners. The advent of instant messaging platforms that use encryption, log user interactions, transcribe conversations, and archive them for storage, subjecting them to retention policies and governance regimes, has changed the way this technology is being used by business today and, as a result, the nature of the threats that users may be exposed to. There are still threats that users of instant messaging platforms may face, such as account hijacking and the ability to become a launching pad for the spread of worms through the use of the contact lists maintained by the instant messaging software.

Peer-to-Peer Networks

P2P networks involve hosts sharing files with one another, either directly or through a centralized P2P server.33 A wide variety of files are shared on P2P networks, including those that are unintentionally shared and pirated, illegal, and warez-type media. Most P2P downloads are not malicious. However, risk escalates to more than 75% on average once a user starts to search for specific terms like pornography-related words and illegal terms such as “warez” and “crack.” Studies analyzing the spread of malware on P2P networks found that 63% of the answered download requests on the Limewire network contained some form of malware, whereas only 3% of the content on OpenFT contained malware. In both cases, the top three most common types of malware accounted for the large majority of cases (99% in Limewire and 65% in OpenFT). Another study analyzing traffic on the Kazaa network found that 15% of the 500,000-file sample examined was infected by one or more of the 365 different computer viruses that were tested for.34 Most organizations block the use of P2P software for security and liability reasons today. Security practitioners need to be diligent in monitoring network traffic for possible rogue P2P installations, as they can lead to unintentional sharing of files. Figure 7-23 shows what typical P2P software looks like on an end-user system.

Figure 7-23: What typical P2P software looks like on an end-user system

Internet Relay Chat

IRC was a big part of how people chatted or communicated near the turn of the century. Today, social networking sites and forums are dominating the scene as IRC falls into the background. IRC is still used by thousands daily and has similar threats to several years ago. It is common to receive spammed messages within IRC chat rooms, private messages from bots by bad actors, and more. Sometimes bad actors attempt to exploit vulnerable software (chat clients) or may send malcode through IRC to the user via links or files directly through a Direct Client to Client Protocol (DCC) connection.35

As of December 2014, the largest IRC networks were the following:36

  • IRCnet—Around 50k users during peak hours
  • QuakeNet—Around 40k users during peak hours
  • Undernet—Around 30k users during peak hours
  • EFnet—Around 28k users during peak hours
  • Rizon—Around 25k users during peak hours

Rogue Products and Search Engines

There are literally hundreds of rogue security products, such as Antivirus XP 2008/9, Antivirus Pro, and many others. They have legitimate sounding names and GUIs but are not legitimate programs. They even have successfully hosted advertisements for short periods of time on major websites. Parked domains and manipulated search engine results and abuse can also be used to help spread malcode to computers via social engineering and exploitation. One tip is to scan files before installation with a free multiscanner like VirusTotal (http://www.virustotal.com) or Jotti (http://virusscan.jotti.org/en) to see if they are detected as malicious.

Infected Factory Builds and Media

Should you scan media for malcode? While it is a rare occurrence, some major cases of media being infected are reported every year. Infected media and computers are a possibility, especially as major changes take place in highly competitive industries with outsourced or overseas operations. Sometimes core builds of various downloads on the Internet are also hacked or compromised by bad actors, leading to malicious installations of software. Again, these cases are rarer than other vectors but do happen and are normally communicated clearly and globally when such incidents take place.

Web Exploitation Frameworks

Web exploitation frameworks are tools that include many exploits and a user interface to launch attacks against computers visiting a website. Exploit kits, also referred to as exploit packs, are a type of malware that allows hackers to exploit vulnerabilities in a given system. The packs might target vulnerabilities in programs such as Adobe Flash Player, which would allow the hacker to gain access to a system remotely by way of a web browser, or they may exploit faulty or non-existent patches in third-party applications or operating systems. Exploit kits can be downloaded for free or purchased.

There are many exploit frameworks available in the wild. A partial listing includes the following: Redkit, Crime Boss, Cool, Sweet Orange, Phoenix, Sakura, Siberia Private, g01Pack, Impact, Popads, and SofosFO. The security practitioner needs to stay up to date on what exploit frameworks are being used in the wild and how to detect their use in order to be able to defend their users and networks from attack.37

Payloads

There are a wide range of payloads being used to deliver malcode in the wild today. In the early days, payloads were more related to fame, such as promoting an alias of a virus writing author. Early malcode often asked for permission to spread or simply spread and notified the user. Then destructive payloads followed, resulting in a loss of data. Common payloads are overviewed in this section.

Backdoor Trojans

Backdoor Trojans are malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer. These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or “master” of the Trojan with remote administration capabilities of victim machines. Unlike legitimate remote administration utilities, they install and launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, and more.

As the name suggests, these threats are used to provide a covert channel through which a remote attacker can access and control a computer. The Trojans vary in sophistication, ranging from those that only allow for limited functions to be performed to those that allow almost any action to be carried out, thus allowing the remote attacker to almost completely take over control of a computer. A computer with a sophisticated back door program installed may also be referred to as a zombie or a bot. A network of such bots may often be referred to as a botnet. Botnets have been well publicized in the news over the years, with different instances being given specific names such as Kraken, Mariposa, Kneber, Virut, ZeroAccess, and Zeus along with claims of hundreds of thousands of nodes belonging to certain networks.

Typical back door capabilities may allow a remote attacker to:

  • Collect information (system and personal) from the computer and any storage device attached to it
  • Terminate tasks and processes
  • Run tasks and processes
  • Download additional files
  • Upload files and other content
  • Report on status
  • Open remote command line shells
  • Perform denial-of-service attacks on other computers
  • Change computer settings
  • Shut down or restart the computer

Backdoor Trojan horse programs have become increasingly popular amongst malware creators over the years because of the shift in motivation from fame and glory to money and profit. In today’s black market economy, a computer with a back door can be put to work performing various criminal activities that earn money for their controllers. Schemes such as pay per install, sending spam emails, and harvesting personal information and identities are all ways to generate revenue. The security practitioner needs to be aware of backdoor Trojans and the potential impact they can have on a network.38

Man-in-the-Middle Malcode

Man-in-the-middle (MITM) refers generically to any agent that is in between communications or processing and is able to influence it in some regard. It is traditionally used to describe communication flows across the Internet. With regard to malcode, it is more commonly used to describe malcode that infects a host and then plays MITM locally to manipulate traffic and events. A man-in-the-middle attack is a type of attack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties, and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack allows a malicious actor to intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. Man-in-the-middle attacks can be abbreviated in many ways, including MITM, MitM, MiM, or MIM.

Key concepts of a man-in-the-middle attack include the following:

  • Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
  • A MITM attack exploits the real time processing of transactions, conversations, or transfer of other data.
  • A man-in-the-middle attack allows an attacker to intercept, send, and receive data never meant to be for them without either outside party knowing until it is too late.

There are now phishing attacks that are controlled by malcode that are very sophisticated. In one instance the malcode monitors URLs. If it sees a URL that it targets for phishing, it sends encrypted data over TCP port 80 to a remote C&C. The remote C&C returns customized phishing data to the code in real time to display in the browser instead of the URL accessed by the end user.

Additional examples of MITM attacks have come to light through the activities of Edward Snowden. Some of the documents leaked by him show that the NSA’s so-called STORMBREW program, which involves copying Internet traffic directly off of cables as it is flowing past, is being operated with the help of a “key corporate partner” at about eight strategic locations across the United States where there is access to “international cables, routers, and switches.” According to a leaked NSA map, this surveillance appears to be taking place at network junction points in Washington, Florida, Texas, at two places in California, and at three further locations in or around Virginia, New York, and Pennsylvania.

In addition to the STORMBREW program, there is evidence in leaked documents that the NSA and British counterpart/partner, the GCHQ, have directly performed a man-in-the-middle attack to impersonate Google security certificates.39 One document, apparently taken from an NSA presentation that also contains some GCHQ slides, describes how the attack was carried out to snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format. Figure 7-24 shows the diagram of the attack vector.

Figure 7-24: Diagram of the Google MITM attack vector

Documents from GCHQ’s network exploitation unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor. FLYING PIG has the option to query Tor events and also allows spies to collect information about specific SSL encryption certificates. GCHQ’s network exploitation unit boasts in one document that it is able to collect traffic not only from foreign government networks but also from airlines, energy companies, and financial organizations.

Identifying Infections

Identification of infections often takes place through network alerts or antivirus scanning results. Unfortunately, these alerts all too often do not include enough details to enable a thorough response by a security practitioner. For example, a network tool may identify a hostile IP address and sample traffic but may not include the domain or original universal resource identifier (URI). As a result the security practitioner may need to perform open source intelligence queries against the IP alone in hopes of identifying possible related malicious activity to know how to follow up on the malcode threat.

In addition, an investigation of cache data and logs from the local host may also be required to investigate a possible infection. Security practitioners need to review policies to ensure that logs are detailed enough and not deleted too quickly to empower malcode mitigation and investigations. For example, a decision to delete detected malicious code removes any samples that could have been quarantined instead and then captured for laboratory analysis.

If antivirus software on a host identifies malcode, it may only be detecting part of the incident. New private code may have been installed following the infection. A second antivirus program and specialty programs like anti-rootkit software may be required to quickly identify other binaries on the system in question. In addition, manual inspection of drive contents or mounting the drive and identifying changes to the system may be required.

There are many tools that the security practitioner may use to evaluate a system’s health, as well as to monitor a system in real time. One example of a tool that can be very effective when used to establish a baseline for a system, allowing the security practitioner to understand what system files and processes are present during normal operations, is Process Explorer. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: If it is in handle mode, you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode, you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The Process Explorer window lists the processes that are running in the system, along with a variety of additional information. In Figure 7-25, the properties of a specific running process, Acrotray.exe, are shown. The security practitioner should take note of the various options and additional information available to them from within the properties area, such as the ability to find and verify the Path, Command Line, Current Directory, and Autostart Location for the process being examined. In addition, the ability to kill the process is also available.

Figure 7-25: Properties of a specified running process are displayed.

Using a tool such as ProcNetMonitor, the security practitioner will be able to have visibility into what processes are running on a given machine, as well as what ports they are using to communicate. Figure 7-26 shows the information that ProcNetMonitor displays when launched. The AppleMobileDeviceService process has been selected, and the resulting information displayed in the lower left and right portions of the screen show the Open Network Ports and the Active Network Connections.

Another type of tool that security practitioners should consider using is one that allows for the examination of executable files. This kind of a tool can be used to examine the internal make-up of the executable package, allowing the security practitioner to see if there is potential malware included inside of the .exe file. Figure 7-27 shows PeStudio, a Windows Image Executable Analysis tool that has been used to examine the ArpScan executable. The VirusTotal scores section has been highlighted in the left hand column, and the resulting information in the right hand column shows that 5 AV scanning engines have tagged this file as potentially having malware or malware-like components contained within it.

Figure 7-26: Information that ProcNetMonitor displays when launched

Figure 7-27: PeStudio, a Windows Image Executable Analysis tool that has been used to examine the ArpScan executable

An antivirus scanning engine is also a tool that the security practitioner needs to make sure that they are using in order to protect computers, as well as to validate what kind of malware may have been used to infect a specific machine.

Malicious Activity Countermeasures

A wide variety of security solutions exist to help fight malcode on multiple layers. A brief annotation of common areas of concern is outlined in this section. Configuration options of solutions like antivirus software are not covered here since that is specific to each application and policies implemented by individual organizations.

Network Layer

A large number of solutions and managed services exists for working with the network layer of an enterprise. It is very important for a security practitioner to be able to monitor and manage all network traffic across an enterprise. Best practices for managing and securing network traffic include locking down ports that are not used, encouraging the use of nonstandard ports to avoid brute force attacks against protocols such as FTP and SSH and similar services, as well as using encryption solutions for secure traffic flows. Security practitioners also need to deploy network monitoring to identify questionable egress traffic made by hosts, such as excessive DNS requests, port scanning activities, and worm behavior related to the network. For example, if a backdoor Trojan is discovered on a computer, monitoring for egress traffic can help to identify the C&C server and activity of the code. Monitoring can take place with tools such as Advanced Port Scanner, which maps open ports per host, Open Ports Scanner for mapping processes to ports on a specific host, as well as network solutions like Snort, which can capture network traffic between multiple hosts across a network.

Figure 7-28 shows Advanced Port Scanner being used to scan an IP address range. A security practitioner can use this tool to examine a range of hosts over the network and establish which ports are open per host, and as a result, can understand several things about the hosts being profiled, such as O/S type, services running on the host, as well as unusual traffic patterns based on ports in use.

Figure 7-29 shows Open Ports Scanner being used to scan a single host. The detailed output shows the Protocol, PID, Process Name, Local Port, Remote IP Address, Remote Port, and Connection State for each item recorded during the scan. A security practitioner can use this tool to examine a single host in depth, gaining detailed understanding of what processes are running on the host, what port they are connecting from, and where they are connecting to. This information can help to uncover if there is malware running on the host, and if so, what ports it may be using to interact with its C&C infrastructure.

Figure 7-28: Advanced Port Scanner being used to scan an IP address range

Figure 7-29: Open Ports Scanner being used to scan a single host

Figure 7-30 shows Snort being initialized and set up to run on a host. Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort has become a tool that security practitioners are very likely to come across in the enterprise today. The security practitioner should have a working knowledge of Snort, and a familiarity with how to install, set up, and configure Snort for basic network monitoring. There is a set of detailed step-by-step guides that walk through the process of configuring a Snort solution for both Windows and Linux based installations.

Figure 7-30: Snort being initialized and set up to run on a host

All of the relevant Snort documentation can be found at https://www.snort.org/documents. The landing page for setting up a Snort solution in a Windows environment can be found at http://www.winsnort.com/.

Deep-analysis capabilities are also required to help identify and mitigate malicious code. For example, if an incident takes place, the security practitioner may benefit greatly from having a PCAP file of how the malcode functions within a laboratory environment. That information can then be used to develop custom Snort signatures or similar solutions across the network. Security practitioners can work with intelligence agencies like iSIGHT Partners to acquire support for malcode incidents of interest and the deep data required to develop Snort signatures, or coordinate with a managed security service provider (MSSP).40 An MSSP is an Internet service provider (ISP) that provides an organization with some amount of network security management, which may include virus blocking, spam blocking, intrusion detection, firewalls, and virtual private network (VPN) management. An MSSP can also handle system changes, modifications, and upgrades.

Application Layer

The security practitioner will need to ensure that some form of antivirus software is being deployed and used throughout the enterprise. There are two main methods that are used to search for and detect viruses and malcode. The first is signature detection. A signature is a string of bits found in a virus. An effective signature is the string of bits that is commonly found in viruses but not likely to be found in normal programs. Generally, each virus has its own unique signature. All known signatures are organized in a database. A signature-based virus detection tool searches for a known signature in all the files on a system. The second method used is heuristic analysis. Heuristic analysis is useful in detecting new or unknown viruses. Heuristic analysis can be static or dynamic. Static heuristics mainly analyze the file format and the code structure of the virus body. Dynamic heuristics use code emulators to detect unusual behavior while the virus code is running inside the emulator.

Heuristics, if properly employed, can improve detection by 7–10%. There are several different types of heuristic analysis that may be deployed by an antivirus software engine, as noted below:

  1. File Emulation: Also known as sandbox testing or dynamic scanning, file emulation allows the file to run in a controlled virtual system, or sandbox, to see what it does. If the file acts like a virus, it’s deemed a virus.
  2. File Analysis: File analysis involves the software taking an in-depth look at the file and trying to determine its intent, destination, and purpose. Perhaps the file has instructions to delete certain files, to format a hard drive, or to replace certain files with altered versions containing the malcode itself, and as a result it should be considered a virus.
  3. Genetic Signature Detection: This technique is particularly designed to locate variations of viruses. Several viruses are re-created and make themselves known by a variety of names, but they essentially come from the same family, or classification. Genetic detection uses previous antivirus definitions to locate these similar “cousins” even if they use a slightly different name or include some unusual characters.41

In order to deploy a robust antivirus solution, the security practitioner should use a multilayered approach that is part of a greater enterprise security plan. For example, use one antivirus engine on the gateway and another on the host. This greatly improves the chances of detecting the malcode since one single antivirus solution is limited to its unique detection capabilities. Two or more layers of antivirus protection help to improve overall detection and mitigation rates.

Third-Party Certifications

To identify what will be an appropriate antivirus solution, the security practitioner will need to do some research. First, identify those solutions that provide the type of centralized management and options required to fulfill the needs of the enterprise. It is then appropriate to consider demonstrations of products as well as reviewing third-party certifications of antivirus software. Several reliable third-party certification sources exist online:

Look for consistency in certifications. Those that regularly obtain certification are generally considered more robust for functionality than those that do not. One of the challenges is how samples are acquired and then used in tests performed by such agencies. One of the key components of this historically is what is known as the Wildlist.

The Wildlist

Malcode that actually infects a computer is considered “in the wild,” in loose terms. This is different from proof of concept (POC) code that may only exist within a laboratory environment, or some new code created by an author but not launched against a victim. The technical definition for malcode in the wild is derived from a group known as the Wildlist. The Wildlist maintains a website at http://www.wildlist.org/. When two or more Wildlist reporters, experts in the industry, submit the same code, it is considered “in the Wild.” A monthly Wildlist is published, and samples are shared among WildCore participants for testing and analysis.

Questionable Behavior on a Computer

Questionable behavior may indicate many things, including possible malicious behavior.

Pop-Ups

Pop-ups are one of the most common issues that users will report to a help desk. Take, for example, ad/spyware warnings like the one in Figure 7-31.

Figure 7-31: Pop-up message

The pop-up shown in Figure 7-31 is a common message that will appear on a computer, and if an unsuspecting user has not been given the proper security awareness training, they may very well choose to follow the instruction to “click here” and infect their machine with spyware. This is where research is required to follow up on such threat reports by end users. The security practitioner would need to be aware of the issue being reported by the end user and then be able to quarantine the computer in order to examine it and uncover whatever malcode may have been installed onto the machine. Figure 7-32 shows two tools that the security practitioner may use to detect malware that has been installed on a targeted computer. Programs such as Malwarebytes and CCleaner can be used to detect malware that is running on a system under investigation. CCleaner is also able to examine and report on what programs have been installed and set to run at startup on the computer.

Figure 7-32: Two tools that the security practitioner may use to detect malware that has been installed on a targeted computer

Degraded Performance

Degraded performance can happen for many reasons, such as memory-handling issues within the OS, the need to work with large and complex files that are graphic intensive, or incorrect hardware or software settings. If a noticeable change in performance takes place, it may be worthwhile for the security practitioner to investigate egress traffic on a computer as well as look at performance and process information on the host. This may lead to an investigation to discover an injected rootkit and malicious process or perhaps just optimization of the computer.

Modified HOSTS File and DNS Changes

Malicious code may modify the HOSTS file to block or redirect traffic on the host. The HOSTS file is located in the Windows\System32\Drivers\ETC directory. It normally has just a few entries, like the sample below showing a printer, Exchange, and a Shared drive for VPN access:

127.0.0.1        localhost
::1              localhost
HP001635578986   HP001635578986
10.1.100.5       exchange.local
192.168.155.5    SharedDrive

However, if it has additional entries that point to questionable content or loopback, it may indicate a malicious code infection. Data below are from an actual HOSTS-related file infected with malcode:

0.0.0.0    avp.ch
0.0.0.0    avp.com
0.0.0.0    avp.ru
0.0.0.0    avast.com

The above changes block access to known antivirus domains such as AVP.ch and others. They are redirected to 0.0.0.0, which goes nowhere.
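
The HOSTS check described above can be automated against the enterprise baseline. The following is an added example, not part of the original text: the baseline, the watch list, and the function names are assumptions made for illustration, and the sample input is constructed from the two listings shown above.

```python
import ipaddress

# Assumed enterprise baseline: (address, lowercase hostname) pairs expected on a clean build.
BASELINE = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
    ("10.1.100.5", "exchange.local"),
    ("192.168.155.5", "shareddrive"),
}

# Watch list built from the antivirus domains blocked in the infected sample above.
AV_DOMAINS = ("avp.ch", "avp.com", "avp.ru", "avast.com")

# Constructed sample: the clean entries followed by the infected entries shown above.
SAMPLE_HOSTS = """\
127.0.0.1        localhost
::1              localhost
HP001635578986   HP001635578986
10.1.100.5       exchange.local
192.168.155.5    SharedDrive
0.0.0.0    avp.ch
0.0.0.0    avp.com
0.0.0.0    avp.ru
0.0.0.0    avast.com
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (line number, address, hostname)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # First field is not an IP address: keep the line for manual review.
            malformed.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:  # one address may carry several aliases
            entries.append((lineno, addr, name.lower()))
    return entries, malformed


def audit_hosts(text, baseline=BASELINE, watchlist=AV_DOMAINS):
    """Report every mapping that is not in the baseline."""
    entries, malformed = parse_hosts(text)
    findings = []
    for lineno, addr, name in entries:
        if (str(addr), name) in baseline:
            continue
        # 0.0.0.0 or loopback blocks the name; any other address redirects it.
        blocked = addr.is_unspecified or addr.is_loopback
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append({
            "line": lineno,
            "address": str(addr),
            "host": name,
            "kind": "sinkholed" if blocked else "redirected",
            "security_vendor": watched,
        })
    return findings, malformed


if __name__ == "__main__":
    found, bad = audit_hosts(SAMPLE_HOSTS)
    for item in found:
        print(item)
    for lineno, raw in bad:
        print("unparseable line", lineno, repr(raw))
```

A finding with `security_vendor` set is the pattern the infected sample shows; lines returned as malformed are not judged either way and are left for the analyst to review.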

Also, the security practitioner needs to be on guard for changes to the DNS server(s) used by the client. Some malicious code now changes the DNS server to point to a remote rogue server that then acts as a MITM to monitor or manipulate traffic from the infected host.

Inspection of Processes

Inspection of processes on a computer can be very time consuming and difficult. First, a security practitioner needs to have a baseline of what should be expected on the computer per the enterprise build for that type of host. Then, processes such as Explorer.exe can be looked for in the Windows Task Manager. If a program like Explorer.exe, which renders the Windows GUI for the desktop used by a user, is not visible, it is likely that it is being hidden by a Windows rootkit, as this process should always be visible when viewed via the Windows Task Manager under normal operating conditions.

The more traditional approach to looking for malcode in processes is to look for new processes taking up lots of memory or finding a new or unexpected process in the list of running processes. Programs like Process Explorer help the analyst to dive deep into the code, terminate it, and perform actions not possible from within Windows Task Manager.42

Other programs such as EnCase Enterprise include a response component that enables the security practitioner to log in remotely to any host within the network.43 EnCase then includes MD5 solutions to quickly identify known good (whitelisted) processes, known malicious processes, and those that are in question (unknown). EnCase also includes its own anti-rootkit process that helps subvert such threats. This provides the security practitioner an excellent remote view into what needs to be looked at on a system, possibly captured, and then analyzed for malicious behavior.

Inspection of the Windows Registry

Security practitioners can create Perl scripts to audit a network for possible malicious changes to the Windows registry on hosts of a network. This is a very efficient way to quickly identify any questionable or known malicious entries that may exist in the traditional AutoRun areas of the Windows registry, such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce.

Run and RunOnce registry keys cause programs to run each time that a user logs on. The data value for a key is a command line. Register programs to run by adding entries of the form description-string=commandline. You can write multiple entries under a key. If more than one program is registered under any particular key, the order in which those programs run is indeterminate.

The Windows registry includes the following four keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails, the associated program will not be asked to run the next time you start the computer.

By default, these keys are ignored when the computer is started in safe mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in safe mode. Run and RunOnce keys are run each time a new user logs in.
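
The Run and RunOnce rules above can be applied to a registry export taken from a host under review. The following is an added example, not part of the original text and not the Perl scripts it mentions: it is written in Python, the export text, value names, and baseline are constructed, and the function names are hypothetical. It reads only string values from the four keys listed above.

```python
import re

# The four autostart keys listed above, lowercased for comparison.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# "name"="data" line of a .reg export; backslashes and quotes are escaped inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed export text (regedit "Version 5.00" format).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorpAgent"="\"C:\\Program Files\\CorpAgent\\agent.exe\" /start"
"Updater"="C:\\Users\\Public\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*svchelper"="C:\\Windows\\Temp\\svchelper.exe -q"
"!Cleanup"="cmd /c del C:\\Temp\\setup.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Ignored"="not an autostart key"
"""

# Assumed baseline for the enterprise build: (key, value name) -> command line.
BASELINE = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "corpagent"):
        r'"C:\Program Files\CorpAgent\agent.exe" /start',
}


def unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def audit_autostart(reg_text, baseline):
    """Return the Run/RunOnce entries that are new or differ from the baseline."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue  # blank line, default value, or non-string data (hex:, dword:)
        name, command = unescape(match.group(1)), unescape(match.group(2))
        run_once = key.lower().endswith("\\runonce")
        # The ! and * prefixes only have meaning on RunOnce value names.
        prefix = name[0] if run_once and name[:1] in ("!", "*") else ""
        expected = baseline.get((key.lower(), name.lower()))
        if expected == command:
            continue
        findings.append({
            "key": key,
            "name": name,
            "command": command,
            "status": "new" if expected is None else "changed",
            "run_once": run_once,
            "deferred_delete": prefix == "!",    # value removed only after the command runs
            "runs_in_safe_mode": prefix == "*",  # still launches when booted in safe mode
        })
    return findings


if __name__ == "__main__":
    for finding in audit_autostart(SAMPLE_EXPORT, BASELINE):
        print(finding)
```

An entry reported with `runs_in_safe_mode` deserves attention first, because it is not skipped when the host is restarted in safe mode.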

How to Do It for Yourself: Installing Strawberry Perl in Windows 7 or Windows 8

Perl is a programming language suitable for writing simple scripts as well as complex applications. For more information, see http://www.perl.org.

Strawberry Perl is a perl environment for Microsoft Windows containing everything needed to run and develop perl applications. It is designed to be as close as possible to the perl environment on UNIX systems. It includes perl binaries, compiler (gcc) + related tools, all the external libraries (crypto, graphics, xml . . .), as well as all the bundled database clients.

Security practitioners should be familiar with scripting languages and how to install and use them in different operating systems.

  1. Download the latest version from http://strawberryperl.com.
  2. Execute the installer by double-clicking the .msi file (for example, strawberry-perl-5.20.1.1.msi), and follow the setup wizard.
  3. By default, the installer creates the C:\strawberry directory and extracts all of its contents there. Installing Perl elsewhere is fine, but the README warns that whatever path you decide to install into needs to have directory names free of spaces (i.e., “C:\isc2 sscp\perl\bin” is bad).
  4. Next, open a command prompt and switch into whatever directory you installed perl into. Type perl -v, hit enter, and you should get the version info.
  5. To create an association between the .pl file extension and Strawberry Perl, do the following:
    1. Open Notepad and copy in the following code:
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pl\shell\open\Command]
      @="\"C:\\strawberry\\perl\\bin\\perl.exe\" \"%1\" %*"
    2. Save the file to the Desktop with a .reg extension.
    3. Double click on it to make it apply the appropriate changes to the Registry.
  6. Now, it is time to create a test script. In Notepad, type the following:
    print "Hello, World!\n";

    When you are done typing, save the file as script.pl and in the command prompt cd to the directory in which it was saved. Type perl script.pl and you should see “Hello, World!” on the screen.

Security practitioners can see the following websites for information and research into Perl:

When you are dealing with known questionable or malicious executables, a manual search of the Windows registry can be very useful. Simply type regedit into the Start > Run location on a Windows computer to pull up the Windows registry editor program. Then, use the Edit menu to perform a Find for the executable name of interest. Press F3 to move to the next instance, quickly searching the entire Windows registry.

Tools such as Autoruns, cports, and “HiJack This!” are excellent freeware programs that may also be useful in quickly identifying autostart entries.

Since the functionality of Windows registry keys is often not known or well documented, one must perform queries on the Internet or within various Windows registry guides to identify what the role of a specific entry may be. For example, if one enters a suspect key into an Internet search engine and gets back many replies related to malicious code, a quick review may strongly suggest a malicious entry for the host computer being investigated. Once this can be correlated back to a specific code, the security practitioner can then look for files of interest, capture, and qualify the threat in a laboratory environment.

Inspection of Common File Locations

A manual inspection of files is also helpful, but it can be subverted by Windows rootkits that may conceal files. Malicious code changes are typically performed in the Windows and Windows\System32 directories.44 Files are also frequently stored in temporary Internet locations, the user directory, and the root directory of the drive (C:). It is also common to find files stored within a Windows\System32 subdirectory, such as drivers or a custom directory created by the malcode.

A rootkit is a program that takes fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer, often without authorization by the computer’s owner. When a rootkit is present on a system, it has the ability to conceal files from the end user. As a result, the end user will typically not be aware of the rootkit’s presence in the system. Therefore, it is up to the security practitioner to be able to detect and remove malware such as rootkits. The following discussion is meant to represent a high level overview of what malware removal from a Windows based system would be like for the security practitioner. The tools discussed are samples of tools that are available for use, and they are not the only tools available. The circumstances of each infection or outbreak are unique, and as such, the security practitioner will need to assess the situation and choose the most appropriate tools to use based on the circumstances involved.

Some forms of malware will not allow removal utilities and tools to be started while Windows is running normally. As a result, the security practitioner may need to restart Windows in Safe Mode with Networking. It is always a good idea to first attempt to detect and remove malware while the computer is running under normal conditions, and only as a secondary option to use safe mode to run detection and removal tools.

To start a computer in Safe Mode with Networking, follow these steps:

  1. Remove all floppy disks, CDs, and DVDs and then restart the computer.
  2. For Windows XP, Vista, or Windows 7, press and hold the F8 key as the computer restarts. Please keep in mind that you need to press the F8 key before the Windows start-up logo appears.
  3. In the Advanced Options screen, select Startup Settings, and then click on Restart.
  4. For Windows XP, Vista, or Windows 7 in the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER. For Windows 8, press 5 on the keyboard to Enable Safe Mode with Networking.

Once you have enabled/entered Safe Mode with Networking, then you will need to engage in a process similar to that outlined below, depending on the nature and extent of the problem being addressed.

  1. Remove Any Master Boot Record Infections—As part of their self defense mechanisms, some types of malware will install a rootkit on the infected computer, which will compromise the Windows loading process. In this first step, the security practitioner would run a system scan with Kaspersky TDSSKiller to remove this type of rootkit if present. 45
  2. Run RKill to Terminate Any Malicious Processes—RKill is a program that will attempt to terminate all malicious processes that are running on the computer. Because this utility will only stop running processes, and does not delete any files, after running it the security practitioner should not reboot the computer, as any malware processes that are configured to start automatically will just be started up again. In this step, the security practitioner would double click on iExplore.exe to start RKill. RKill runs as a working process in the background, and it may take a while to finish, depending on the amount of malware present in a system.46
  3. Remove Trojans and Other Malicious Software Using Malwarebytes Anti-Malware—Malwarebytes Anti-Malware software can detect and remove traces of malware including Worms, Trojans, rootkits, rogues, dialers, spyware, and more. 47 In this step, the security practitioner would run one of three possible scans on the target computer, or some combination of them, in order to establish what types of malware may be present in the computer. The scans available are shown in Figure 7-33. Once the scans have been successfully run against the computer, then the security practitioner would be presented with a list of the detected malware, as well as mitigation options, as shown in Figure 7-34.
  4. Remove Additional Rootkits with HitmanPro—HitmanPro is a “second opinion” scanner, designed to disinfect a computer that has been infected with malware despite the security measures that may have been applied prior to running the scanner. In this step, the security practitioner would scan the computer with HitmanPro to establish what malware may still remain resident and active on the computer, and then mitigate what is found through whatever actions are appropriate. 48
    Figure 7-33: Scan types available in tool

    Figure 7-34: A list of the detected malware, as well as mitigation options

  5. Remove Malicious Registry Keys Added by Malware with RogueKiller—Malware often modifies the registry of the computer it infects in order to successfully run. Using software such as RogueKiller allows the security practitioner to search for, find, and, if needed, mitigate modified registry keys.49 In this step, the security practitioner would scan the computer using RogueKiller, and then would choose which modified registry keys to delete based on the output of the scan, as shown in Figure 7-35.
  6. Remove Malicious Adware from the Computer Using AdwCleaner—The AdwCleaner utility will scan the computer and browsers for adware files and registry keys that may have been installed on the computer.50 In this step, the security practitioner would scan the computer using AdwCleaner, and then would choose which selected items in the Folders, Files, Shortcuts, and Registry tabs that they would want to remove from the computer. The items that are left checked are removed by the program when the clean button is selected.
  7. Remove Browser Hijackers with the Junkware Removal Tool—The Junkware Removal Tool is a powerful utility, which will remove malware within Internet Explorer, Firefox, or Google Chrome, on a computer.51 The Junkware Removal Tool runs from a command prompt and requires the security practitioner to press a key in order to perform the scan of the computer, as Figure 7-36 shows. Once the security practitioner runs the scan, removal of the malware found during the scan is automated, and a log will be created showing what malicious files and registry keys were removed from the computer.
    Figure 7-35: Modified registry keys shown as output of scan

    Figure 7-36: Prompt for the security practitioner to press a key to start the scan

Once the security practitioner has completed the previous steps, there will still be a need to monitor the computer to ensure that the malware has been successfully removed and has not returned upon reboot or managed to re-infect the computer due to user interaction. The security practitioner should consider using combinations of tools in an ongoing effort to monitor and maintain the health of the computer proactively once the initial malware infections have been mitigated and removed.

In addition, the security practitioner should also consider the use of a host-based intrusion detection system (HIDS) that will allow for a broad and centralized monitoring and integration with a security incident management/security events management (SIM/SIEM) solution. OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX, and Windows. OSSEC is composed of multiple pieces. It has a central manager monitoring everything and receiving information from agents, syslog, databases, and from agentless devices.52 There are also managed security services that the security practitioner should consider as a possible solution, depending on the nature and scope of the systems under management. Dell SecureWorks provides an array of managed security services for businesses including a Managed Advanced Malware Protection service.53 Symantec also provides managed security services, as does Solutionary, among others.54

Behavioral Analysis of Malcode

In order for the security practitioner to begin to analyze malcode samples, a test system must be in place to properly analyze malcode behavior. This system should contain a known set of applications, processes, and tools that establish a behavioral baseline. Changes to the system can then be identified manually as well as through various tools useful in the behavioral analysis of malcode. It is important to remind the security practitioner that they must perform their work carefully so as to not bridge networking and spread a threat into the wild. In addition, any laboratory computer used for malcode analysis should be separated from the normal network to avoid any possible contamination or unwanted impact, such as a network worm attempting to exploit or spread to other computers on the network. One tool that the security practitioner can use to analyze suspected malware on a test machine is SysAnalyzer, created by David Zimmer of iDefense Labs.55 SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

  • Running processes
  • Open ports
  • Loaded drivers
  • Injected libraries
  • Key registry changes
  • APIs called by a target process
  • File modifications
  • HTTP, IRC, and DNS traffic

The main components of SysAnalyzer work off of comparing snapshots of the system over a user specified time interval. The reason a snapshot mechanism was used compared to a live logging implementation is to reduce the amount of data that analysts must wade through when conducting their analysis. When a snapshot system is used, only the persistent changes found on the system since the application was first run are presented to the analyst for examination. When first run, SysAnalyzer will present the user with the configuration wizard, as shown in Figure 7-37; the executable path textbox represents the file under analysis.

Figure 7-37: Configuration Wizard for SysAnalyzer tool

The user can specify the following options to be used for the analysis:

  • Delay—Time in seconds between before and after snapshots
  • Sniff Hit—Whether to launch a specialized HTTP/IRC sniffer for analysis
  • API Logger—Whether to inject an API logging DLL into the target
  • Directory Watcher—Whether to monitor filesystem for all file creation activities

SysAnalyzer is designed to take snapshots of the following system attributes:

  • Running processes
  • Open ports and associated process
  • DLLs loaded into explorer.exe and Internet Explorer
  • System Drivers loaded into the kernel
  • Snapshots of certain registry keys

Each logged category is stored on its own tab in the main interface. The report link to the bottom right of the main interface will arrange all of this log data and place it into a series of simple text reports for the analyst to view. Figure 7-38 shows one of the associated tools available with SysAnalyzer, called sniff_hit, which scans a selected network interface, capturing and recording traffic across that interface, as well as the associated IP addresses being used and DNS resolution requests being made during the active capture session.

Figure 7-38: sniff_hit tool

Static File Analysis

Static file analysis is where it all begins for the security practitioner who is looking to analyze malcode. This involves looking at file details and characteristics, as well as using a hexadecimal editor, to properly identify and investigate the suspect code. The security practitioner will need to find an appropriate hex editor for whatever OS platform they are conducting analysis on. The following is a partial list of hex editors for the Windows, Mac, and Linux OS platforms.

  • wxHexEditor is built specifically for dealing with large files, supporting up to 2^64 bytes. It is available for all three platforms.56
  • DHEX is built for Linux and Mac OS X.57
  • XVI32 is a freeware hex editor running under Windows 9x/NT/2000/XP/Vista/7. 58
  • Hex Fiend is an open source hex editor for Mac OS X.59
  • HexEdit is available for the Microsoft Windows platform.60

Figure 7-39 shows the Hex Edit tool being used to examine the winhex.exe file. The security practitioner should examine all suspect .exe files using a hex editor to establish whether or not the file has been modified, and whether or not there are suspicious items contained within the file that could indicate the presence of malware.

Figure 7-39: Hex Edit tool being used to examine the WinHex.exe file

File Properties

File properties can be useful in correlating a sample to related samples or data on malcode of interest. For example, a specific threat may have a static file size or average size related to codes spread by the threat. The security practitioner can compare file sizes to judge whether a sample may be related to that threat. More importantly, exact details about the file may help identify other computers infected with a different filename but a similar file size, or similar modified or created time values. For example, if a worm infected a system on a specific date and time, that information may help correlate network and host logs, or guide manual inspection of targeted computers, to look for similar changes around the same date and time on other computers within the network.

Some malcode modify the MAC times (modification, access, and creation times). This can hinder discovery during an incident. For example, when one is looking for changes to a system at a specified time, the modified time is the default value displayed in Windows. If the modified time is changed by the malcode to be something fairly old, it will not show up at the top of the modified time listing when sorted. This is an easy and highly effective way for malcode to subvert code identification by time stamps alone. For this reason, all MAC times should be looked at carefully when attempting to find code that may have infected a system at a specific point in time.

Behavioral tests can also be performed on code, and then a directory dump and difference analysis can be performed to identify what is different pre and post installation of the code, to identify what is new on the system. Realize, though, that if a Windows rootkit is involved, the post infection directory dump must be done from a disk mount or boot disk rather than from within the infected operating system itself.

Hash

Hash values, such as MD5 and SHA1, are produced by a cryptographic function that calculates a unique value for a file. Even a minor change in 1 byte of a file results in a new hash value. Many freeware tools are available to calculate the hash value, such as HashCalc for Windows.61 In addition, malcode experts are moving toward naming binaries by MD5 values for large malcode archives. If two binaries have the same hash value, they are exactly the same! There are ways to subvert hash systems, but this is not common, nor should it be considered a major problem for a security practitioner attempting to identify and correlate malcode binaries of interest.

Portable Executables Header

Portable executables (PE files) for Windows 32 and 64 bit systems have a header that can tell the security practitioner much about the file. Tools such as LordPE and PEiD help the analyst to identify what type of file and packer is being analyzed.62 Such tools may also include the EntryPoint, File Offset, EP Section, TimeDateStamp data, and other information useful in initiating reverse engineering of a binary. Figure 7-40 shows PEiD being used to examine the lads.exe file.

Figure 7-40: PEiD being used to examine the lads.exe file

String Analysis

A string analysis can be performed on both packed and unpacked files. Strings provide clues to the functionality and various system calls made by code. Comments within the original source code may also be visible in part, helping to explain actor attribution or other functionality. Performing a string analysis on packed and unpacked files, including memory captures, may provide many clues, as shown in Figure 7-41.

Figure 7-41: A string analysis performed on a packed file

In this figure, notice the first line talking about a program and DOS mode. This helps to further validate that the binary is indeed an executable. Then, notice a reference to a DLL, mscoree.dll, and other strings of interest. This string dump does not reveal much because the binary is still packed with UPX. However, if it is unpacked, notice how the strings change, as shown in Figure 7-42.

Strings are very useful to the reverse engineer who understands how to correlate seemingly cryptic data to what one sees while disassembling malcode. The security practitioner can look for common signs of infection, common system calls of interest, URLs, and other data used for initial triage. If detailed string files are captured by the security practitioner, they can then be shared with a reverse engineer to facilitate a deeper analysis of the malcode.

Figure 7-42: A string analysis performed on an unpacked file
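
The string dump and initial triage described in this section can be reproduced with a short script. The Python sketch below is an added example, not taken from the original text: it extracts both ASCII and UTF-16LE strings (Windows binaries store many strings in the wide form) and sorts them into the kinds of clues discussed above. The sample bytes, the indicator patterns, and the URL are constructed for illustration.

```python
import re

# Assumed triage categories, chosen to match the clues discussed in the text.
INDICATORS = {
    "dos_stub": re.compile(r"cannot be run in DOS mode"),
    "packer": re.compile(r"UPX[0-9!]"),
    "dll": re.compile(r"[\w.-]+\.dll\b", re.I),
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
}

# Constructed sample: DOS stub text, UPX section names, one DLL name stored as
# ASCII and one URL stored as UTF-16LE, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + bytes(60)
    + b"!This program cannot be run in DOS mode.\r\r\n$" + bytes(8)
    + b"UPX0" + bytes(4) + b"UPX1" + bytes(4)
    + b"\x8b\xff\x90" + b"mscoree.dll\x00" + b"\x01\x02"
    + "http://update.example/check".encode("utf-16-le") + bytes(2)
)


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for printable runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def triage(strings):
    """Group indicator matches by category, keeping the offset of the source string."""
    hits = {label: [] for label in INDICATORS}
    for offset, _encoding, text in strings:
        for label, pattern in INDICATORS.items():
            for match in pattern.finditer(text):
                hits[label].append((offset, match.group()))
    return hits


if __name__ == "__main__":
    for label, matches in triage(extract_strings(SAMPLE)).items():
        for offset, value in matches:
            print(f"{label:9s} 0x{offset:04x}  {value}")
```

Running the same extraction on a file before and after unpacking, and comparing the two outputs, shows how much the packer was hiding.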

Hex Editors

There are both freeware and commercial hex editors available that will allow the security practitioner to look at the binary contents of a file. When you are using a hex editor, the information displayed may look confusing at first glance until you know what to look for. The first few characters identify the true file type, irrespective of the extension assigned to the Windows filename. Figure 7-43 shows what should be seen when working with a Windows binary: an MZ header right at the top of the screen. The string of characters 4D 5A on the left is the representation of the MZ header.

Further down towards the bottom of the picture, the file has the string “UPX,” indicating that it is likely packed with UPX. This is useful information for the security practitioner that would help them to understand what tools should be used to unpack the file successfully.

Figure 7-43: An MZ header in a Windows binary file
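
The checks from the Hash, Portable Executables Header, and Hex Editors sections can be combined into one static triage step. The Python sketch below is an added example, not taken from the original text or from any of the tools named: it hashes the file, confirms the 4D 5A (MZ) magic, reads TimeDateStamp and the entry point from the PE header, and reports the EP section, file offset, and UPX-style section names. build_sample() constructs a header-only test file with assumed values; it is not a real program.

```python
import hashlib
import struct
from datetime import datetime, timezone


def _parse_headers(data, report):
    """Fill report from the DOS and PE headers; struct.error means truncation."""
    if data[:2] != b"MZ":                                  # 4D 5A magic
        return
    report["has_mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)     # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return
    report["is_pe"] = True
    (_machine, n_sections, stamp, _symtab, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                                # optional header start
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    report["format"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
    # TimeDateStamp is written by the linker and can be forged, so use it as a
    # correlation lead, not as proof of when the file was built.
    report["compiled_utc"] = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    report["entry_point_rva"] = entry_rva
    section_table = opt_off + opt_size
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, section_table + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        report["sections"].append(name)
        if name.upper().startswith("UPX") and "UPX" not in report["packer_hints"]:
            report["packer_hints"].append("UPX")
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            report["ep_section"] = name
            report["ep_file_offset"] = entry_rva - vaddr + raw_ptr


def triage_pe(data):
    """Hash the file and summarize its PE header without executing anything."""
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_mz": False, "is_pe": False,
        "sections": [], "packer_hints": [],
    }
    try:
        _parse_headers(data, report)
    except struct.error:
        report["error"] = "truncated or malformed header"
    return report


def build_sample(section_names=(b"UPX0", b"UPX1"), timestamp=1262304000):
    """Constructed header-only sample (assumed values, not a runnable program)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32
    struct.pack_into("<I", opt, 16, 0x2010)                # entry point RVA
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(section_names))
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections
    return header.ljust(0x400, b"\x00") + bytes(0x400)


if __name__ == "__main__":
    for key, value in triage_pe(build_sample()).items():
        print(f"{key:16s} {value}")
```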

Unpacking Files and Memory Dumps

A simple explanation of software packers, or compression, is that symbols are used to represent repeated patterns in the software code. A packed file can contain malware, and unless your antivirus product knows how to unpack the file, the malware will not be detected. That would seem to be the end of the story, except that we have something called run-time packers. Here is how they work. The packed file is an executable program that is only partially packed. A tiny bit of the program is not packed. The beginning of the program is not packed, so when the packed executable is run, it starts unpacking the rest of the file. The un-packer tool is built right in.

Runtime packers are used by malware authors because it makes it much harder to detect the malware. Antivirus vendors use heuristic technologies that create a virtual computer inside the scanning engine and then run the program inside the virtualized environment. This can force a run-time packed program to unpack itself; there is always a catch though. The malware programmer can make the program detect that it is running in a virtual environment, and then the program may not unpack itself or may only unpack harmless parts of itself to fool the virus scanning program.

In order to prevent the reverse engineering of a malicious software program and to hinder the analysis of the program’s behavior, malware developers may compress or pack their malicious programs using a variety of methods combined with file encryption. Antivirus programs can detect the results of the actions of suspicious packers.

The main features that differentiate behaviors in the suspicious packers subclass are the type and number of packers used in the file compression process. The suspicious packers subclass of malware includes the following behaviors:

  • Suspicious Packer—Objects that have been compressed, using packers that are designed to protect malicious code against detection by antivirus products.
  • MultiPacked—Files that have been packed several times, using a variety of packers.
  • Rare Packer—Files that have been compressed by packers that are rarely encountered—for example, packers that demonstrate a proof of concept.

Unpacking files can be a difficult process involving some patching of the files that have been captured. It may also result in the accidental execution of a binary, so it should always be done within a safe test environment to avoid accidental execution of code on a production machine. Unpacking files first involves trying to identify what program or tool the code was packed with, such as UPX, MPRESS, MEW, or PESpin, which are all free.63 There are also commercially licensed packer programs available such as EXECryptor, VMProtect, and SoftwarePassport (using the Armadillo protection engine). In the case of UPX, the security practitioner would need to run the command “upx -d filename,” where “-d” is for decompress and “filename” is the name of the file. Figure 7-44 shows the UPX interface displaying two important pieces of information. The first attempt to run “upx -d” against the richcopy.exe file produced an error, indicating that this file was not packed using UPX, which is a very important piece of information for the security practitioner to be aware of. The second attempt to run “upx -d” against the arpscan.exe file produces the desired result, an unpacked file that the security practitioner would be able to examine.

Figure 7-44: UPX tool interface

Memory dumps can be performed with tools like LordPE and OllyDbg.64 Figure 7-45 shows a memory dump performed with LordPE of the vmplayer.exe file being used to compare to the actual file running in memory on the computer. The temp.dmp column on the left at the bottom of the figure represents the vmplayer.exe file as it is running in memory on the live machine at the time of the comparison. The dumped.dmp column on the right represents a static memory dump file that was captured prior to the demonstration being started. Memory dumps are not as good as unpacked binaries but can be patched and are certainly better than nothing when it comes to analyzing samples. A strong reverse engineer can typically overcome such issues using a variety of advanced techniques.

Figure 7-45: A memory dump performed with LordPE of the vmplayer.exe file being used to compare to the actual file running in memory on the computer

Testing Remote Websites Found in Network Log Files

Log files from firewalls, IDS, IPS, Snort, and others are often configured to only report the basic facts, like the IP address and packet details. Unfortunately, this often leaves out important information like the exact path or domain visited by a victim during an attack. Performing an open source intelligence query is helpful in identifying possible malicious behavior related to the address. Behavioral analysis of the sample may also reveal domains or IPs and related data of interest to a malcode attack. Extensive time-consuming research may be required to best understand an attack and related attack data.

When looking at remote hostile servers, always check into each public directory. For example, http://badsite.com/images/badfile.exe may allow a directory listing of the images subdirectory. It is not uncommon in such situations to then locate additional binaries or log files or scripts of interest in an investigation.

Passive DNS Queries 65

According to the Cisco blog post, “Tracking Malicious Activity with Passive DNS Query Monitoring,” (at https://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring):

When a client wants to access a service by name, it must resolve that name into a usable IP address. To do this, the client sends a request for the name to a recursive name server and that server will retrieve the information and send it back to the client. From a security perspective, there are two interesting aspects to this activity. The first is the names clients are requesting, and the second is the Internet hosts that are providing the services for any given name. In other words, the security practitioner would want to know who is looking up a service (DNS queries) and would also want to know who is providing a service (DNS answers).

The DNS answers portion of the problem has been solved by the Internet Systems Consortium’s (ISC) Passive DNS Replication Project, and the corresponding ISC DNS Database. ISC’s DNSDB is very good at answering questions like “What DNS names have pointed at this IP?” as well as “What IPs have provided services for this name?” The ISC DNSDB project has been transitioned to Farsight Security, a company started by the creators of DNSDB as of 2010. DNSDB is a database that stores and indexes both the passive DNS data available via Farsight Security’s Security Information Exchange as well as the authoritative DNS data that various zone operators make available. DNSDB makes it easy to search for individual DNS RRsets and provides additional metadata for search results such as first seen and last seen timestamps as well as the DNS bailiwick associated with an RRset. DNSDB also has the ability to perform inverse or rdata searches.66

To get at the DNS-questions side of the problem would require the security practitioner to ensure that logging has been enabled on all of the organization’s recursive resolvers and then searching through those logs. This is an imperfect solution for a number of reasons that include:

  • Most organizations have a wide variety of nameservers (BIND, Active Directory, etc.) with varying logging abilities and formats deployed.
  • Clients and malware can send DNS requests to external services like Google’s Public DNS or OpenDNS with little trouble.
  • Clients generate a huge volume of DNS queries, and it is difficult and costly to quickly search through such a high volume of logs.

The best open source passive DNS replication database available at the time of this writing is http://www.bfk.de/bfk_dnslogger.html. As a service to CERTs and incident response teams, BFK uses passive DNS replication to collect public DNS data. Figure 7-46 shows the results for a query run against the ISC2.ORG namespace.

Figure 7-46: ISC2.org query results

This website makes it easy for a query to be entered and to then see what information has passively been stored related to that IP or domain. This information must be interpreted carefully by the security practitioner, and it needs to be vetted against additional sources of information to corroborate it thoroughly if it is to be used as part of an investigation.67
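
To make the passive DNS idea concrete, the following Python sketch is an added example, not code from DNSDB, BFK, or the Cisco post. It aggregates observed DNS answers into records with first seen and last seen time stamps and answers the two questions quoted above: which names have pointed at an IP, and which IPs have served a name. The observation format, the class and function names, and the sample records (documentation addresses and .example names) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed observations, one per line: time, name, record type, answer data.
OBSERVATIONS = """\
2015-03-01T10:00:00Z www.shop.example. A 192.0.2.10
2015-03-02T08:30:00Z cdn.update.example. A 198.51.100.7
2015-03-05T23:15:00Z www.shop.example. A 192.0.2.10
2015-03-09T02:00:00Z www.shop.example. A 198.51.100.7
2015-03-09T02:05:00Z login.bank.example. A 198.51.100.7
malformed line
2015-03-11T14:45:00Z WWW.Shop.Example. A 198.51.100.7
"""


class PassiveDNS:
    """In-memory store of observed answers, searchable by name or by rdata."""

    def __init__(self):
        self._records = {}                 # (name, type, rdata) -> [first, last, count]
        self._by_name = defaultdict(set)
        self._by_rdata = defaultdict(set)
        self.skipped = 0

    def add(self, seen, name, rrtype, rdata):
        key = (name.rstrip(".").lower(), rrtype.upper(), rdata.lower())
        entry = self._records.get(key)
        if entry is None:
            self._records[key] = [seen, seen, 1]
            self._by_name[key[0]].add(key)
            self._by_rdata[key[2]].add(key)
        else:
            entry[0], entry[1] = min(entry[0], seen), max(entry[1], seen)
            entry[2] += 1

    def load(self, text):
        for line in text.splitlines():
            try:
                stamp, name, rrtype, rdata = line.split()
                seen = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(
                    tzinfo=timezone.utc)
            except ValueError:             # wrong field count or bad time stamp
                self.skipped += 1
                continue
            self.add(seen, name, rrtype, rdata)
        return self

    def _rows(self, keys):
        rows = [{"name": k[0], "type": k[1], "rdata": k[2],
                 "first_seen": self._records[k][0],
                 "last_seen": self._records[k][1],
                 "count": self._records[k][2]} for k in keys]
        return sorted(rows, key=lambda r: (r["first_seen"], r["name"], r["rdata"]))

    def rdata_for_name(self, name):
        """What IPs have provided services for this name?"""
        return self._rows(self._by_name.get(name.rstrip(".").lower(), ()))

    def names_for_rdata(self, rdata):
        """What DNS names have pointed at this IP? (inverse, or rdata, search)"""
        return self._rows(self._by_rdata.get(rdata.lower(), ()))


def pivot(db, name):
    """Other names that ever resolved to an address also used by `name`."""
    related = set()
    for row in db.rdata_for_name(name):
        for other in db.names_for_rdata(row["rdata"]):
            if other["name"] != row["name"]:
                related.add(other["name"])
    return sorted(related)


if __name__ == "__main__":
    db = PassiveDNS().load(OBSERVATIONS)
    for row in db.names_for_rdata("198.51.100.7"):
        print(row["name"], row["first_seen"].isoformat(), row["last_seen"].isoformat())
    print("related to www.shop.example:", pivot(db, "www.shop.example"))
```

Shared hosting makes unrelated names resolve to the same address, so results from a pivot like this need the same corroboration against other sources that the text calls for.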

WHOIS, Reverse IP, Name Servers

There is a wealth of information available on domains, their IPs, reverse IPs, name servers, historical IP addresses, WHOIS registrant name or company affiliations, open source correlation, and more. This can be one of the most time-consuming and difficult components of an investigation to properly understand and follow. Several sites of interest are helpful in collecting such data:68

  • Robtex—Large volumes of information and also what servers are shared with other domains or IPs. Great for looking up related data within various IP ranges or shared resources.
  • DomainCrawler—Lots of interesting information on domains unique to this server.
  • SpamHaus—Excellent for identifying if a server is related to known abuse in the past.
  • DNSstuff—A suite of tools with powerful research options.
  • DomainTools—A commercial site that offers excellent data including name server spy reports, domain history, domain monitoring, historical IP information, and more.

While all of the sites listed above are valuable tools that the security practitioner should consider using as needed to establish the authenticity of DNS information during an investigation, Robtex is of special interest due to the graphing function that it provides for the information queried. Figure 7-47 shows the search results output selection bar that is located at the top left-hand corner of the results page.

Figure 7-47: Robtex search results output selection bar that is located at the top left hand corner of the results page

The red bar is located above the Records selection, and it produces output for the domain name search in the table form shown in Figure 7-48.

Figure 7-48: Output for the Domain Name Search

Once the output option is changed to Graph, the output of the domain name search for ISC2.ORG is produced as shown in Figure 7-49.

Figure 7-49: Graphed output from a Robtex Domain Name Search

Scanning a target server with a tool such as Nmap may produce a detailed picture of the services that are running and the open ports available, but the security practitioner needs to exercise caution. Scans are generally considered to be legitimate within the international security community and may be useful in identifying a remote server or the ports it has open related to potential malicious behavior; however, the security practitioner runs the risk of being identified as a potential malicious actor by the target of the scan. Accessing various services, such as opening an FTP connection, may also help to capture banner data of interest in an investigation. Figure 7-50 shows the output of a target scan for the ISC2.ORG domain address using Zenmap, which is a multi-platform graphical Nmap frontend and results viewer, derived from Umit.69

Figure 7-50: Output of a scan using the Zenmap tool

Deobfuscation of Scripts

Obfuscated JavaScript and similar content may prove to be difficult to decipher for the security practitioner. Fortunately, a few tools exist to help make this easier. One way to capture and examine traffic between machines suspected of harboring malware is to use virtualization technology to “sandbox” the suspect host. Converting the suspect machine into a virtual machine through a physical to virtual (P2V) transformation, and then letting it operate inside the virtual environment while a network sniffer runs on the physical host, will allow the security practitioner to identify all of the important network communications performed during an attack against a site or when code is run. Irrespective of any obfuscation that takes place, the links to executables and communications with remote C&Cs cannot be hidden from the sniffer on the host.

Using the Firefox “Live HTTP Headers” add-on (an extension) is also helpful in sniffing and sorting through traffic related to specific sessions of interest.70 It is a free and powerful tool that allows the security practitioner to save HTTP headers from a session, replay, and quickly triage data from a session, as shown in Figure 7-51.

Figure 7-51: Firefox “Live HTTP Headers” add-on

Interpreting Data

When working with a remote hostile site, the security practitioner should not make assumptions about the behavior or capabilities of the site under review. Many malcode and exploit sites now check for the IP of the inbound connection and render different behaviors if the IP visits a site a second time. Even 404 errors are sometimes bogus, created as a way to drive security experts away, while C&C activities take place for communications from a bot with a special HTTP header used to identify bot traffic. It is increasingly common for internal self-checks, browser IDs, IP checking, and other anti-security expert scripts to be running on remote hostile servers in the wild.

Anti-VMware capability is another example of being on guard for interpretation of data. If code is anti-VMware, it may detect that it is being executed inside of a virtual environment and then exit. Thus, if nothing happens when the security practitioner attempts to examine a piece of code, or unexpected behavior takes place within a virtual environment, the test may need to be performed again on a native “goat” computer used to test malcode on a real physical computer, not one that is virtualized.

Native goat machines must be able to be restored quickly through imaging solutions like Acronis software or Ghost. They ideally mirror the images used in the corporate environment and are put on a separate network for the security practitioner to use in order to run their laboratory tests. It is a good idea for the security practitioner to create multiple goat images, both patched and not patched, to test for exploitation success, as well as up-to-date builds from the network.

Testing of Samples in Virtualized Environments

VMware is one of the most popular tools used to analyze code in a virtual environment today. Other solutions also exist, like Qemu and Truman for Linux and Parallels for Macintosh.71 Each essentially uses a special drive to write data to a software file instead of to a disk.

Simple behavioral analysis, where one runs the code in a virtual environment, is fairly straightforward but does involve measured and experienced interpretation of data. For example, it is easy to misinterpret data and believe that snapshot changes are caused by malcode when, in fact, they are part of normal computing changes. Security practitioners should have a base system with core tools and techniques that are proven and well understood before attempting to run any code with an unknown behavior.

A good way to get started is to simply run various tools on a clean VMware system and interpret the changes when Internet Explorer is opened, or files are opened or deleted, etc. Follow this up with testing of malcode captured in quarantine from antivirus that is from a well-documented family that is easy to understand. Run the code and look for documented features to help learn tools and techniques for analyzing malcode. When an unknown sample comes across your desktop, follow the same procedures and also use a third-party sandbox solution to compare results against.

Core tools vary greatly within the industry but should include basic snapshot and real-time monitoring tools for processes, files, and network activity, as well as anti-rootkit programs. Here is a list of helpful tools for the security practitioner to start a toolkit with:

  • InstallWatchPro, Regshot, and InCTRL5 for snapshot views of a system that can survive a restart.72
  • Autoruns, HiJack This!, and cports (CurrPorts) for quick views of open ports and auto-run entries.73
  • Anti-rootkit programs—as many as possible since no single scanner can detect all rootkits.74
  • File analysis tools like HashCalc, PEiD, LordPE, Windows File Analyzer, The Sleuth Kit, and WinHex.75
  • Monitoring tools from Microsoft (formerly SysInternals): Filemon, Regmon, TdiMon, Tcpview, and ProcessExplorer.76
  • Wireshark, Fport (NT4—Windows XP support only), Advanced Port Scanner, Advanced IP Scanner, Nmap, and NetCat/Ncat for working with networking and remote servers.77
  • Proxy tools or services so that a machine can have different IP addresses for multiple tests against a site that checks for the IP. Tun2socks is a great tool to help make some programs proxy aware if they are not. Tor is also a good freeware solution to meet some needs.78 There are also web-based anonymous proxy servers that the security practitioner can use if needed. An anonymous web proxy is a type of proxy server that works through a web form, also often called a CGI proxy. Instead of configuring the address of the server in the browser as is done for HTTP or SOCKS proxies, you simply navigate to the home page of the web/CGI proxy, where proxy functionality is then enabled for each browsing session. Some of the most popular web proxies include the following:
      • Proxify
      • Anonymouse
      • Anonymizer
      • Ninja Cloak
  • Firefox, Adobe Acrobat Reader, and similar programs that may be useful in tests or exploit research.
  • OllyDbg with OllyScript, the PaiMei Framework, Immunity Debugger, or other debugger or disassembly programs that can be used for reverse engineering.79

It is also advisable to create a test image that has certain configurations useful for malcode research, such as changing view settings to show the full extension, show system files, and not hide known file types or system files. It is also helpful to create shortcut links to common malcode locations such as C:\, Windows, Windows\System32, Drivers, Drivers\ETC, and similar directories.

Sometimes, files are difficult to identify or capture from a computer. For example, some files may not allow copying or moving from a virtual machine or may not be visible. Advanced techniques are then required to capture such files.

DiskMount

DiskMount is a free utility provided by VMware that enables a security practitioner to mount a virtual machine that is not currently loaded within VMware. Simply infect a virtual machine and then shut it off (no shut down required). Then, use DiskMount to mount the drive on the HOST machine. It can then be accessed with the full control of the HOST machine. There are a variety of other tools that can be used as well such as DAEMON Tools.80 The same capability exists in Windows, as Figure 7-52 shows. Using Windows 7 or Windows 8/8.1, the security practitioner could also mount a .VHD/.VHDX file as an accessible data drive from within the Computer Management MMC, by using the Disk Management tool. A VHD file can also be mounted using the diskpart tool. In order to do so, create a text file with this content:

SELECT VDISK FILE="file path and name of the vhd file"
ATTACH VDISK

To attach the VHD image in a script, use diskpart -s <text file name>.

Figure 7-52: Attaching a virtual hard disk to a Windows system

A quick way to find files that have been changed on a drive is to use the Windows search function. After mounting the drive, right-click on the mounted drive and choose Search. Look for files with a modified date, or created date, of the current day. All the files are loaded and easily captured. However, MAC times can be modified, so such files may be missed, and a manual inspection is then required for any lingering files not yet identified through such methods.

Suspend Memory Captures

VMware supports what is known as a suspend mode. When a running virtual machine is put into suspend mode, the virtual machine’s memory state is saved to a .vmss file in the virtual machine’s working directory. The security practitioner can locate that file and then analyze it within a hex editor or a similar tool, such as the vmss2core tool created by VMware Labs, to locate files of interest within memory.81 The same capability exists in the Microsoft Hyper-V solution. The security practitioner would need to use the vm2dmp tool to convert the saved state of a virtual machine into a full memory dump file compatible with debugging tools on Hyper-V Version 1 and Version 2 VMs (basically anything created PRIOR to Windows Server 2012). If you are using Windows Server 2012 or later, then a different approach is required, and the use of either the Livekd tool from Sysinternals or the Debug-VM cmdlet in PowerShell will be required.82 This is a time-consuming and complicated process that can yield excellent rootkit analysis when necessary.

Linux DD Captures

Linux builds like Knoppix easily boot from a CD or thumb drive. Booting up a system from Linux enables a security practitioner to use a tool called “dd” to capture the MBR or other data from a drive. The tool “dd” can be used to take an image of the disk by using this command:

dd if=<media/partition on a media> of=<image_file>

Here is an example:

dd if=/dev/sdc of=image.dd

This can be useful if a machine is suspected of being under the control of a Windows rootkit.

Anti-VMware Code Techniques

Anti-VMware code exists to detect the presence of a virtual machine. In most cases, such code simply exists and does nothing to hinder the analysis of the code. A native goat machine can be used to analyze such code. The security practitioner may also modify default VMware settings to remove common detection vectors used by malcode in the wild. By disabling hardware acceleration and similar components on a virtual machine, and then testing code a second time, many malcode fail to detect the virtual environment and then run as expected.

Free Online Sandbox Solutions

There are several free online sandbox solutions available to the public today. When using these scanners, realize that they capture and share or sell the code submitted. Do not use such solutions for sensitive codes. Current online reputable sandbox solutions include the following:

  • Anubis
  • BitBlaze Malware Analysis Service
  • Comodo Automated Analysis System and Valkyrie
  • EUREKA Malware Analysis Internet Service
  • Joe DD (PDF and MS Office files) and Joe Sandbox (registration required)
  • Malwr
  • Norman SandBox
  • ThreatExpert
  • ThreatTrack
  • ViCheck
  • Xandora
  • XecScan (PDF and MS Office files from targeted attacks)

Reports from such sandboxes are invaluable in comparing against laboratory results to confirm or help explain malicious behavior related to a specific binary.

Interactive Behavioral Testing

Interactive behavioral testing is a very time-consuming process and is part of a more advanced reverse engineering process in most cases. Take for example a malcode that attempts to connect to a remote IRC server. The security practitioner can create a Linux virtual environment with Snort and an IRC server on the box. The security practitioner can then modify the HOSTS file of the Windows virtual machine to point to the IRC server for the domain requested by the malcode. When the malcode is run, it will be redirected to the internal Linux server and will attempt to log into the IRC server. If it is properly configured, the security practitioner can then interact with the malcode in the IRC server, trying out different commands and watching what it does when various conditions or commands change. The possibilities are almost endless on various virtual networks and solutions that can be implemented to test specific components of code within a laboratory environment.

Malcode Mitigation

Malcode mitigation can be a daunting topic of great scope. This overview provides both strategic and tactical direction for the security practitioner to consider.

Strategic

The security practitioner needs to design a defense-in-depth architecture and secure top-down support from senior management for security if they are to be successful at implementing and maintaining a comprehensive security architecture.

An emergency response team and procedures, with the necessary power to act, should be in place before an incident takes place. Ideally, an internal CERT/CSIRT should exist as part of a greater disaster recovery plan. CSIRT stands for Computer Security Incident Response Team. The term CSIRT is used predominantly in Europe for the protected term CERT, which is registered in the U.S. by the CERT Coordination Center (CERT/CC).83 There exist various abbreviations used for the same sort of teams:

  • CERT or CERT/CC (Computer Emergency Response Team/Coordination Center)
  • CSIRT (Computer Security Incident Response Team)
  • IRT (Incident Response Team)
  • CIRT (Computer Incident Response Team)
  • SERT (Security Emergency Response Team)

A CERT/CSIRT is a team of IT security experts whose main business is to respond to computer security incidents. It provides the necessary services to handle incidents and support the team’s constituency, enabling them to recover from breaches. In order to mitigate risks and minimize the number of required responses, most CERT/CSIRTs also provide preventative and educational services for their constituency. They issue advisories on vulnerabilities in the software and hardware in use, and also inform the users about exploits and viruses taking advantage of these flaws, so the constituents can quickly patch and update their systems.84

There are many services that a CERT/CSIRT can choose to offer. Each CERT/CSIRT is different and provides services based on the mission, purpose, and constituency of the team. Providing an incident handling service is the only prerequisite to be considered a CERT/CSIRT. CERT/CSIRT services can be grouped into three categories:

  • Reactive Services—These services are triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something that was identified by an intrusion detection or logging system. Reactive services are the core component of CERT/CSIRT work.
  • Proactive Services—These services provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events. Performance of these services will directly reduce the number of incidents in the future.
  • Security Quality Management Services—These services augment existing and well-established services that are independent of incident handling and traditionally performed by other areas of an organization such as the IT, audit, or training departments.

The security practitioner may or may not have experience working with a CERT/CSIRT. They may also not have any knowledge of how to go about setting up a CERT/CSIRT for their organization if asked to do so. While there are many resources for the security practitioner to turn to if needed, the FIRST website offers several that should be of particular interest. The one that stands out is the CERT-in-a-box.zip download. It is from the NCSC-NL, the National Cyber Security Centre of the Netherlands. The project CERT-in-a-Box and Alerting Service-in-a-Box is an initiative of GOVCERT.NL/NCSC to preserve the lessons learned from setting up GOVCERT.NL and De Waarschuwingsdienst, the Dutch national alerting service.85

Tactical

Hardening systems against attack, including operating system, application, and antivirus updates, and properly backing up and protecting data is core to the tactical approach that the security practitioner should deploy against malcode. The rest of this section will focus on common mistakes that the security practitioner needs to be aware of in order to avoid making them in the field.

  • Never remotely log into a potentially infected computer with an account that has administrative rights. If the malware turns out to be a worm, it can very easily spread through the administrative account into the rest of the network.
  • The security practitioner always should strive to find the root cause of the problem that is being addressed. For example, if a computer has potentially been compromised by some form of malware, simply reimaging the computer to erase any signs of the malware and nullify its behavior will not allow the security practitioner to search for the root cause of the infection. Rather, this type of activity in the face of a potential infection can actually serve to further the aims of the hacker who may have planted the malware inside the infected system in the first place, as it destroys any possibility for the security practitioner to examine the malware and understand its structure, purpose, functionality, as well as its C&C infrastructure. The security practitioner needs to work hard on developing the skills necessary to allow them to thoroughly investigate a malware incident in order for them to be able to qualify the threat and properly mitigate the risk it poses.
  • Do not rely on antivirus solutions to solve all problems. Just because an updated signature now detects code that has infected a host on the network does not mean that the problems are over. Do not forget that other codes that remain undetected may exist on the computers. Use anti-rootkit tools, and take nothing for granted when the integrity of a system has been compromised.
  • After a malcode incident, the security practitioner should put special alerts in place within their monitoring infrastructure to watch for egress traffic related to known attack data points such as remote C&C IPs or domains.
  • When working with file-infecting viruses that also have worm components, recognize the great challenge that lies ahead. These types of infections within a network environment can be almost impossible to remove unless the security practitioner is highly organized and very diligent in looking at the MD5 values of all targeted files on a drive, such as all .exe and .scr file types. Without such diligence, legitimate files that are infected with malcode may go undiscovered, reinfecting cleaned boxes as a result.
  • Forget about manual disinfection after a malcode outbreak unless it is a short-term fix on a computer that cannot be taken offline immediately. If manual disinfection proves to be necessary, then careful monitoring of the affected computer needs to be put in place to ensure any remaining activity or payloads are captured and alerted on.
  • Realize that safe mode can be undermined by some malcode. If an infected computer is started in safe mode, it may still have a malcode running in memory hindering disinfection efforts! Also realize that some malcode now remove all former restore points on a Windows backup solution and then install a new restore point that includes the malcode! Using a clean image from a protected location is important in maintaining the integrity of a system. This works best when user files are not stored on hosts but on a network server, making machine wipes much easier. Additionally, realize that MBR kernel level threats exist (Mebroot with Torpig) and may require that the MBR of a disk be cleaned before attempting to install a clean image on a computer.
  • Just because there is a policy in place that may prevent the use of unauthorized wireless access points (WAPs) within the enterprise does not mean they do not exist on the network. Audit everything to know what is going on inside and in and out of a network at all times!
  • Design networks to maximize intelligence load balancing, bandwidth, and upstream host provider anti-DDoS capabilities or throttling and tarpitting techniques to help manage DDoS attacks against one or more network resources.
  • Configure routers within internal networks to explicitly limit ingress traffic to only allow IP addresses that are on a whitelist. Also, configure filtering to take place between network address translation (NAT) devices and the ISP to explicitly allow only authorized sources. Deny private, server, and un-routable traffic and direct broadcast packets as appropriate within the network topology.
  • Configure routers to block spoofed traffic from within a network.
  • Consider using a honeypot to trap bot traffic, analyze it, and ensure countermeasures and auditing are in place over the network to prevent similar attacks on legitimate network resources.
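The egress alerting recommended in the list above can be sketched as follows. This is an added example, not part of the original text: the watchlist, the five-field log format, and every address and domain in it are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watchlist: RFC 5737 documentation addresses and reserved example
# domains stand in for the C&C indicators recovered from a real incident.
CNC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]
CNC_DOMAINS = {"cnc.example.net", "update-check.example.org"}

# Constructed egress records: timestamp, internal source, record type, destination, port.
SAMPLE_LOG = """\
2015-03-02T09:14:07Z 10.1.4.23 conn 203.0.113.9 80
2015-03-02T09:14:09Z 10.1.4.23 dns irc.cnc.example.net 53
2015-03-02T09:15:41Z 10.1.7.88 conn 192.0.2.10 443
2015-03-02T09:16:02Z 10.1.7.88 dns notcnc.example.net. 53
2015-03-02T09:17:30Z 10.1.9.5 dns UPDATE-CHECK.example.org. 53
2015-03-02T09:18:00Z 10.1.9.5 conn 203.0.113.200 80
truncated-record 10.1.2.3
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str
    indicator: str
    reason: str


def domain_matches(name, watchlist=CNC_DOMAINS):
    """Return the watchlisted domain that `name` equals or is a subdomain of."""
    labels = name.rstrip(".").lower().split(".")
    # Compare whole labels only, so "notcnc.example.net" never matches
    # "cnc.example.net" the way a substring test would.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def ip_matches(addr, networks=CNC_NETWORKS):
    """Return the watchlisted network containing `addr`, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan(log_text):
    """Return (alerts, skipped_line_count) for a block of egress records."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] not in ("conn", "dns"):
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        ts, src, kind, dest, _port = fields
        hit = ip_matches(dest) if kind == "conn" else domain_matches(dest)
        if hit:
            alerts.append(Alert(ts, src, dest, f"{kind} to watchlisted {hit}"))
    return alerts, skipped


def hosts_to_investigate(alerts):
    """Group matched indicators by the internal host that generated them."""
    hosts = {}
    for alert in alerts:
        hosts.setdefault(alert.source, []).append(alert.indicator)
    return hosts


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for alert in found:
        print(alert.timestamp, alert.source, alert.reason)
    print("unparsed lines:", bad)
```

Reporting the count of unparsed lines matters here: a log format change that silently drops records looks identical to a quiet network.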

Finally, a complete package of training and technology is required to best mitigate malware. Humans are often the last link and the weakest link, but they can help significantly in mitigating malcode if they are taught to pay attention to the warning signs and are aware of suspicious behavior.

Implementing and Operating End-Point Device Security

When it comes to implementing and operating end-point device security, the SSCP will need to consider several things. Endpoint security implies that technologies such as host-based intrusion detection and firewalls may be used. The skills required to install, configure, and manage these technologies on a specified end-point will require a combination of vendor-specific and operating system-specific knowledge. The SSCP will need to become familiar with the required software interfaces as needed to ensure that these systems are set up and configured correctly. The use of additional technologies and protection measures such as whitelisting, endpoint encryption, and secure browsing are built on top of the host operating system and as a result will be implemented differently based on the version of host operating system being configured. The SSCP will need to take this into account as they seek to operate these systems and manage them securely.

Host-Based Intrusion Detection System

Host based intrusion detection systems, or HIDS, work by monitoring activity that is occurring internally on a host. HIDS look for unusual activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. They are installed in a particular host, or groups of hosts, and they monitor traffic coming to or from that host only. If there are attacks in any other part of the network, they will not be detected by the host based IDS. Apart from monitoring incoming and outgoing traffic, a host based IDS can also analyze the file system of a host, users’ logon activities, running processes, data integrity, etc.
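The file-change monitoring described above, and the MD5 review of .exe and .scr files recommended in the Tactical list, both reduce to comparing a current hash snapshot against a known-good baseline. The following is an added example, not part of the original text; the directory layout and file contents are constructed, and the algorithm name is a parameter so a stronger digest such as SHA-256 can be substituted.

```python
import hashlib
import os
import tempfile

TARGET_EXTENSIONS = (".exe", ".scr")   # the file types named in the text


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, extensions=TARGET_EXTENSIONS, algorithm="md5"):
    """Map each targeted file under `root` (relative path) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):      # case-insensitive match
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = file_digest(full, algorithm)
    return digests


def compare(baseline, current):
    """Classify differences between a known-good baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data, mode="wb"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Build a constructed directory, change it, and return (baseline, report)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for clean binaries and one non-targeted file.
        _write(root, "app.exe", b"MZ clean app")
        _write(root, "tools/util.exe", b"MZ clean util")
        _write(root, "saver.scr", b"MZ clean saver")
        _write(root, "notes.txt", b"meeting notes")
        baseline = snapshot(root)

        # Constructed changes of the kind a file infector leaves behind.
        _write(root, "tools/util.exe", b"APPENDED-BYTES", mode="ab")  # altered binary
        _write(root, "Photo.SCR", b"MZ unknown dropper")              # new file
        os.remove(os.path.join(root, "saver.scr"))                    # removed file
        _write(root, "notes.txt", b"edited notes")                    # ignored type

        return baseline, compare(baseline, snapshot(root))


if __name__ == "__main__":
    base, report = demo()
    print(len(base), "files in baseline")
    for category, paths in report.items():
        print(category, paths)
```

The baseline must be taken from a known-clean image and stored off the host, since a baseline captured after infection records the infected files as good.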

According to Internet-Computer-Security.com, there are several types of HIDS:

  1. Signature Based. “Signatures are created by vendors based on potential attacks and attacks that have taken place in the past. These signatures are downloaded by the intrusion detection software/system itself. Any packets arriving into the network are compared to the set of downloaded signatures comparing these for any attacks. Signature based systems are the most common type of IDS. The main issue with these systems is that they cannot detect new attacks because they only compare attacks to the signatures their system currently holds.
  2. Anomaly Based. In anomaly based, the system would first need to learn the NORMAL behavior, traffic, or protocol set of the network/host. When the system has learnt the normal state of a network and the types of packets and throughput it handles on a daily basis, taking into account peak times such as lunch time for web browsing, then it can be put into action. Now, when traffic is detected that is outside of the “normal state” profile created, the anomaly based detection system would take action. This type of system can detect new attacks as they are happening, unlike a signature based system. The downside to these systems is that the security practitioner has to spend time fine tuning the system and maintaining it in order to produce and update the protection profiles used to discern what the “normal behavior” patterns are. As a result, if this is not done correctly, then the system will usually produce many false positives, stopping normal traffic as a result.
  3. Rule Based. Rule based systems use a knowledge base programmed with rules paired with an inference engine to examine and assess all traffic flowing through the system. Based on assessment of traffic flows, against the rules in effect, the system makes a determination as to whether or not the traffic flow being measured is legitimate or not.”86

Host-Based Firewalls

A host-based firewall is made up of software that is installed and configured on an individual computer. The software acts to monitor the flow of traffic into and out of the host computer. The firewall software uses rulesets to examine all traffic passing through the host, allowing or denying traffic based on the rules and the action specified when a match is found. Traffic may also be examined based on a “whitelist” of either IP addresses or applications. If the traffic is coming from a machine whose IP address is on the whitelist, then that traffic would be allowed. If the traffic is coming from an application on the whitelist, then that traffic would also be allowed. If traffic of any kind, originating from any location, is not found to be “approved” when examined by the firewall, then it is typically discarded. The user may also be prompted by the firewall to allow or deny traffic based on activity being examined that is not covered by the list of rules already in place.

Application Whitelisting

According to the Systems and Network Analysis (SNAC) Center of the United States National Security Agency, “Application Whitelisting is a proactive security technique where only a limited set of approved programs are allowed to run while all other programs (including most malware) are blocked from running by default. In contrast, the standard policy enforced by most operating systems allows all users to download and run any program they choose. Application Whitelisting enables only the administrators, not the users, to decide which programs are allowed to run. Application Whitelisting is not a replacement for traditional security software, such as antivirus and host firewalls. It should be used as one layer in a defense-in-depth strategy.

For an application whitelisting solution to be effective:

  • All executable code must be blocked by default so only approved programs can run.
  • Users must not be allowed to modify the files that are allowed to run.”87

Endpoint Encryption

According to Symantec:

“When it comes to encrypting data, there are various encryption strategies. Endpoint encryption protects a disk in the event of theft or accidental loss by encrypting the entire disk including swap files, system files, and hibernation files. If an encrypted disk is lost, stolen, or placed into another computer, the encrypted state of the drive remains unchanged, ensuring only an authorized user can access its contents.”88

Endpoint encryption cannot, however, protect your data when you have logged into the system during startup and leave your computer unattended. In this case, your system has been unlocked, and unauthorized users can access your system just as an authorized user could. This is where file encryption comes in.

According to Symantec, “File encryption encrypts specific files so that when a user successfully authorizes to an operating system, the contents of the file still remain encrypted. File encryption requires user action, whereas drive encryption automatically encrypts everything you or the operating system creates.”89 File encryption can also be paired with an encryption policy server, which allows IT administrators to create and deliver encryption rules across an organization, including automatically encrypting files from various applications and folders.

Trusted Platform Module

The Trusted Computing Group is an international standards body that creates specifications used to define Trusted Platform Modules, and the APIs and protocols necessary to operate a trusted environment. According to the Trusted Computing Group:

“A TPM (trusted platform module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.”90
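How stored platform measurements support attestation can be shown with the extend operation a TPM applies to its Platform Configuration Registers (PCRs), where the new value is the hash of the old value concatenated with the measurement. This is an added example, not part of the original text or of any Trusted Computing Group code: it models a single SHA-256 PCR in software, uses constructed boot components, and leaves out the signed quote a real TPM produces over the PCR value.

```python
import hashlib

PCR_SIZE = 32  # one register in a SHA-256 bank, all zeros at reset


def measure(component_bytes):
    """A measurement is the digest of the code or data about to run."""
    return hashlib.sha256(component_bytes).digest()


def extend(pcr, measurement):
    """PCR extend: new = SHA-256(old || measurement). A PCR can never be set
    directly, so its value commits to every measurement and their order."""
    return hashlib.sha256(pcr + measurement).digest()


def boot(components):
    """Simulate measured boot: each stage is measured, logged, then extended.
    Returns (event_log, final_pcr)."""
    pcr, event_log = bytes(PCR_SIZE), []
    for name, blob in components:
        digest = measure(blob)
        event_log.append((name, digest))
        pcr = extend(pcr, digest)
    return event_log, pcr


def replay(event_log):
    """Recompute the PCR value that the event log claims to explain."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def verify(event_log, reported_pcr, reference):
    """Verifier side: the log must reproduce the PCR, and every logged
    measurement must equal the reference value for that component."""
    if replay(event_log) != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    for name, digest in event_log:
        if reference.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "all measurements match reference values"


# Constructed boot chain and the reference measurements derived from it.
GOOD_CHAIN = [
    ("firmware", b"firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"kernel image v1"),
]
REFERENCE = {name: measure(blob) for name, blob in GOOD_CHAIN}

# The same chain with a modified bootloader (constructed).
TAMPERED_CHAIN = [
    GOOD_CHAIN[0],
    ("bootloader", b"bootloader image v1 plus extra code"),
    GOOD_CHAIN[2],
]

if __name__ == "__main__":
    good_log, good_pcr = boot(GOOD_CHAIN)
    bad_log, bad_pcr = boot(TAMPERED_CHAIN)
    print(verify(good_log, good_pcr, REFERENCE))
    print(verify(bad_log, bad_pcr, REFERENCE))    # honest log, bad component
    print(verify(good_log, bad_pcr, REFERENCE))   # clean log presented for a bad PCR
```

The third case is the important one: presenting a clean event log does not help a modified platform, because the log no longer reproduces the register value.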

Mobile Device Management

Mobile device management (MDM) is the administrative area dealing with deploying, securing, monitoring, integrating, and managing mobile devices, such as smartphones, tablets, and laptops, in the workplace. The intent of MDM is to optimize the functionality and security of mobile devices within the enterprise while simultaneously protecting the corporate network.

Bring your own device, or BYOD, is where employees bring non-company IT into the organization and demand to be connected to everything—without proper accountability or oversight. According to Gartner, BYOD forces the organization and the security practitioner to wrestle with three key operational challenges:91

  • Governance and Compliance—BYOD could cause violation of rules, regulations, trust, intellectual property, and other critical business obligations.
  • Mobile Device Management—The security practitioner needs to manage growing workforce expectations around mobility. Employees use many devices, and they expect to use any device or application anytime, anywhere.
  • Security—If left unmanaged, BYOD can lead to loss of control, impact network availability, and cause data loss. Security practitioners need the right network access strategies and policies in place to secure the organization’s computing environment.

The security practitioner should consider the following items when crafting the BYOD policy and procedures for the organization:

  • How to specify what devices are permitted for use, and under what circumstances
  • What will the security and service/support policies for allowed devices be, and how will they be enforced
  • How to differentiate who owns what applications and data, as well as what apps will or will not be allowed to be used
  • How to address acceptable usage
  • How to “offboard” users that have company data on their devices

According to Scott Kraege of MOBI Wireless Management, COPE (corporate owned, personally enabled) gives both employers and employees the freedom of BYOD while also offering a slew of benefits to each party:

“The “corporate owned” portion of the COPE policy helps companies keep their networks and information secure, which has become one of the biggest backlashes of the traditional BYOD program in the workplace. “CO” means that the company still owns the line of service and selects its preferred device and usage cost thresholds for employees to consider. This kind of ownership grants the company the right to wipe or disconnect devices on the corporate network, and ultimately offers the company pre-established security just like the pre-BYOD days. Studies show that up to 77 percent of BYOD employees dislike the use of MDM on their device; the “personally enabled,” or “PE,” aspect of COPE changes that as it allows employees to choose the company approved device they prefer while also enabling them to use it both personally and professionally. Employees are allowed to choose the company-approved device they prefer from the predetermined list, which enables them to utilize their device for both personal and professional use—a common perk of BYOD.”92

Secure Browsing

An up-to-date browser guards you from phishing and malware attacks when you are browsing the web. It does so by limiting three types of security risk when you are online:

  1. Risk 1: How Often You Come into Contact with an Attacker. You can be exposed to attackers through a malicious fake website, or even through a familiar website that has been hacked. Most modern browsers pre-check each webpage you visit and alert you if one is suspected of being malicious. This lets you make an informed judgment about whether you really want to visit that page. For example, Google Chrome uses Safe Browsing technology, which is also used in several other modern browsers. As you browse the web, each page is checked quickly against a list of suspected phishing and malware websites. This list is stored and maintained locally on your computer to help protect your browsing privacy. If a match against the local list is found, the browser then sends a request to Google for more information. (This request is completely obscured, and the browser does not send it in plaintext.) If Google verifies the match, Chrome shows a red warning page to alert you that the page you are trying to visit may be dangerous.
  2. Risk 2: How Vulnerable Your Browser Is if It’s Attacked. Old browsers that have not been upgraded are likely to have security vulnerabilities that attackers can exploit. All outdated software, irrespective of whether it’s your operating system, browser, or plug-ins, has the same problem. That’s why it’s important to use the very latest version of your browser and promptly install security patches on your operating system and all plug-ins, so that they’re always up-to-date with the latest security fixes.
  3. Risk 3: How Much Damage Is Done if an Attacker Finds Vulnerabilities in Your Browser. Some modern browsers like Chrome and Internet Explorer are built with an added layer of protection known as a sandbox. A browser sandbox builds a contained environment to keep malware and other security threats from infecting your computer. If you open a malicious webpage, the browser’s sandbox prevents that malicious code from leaving the browser and installing itself to your hard drive. The malicious code therefore cannot read, alter, or further damage the data on your computer.
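The local-list check described under Risk 1 can be modeled with hash prefixes: the browser keeps only short prefixes of hashed URL patterns, and contacts the service with a prefix only when one matches. This is an added example, not part of the original text and not Google's code; the URL pattern generation is simplified, the lookup service is a local stand-in function, and all hostnames are constructed.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local list


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


def expressions(url):
    """Host-suffix / path-prefix combinations for a URL (simplified: no
    canonicalization, no special handling of IP-address hosts)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    directories = [prefix]
    for segment in path.split("/")[1:-1]:
        prefix += segment + "/"
        directories.append(prefix)
    paths += [d for d in directories if d not in paths]
    return [h + p for h in hosts for p in paths]


def check_url(url, local_prefixes, lookup_full_hashes):
    """Return (verdict, prefixes_sent). With no local match nothing is sent."""
    candidates = {full_hash(e) for e in expressions(url)}
    hits = sorted({h[:PREFIX_LEN] for h in candidates} & set(local_prefixes))
    if not hits:
        return "allow", []
    # Only the short prefixes leave the machine, never the URL itself.
    confirmed = lookup_full_hashes(hits)
    if candidates & confirmed:
        return "warn", hits
    return "allow", hits    # prefix matched, but the service did not confirm it


def make_lookup(blocklisted_expressions, requests_seen):
    """Stand-in for the remote service: returns the full hashes that start
    with any requested prefix and records each request it receives."""
    known = {full_hash(e) for e in blocklisted_expressions}

    def lookup(prefixes):
        requests_seen.append(list(prefixes))
        return {h for h in known if h[:PREFIX_LEN] in prefixes}

    return lookup


# Constructed service-side blocklist and the local prefix list derived from it.
BLOCKLIST = ["malware.example.test/", "shop.example.test/login/"]
# One extra local prefix the service does not confirm, standing in for a
# stale entry or a prefix collision.
STALE_PREFIX = full_hash("news.example.test/")[:PREFIX_LEN]
LOCAL_PREFIXES = {full_hash(e)[:PREFIX_LEN] for e in BLOCKLIST} | {STALE_PREFIX}

if __name__ == "__main__":
    seen = []
    lookup = make_lookup(BLOCKLIST, seen)
    for target in ("http://cdn.malware.example.test/a/b.js?v=2",
                   "https://shop.example.test/catalog",
                   "http://news.example.test/"):
        print(target, check_url(target, LOCAL_PREFIXES, lookup)[0])
    print("requests sent to the service:", len(seen))
```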

Operating and Configuring Cloud Security

Cloud computing environments are complex systems. They are made up of hardware and software, and they use technologies such as virtualization and DLP to provide operating environments and confidentiality protection for data. Cloud systems are deployed using deployment models such as public, private, and hybrid and are consumed using service models such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The protection of data integrity, confidentiality, and availability hinges on the understanding of data as it moves, is used, and is stored across the cloud. The ability to clearly identify what is considered to be part of the data that makes up personally identifiable information (PII), secure that data, and ensure it is managed appropriately, in accordance with the prevailing laws poses a unique set of challenges for the SSCP. The following sections will discuss these issues and concerns.

The Five Essential Characteristics of Clouds

Although clouds are widespread and diverse, they generally share five essential characteristics:

  1. On-Demand Self-Service. On-demand self-service is the provisioning of cloud resources on demand (i.e., whenever and wherever they are required). From a security perspective, this has introduced challenges to governing the use and provisioning of cloud based services, which may violate organizational policies.
  2. Broad Network Access. Cloud, by its nature, is an “always on” and “always accessible” offering for users to have widespread access to resources, data, and other assets. Access what you want, when you need it, from any location. In theory, all you should require is Internet access and relevant credentials and tokens, which will give you access to the resources.
  3. Resource Pooling. Resource pooling lies at the heart of all that is good with cloud computing. More often than not, traditional, non-cloud systems may see utilization rates for their resources of 80–90% for a few hours a week, and reside at an average of 10–20% for the remainder. What cloud looks to do is to group (pool) resources for use across the user landscape or multiple clients, which can then scale and adjust to the user or client’s needs, based on their workload or resource requirements. Cloud providers typically have large numbers of resources available, from hundreds to thousands of servers, network devices, applications, etc., which can accommodate large volumes of customers and can prioritize and facilitate appropriate resourcing for each client.
  4. Rapid Elasticity. Rapid elasticity allows the user to obtain additional resources, storage, compute power, etc. as their need or workload requires. This is often transparent to the user, with more resources added as necessary in a seamless manner. Think of a provider selling 100,000 tickets for a major sporting event or concert. Leading up to the ticket release date, little to no compute resources are needed; however, once the tickets go on sale, they may need to accommodate 100,000 users in the space of 30–40 minutes. This is where rapid elasticity and cloud computing could really be beneficial, compared to traditional IT deployments, which would have to invest heavily upfront, using capital expenditures (CapEx) to have the ability to support such demand.
  5. Measured Service. Cloud computing offers a unique and important component that traditional IT deployments have struggled to provide: resource usage that can be measured, controlled, reported, and alerted upon, which results in multiple benefits and overall transparency between the provider and client. Essentially, you pay for what you use and have the ability to get an itemized bill or breakdown of usage.

Deployment Models

According to NIST:

“Cloud computing allows computer users to conveniently rent access to fully featured applications, to software development and deployment environments, and to computing infrastructure assets such as network-accessible data storage and processing.”93

A cloud computing system may be deployed privately or hosted on the premises of a cloud customer, may be shared among a limited number of trusted partners, may be hosted by a third party, or may be a publicly accessible service, i.e., a public cloud. Depending on the kind of cloud deployment, the cloud may have limited private computing resources, or it may have access to large quantities of remotely accessed resources. The different deployment models present a number of tradeoffs in how customers can control their resources, and the scale, cost, and availability of resources.

Public

According to NIST:

“The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.”94

Key drivers or benefits of public cloud typically include:

  • Easy and inexpensive setup because hardware, application, and bandwidth costs are covered by the provider.
  • Streamlined and easy use of provisioning resources.
  • Scalability to meet customer needs.
  • No wasted resources—pay as you consume.

Given the increasing demands for public cloud services, many providers are now offering and re-modelling their services as public cloud offerings. Providers in the public cloud space include Amazon, Microsoft, Salesforce, and Google among others.

Private

According to NIST:

“The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”95

A private cloud is typically managed by the organization it serves; however, outsourcing the general management of this to trusted third parties may also be an option. A private cloud is typically only available to the entity or organization, its employees, contractors, and selected third parties.

The private cloud is also sometimes referred to as the internal or organizational cloud.

Key drivers or benefits of private cloud typically include:

  • Increased control over data, underlying systems, and applications.
  • Ownership and retention of governance controls.
  • Assurance over data location, removal of multiple jurisdiction legal and compliance requirements.

Hybrid

According to NIST:

“The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”96

Hybrid cloud computing is gaining in popularity because it provides organizations with the ability to retain control of their IT environments, coupled with the convenience of allowing organizations to use public cloud service to fulfil non-mission-critical workloads and taking advantage of flexibility, scalability, and cost savings.

Key drivers or benefits of hybrid cloud deployments include:

  • Retain ownership and oversight of critical tasks and processes related to technology.
  • Re-use previous investments in technology within the organization.
  • Control over most critical business components and systems.
  • Cost effective means to fulfilling non-critical business functions (utilizing public cloud components).
  • “Cloud bursting” and disaster recovery can be enhanced by hybrid cloud deployments. “Cloud bursting” allows for public cloud resources to be utilized when a private cloud workload has reached maximum capacity.

Community

According to NIST:

“The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.”97

Community clouds can be on premise or off-site, and should give the benefits of a public cloud deployment while providing heightened levels of privacy, security, and regulatory compliance.

Service Models

A cloud can provide access to software applications such as email or office productivity tools (the SaaS service model), or can provide an environment for customers to use to build and operate their own software (the PaaS service model), or can provide network access to traditional computing resources such as processing power and storage (the IaaS service model). The different service models have different strengths and are suitable for different customers and business objectives. Generally, interoperability and portability of customer workloads is more achievable in the IaaS service model because the building blocks of IaaS offerings are relatively well-defined, e.g., network protocols, CPU instruction sets, and legacy device interfaces.

SaaS

According to the NIST Definition of Cloud Computing, in SaaS,

“The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”98

Within SaaS, two delivery models are currently used:

  • Hosted Application Management (hosted AM)—A provider hosts commercially available software for customers and delivers it over the web (Internet).
  • Software on Demand—The cloud provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution (typically within the same network segment).

Software as a service has a number of key benefits for organizations, which include but are not limited to:

  • Ease of use and limited/minimal administration.
  • Automatic updates and patch management: The user will always be running the latest version and most up to date deployment of the software release as well as any relevant security updates (no manual patching required).
  • Standardization and compatibility: All users will have the same version of the software release.
  • Global accessibility.

Providers in the SaaS space include Microsoft, Google, Salesforce.com, Oracle, and SAP among others.

PaaS

According to the NIST Definition of Cloud Computing, in PaaS,

“the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”99

PaaS and the cloud platform components have revolutionized the manner in which software has been developed and delivered to customers and users over the past few years. Lower barriers to entry in terms of costs, resources, capabilities, and ease of use have dramatically reduced “time to market”—promoting and harvesting the innovative culture within many organizations.

PaaS has a number of key benefits for developers, which include but are not limited to:

  • Operating system can be changed and upgraded frequently, including associated features and system services.
  • Where development teams are scattered globally, the ability to work together on software development projects within the same environment can be extremely beneficial.
  • Services are available and can be obtained from diverse sources that cross international boundaries.
  • Upfront and recurring or ongoing costs can be significantly reduced by utilizing a single vendor rather than maintaining multiple hardware facilities and environments.

Providers in the PaaS space include Microsoft, OpenStack, and Google among others.

IaaS

According to the NIST Definition of Cloud Computing, in IaaS,

“the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”100

Infrastructure as a service has a number of key benefits for organizations, which include but are not limited to:

  • Usage is metered and priced on the basis of units (or instances) consumed. This can also be billed back to specific departments or functions.
  • Ability to scale infrastructure services up and down based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within the usage curve for infrastructure.
  • Reduced cost of ownership—no need to buy any assets for everyday use, no loss of asset value over time, and reduction of other related costs of maintenance and support.
  • Reduced energy and cooling costs, along with “Green IT” environment effect with optimum use of IT resources and systems.

Providers in the IaaS space include Amazon, AT&T, Rackspace, Verizon/Terremark, HP, and OpenStack among others.

Virtualization

Virtualization is the foundation for an agile, scalable cloud—and the first practical step—for building cloud infrastructure. Virtualization abstracts and isolates the underlying hardware as virtual machines (VMs) in their own runtime environment and with multiple VMs for computing, storage, and networking resources in a single hosting environment. These virtualized resources are critical for managing data, moving it into and out of the cloud, and running applications with high utilization and high availability.

Virtualization is managed by a host server running a hypervisor—software, firmware, or hardware that creates and runs VMs. The VMs are referred to as guest machines. The hypervisor serves as a virtual operating platform that executes the guest operating system for an application. Host servers are designed to run multiple VMs sharing multiple instances of guest operating systems.

Virtualization also provides several key capabilities for cloud computing, including resource sharing, VM isolation, and load balancing. In a cloud environment, these capabilities enable scalability, high utilization of pooled resources, rapid provisioning, workload isolation, and increased uptime.

A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware, or hardware that creates and runs virtual machines. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources.

In their 1974 article “Formal Requirements for Virtualizable Third Generation Architectures”, Gerald J. Popek and Robert P. Goldberg classified two types of hypervisor:101

Type-1: Native or Bare-Metal Hypervisors

These hypervisors run directly on the host’s hardware to control the hardware and to manage guest operating systems. For this reason, they are sometimes called bare metal hypervisors. A guest operating system runs as a process on the host. Examples include Citrix XenServer, VMware ESX/ESXi, and Microsoft Hyper-V 2008/2012.

Type-2: Hosted Hypervisors

These hypervisors run on a conventional operating system just as other computer programs do. Type-2 hypervisors abstract guest operating systems from the host operating system. VMware Workstation and VirtualBox are examples of type-2 hypervisors.

There are several different types of virtualization that the security practitioner needs to be familiar with:

  1. Server Virtualization: Using server virtualization, multiple operating systems can run on a single physical server as virtual machines, each with access to the underlying server’s computing resources.
  2. Network Virtualization: Network virtualization is the complete reproduction of a physical network in software. Virtual networks offer the same features and guarantees of a physical network, yet they deliver the operational benefits and hardware independence of virtualization—rapid provisioning, non-disruptive deployment, automated maintenance, and support for both legacy and new applications. Network virtualization presents logical networking devices and services—logical ports, switches, routers, firewalls, load balancers, VPNs, and more—to connected workloads. Applications run on the virtual network exactly the same as if on a physical network.
  3. Desktop Virtualization: Deploying desktops as a managed service gives you the opportunity to reduce costs and increase service by quickly delivering the desktop environment needed by the user to any endpoint in the organization.
  4. Application Virtualization: Deploying applications as a managed service gives you the opportunity to reduce costs and increase service by quickly delivering the required application(s) necessary to drive productivity and collaboration to any endpoint in the organization.
  5. Storage Virtualization: Storage virtualization abstracts the disks and flash drives inside your servers, combines them into high-performance storage pools, and delivers these as software. Storage virtualization technology provides a fundamentally better way to manage storage resources, giving the organization the ability to:
     • Significantly improve storage resource utilization and flexibility.
     • Simplify OS patching and driver requirements, regardless of storage topology.
     • Increase application uptime and simplify day-to-day operations.

Legal and Privacy Concerns

Privacy and data protection (P&DP) matters are often cited as a concern for cloud computing scenarios. The P&DP regulations affect not just those whose personal data is processed in the cloud (the data subjects) but also those (the CS customers) using cloud computing to process others’ personal data, and indeed those providing cloud services used to process that data (the service providers).

Key questions that the security practitioner needs to understand are:

  • What information in the cloud is regulated under data protection laws?
  • Who is responsible for personal data in the cloud?
  • Whose laws apply in a dispute?
  • Where is personal data processed?

Following is an overview of some of the ways in which different countries and regions around the world are addressing the varied legal and regulatory issues they face.

The United States has many sector specific privacy and data security laws, both at the federal and state levels. There is no official national privacy data protection authority; however, the FTC (Federal Trade Commission) has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g., for telemarketing, spamming, children’s privacy, etc.).102 In addition to the FTC, a wide range of sector specific regulators, particularly those in the healthcare and financial services sectors, have authority to issue and enforce privacy regulations as well.

Generally, the processing of personal data is subject to opt out103 consent from the Data Subject, while the opt in104 rule applies in special cases such as the processing of sensitive/health data. However, it is interesting to note that currently no specific geographic personal data transfer restrictions apply.

With regards to the accessibility of data stored within cloud services, it is important to underline that the 4th Amendment to the U.S. Constitution applies: It protects people from unreasonable searches and seizures by the government.105 The Fourth Amendment, however, is not a guarantee against all searches and seizures but only those that are deemed unreasonable under the law. Whether a particular type of search is considered reasonable in the eyes of the law is determined by balancing two important interests. On one side is the intrusion on an individual’s Fourth Amendment rights, and on the other side are legitimate government interests, such as public safety.

In 2012 the Obama Administration unveiled a “Consumer Privacy Bill of Rights,” as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.106

The data protection and privacy laws in the EU member states are constrained by the EU Directives, Regulations and Decisions enacted by the European Union.

The main piece of legislation is the EU directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.107 These provisions apply in all the business/social sectors; thus they cover the processing of personal data in cloud computing services. Furthermore the EU enacted a privacy directive (e-privacy directive) 2002/58/EC “concerning the processing of personal data and the protection of privacy in the electronic communications sector”.108 This directive contains provisions concerning data breaches and the use of cookies.

On March 12, 2014, the European Parliament formally adopted the text of the proposed EU General Data Protection Regulation, which is to replace the current EU privacy directive 95/46/EC, and of a new specific directive for privacy in the Police and Criminal Justice sector.109

The next steps for both the Regulation and the Directive are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament, and Council to begin. Entry into force is not expected before 2017.

Latin American, North African, and medium-sized Asian countries have privacy and data protection legislation largely influenced by the EU privacy laws.

APEC, the Asia-Pacific Economic Cooperation council, is becoming an essential point of reference for the data protection and privacy regulations of the region.

The APEC Ministers have endorsed the APEC Privacy Framework, recognizing the importance of the development of effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the APEC region. The APEC Privacy Framework promotes a flexible approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows.110

Understanding Differences Between Jurisdiction and Applicable Law

For P&DP, it is particularly important to distinguish between the concepts of the following:

  • Applicable Law—Determines the legal regime applicable to a certain matter
  • Jurisdiction—Usually determines the ability of a national court to decide a case or enforce a judgment or order

The applicable law and the jurisdiction in relation to any given issue may not always be the same. This can be particularly true in the cloud services environment, due to the complex nature of cloud hosting models and the ability to geo-locate data across multiple jurisdictions.

Essential Requirements in P&DP Laws

The ultimate goal of P&DP laws is to provide safeguards to individuals (data subjects) for the processing of their personal data, with respect for their privacy and will. This is achieved by defining principles and rules to be fulfilled by the operators involved in the data processing. These operators can process the data by playing the role of data controller or data processor.

Figure 7-53: Typical meaning for common privacy terms

The Privacy Roles for Customer and Service Provider

The customer determines the ultimate purpose of the processing and decides on the outsourcing or the delegation of all or part of the concerned activities to external organizations. Therefore, the customer acts as a controller. In this role, they are responsible and subject to all the legal duties that are addressed in the P&DP laws applicable to the controller’s role. The customer may task the service provider with choosing the methods and the technical or organizational measures to be used to achieve the purposes of the controller.

When the service provider supplies the means and the platform, acting on behalf of the customer, then he is considered to be a data processor.

As a matter of fact, there may be situations in which a service provider may be considered either as a joint controller or as a controller in his own right depending on concrete circumstances. However, even in complex data processing environments, where different controllers play a role in processing personal data, compliance with data protection rules and responsibilities for possible breaches must be clearly allocated, in order to avoid that the protection of personal data is reduced to a negative conflict of competence.

In the current cloud computing scenario, customers may not have room to maneuver when negotiating the contractual terms of use of the cloud services since standardized offers are a feature of many cloud computing services. Nevertheless, it is ultimately the customer who decides on the allocation of part or the totality of processing operations to cloud services for specific purposes.

The imbalance in the contractual power of a small controller/customer with respect to large Service Providers should not be considered as a justification for the controller to accept clauses and terms of contracts that are not in compliance with P&DP applicable to him.

In a cloud services environment, it is not always easy to properly identify and assign the roles of controller and processor between the customer and the service provider. However, this is a central factor of P&DP, since all liabilities are assigned to the controller role and its country of establishment mainly determines the applicable P&DP law and jurisdiction.

Figure 7-54 shows who is responsible depending on the types of cloud services involved. The following list explores how this applies to customers and service providers in more detail.

  • SaaS—The customer determines/collects the data to be processed with a cloud service (CS), while the service provider essentially takes the decisions of how to carry out the processing and implement specific security controls. It is not always possible to negotiate the terms of the service between the customer and the service provider.
  • PaaS—The customer has a greater ability to determine the instruments of processing, although the terms of the services are not usually negotiable.
  • IaaS—The customer has a high level of control on data, processing functionalities, tools, and related operational management, thus achieving a very high level of responsibility in determining purposes and means of processing.

Figure 7-54: Responsibility depending on the type of cloud services

Therefore, although the main rule for identifying a controller is to search for who determines the purpose and scope of a processing, in the SaaS and PaaS types, the service provider could also be considered a controller/joint controller with the customer. The proper identification of controller and processor roles is essential for clarifying the P&DP liabilities of customer and service provider, as well as the applicable law.

A guide that may be helpful for properly identifying controller and processor roles in a cloud services environment in terms of SaaS, PaaS, and IaaS is the NIST document SP 800-145, “The NIST Definition of Cloud Computing.”111

Data Discovery

The implementation of data discovery solutions provides an operative foundation for the effective application and governance of any of the P&DP fulfillments. Data discovery is focused on the use of tools to discover patterns and trends in large data sets. According to Gartner’s IT Glossary, search-based data discovery tools enable users to develop and refine views and analyses of structured and unstructured data using search terms.112 Data discovery is commonly linked to the concept of big data as well, because it focuses on the three “Vs” that are typically used to describe big data solutions: volume, velocity, and variety. Using data discovery tools, large data sets that are either structured or unstructured from multiple sources can be analyzed quickly, providing the user insights into the data that may otherwise remain hidden.

From the Customer Perspective

The customer, in the role of data controller, has full responsibility for compliance with the obligations of the P&DP laws. Implementing data discovery solutions together with data classification techniques therefore gives the customer a sound basis for specifying operationally to the service provider the requirements to be fulfilled, for performing effective periodic audits according to the applicable P&DP laws, and for demonstrating due accountability to the competent privacy authorities according to the applicable P&DP laws.

From the Service Provider Perspective

The service provider, in the role of data processor, needs to implement, and be able to demonstrate in a clear and objective way that it has implemented, the rules and security measures to be applied when processing personal data on behalf of the controller. Data discovery solutions together with data classification techniques are therefore an effective enabler of the provider’s ability to comply with the controller’s P&DP instructions.

Implementation of data discovery together with data classification techniques represents the foundation of data leakage/loss prevention (DLP) and of data protection (DP), applied to personal data processing in order to operate in compliance with the P&DP laws.

Classification of Discovered Sensitive Data

Classification of data for the purpose of compliance with the applicable P&DP laws plays an essential role for the operative control of those elements that are the feeds of the P&DP fulfillments. This means that not only the “nature” of the data should be traced with classification but also its relation with the “P&DP law context” in which the data itself shall be processed.

Data classification can be accomplished in different ways, ranging from “tagging” the data by using other external information, to extrapolating the classification from the content of the data. The latter one, however, may raise some concerns because, according to the laws of some jurisdictions, this can result in prohibited monitoring actions on the content belonging to data subjects (for example: the laws that restrict or do not allow access to the content of email in employer-employee relationships).

The use of classification methods will be properly regulated in the cloud service agreements between the customer and the service provider, in order to achieve efficacy in classification within the limits set out by the laws governing access to the data content.

Mapping and Definition of Controls

All the P&DP requirements are important in a cloud service context; however, it is appropriate for the security practitioner to bear in mind the key privacy cloud service factors, depicted in Figure 7-55.

Figure 7-55: Key privacy cloud service factors

Source: Cloud Security Alliance

These Key Privacy Cloud Service Factors stem from the “Opinion 5/2012 on Cloud Computing” adopted by the WP 29; this working party was set up under Article 29 of Directive 95/46/EC and it is an independent European advisory body on data protection and privacy, essentially formed by the representatives of all the EU Data Protection Authorities.113

These factors show that the primary need is to properly clarify in terms of contractual obligations the privacy and data protection requirements among the customer and cloud service provider.

In this context, the Cloud Security Alliance has defined baselines for compliance with data protection legislation and best practices with the realization of a standard format named the privacy level agreement (PLA). By means of the PLA, the service provider declares the level of personal data protection and security that it sustains for the relevant data processing.

The PLA, as defined by the Cloud Security Alliance:

  • Provides a clear and effective way to communicate the level of personal data protection provided by a service provider.
  • Works as a tool to assess the level of a service provider’s compliance with data protection legislative requirements and best practices.
  • Provides a way to offer contractual protection against possible financial damages due to lack of compliance.

All the information concerning the various PLAs is documented by the Cloud Security Alliance on its website.114

Application of Defined Controls for Personally Identifiable Information (PII)

Since the application of data protection measures has the ultimate goal to fulfill the P&DP laws applicable to the Controller, any constraints arising from specific arrangements of a cloud service operation shall be made clear by the service provider, in order to avoid any consequences for unlawful personal data processing. For example, with regards to servers located across several countries, it would be difficult to ensure the proper application of measures such as encryption for sensitive data on all systems.

In this context the above mentioned PLAs play an essential role. Furthermore, the service providers could benefit from making explicit reference to standardized frameworks of security controls expressly defined for cloud services.

In this sense the Cloud Security Alliance Cloud Controls Matrix (CCM) (https://cloudsecurityalliance.org/research/ccm/) is an essential and up-to-date security controls framework addressed to the cloud community and stakeholders. A fundamental richness of the CCM is its ability to provide mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002 and ISACA’s COBIT and PCI-DSS.

The CCM can be seen as an inventory of cloud service security controls, arranged in the following separate security domains:

  • Application and interface security
  • Audit assurance and compliance
  • Business continuity management and operational resilience
  • Change control and configuration management
  • Data security and information lifecycle management
  • Datacenter security
  • Encryption and key management
  • Governance and risk management
  • Human resources
  • Identity and access management
  • Infrastructure and virtualization security
  • Interoperability and portability
  • Mobile security
  • Security incident management, e-discovery and cloud
  • Supply chain management, transparency and accountability
  • Threat and vulnerability management

Although all the CCM security controls can be considered as applicable in a specific CS context, from the privacy and data protection perspective, some of them have greater relevance to the P&DP fulfillments.

Therefore, the selection and implementation of controls for a specific cloud service involving processing of personal data shall be performed within the context of an information security managed system:

  • This requires at least the identification of law requirements, risk analysis, design and implementation of security policies, and related assessment and reviews.
  • The cloud service provider needs to consider the typical set of data protection and privacy measures required by the P&DP laws.

Data Storage and Transmission

At the core of all cloud services, products, and solutions are software tools with three underlying pillars of functionality—tools for processing data and running applications (compute servers), moving data (networking), and preserving or storing data (storage).

Cloud storage is basically defined as data storage that is made available as a service via a network. Products and solutions are the most common cloud storage service building blocks of physical storage systems. Private cloud and public services from SaaS to PaaS and IaaS leverage tiered storage including solid state drives (SSDs) and hard disc drives (HDDs). Similar to traditional enterprise storage environments, cloud services and solution providers exploit a mix of different storage technology tiers that meet different service level objective (SLO) and service level agreement (SLA) requirements. For example, using fast SSDs for dense I/O consolidation—supporting database journals and indices, metadata for fast lookup and other transactional data—enables more work to be performed with less energy in a denser and more cost-effective footprint.

Using a mixture of ultra-fast SSDs along with high-capacity HDDs provides a balance of performance and capacity to meet other service requirements with different service cost options. With cloud services, instead of specifying what type of physical drive to buy, cloud providers cater for that by providing various availability, cost, capacity, functionality, and performance options to meet different SLA and SLO requirements.

Infrastructure as a Service (IaaS)

Cloud infrastructure services, known as infrastructure as a service (IaaS), are self-service models for accessing, monitoring, and managing remote data center infrastructures, such as compute (virtualized or bare metal), storage, networking, and networking services (e.g., firewalls). Instead of having to purchase hardware outright, users can purchase IaaS based on consumption. Compared to SaaS and PaaS, IaaS users are responsible for managing applications, data, runtime, middleware, and OSes. Providers still manage virtualization, servers, hard drives, storage, and networking. Figure 7-56 shows the differences between Object and Volume storage types.

IaaS uses the following storage types:

  • Volume storage—A virtual hard drive that can be attached to a virtual machine instance and be used to host data within a file system. Volumes attached to IaaS instances behave just like a physical drive or an array does. Examples include VMware VMFS, Amazon EBS, RackSpace RAID and OpenStack Cinder.
  • Object storage—Object storage is like a file share accessed via APIs or a web interface. Examples include Amazon S3 and RackSpace cloud files.

Figure 7-56: Differences between object and volume storage types

Platform as a Service (PaaS)

What developers gain with PaaS is a framework they can build upon to develop or customize applications. PaaS makes the development, testing, and deployment of applications quick, simple, and cost-effective. With this technology, enterprise operations, or a third-party provider, can manage OSes, virtualization, servers, storage, networking, and the PaaS software itself. Developers, however, manage the applications.

PaaS utilizes the following data storage types:

  • Structured—Structured data refers to information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple, straightforward search engine algorithms or other search operations.
  • Unstructured—Usually refers to information that does not reside in a traditional row-column database. Unstructured data files often include text and multimedia content. Examples include e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages and many other kinds of business documents. Note that while these sorts of files may have an internal structure, they are still considered “unstructured” because the data they contain does not fit neatly in a database.

Software as a Service (SaaS)

Cloud application services, or software as a service (SaaS), uses the web to deliver applications that are managed by a third-party vendor and whose interface is accessed on the clients’ side. Many SaaS applications can be run directly from a web browser without any downloads or installations required, although some require small plugins. With SaaS, it is easy for enterprises to streamline their maintenance and support because everything can be managed by vendors: applications, runtime, data, middleware, OSes, virtualization, servers, storage, and networking. Popular SaaS offering types include email and collaboration, customer relationship management, and healthcare-related applications.

SaaS utilizes the following data storage types:

  • Information Storage and Management—Data is entered into the system via the web interface and stored within the SaaS application (usually a back end database). This data storage utilizes databases, which in turn are installed on object or volume storage.
  • Content/File Storage—File-based content is stored within the SaaS application (e.g., reports, image files, documents) and made accessible via the web-based user interface. This store also utilizes object and volume storage.

Other types of storage that may be utilized include:

  • Ephemeral storage—This type of storage is relevant for IaaS instances, and it exists only as long as its instance is up. It will typically be used for swap files and other temporary storage needs, and will be terminated with its instance.
  • Content Delivery Network (CDN)—Content is stored in object storage, which is then distributed to multiple geographically distributed nodes to improve Internet consumption speed.
  • Raw storage—Raw device mapping (RDM) is an option in the VMware server virtualization environment that enables a storage logical unit number (LUN) to be directly connected to a VM from the storage area network (SAN). In Microsoft’s Hyper-V platform, this is accomplished using pass-through disks.115
  • Long term storage—Some vendors offer a cloud storage service tailored to the needs of data archiving. These include features such as search, guaranteed immutability, and data lifecycle management. The HP Autonomy Digital Safe archiving service uses an on-premises appliance that connects to customers’ data stores via APIs and allows search. Digital Safe provides read-only, WORM, legal hold, e-discovery, and all the features associated with enterprise archiving. Its appliance carries out data deduplication prior to transmission to the data repository.116

Data Dispersion in Cloud Storage117

Data dispersion techniques are used to provide high availability, assurance, and performance when writing data into cloud based storage systems. By fragmenting the data and writing each bit into different physical storage containers, greater information assurance can be achieved by the data owner. The underlying architecture of this technology involves the use of erasure coding, which takes a data object (think of a file with self-describing metadata) and chunks it into segments. Each segment is encrypted and cut into 16 slices and dispersed across an organization’s network to reside on different hard drives and servers. If the organization has access to only 10 of the slices—because of disk failures, for instance—the original data can still be put back together. If the data is generally static with very few rewrites, such as media files and archive logs, creating and distributing the data is a one-time cost. If the data is very dynamic, the erasure codes have to be re-created and the resulting data blocks redistributed.
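The 10-of-16 recovery property described above can be seen in a small Reed-Solomon style erasure code; this is an added example, not code from the book or from any storage product. The field GF(2^8), the Lagrange-interpolation construction, the 4-byte length prefix, and the function names `disperse` and `rebuild` are assumptions made for illustration, and the encryption step is omitted: the input is treated as an already-encrypted segment.

```python
K, N = 10, 16      # figures from the text: 16 slices, any 10 rebuild the segment
PRIM = 0x11D       # assumption: GF(2^8) built on x^8 + x^4 + x^3 + x^2 + 1

# Log/antilog tables for GF(2^8) multiplication (generator element 2).
EXP, LOG = [0] * 510, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0x100:
        _v ^= PRIM
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    """Multiply two field elements."""
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_div(a, b):
    """Divide a by a non-zero field element b."""
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


def lagrange_weights(xs, target):
    """Weights w_j with p(target) = XOR_j w_j * p(xs[j]) for deg(p) < len(xs)."""
    weights = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = gf_mul(num, target ^ xm)   # subtraction is XOR here
                den = gf_mul(den, xj ^ xm)
        weights.append(gf_div(num, den))
    return weights


def combine(weights, columns):
    """Apply one weight per column, byte position by byte position."""
    out = bytearray(len(columns[0]))
    for w, col in zip(weights, columns):
        for pos, byte in enumerate(col):
            out[pos] ^= gf_mul(w, byte)
    return bytes(out)


def disperse(segment: bytes) -> dict:
    """Turn one segment into N slices, returned as {slice_index: bytes}."""
    padded = len(segment).to_bytes(4, "big") + segment
    padded += bytes(-len(padded) % K)            # pad to whole stripes of K
    # Slices 0..K-1 carry the data itself: byte i of every K-byte stripe.
    slices = {i: padded[i::K] for i in range(K)}
    data_cols = [slices[i] for i in range(K)]
    # Slices K..N-1 are the same polynomial evaluated at further points.
    for x in range(K, N):
        slices[x] = combine(lagrange_weights(list(range(K)), x), data_cols)
    return slices


def rebuild(available: dict) -> bytes:
    """Recover the segment from any K surviving slices."""
    xs = sorted(i for i in available if 0 <= i < N)[:K]
    if len(xs) < K:
        raise ValueError(f"need {K} slices, have {len(xs)}")
    cols = [available[i] for i in xs]
    if len({len(c) for c in cols}) != 1:
        raise ValueError("slices differ in length")
    padded = bytearray(len(cols[0]) * K)
    for target in range(K):                      # interpolate each data column
        padded[target::K] = combine(lagrange_weights(xs, target), cols)
    size = int.from_bytes(padded[:4], "big")
    if size > len(padded) - 4:
        raise ValueError("length prefix inconsistent with slice size")
    return bytes(padded[4:4 + size])


if __name__ == "__main__":
    # Constructed sample standing in for one encrypted segment.
    segment = b"constructed sample segment " * 8
    slices = disperse(segment)
    for lost in (0, 3, 5, 9, 12, 15):            # simulate six failed disks
        del slices[lost]
    print("slices left:", len(slices), "recovered:", rebuild(slices) == segment)
```

Erasure coding of this kind restores missing slices only: it neither detects a slice that was altered nor hides content (slices 0 to 9 here are verbatim bytes of the input), which is why the segment is encrypted before it is sliced.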

Threats to Storage Types

Cloud storage is subject to the following key threats:

  • Administrators for the cloud provider can technically access your volumes and storage. This can be a challenge for security measures and indeed for compliance (with an emphasis on reporting/auditing).
  • Private volume storage can very easily become publicly available with a simple configuration change.
  • Volumes and their snapshots can be used as an invaluable resource for troubleshooting purposes. Controls and verification should be in place to ensure that the data sent for external company support does not contain sensitive information.
  • Object level storage typically lacks comprehensive security controls (such as access control lists (ACLs), audit, and permissions). All controls for data access should be integrated into the application as well as other supporting mechanisms.
  • There can be multi-tenancy issues. When you are using a multi-tenant cloud, your data is placed on the same physical hard drive as other tenants. There is a possibility that any tenant’s data can be seized and reviewed as part of an investigation by either the provider or law enforcement. This could mean that your data is seized as part of the investigation, and it may be subject to review and disclosure as well.

Technologies Available to Address Threats

The security practitioner will need to leverage different technologies to address the varied threats that may face the enterprise with regards to the safe storage and use of their data in the cloud. The circumstances of each threat will be different, and as a result, the key to success will be the ability of the security practitioner to understand the nature of the threat they are facing, combined with their ability to implement the appropriate technology to mitigate the threat.

DLP

Data loss prevention, data leakage prevention, and data loss protection are terms used interchangeably by practitioners and businesses alike to describe the controls put in place by an organization to ensure that certain types of data (structured and unstructured) remain under organizational controls, in line with policies, standards, and procedures.

Controls to protect data form the foundation of organizational security and enable the organization to meet regulatory requirements and relevant legislation (e.g., EU data protection directives, the U.S. Privacy Act, HIPAA, and PCI-DSS). DLP technologies and processes play important roles when building those controls. The appropriate implementation and use of DLP will reduce both security and regulatory risks for the organization.

DLP technology presents a wide and varied set of components that need to be contextually applied by the organization, often requiring changes to the enterprise security architecture. It is for this reason that many organizations do not adopt a “full blown” DLP strategy across the enterprise. In this module we will not discuss the entire implementation methodology of DLP, or indeed all relevant components, because many of these do not apply to cloud based services or solutions. For those hybrid cloud users, or those utilizing cloud based services partially within their organizations, it would be beneficial to ensure that DLP is understood and is appropriately structured across both cloud and non-cloud environments. Failure to do so can result in segmented and non-standardized levels of security—leading to increased risks.

DLP consists of three components:

  • Discovery and classification—This is the first stage of a DLP implementation, and also an ongoing and recurring process; the majority of cloud based DLP technologies are predominantly focused on this component.
  • Monitoring—Data usage monitoring forms the key function of DLP. Effective DLP strategies monitor the usage of data across locations and platforms while enabling administrators to define one or more usage policies. The ability to monitor data can be executed on gateways, servers, and storage, as well as workstations and endpoint devices. Recently, the adoption of external services to assist with DLP “as a service” has increased, along with many cloud based DLP solutions.
  • Enforcement—Upon a violation of policy being detected, specified relevant enforcement actions can automatically be performed. Enforcement options can include the ability to alert and log, block data transfers or re-route them for additional confirmation, or to encrypt the data prior to leaving the organizational boundaries.
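
The three components can be seen working together in a small content inspection routine. This is an added example, not taken from the book or from any DLP product: the labels, the `POLICY` table, and the channel names are hypothetical, and the sample messages are constructed. Discovery uses a Luhn check so that a digit string merely shaped like a card number does not trigger enforcement.

```python
import re
from typing import NamedTuple

# Discovery patterns. 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKER = re.compile(r"\bCONFIDENTIAL\b")

# Enforcement options named in the text, ordered from least to most restrictive.
SEVERITY = {"allow": 0, "alert": 1, "encrypt": 2, "block": 3}

# Hypothetical usage policy: (classification label, channel) -> action. "*" is any channel.
POLICY = {
    ("PAN", "*"): "block",
    ("MARKED_CONFIDENTIAL", "smtp"): "encrypt",
    ("MARKED_CONFIDENTIAL", "*"): "alert",
}


class Finding(NamedTuple):
    label: str
    evidence: str   # redacted, so the DLP log does not become a second copy of the data


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out most look-alike digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(text: str) -> list:
    """Discovery and classification: label what the content contains."""
    findings = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    if MARKER.search(text):
        findings.append(Finding("MARKED_CONFIDENTIAL", "CONFIDENTIAL"))
    return findings


def enforce(channel: str, text: str):
    """Monitoring and enforcement: pick the most restrictive action the policy demands."""
    findings = discover(text)
    action = "allow"
    for finding in findings:
        wanted = POLICY.get((finding.label, channel)) or POLICY.get((finding.label, "*"), "allow")
        if SEVERITY[wanted] > SEVERITY[action]:
            action = wanted
    return action, findings


# Constructed outbound messages: (channel, body).
SAMPLES = [
    ("smtp", "Please charge card 4111 1111 1111 1111, exp 12/29"),
    ("https", "Order ref 1234 5678 9012 3456 has shipped"),      # fails Luhn: not a PAN
    ("smtp", "CONFIDENTIAL: draft roadmap attached"),
    ("ftp", "CONFIDENTIAL: draft roadmap attached"),
]

if __name__ == "__main__":
    for channel, body in SAMPLES:
        print(channel, *enforce(channel, body))
```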

DLP Architecture

DLP tool implementations typically conform to the following topologies:

  • Data in Motion (DIM)—Sometimes referred to as network based or gateway DLP. In this topology the monitoring engine is deployed near the organizational gateway to monitor outgoing protocols such as HTTP, HTTPS, SMTP, and FTP. The topology can be a mixture of proxy based, bridge, network tapping, or SMTP relays. In order to scan encrypted HTTPS traffic, appropriate mechanisms to enable SSL interception/broker are required to be integrated into the system architecture.
  • Data at Rest (DAR)—Sometimes referred to as storage based. In this topology the DLP engine is installed where the data is at rest, usually one or more storage sub-systems, and file and application servers. This topology is very effective for data discovery and tracking usage, but may require integration with network or endpoint based DLP for policy enforcement.
  • Data in Use (DIU)—Sometimes referred to as client or endpoint based, the DLP application is installed on a user’s workstations and endpoint devices. This topology offers insights into how the data is used by users, with the ability to add additional protection that network DLP may not be able to provide. The challenge with client based DLP is the complexity, time, and resources to implement across all endpoint devices, often across multiple locations and significant numbers of users.

Cloud Based DLP Considerations

There are several things you need to take into consideration when implementing DLP:

  • Data in the cloud tends to move and replicate, whether it is between locations, data centers, backups, or back and forth into the organizations. The replication and movement can present a challenge to any DLP implementation.
  • Administrative access for enterprise data in the cloud could be tricky. Make sure you understand how to perform discovery and classification within cloud based storage. Sometimes this will require authorization protocols to be involved (like OAuth) or other processes.118
  • DLP technology can affect overall performance. Network or gateway DLP, which scans all traffic for predefined content, might have an effect on network performance. Client based DLPs scan all workstation access to data; this can have a performance impact on the workstation’s operation. The overall impact must be considered during testing.

DLP Best Practices

There are a number of best practices for working with DLP that can make everything work more smoothly and effectively:

  • Start with the data discovery and classification processes. Those processes are more mature within the cloud deployments and present value for the data security process.
  • Cloud DLP policy should address the following:
    • What kind of data is permitted to be stored in the cloud?
    • Where can the data be stored (jurisdictions)?
    • How should it be stored? Encryption and storage access consideration.
    • What kind of data access is permitted? Which devices and what networks? Which applications? Which tunnel?
    • Under what conditions is data allowed to leave the cloud?
  • Encryption methods should be carefully examined based on the format of the data. Format preserving encryption such as information rights management (IRM) is getting more popular in document storage applications; however, other data types may require vendor agnostic solutions.
  • When you are implementing restrictions or controls to block or quarantine data items, it is essential to create procedures that will prevent business process damage due to false positive events.
  • DLP can be an effective tool when planning or assessing a potential migration to cloud applications. DLP discovery will analyze the data going to the cloud for protected content, and the DLP detection engine can discover policy violations during data migration.

Encryption

Encryption is an important technology for the security practitioner to consider and use when implementing systems that will allow for secure data storage and usage from the cloud. While having encryption enabled on all data across the enterprise architecture would reduce the risks associated with unauthorized data access and exposure, there are performance constraints and concerns to be addressed. It is the responsibility of the security practitioner to implement encryption within the enterprise in such a way that it provides maximum security benefits, safeguarding the most mission critical data, while minimizing system performance issues as a result of the encryption.

Encryption can be implemented within different phases of the data lifecycle:

  • Data in Motion—Technologies for encrypting data in motion are mature and well defined and include IPsec or VPN, TLS/SSL, and other “wire level” protocols.
  • Data at Rest—When the data is archived or stored, different encryption techniques should be used. The encryption mechanism itself may well vary in the manner in which it is deployed, dependent on the timeframe or period for which the data will be stored. Examples of this may include extended retention vs. short term storage, data located in a database vs. file system, etc.
  • Data in Use—Data that is being shared, processed, or viewed. This stage of the data lifecycle is less mature than other data encryption techniques, and it typically focuses on IRM/DRM solutions.

Sample Use Cases for Encryption

Following are some sample use cases for encryption:

  • When data moves in and out of the cloud—for processing, archiving, or sharing—we will use encryption for data in motion techniques such as SSL/TLS or VPN in order to avoid information exposure or data leakage while in motion.
  • Protecting data at rest such as file storage, database information, application components, archiving, and backup applications.
  • Files or objects that must be protected when stored, used, or shared in the cloud.
  • When complying with regulations such as HIPAA and PCI-DSS, which, in turn, require relevant protection of data traversing “untrusted networks,” along with the protection of certain data types.
  • Protection from third party access via subpoena or lawful interception.
  • Creating enhanced or increased mechanisms for logical separation between different customers’ data in the cloud.
  • Logical destruction of data when physical destruction is not feasible or technically possible.

Cloud Encryption Challenges

There are a myriad of factors influencing encryption considerations and associated implementations in the enterprise. The usage of encryption should always be directly related to business considerations, regulatory requirements, and any additional constraints that the organization may have to address. Different techniques will be used based on the location of data, whether at rest, in transit, or in use, while in the cloud. Different options might apply when dealing with specific threats like protecting PII, legally regulated information, or when defending against unauthorized access and viewing from systems and platform administrators.

  • The integrity of encryption is heavily dependent on control and management of the relevant encryption keys, including how they are secured. If the keys are held by the cloud provider, not all data threats are mitigated against because unauthorized actors may gain access to the data through acquisition of the keys via a search warrant, legal ruling, or theft and misappropriation. Equally, if the customer is holding the encryption keys, this presents different challenges to ensure they are protected from unauthorized usage as well as compromise.
  • Encryption can be challenging to implement effectively when a cloud provider is required to process the encrypted data, even for simple tasks such as indexing, along with the gathering of metadata.
  • Data in the cloud is highly portable. It replicates and is copied and backed up extensively, making encryption and key management a complex and sizeable undertaking.
  • Multi-tenant cloud environments and the shared use of physical hardware present challenges for the safeguarding of keys in volatile memory such as RAM caches.
  • Secure hardware for encrypting keys may not exist in cloud environments, with software based key storage often being more vulnerable to attack/compromise.
  • Storage level encryption is typically less complex, but it can be most easily exploited/compromised (given sufficient time and resources). The higher you go toward the application level, the more complex encryption becomes to deploy and implement. However, encryption implemented at the application level will typically be more effective in protecting the confidentiality of the relevant assets or resources.
  • Encryption can impact negatively on performance, especially when dealing with high performance data processing mechanisms such as data warehouses and data cubes.
  • The nature of cloud environments typically requires us to manage more keys than traditional environments (access keys, API keys, encryption keys, shared keys, among others).
  • Some cloud encryption implementations require all users and service traffic to go through an encryption engine. This can result in availability and performance issues to both end users and to providers.
  • Throughout the data lifecycle, data can change locations, format, encryption, and encryption keys. Using the data security lifecycle can help to document and map all those different aspects.
  • Encryption affects data availability. Encryption complicates data availability controls such as backups, DR planning, and co-locations because expanding encryption into these areas increases the likelihood that keys may become compromised. In addition, if encryption is applied incorrectly within any of these areas, the data may become inaccessible when needed.
  • Encryption does not solve data integrity threats. Data can be encrypted and yet be subject to tampering or file replacement attacks. In this case, supplementary cryptographic controls such as digital signatures need to be applied, along with non-repudiation for transaction based activities.

Encryption Architecture

Encryption architecture is very much dependent on the goals of the encryption solutions, along with the cloud delivery mechanism. Protecting data at rest from local compromise or unauthorized access differs significantly from protecting data in motion into the cloud. Adding additional controls to protect the integrity and availability of data can further complicate the process.

Typically, the following components are associated with most encryption deployments:

  • The Data—The data object or objects that need to be encrypted.
  • Encryption Engine—Performs the encryption operation itself.
  • Encryption Keys—All encryption is based on keys. Safeguarding the keys is a crucial activity, necessary for ensuring the ongoing integrity of the encryption implementation and its algorithms.

Data Encryption in IaaS

The issues associated with data management and encryption in an IaaS model should be of concern to the SSCP. Due to the nature of the IaaS service model, the cloud service provider is often directly involved in implementing encryption of data on behalf of the customer. As a result, there is a need for the SSCP to understand the issues and concerns associated with this service model as they pertain to data confidentiality, integrity, and availability when storage versus volume level encryption solutions are deployed. In addition, issues associated with key management and secure data life cycles also need to be considered. The following sections will touch on these issues, as well as solutions for some of the concerns they raise.

Basic Storage Level Encryption

Where storage level encryption is utilized, the encryption engine is located on the storage management level, with the keys usually held/stored/retained by the cloud provider. The engine will encrypt data written to the storage and decrypt it when exiting the storage (i.e., for use). This type of encryption is relevant to both object and volume storage, but it will only protect from hardware theft or loss. It will not protect from cloud provider administrator access or any unauthorized access coming from the layers above the storage.

Volume Storage Encryption

Volume storage encryption requires that the encrypted data resides on volume storage. This is typically done through an encrypted container, which is mapped as a folder or volume. Instance based encryption allows access to data only through the volume operating system and, therefore, provides protection from the following:

  • Physical loss or theft
  • External administrator(s) accessing the storage
  • Snapshots and storage level backups being taken and removed from the system

Volume storage encryption will not provide protection against any access made through the instance, i.e., an attack that is manipulating or operating within the application running on the instance.

There are two methods that can be used to implement volume storage encryption:

  • Instance Based—Where instance based encryption is used, the encryption engine is located on the instance itself. Keys can be guarded locally but should be managed external to the instance.
  • Proxy Based Encryption—Where proxy based encryption is used, the encryption engine is running on a proxy instance or appliance. The proxy instance is a secure machine that will handle all cryptographic actions including key management and storage. The proxy will map the data on the volume storage while providing access to the instances. Keys can be stored on the proxy or via external key storage (recommended) with the proxy providing the key exchanges and required safeguarding of keys in memory.

Object Storage Encryption

The majority of object storage services will offer server side storage level encryption as described above. This kind of encryption offers limited effectiveness, with the recommendation for external encryption mechanisms to be encrypting the data prior to its arrival within the cloud environments. Potential external mechanisms include:

  • File Level Encryption—Such as information rights management (IRM) or digital rights management (DRM) solutions, both of which can be very effective when used in conjunction with file hosting and sharing services that typically rely on object storage. The encryption engine is commonly implemented at the client side and will preserve the format of the original file.
  • Application Level Encryption—The encryption engine resides in the application that is utilizing the object storage. It can be integrated into the application component, or by a proxy that is responsible for encrypting the data before going to the cloud. The proxy can be implemented on the customer gateway or as a service residing at the external provider.

Database Encryption

For database encryption, the following options should be understood:

  • File Level Encryption—Database servers typically reside on volume storage. For this deployment, we are encrypting the volume or folder of the database, with the encryption engine and keys residing on the instances attached to the volume. External file system encryption will protect from media theft, lost backups, and external attack, but it will not protect against attacks with access to the application layer, the instance’s OS, or the database itself.
  • Transparent Encryption—Many database management systems contain the ability to encrypt the entire database or specific portions, such as tables. The encryption engine resides within the DB, and it is transparent to the application. Keys usually reside within the instance, although processing and management of them may also be offloaded to an external key management system (KMS). This encryption can provide effective protection from media theft, backup system intrusions, and certain database and application level attacks.
  • Application Level Encryption—In application level encryption, the encryption engine resides at the application that is utilizing the database. Application encryption can act as a robust mechanism to protect against a wide range of threats, such as compromised administrative accounts along with other database and application level attacks. Since the data is encrypted before reaching the database, it is challenging to perform indexing, searches, and metadata collection. Encrypting at the application layer can be challenging, based on the expertise requirements for cryptographic development and integration.

Key Management

Key management is one of the most challenging components of any encryption implementation. Even though new standards like Key Management Interoperability Protocol (KMIP) are emerging, safeguarding keys and appropriate management of keys are still among the most complicated tasks that the security practitioner will need to engage in when planning cloud data security.119

Common challenges with key management include the following:

  • Access to the Keys—Best practices, coupled with regulatory requirements, may set specific criteria for key access, along with restricting or not permitting access to keys by cloud service provider employees or personnel.
  • Key Storage—Secure storage for the keys is essential to safeguarding the data. In traditional “in house” environments, keys were able to be stored in secure dedicated hardware. This may not always be possible in cloud environments.
  • Backup and Replication—The nature of the cloud results in data backups and replication across a number of different formats. This can have an impact on the ability for long and short term key management to be maintained and managed effectively.

Considerations when planning key management include the following:

  • Random number generation should be conducted as a trusted process.
  • Throughout the lifecycle, cryptographic keys should never be transmitted in the clear and always remain in a “trusted” environment.
  • When considering key escrow or key management “as a service,” carefully plan to take into account all relevant laws, regulations, and jurisdictional requirements.
  • Lack of access to the encryption keys will result in lack of access to the data. This should be considered when discussing confidentiality threats vs. availability threats.
  • Where possible, key management functions should be conducted separately from the cloud provider in order to enforce separation of duties and force collusion to occur if unauthorized data access is attempted.

Key storage in the cloud is typically implemented using one or more of the following approaches:

  • Internally Managed—In this method the keys are stored on the virtual machine or application component that is also acting as the encryption engine. This type of key management is usually used in storage level encryption, internal database encryption, or backup application encryption. This approach can be helpful to mitigate against the risks associated with lost media.
  • Externally Managed—In this method keys are maintained separate from the encryption engine and data. They can be on the same cloud platform, internally within the organization or on a different cloud. The actual storage can be a separate instance (hardened especially for this specific task) or on a HSM. When implementing external key storage, consider how the key management system is integrated with the encryption engine and how the entire lifecycle of key creation through to retirement is managed.
  • Managed by a Third Party—Key escrow services are provided by a trusted third party. Key management providers use specifically developed secure infrastructure and integration services for key management. The cloud security professional must evaluate any third party key storage services provider that may be contracted by the organization to ensure that the risks of allowing a third party to hold encryption keys are well understood and documented.

Typically, cloud service providers protect keys using software-based solutions in order to avoid the additional cost and overhead of hardware based security models.

Encryption Alternatives and Other Data Protection Technologies

The solutions discussed so far with regards to data protection have focused on the use of encryption and implementation of a secure data management life cycle. There are other technologies and approaches that can be used to augment the use of encryption or even to replace it, depending on the circumstances and operational requirements of the system being discussed. The SSCP should be able to understand the use of technologies such as data masking, data obfuscation, data anonymization, and tokenization.

Data Masking/Data Obfuscation

Data masking or data obfuscation is the process of hiding, replacing, or omitting sensitive information from a specific data set. Data masking is usually used in order to protect specific data sets, such as PII, and commercially sensitive data in order to comply with certain regulations such as HIPAA or PCI-DSS. Data masking or obfuscation is also widely used for test platforms (where suitable test data is not available). Both techniques are typically applied when migrating test or development environments to the cloud, or when protecting production environments from certain threats such as data exposure by insiders or outsiders.

Common approaches for data masking include:

  • Random Substitution—The value is replaced (or appended) with a random value.
  • Algorithmic Substitution—The value is replaced (or appended) with an algorithm generated value (this typically allows for two-way substitution).
  • Shuffle—Shuffles different values from the dataset, usually from the same column.
  • Masking—Uses specific characters to hide certain parts of the data. This usually applies for credit card data formats: XXXX XXXX XX65 5432
  • Deletion—Simply put a null value or delete the data.

Primary methods of masking data include:

  • Static—In static masking, a new copy of the data is created with the masked values. Static masking is typically efficient when creating clean non production environments.
  • Dynamic—Dynamic masking (sometimes referred to as “on-the-fly” masking) adds a layer of masking between the application and the database. The masking layer is responsible for masking the information in the database “on the fly” when it is accessed by the presentation layer. This type of masking is efficient when protecting production environments; i.e., dynamic masking can hide the full credit card number from customer service representatives, but the data remains available for processing.
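
The masking approaches and the static/dynamic distinction above can be compared side by side on a small table. This is an added example, not code from the book: the column rules, the role names `billing` and `support`, and the customer records are constructed for illustration. Algorithmic (two-way) substitution is left out because it needs a vetted reversible scheme.

```python
import copy
import secrets
import string

# Constructed sample records; none of these values are real.
CUSTOMERS = [
    {"name": "Alice Example", "city": "Leeds", "pan": "4111 1111 1165 5432", "notes": "called twice"},
    {"name": "Bob Sample", "city": "Turin", "pan": "5500 0000 0000 0004", "notes": "vip"},
    {"name": "Carol Test", "city": "Osaka", "pan": "3400 0000 0000 009", "notes": ""},
]

# Hypothetical per-column rules, one for each approach demonstrated here.
RULES = {"name": "random", "city": "shuffle", "pan": "mask", "notes": "delete"}

# Hypothetical roles that may see a full card number through the dynamic layer.
FULL_PAN_ROLES = {"billing"}


def mask_pan(pan: str, visible: int = 6) -> str:
    """Masking: keep the grouping, show only the last `visible` digits."""
    hide = max(sum(c.isdigit() for c in pan) - visible, 0)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("X" if seen < hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def random_substitute(value: str, rng) -> str:
    """Random substitution: same length and character classes, unrelated content."""
    out = []
    for c in value:
        if c.isdigit():
            out.append(rng.choice(string.digits))
        elif c.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif c.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(c)
    return "".join(out)


def static_mask(rows, rules, rng=None):
    """Static masking: build a new masked copy, e.g. for a non-production environment."""
    rng = rng or secrets.SystemRandom()      # OS randomness unless a test injects its own
    masked = copy.deepcopy(rows)             # the production rows are never modified
    for column, rule in rules.items():
        if rule == "shuffle":                # Shuffle: permute values within one column
            values = [row[column] for row in masked]
            rng.shuffle(values)
            for row, value in zip(masked, values):
                row[column] = value
        elif rule == "random":
            for row in masked:
                row[column] = random_substitute(row[column], rng)
        elif rule == "mask":
            for row in masked:
                row[column] = mask_pan(row[column])
        elif rule == "delete":               # Deletion: replace with a null value
            for row in masked:
                row[column] = None
        else:
            raise ValueError(f"unknown masking rule: {rule}")
    return masked


def dynamic_view(row: dict, role: str) -> dict:
    """Dynamic masking: stored data is untouched, the view depends on who is asking."""
    view = dict(row)
    if role not in FULL_PAN_ROLES:
        view["pan"] = mask_pan(row["pan"])
    return view


if __name__ == "__main__":
    for row in static_mask(CUSTOMERS, RULES):
        print(row)
    print(dynamic_view(CUSTOMERS[0], "support"))
```

Shuffling a column with few distinct values, as in this three-row table, can leave some rows paired with their original value, so shuffle alone suits large columns better.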

Data Anonymization

Direct identifiers and indirect identifiers form two primary components for identification of individuals, users, or indeed personal information. Direct identifiers are fields that uniquely identify the subject (usually name, address, etc.) and are usually referred to as PII (personally identifiable information). Masking solutions are usually used to protect direct identifiers. Indirect identifiers typically consist of demographic or socioeconomic information, dates, or events. While each standalone indirect identifier cannot identify the individual, the risk is that combining a number of indirect identifiers together with external data can result in exposing the subject of the information. For example, imagine a scenario where users were able to combine search engine data with online streaming recommendations to tie back posts and recommendations to individual users on a website.

Anonymization is the process of removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual or sensitive information. The process of anonymization is similar to masking and includes identifying the relevant information to anonymize and the choosing of a relevant method for obscuring the data. The challenge with indirect identifiers is the ability for this type of data to be integrated in free text fields, which tend to be less structured than direct identifiers, thus complicating the process.

Tokenization

Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token is usually a collection of random values with the shape and form of the original data placeholder, and it is mapped back to the original data by the tokenization application or solution.

Tokenization is not encryption, and it presents different challenges and different benefits. Encryption is using a key to obfuscate data, while tokenization removes the data entirely from the database, replacing it with a mechanism to identify and access the resources.

Tokenization is used to safeguard the sensitive data in a secure, protected, or regulated environment. Tokenization can be implemented internally where there is a need to secure sensitive data centrally, or externally using a tokenization service.

Tokenization can assist with:

  • Complying with regulations or laws.
  • Reducing the cost of compliance.
  • Mitigating risks of storing sensitive data and reducing attack vectors on that data.

The basic tokenization architecture can be seen in Figure 7-57.

Figure 7-57: Basic Tokenization Architecture
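
A minimal token vault makes the architecture concrete: the application keeps only the token, and the mapping back to the original value lives in the vault. This is an added example, not code from the book or from any tokenization product: the `TokenVault` class, the application names, and the in-memory dictionaries are assumptions, and a production vault would also encrypt the values it stores.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical tokenization service holding the token-to-value mapping."""

    def __init__(self):
        self._by_token = {}   # token -> original value (kept only inside the vault)
        self._by_value = {}   # original value -> token, so repeat requests reuse a token
        self._apps = {}       # app_id -> (SHA-256 of credential, may_detokenize)

    def register_app(self, app_id: str, may_detokenize: bool = False) -> str:
        """Enroll a calling application and return its credential once."""
        credential = secrets.token_urlsafe(32)
        digest = hashlib.sha256(credential.encode()).digest()
        self._apps[app_id] = (digest, may_detokenize)
        return credential

    def _authenticate(self, app_id: str, credential: str) -> bool:
        """Verify the caller; return whether it may detokenize."""
        record = self._apps.get(app_id)
        presented = hashlib.sha256(credential.encode()).digest()
        expected = record[0] if record else bytes(32)
        # Constant-time comparison; unknown applications fail the same way as bad credentials.
        if not (hmac.compare_digest(presented, expected) and record):
            raise PermissionError("unknown application or bad credential")
        return record[1]

    def tokenize(self, app_id: str, credential: str, value: str) -> str:
        """Swap a sensitive value for a random token with the same shape."""
        self._authenticate(app_id, credential)
        if not any(c.isdigit() for c in value):
            raise ValueError("this sketch only tokenizes values that contain digits")
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Random digits in place of digits, separators kept: same form as the original.
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, app_id: str, credential: str, token: str) -> str:
        """Return the original value, only to applications allowed to see it."""
        if not self._authenticate(app_id, credential):
            raise PermissionError("application is not allowed to detokenize")
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    shop = vault.register_app("web-shop")                          # stores tokens only
    payments = vault.register_app("payment-svc", may_detokenize=True)
    pan = "4111 1111 1111 1111"                                    # constructed sample value
    token = vault.tokenize("web-shop", shop, pan)
    print(token, vault.detokenize("payment-svc", payments, token) == pan)
```

Unlike ciphertext, the token has no mathematical relationship to the card number, so a copy of the application database reveals nothing without access to the vault.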

There are several considerations when using tokenization with the cloud:

  • When you are using tokenization as a service, it is imperative to ensure the provider and solutions have the ability to protect your data.
  • When using tokenization as a service, pay special attention to the process of authenticating the application when storing or retrieving the sensitive data. Where external tokenization is used, appropriate encryption of communications should be applied to data in motion.
  • As always, evaluate your compliance requirements before considering a cloud based tokenization solution. The risks of having to interact with different jurisdictions and different compliance requirements will need to be weighed by the security practitioner.

Third-Party/Outsourcing Implications

The need to understand the issues associated with the use of third party/outsourcing solutions is an important area of risk management. The concerns in this area are varied and need to be well understood and documented to be managed successfully within the enterprise. Usage of SLAs and hosting agreements to control cloud based solutions is a common practice that the SSCP should be comfortable with. The crafting of data retention policies will allow the SSCP to ensure that, regardless of whether data is being managed directly within the organization or by a contracted third party, the data is securely maintained for the required period of time so that compliance obligations are met. Data deletion procedures need to be documented and defined so that the SSCP can ensure that all data is being securely destroyed when the time comes to do so, regardless of who will ultimately execute the procedure.

Data Retention Policies

A data retention policy is an organization’s established protocol for retaining information for operational or regulatory compliance needs. The objectives of a data retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date, and to dispose of information that is no longer needed. The policy balances the legal, regulatory, and business data archival requirements against data storage costs, complexity, and other data considerations. A good data retention policy should define retention periods, data formats, data security, and data retrieval procedures for the enterprise.

A data retention policy for cloud services should contain the following key components:

  • Legislation, Regulation, and Standards Requirements—Data retention considerations are heavily dependent on the data type and the required compliance regimes associated with it. For example, according to the Basel II Accords for Financial Data, the retention period for financial transactions should be between 3 and 7 years, while according to the PCI-DSS version 3.0 Requirement 10, credit card transaction data should be kept available for at least a year with at least 3 months available online.121
  • Data Mapping—The process of mapping all relevant data in order to understand data types (structured, unstructured), data formats (file types), and data location (network drives, databases, object or volume storage).
  • Data Classification—Classifying the data based on locations, compliance requirements, ownership, or business usage. Classification is also used in order to decide on the proper retention procedures for the enterprise.
  • Data Retention Procedure—For each data category, the data retention procedures should be followed based on the appropriate data retention policy that governs the data type. How long the data is to be kept, where (physical location, jurisdiction), and how (which technology and format) should all be spelled out in the policy and implemented via the procedure. The procedure should also include backup options, retrieval requirements, and restore procedures as required and necessary for the data types being managed.
  • Monitoring and Maintenance—Procedures for making sure that the entire process is working, including review of the policy and requirements to make sure that there are no changes, and compensating controls such as initiating periodic data access to confirm that the process is working.

Data Deletion Procedures and Mechanisms

A key part of data protection procedures is the safe disposal of data once it is no longer needed. Failure to do so may result in data breaches and compliance failures. Safe disposal procedures are designed to ensure that there are no files, pointers, or data remnants left behind within a system that could be used to restore the original data.

A data deletion policy is sometimes required for the following reasons:

  • Regulation or Legislation—Certain laws and regulations such as HIPAA, GLB Act, and FISMA require specific degrees of safe disposal for certain records.
  • Business and Technical Requirements—Business policy may require safe disposal of data. Also, processes such as encryption might require safe disposal of the clear text data after creating the encrypted copy.

Restoring deleted data in a cloud environment is not an easy task for an attacker because cloud based data is scattered, typically being stored in different physical locations with unique pointers, and achieving any level of physical access to the media is a challenge. Nevertheless, it is still an existing attack vector that the cloud security professional should consider when evaluating the business requirements for data disposal.

In order to safely dispose of electronic records, the cloud security professional should consider the following options:

  • Physical Destruction—Physically destroying the media by incineration, shredding, or other means.
  • Degaussing—Using strong magnets for scrambling data on magnetic media such as hard drives and tapes.
  • Overwriting—Writing random data over the actual data. The more times the overwriting process occurs, the more thorough the destruction of the data is considered to be.
  • Encryption—Using an encryption method to re-write the data in an encrypted format to make it unreadable without the encryption key.

Since the first three options are not applicable to cloud computing, the only reasonable method remaining is encrypting the data. The process of encrypting the data in order to dispose of it is called digital shredding or crypto-shredding.

Crypto-shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data originally. Since the data is encrypted with the keys, the result is that the data is rendered unreadable (at least until the encryption protocol used can be broken or is capable of being brute-forced by an attacker).

In order to perform proper crypto-shredding, the security practitioner should consider the following:

  • The data should be encrypted completely without leaving any clear text remaining.
  • The technique must make sure that the encryption keys are totally unrecoverable. This can be hard to accomplish if the keys are managed by an external cloud provider or other third party.
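The two conditions above can be checked mechanically. The following is an added example, not code from the original text: it encrypts a constructed record, finds a forgotten cleartext copy, and shows that destroying the key in only one location leaves the data recoverable. The store names, key identifier, and object paths are hypothetical, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with encrypt-then-MAC) for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one data key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM or ChaCha20.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyStore:
    """One location holding key copies (hypothetical: primary KMS, provider backup)."""

    def __init__(self, name):
        self.name = name
        self._keys = {}

    def put(self, key_id, key):
        self._keys[key_id] = bytearray(key)  # mutable so it can be zeroized

    def get(self, key_id):
        return bytes(self._keys[key_id])

    def holds(self, key_id):
        return key_id in self._keys

    def destroy(self, key_id):
        buf = self._keys.pop(key_id, None)
        if buf is not None:
            for i in range(len(buf)):  # best effort in Python; copies made by get() are not reached
                buf[i] = 0


def crypto_shred(key_id, stores):
    """Destroy key_id in the given stores; return names of those still holding it."""
    for store in stores:
        store.destroy(key_id)
    return [s.name for s in stores if s.holds(key_id)]


def recoverable(blob, key_id, stores):
    """True if any store still holds a key that decrypts blob."""
    for store in stores:
        if store.holds(key_id):
            try:
                unseal(store.get(key_id), blob)
                return True
            except ValueError:
                pass
    return False


def cleartext_remnants(storage, marker):
    """Condition 1: names of stored objects that still contain cleartext."""
    return [name for name, data in storage.items() if marker in data]


def run_demo():
    record = b"CONSTRUCTED-SAMPLE customer=Jane Doe account=0000"  # constructed data
    key_id, key = "tenant-42", secrets.token_bytes(32)
    primary, backup = KeyStore("primary-kms"), KeyStore("provider-backup")
    for store in (primary, backup):
        store.put(key_id, key)
    storage = {"db/record-1": seal(key, record), "tmp/export.csv": record}
    result = {"remnants_before_cleanup": cleartext_remnants(storage, b"CONSTRUCTED-SAMPLE")}
    del storage["tmp/export.csv"]  # remove every cleartext copy before shredding
    blob = storage["db/record-1"]
    crypto_shred(key_id, [primary])  # incomplete: the provider's copy is forgotten
    result["copies_after_partial_shred"] = [s.name for s in (primary, backup) if s.holds(key_id)]
    result["recoverable_after_partial_shred"] = recoverable(blob, key_id, [primary, backup])
    crypto_shred(key_id, [primary, backup])  # condition 2: every copy destroyed
    result["recoverable_after_full_shred"] = recoverable(blob, key_id, [primary, backup])
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "=", value)
```

A shred is only complete when an inventory of every key location, including those held by the provider, reports no surviving copy.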

Data Archiving Procedures and Mechanisms

Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems. Moving inactive data out of production systems optimizes the performance of resources needed there, while specialized archival systems store information more cost-effectively and provide for retrieval when needed.

A data archiving policy for the cloud should contain the following elements:

  • Data Encryption Procedures—Long term data archiving with encryption could present a challenge for the organization with regards to key management. Encryption policy should consider which media is used, restoral options, and what the threats are that should be mitigated by the encryption. Bad key management could lead to the destruction of the entire archive, and therefore requires the attention of the security practitioner.
  • Data Monitoring Procedures—Data stored in the cloud tends to be replicated and moved. In order to maintain data governance, it is required that all data access and movements be tracked and logged to make sure that all security controls are being applied properly throughout the data lifecycle.
  • Ability to Perform eDiscovery and Granular Retrieval—Archive data may be subject to retrieval according to certain parameters such as dates, subjects, authors, and so on. The archiving platform should provide the ability to do eDiscovery on the data in order to decide which data should be retrieved.
  • Backup and Disaster Recovery Options—All requirements for data backup and restore should be specified and clearly documented. It is important for the security practitioner to ensure that the business continuity and disaster recovery plans are updated and aligned with whatever procedures are implemented.
  • Data Format and Media Type—The format of the data is an important consideration because it may be kept for an extended period of time. Proprietary formats can change, leaving data in a useless state, so choosing the right format is very important. The same consideration must be made for media storage types as well.
  • Data Restoration Procedures—Data restoral testing should be initiated periodically to make sure that the process is working. The trial data restore should be made into an isolated environment in order to mitigate risks such as restoring an old virus or accidentally overwriting existing data.

Event Sources

The relevant event sources that the security practitioner will draw data from will vary according to the cloud service models that the organization is consuming. The service models are SaaS, IaaS, and PaaS.

SaaS

In SaaS environments, the security practitioner typically will have minimal control of, and access to, event and diagnostic data. Most infrastructure level logs will not be visible to them, and they will be limited to high level, application generated logs that are located on a client endpoint. In order for the security practitioner to maintain reasonable investigation capabilities, auditability and traceability of data, it is recommended to specify required data access requirements in the cloud SLA or contract with the cloud service provider. The following data sources play an important role in event investigation and documentation:

  • Web server logs
  • Application server logs
  • Database logs
  • Guest operating system logs
  • Host access logs
  • Network infrastructure devices logs
  • Application level logs
  • Virtualization platform logs and SaaS portal logs
  • Network captures
  • Billing records
  • User access records
  • Management application logs

PaaS

In PaaS environments, the security practitioner typically will have control of, and access to, event and diagnostic data. Some infrastructure level logs will be visible to them, along with detailed application logs. Because the applications that will be monitored are being built and designed by the organization directly, the level of application data that can be extracted and monitored is up to the developers. In order to maintain reasonable investigation capabilities, auditability and traceability of data, the security practitioner should work with the development team to understand the capabilities of the applications under development and to help design and implement monitoring regimes that will maximize the organization’s visibility into the applications and their data streams.

OWASP recommends the following application events to be logged:122

  • Input validation failures, e.g., protocol violations, unacceptable encodings, invalid parameter names and values
  • Output validation failures, e.g., database record set mismatch, invalid data encoding
  • Authentication successes and failures
  • Authorization (access control) failures
  • Session management failures, e.g., cookie session identification value modification
  • Application errors and system events, e.g., syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors, file upload virus detection, configuration changes
  • Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping, or pausing)
  • Use of higher-risk functionality, e.g., network connections, addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of systems administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, creation and deletion of system-level objects, data import and export including screen-based reports, and submission of user-generated content—especially file uploads
  • Legal and other opt-ins, e.g., permissions for mobile phone capabilities, terms of use, terms and conditions, personal data usage consent, and permission to receive marketing communications

IaaS

In IaaS environments, the security practitioner typically will have control of, and access to, event and diagnostic data. Almost all infrastructure level logs will be visible to them, along with detailed application logs. In order for the security practitioner to maintain reasonable investigation capabilities, auditability and traceability of data, it is recommended to specify required data access requirements in the cloud SLA or contract with the cloud service provider.

The following logs might be important for the security practitioner to examine at some point, but they might not be available by default:

  • Cloud or network provider perimeter network logs
  • Logs from DNS servers
  • VMM logs
  • Host operating system and hypervisor logs
  • API access logs
  • Management portal logs
  • Packet captures
  • Billing records

Data Event Logging and Event Attributes

In order for the SSCP to be able to perform effective audits and investigations as needed, the event log should contain as much of the relevant data for the processes being examined as possible. OWASP recommends the following data to be integrated into event data:123

  • When
    • Log date and time (international format)
    • Event date and time—the event time stamp may be different to the time of logging, e.g., server logging where the client application is hosted on a remote device that is only periodically or intermittently online
    • Interaction identifier
  • Where
    • Application identifier, e.g., name and version
    • Application address, e.g., cluster/host name or server IPv4 or IPv6 address and port number, workstation identity, local device identifier
    • Service, e.g., name and protocol
    • Geolocation
    • Window/form/page, e.g., entry point URL and HTTP method for a web application, dialogue box name
    • Code location, e.g., script name, module name
  • Who (human or machine user)
    • Source address, e.g., user’s device/machine identifier, user’s IP address, cell/RF tower ID, mobile telephone number
    • User identity (if authenticated or otherwise known), e.g., user database table primary key value, username, license number
  • What
    • Type of event
    • Severity of event, e.g., {0=emergency, 1=alert, . . ., 7=debug}, {fatal, error, warning, info, debug, trace}
    • Security relevant event flag (if the logs contain non-security event data too)
    • Description

Additionally, consider recording:

  • Secondary time source (e.g., GPS), event date, and time
  • Action—original intended purpose of the request, e.g., log in, refresh session ID, log out, update profile
  • Object—the affected component or other object (user account, data resource, file), e.g., URL, session ID, user account, file
  • Result status—whether the ACTION aimed at the OBJECT was successful, e.g., success, fail, defer
  • Reason—why the status above occurred, e.g., user not authenticated in database check, incorrect credentials
  • HTTP Status Code (web applications only)—the status code returned to the user (often 200 or 301)
  • Request HTTP headers or HTTP User Agent (web applications only)
  • User type classification, e.g., public, authenticated user, CMS user, search engine, authorized penetration tester, uptime monitor
  • Analytical confidence in the event detection, e.g., low, medium, high, or a numeric value
  • Responses seen by the user and taken by the application, e.g., status code, custom text messages, session termination, administrator alerts
  • Extended details, e.g., stack trace, system error messages, debug information, HTTP request body, HTTP response headers and body
  • Internal classifications, e.g., responsibility, compliance references
  • External classifications, e.g., NIST Security Content Automation Protocol (SCAP), Mitre Common Attack Pattern Enumeration and Classification (CAPEC) 124

Storage and Analysis of Data Events

Event and log data can become very costly to archive and maintain depending on the volume of data being gathered. The security practitioner needs to carefully consider these issues as well as the business/regulatory requirements and responsibilities of the organization when planning for event data preservation.

Preservation is defined by ISO 27037:2012 as the “process to maintain and safeguard the integrity and/or original condition of the potential digital evidence.”125

Evidence preservation helps assure admissibility in a court of law. However, digital evidence is notoriously fragile and is easily changed or destroyed. Given that the backlog in many forensic laboratories ranges from six months to a year (and that delays in the legal system might create further delays), potential digital evidence may spend a significant period of time in storage before it is analyzed or used in a legal proceeding. Storage requires strict access controls to protect the items from accidental or deliberate modification, as well as appropriate environment controls.

Please also note that certain regulations and standards require that the event logging mechanism be tamper proof in order to avoid the risk of faked event logs.
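The When/Where/Who/What attribute list and the tamper-proofing requirement above can be combined in one logging component. The following is an added example, not code from the original text or from OWASP: it rejects events missing core attributes and chains each record to the previous one with an HMAC so that edits, deletions, and tail truncation are detected. The field names, key, and sample events are constructed for illustration, and the required subset of attributes is this example's choice.

```python
import hashlib
import hmac
import json

# Field names are this example's own; the groups follow the When/Where/Who/What list.
REQUIRED = {
    "when": ("log_time", "event_time", "interaction_id"),
    "where": ("application", "address", "code_location"),
    "who": ("source_address", "user"),
    "what": ("type", "severity", "security_relevant", "description"),
}
GENESIS = "0" * 64  # chain start value


def missing_attributes(event):
    """Return 'group.field' names absent from the event."""
    return [f"{group}.{name}" for group, names in REQUIRED.items()
            for name in names if name not in event.get(group, {})]


class ChainedLog:
    """Append-only log in which each record's MAC covers the previous record's MAC."""

    def __init__(self, key):
        self._key = key  # held by the log collector, not by the monitored application
        self.records = []

    def _mac(self, prev_mac, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

    def append(self, event):
        missing = missing_attributes(event)
        if missing:
            raise ValueError("event rejected, missing: " + ", ".join(missing))
        prev = self.records[-1]["mac"] if self.records else GENESIS
        self.records.append({"event": event, "mac": self._mac(prev, event)})

    def head(self):
        """(record count, last MAC): store this anchor somewhere the log host cannot write."""
        return (len(self.records), self.records[-1]["mac"] if self.records else GENESIS)

    def verify(self, anchor=None):
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if not hmac.compare_digest(rec["mac"], self._mac(prev, rec["event"])):
                return ("broken", i)  # record i was edited, or a record before it was removed
            prev = rec["mac"]
        if anchor is not None:
            count, mac = anchor
            if len(self.records) < count or (count and self.records[count - 1]["mac"] != mac):
                return ("truncated", len(self.records))
        return ("ok", None)


def sample_event(n, user, result):
    """Constructed sample event, not taken from any real system."""
    stamp = f"2015-06-30T12:00:0{n}Z"  # ISO 8601, the 'international format'
    return {
        "when": {"log_time": stamp, "event_time": stamp, "interaction_id": f"req-{n}"},
        "where": {"application": "portal/1.4", "address": "app01.example.internal:443",
                  "code_location": "auth/login.py"},
        "who": {"source_address": "192.0.2.10", "user": user},
        "what": {"type": "authentication", "severity": "warning" if result == "fail" else "info",
                 "security_relevant": True, "description": f"login {result}"},
    }


def build_sample_log():
    log = ChainedLog(b"constructed-demo-key")
    for n, (user, result) in enumerate([("alice", "fail"), ("alice", "fail"), ("alice", "success")]):
        log.append(sample_event(n, user, result))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact:", log.verify(anchor))
    log.records[1]["event"]["who"]["user"] = "someone-else"
    print("after edit:", log.verify(anchor))
```

The chain alone cannot reveal that the newest records were removed, which is why the anchor from `head()` has to be kept outside the system being logged.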

The gathering, analysis, storage, and archiving of event and log data is not limited to the forensic investigative process, however. In all organizations, the security practitioner will be called on to execute these activities on an on-going basis for a variety of reasons during the normal flow of enterprise operations. Whether it is to examine a firewall log, to diagnose an application installation error, to validate access controls, to understand network traffic flows, or to manage resource consumption, the use of event data and logs is a standard practice.

What the security practitioner needs to concern themselves with is how they can collect the volumes of logged event data available and manage it from a centralized location. That is where SIEM systems come in.

Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances, or managed services, and is also used to log security data and generate reports for compliance purposes.

The acronyms SEM, SIM, and SIEM have been sometimes used interchangeably. The segment of security management that deals with real-time monitoring, correlation of events, notifications, and console views is commonly known as security event management (SEM). The second area provides long-term storage, analysis, and reporting of log data and is known as security information management (SIM).

SIEM systems will typically provide the following capabilities:

  • Data Aggregation—Log management aggregates data from many sources, including network, security, servers, databases, and applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation—Looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the security event management portion of a full SIEM solution.
  • Alerting—The automated analysis of correlated events and production of alerts to notify recipients of immediate issues. Alerts can be sent to a dashboard or sent via third party channels such as email.
  • Dashboards—Tools can take event data and turn it into informational charts to assist in seeing patterns or identifying activity that is not forming a standard pattern.
  • Compliance—Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance, and auditing processes.
  • Retention—Employing long-term storage of historical data to facilitate correlation of data over time and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations because it is unlikely that discovery of a network breach will be at the time of the breach occurring.
  • Forensic analysis—The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.

However, there are challenges with SIEM systems in the cloud that have to be considered when deciding whether or not this technology will make sense for the organization. Turning over internal security data to a cloud provider requires trust, and many users of cloud services will desire more clarity on providers’ security precautions before being willing to trust a provider with this kind of information.

Another problem with pushing SIEM into the cloud is that targeted attack detection requires in-depth knowledge of internal systems, the kind found in corporate security teams. Cloud-based SIEM services may have trouble recognizing low-and-slow attacks. In many of the targeted attacks in which organizations are breached, attackers create only a relatively small amount of activity while carrying out their attacks. To see that evidence, you need to know the environment. Cloud services may not be able to do that effectively.
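The aggregation, correlation, and retention capabilities listed above, and the low-and-slow problem just described, can be seen in a small detection run. The following is an added example, not code from the original text or from any SIEM product: a short-window burst rule and a long-lookback correlation rule are applied to constructed events from three hypothetical feeds (web, vpn, ssh). The field names, thresholds, and addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2015, 6, 30, 12, 0)  # constructed reference time


def sample_events():
    """Constructed events aggregated from three feeds; not real log data."""
    events = []
    for i in range(6):  # noisy burst against one account on the web tier
        events.append({"time": NOW - timedelta(minutes=60 - i), "feed": "web",
                       "src": "203.0.113.7", "user": "admin", "result": "fail"})
    for i in range(8):  # low and slow: one failure every three days, a new account each time
        events.append({"time": NOW - timedelta(days=3 * i + 1), "feed": ("vpn", "ssh")[i % 2],
                       "src": "198.51.100.23", "user": f"user{i}", "result": "fail"})
    for i, result in enumerate(("fail", "fail", "ok")):  # a user mistyping a password
        events.append({"time": NOW - timedelta(hours=2) + timedelta(minutes=i), "feed": "web",
                       "src": "192.0.2.10", "user": "alice", "result": result})
    return events


def burst_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Real-time style rule: sources with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e["time"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(src)
                break
    return hits


def slow_rule(events, now, lookback=timedelta(days=30), min_accounts=5, min_feeds=2):
    """Correlation over retained history: one source failing against many accounts across feeds."""
    accounts, feeds = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "fail" and now - e["time"] <= lookback:
            accounts[e["src"]].add(e["user"])
            feeds[e["src"]].add(e["feed"])
    return {src for src in accounts
            if len(accounts[src]) >= min_accounts and len(feeds[src]) >= min_feeds}


def apply_retention(events, now, keep):
    """Drop events older than the retention period, as a short-retention store would."""
    return [e for e in events if now - e["time"] <= keep]


if __name__ == "__main__":
    events = sample_events()
    print("burst rule:", burst_rule(events))
    print("slow rule, 30 days retained:", slow_rule(events, NOW))
    week = apply_retention(events, NOW, timedelta(days=7))
    print("slow rule, 7 days retained:", slow_rule(week, NOW))
```

The slow source never trips the burst rule, and it disappears from the correlation rule as well once only seven days of history are retained.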

Securing Big Data Systems

The world’s effective capacity to exchange information through telecommunication networks was 281 petabytes in 1986, 471 petabytes in 1993, 2.2 exabytes in 2000, and 65 exabytes in 2007, and it is predicted that the amount of traffic flowing over the Internet will reach 667 exabytes annually by 2014.126 It is estimated that one third of the globally stored information is in the form of alphanumeric text and still image data, which is the format most useful for most big data applications.127

The term big data refers to the massive amounts of digital information companies and governments collect about us and our surroundings. Security and privacy issues are magnified by velocity, volume, and variety of big data, such as large scale cloud infrastructures, diversity of data sources and formats, streaming nature of data acquisition and high volume inter-cloud migration.

Though the word “big” implies such, big data is not simply defined by volume; it’s about complexity. Many small datasets that are considered big data do not consume much physical space but are particularly complex in nature. At the same time, large datasets that require significant physical space may not be complex enough to be considered big data. In addition to volume, the big data label also includes data variety and velocity making up the three V’s of big data—volume, variety, and velocity. Variety references the different types of structured and unstructured data that organizations can collect, such as transaction-level data, video and audio, or text and log files. Velocity is an indication of how quickly the data can be made available for analysis.128

An August 2013 blog post by Mark van Rijmenam titled “Why The 3V’s Are Not Sufficient To Describe Big Data” added “veracity, variability, visualization, and value” to the definition, broadening the realm even further. Rijmenam stated “90% of all data ever created, was created in the past two years. From now on, the amount of data in the world will double every two years.”129

Interpretation of big data can bring about insights that might not be immediately visible or that would be impossible to find using traditional methods. This process focuses on finding hidden threads, trends, or patterns, which may be invisible to the naked eye. Sounds easy, right? Well, it requires new technologies and skills to analyze the flow of material and draw conclusions. Apache Hadoop is one such technology, and it is generally the software most commonly associated with big data. Apache calls it “a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models.” Just as big data can be both a noun and a verb, Hadoop involves something that is and something that does—specifically, data storage and data processing. Both of these occur in a distributed fashion to improve efficiency and results. A set of tasks known as MapReduce coordinates the processing of data in different segments of the cluster and then breaks down the results to more manageable chunks which are summarized. Hadoop is open source, and there are variants produced by many different vendors such as Cloudera, Hortonworks, MapR, and Amazon. There are also other products such as HPCC and cloud-based services such as Google BigQuery.

From a security perspective, there are two distinct issues: securing the organization and its customers’ information in a big data context; and using big data techniques to analyze, and even predict, security incidents.

According to Adrian Lane, CTO at Securosis, the big data phenomenon is driven by the intersection of three trends:130

  • Mountains of data that contain valuable information
  • The abundance of cheap commodity computing resources
  • “Free” analytics tools (very low to non-existent barriers to acquire)

When we are talking about the security of big data environments, it is the last item in particular that often raises security concerns. Without knowing where many of these tool sets have come from, how they are architected, and who is behind them, as well as how they are being deployed and utilized within the enterprise, the security practitioner is faced with a significant challenge with regards to data confidentiality and integrity. The addition of distributed computing architectures such as cloud based systems that allow end point access to data on demand, from anywhere that a network connection can be accessed, adds to the myriad of challenges being faced by security practitioners.

Lane says that these systems use many nodes for distributed data storage and management. They store multiple copies of data across multiple nodes. This provides the benefits of fail-safe operation in the event any single node fails, and it means the data queries move to the data, where processing resources are available. It is this distributed cluster of data nodes cooperating with each other to handle data management and data queries that makes big data so potentially valuable for enterprise architectures, but at the same time it presents such unique challenges to the security of the enterprise.

The security practitioner faces challenges in the areas of trust, privacy, and general security. In the area of trust related issues, items such as key verification, mitigation of trust based DoS attacks, and content leakage detection within trusted networks may need to be addressed. Privacy issues may include remote authentication schemes for wireless network access to data, traffic masking to obfuscate data, anonymization of large scale data sets, and decentralized access control solutions for cloud based data access. General security challenges may span a wide range of issues and concerns such as response mechanisms in the face of fast spreading/fast acting intrusion vectors, the existence of inconsistent authorization policies and user credentials within distributed databases accessed by cloud based systems, and the concerns associated with securely, efficiently, and flexibly sharing data using public key cryptosystems.

Operating and Securing Virtual Environments

There are many components that go into operating and securing virtual environments. The move to use software definition up and down the virtualization stack in the data center has meant that solutions such as software defined networking (SDN) are now commonplace, requiring the SSCP to become familiar with them as part of their operational responsibilities. In addition, the use of virtualized security appliances has also become commonplace and requires that the SSCP update their skills with the required vendor-specific knowledge to ensure the successful deployment, configuration, and management of these gateway solutions. Being able to manage and operate environments that are focused on continuity and resiliency of the systems and information that make them up is a daunting challenge, one that the SSCP has to continue to work hard to accomplish.

Software-Defined Network (SDN)

According to Wikipedia, software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).131

SDN providers offer a wide selection of competing architectures, but at its most simple, the SDN method centralizes control of the network by separating the control logic to off-device computer resources. All SDN models have some version of an SDN controller, as well as southbound APIs and northbound APIs:

  • Controllers—The “brains” of the network, SDN controllers offer a centralized view of the overall network, and they enable network administrators to dictate to the underlying systems (like switches and routers) how the forwarding plane should handle network traffic.
  • Southbound APIs—SDN uses southbound APIs to relay information to the switches and routers “below.” OpenFlow, considered the first standard in SDN, was the original southbound API and remains one of the most common protocols. Despite some considering OpenFlow and SDN to be one and the same, OpenFlow is merely one piece of the bigger SDN landscape.
  • Northbound APIs—SDN uses northbound APIs to communicate with the applications and business logic “above.” These help network administrators to programmatically shape traffic and deploy services.

Virtual Appliances

Virtual appliances are prebuilt software solutions comprising one or more virtual machines that are packaged, updated, maintained, and managed as a unit. Because virtual appliances are preconfigured, they help organizations reduce the time and expense associated with application deployment—including the patching and ongoing management of the software.

A virtual machine has four key virtualized resources (CPU, RAM, storage, and networking). It requires the installation of an OS and runs one or more applications. A virtual appliance functions much like a virtual machine, possessing the four key characteristics of compatibility, isolation, encapsulation, and hardware independence. However, a virtual appliance contains a preinstalled, preconfigured OS and an application stack that is optimized to provide a specific set of services. Because virtual machines contain a general-purpose OS that can run multiple applications, the patches for virtual machines are delivered by both OS vendors and application software vendors. IT administrators, in turn, might need to test these patches for compatibility. In contrast, virtual appliances are a unified offering of Just Enough Operating System (JeOS, pronounced “juice”) and a single application. The application-software vendor needs only to provide a single pretested update (containing relevant patches), thereby eliminating the need for testing. JeOS is a stripped-down version of an OS. Several software vendors are creating JeOS variants to support the virtual-appliance paradigm. Examples include Ubuntu 7.04, 7.10 and 8.04, Lime JeOS from Novell, and Appliance Operating System (AOS) from Red Hat.

See the following for more information: https://www.suse.com/products/susestudio/features/jeos.html

Continuity and Resilience

A clustered host will be a host that is logically and physically connected to other hosts within a management framework that allows for resources to be centrally managed for the collection of hosts, and for the applications and virtual machines running on a member of the cluster to fail over, or move, between host members as needed to allow for continued operation of those resources, with a focus on minimizing the downtime that host failures can cause. The security practitioner will need to understand the basic concept of host clustering, as well as the specifics of the technology and implementation requirements that are unique to the vendor platforms they support. Within a host cluster, resources are allocated and managed as if they are pooled, or jointly available to all members of the cluster. The use of resource sharing concepts such as reservations, limits, and shares may also be used to further refine and orchestrate the allocation of resources according to certain requirements imposed by the cluster administrator.

Reservations allow for the guaranteeing of a certain minimum amount of the cluster’s pooled resources to be made available to a specified virtual machine.

Limits allow for the guaranteeing of a certain maximum amount of the cluster’s pooled resources to be made available to a specified virtual machine.

Shares allow for the provisioning of the remaining resources left in a cluster when there is resource contention. Specifically, shares allow the cluster’s reservations to be allocated, and then to address any remaining resources that may be available for use by members of the cluster through a prioritized percentage based allocation mechanism.
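The interaction of reservations, limits, and shares under contention is easier to follow with numbers. The following is an added example, not code from the original text or from any virtualization vendor: a simplified allocator grants reservations first, then divides the remaining pool in proportion to shares, never exceeding a virtual machine's limit or its demand. The VM names, values (memory in MB), and the rule that unused reservation returns to the pool are assumptions of this model.

```python
from fractions import Fraction


def allocate(capacity, vms):
    """Return {vm_name: allocation} for one pooled resource.

    vms maps a name to a dict with reservation, limit, shares, and demand.
    Exact fractions are used so that proportional splits have no rounding drift.
    """
    if sum(v["reservation"] for v in vms.values()) > capacity:
        # Reservations are guarantees, so the cluster must refuse to over-commit them.
        raise ValueError("reservations exceed cluster capacity")
    if any(v["shares"] <= 0 for v in vms.values()):
        raise ValueError("shares must be positive")

    # A VM never receives more than its limit, nor more than it asks for.
    ceiling = {name: min(v["limit"], v["demand"]) for name, v in vms.items()}

    # Step 1: satisfy reservations.
    alloc = {name: Fraction(min(v["reservation"], ceiling[name])) for name, v in vms.items()}
    remaining = Fraction(capacity) - sum(alloc.values())

    # Step 2: under contention, split what is left by shares. A VM that hits its
    # ceiling drops out and its unused portion is re-split among the others.
    while remaining > 0:
        active = [name for name in vms if alloc[name] < ceiling[name]]
        if not active:
            break
        total_shares = sum(vms[name]["shares"] for name in active)
        grants = {
            name: min(remaining * vms[name]["shares"] / total_shares,
                      ceiling[name] - alloc[name])
            for name in active
        }
        for name, grant in grants.items():
            alloc[name] += grant
        remaining -= sum(grants.values())
    return alloc


def sample_cluster(db_limit=8192):
    """Constructed cluster: 16384 MB pool, three VMs whose demand exceeds capacity."""
    return {
        "db":    {"reservation": 4096, "limit": db_limit, "shares": 2000, "demand": 12000},
        "web":   {"reservation": 2048, "limit": 16384,    "shares": 1000, "demand": 6000},
        "batch": {"reservation": 0,    "limit": 4096,     "shares": 1000, "demand": 10000},
    }


if __name__ == "__main__":
    for label, cluster in (("db limited to 8192", sample_cluster()),
                           ("db effectively unlimited", sample_cluster(db_limit=16384))):
        result = allocate(16384, cluster)
        print(label, {name: int(value) for name, value in result.items()})
```

With the limit in place the database VM stops at 8192 MB and the other two receive 5120 MB and 3072 MB; with the limit raised it takes 9216 MB and the others drop to 4608 MB and 2560 MB.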

Clusters are available for the traditional “compute” resources of the hosts that make up the cluster: RAM and CPU. In addition, there are also storage clusters that can be created and deployed to allow back end storage to be managed in the same way that the traditional “compute” resources are. The management of the cluster will involve the use of a cluster manager or management toolset of some kind. The chosen virtualization platform will determine the clustering capability of the cloud hosts. Many virtualization platforms utilize clustering for high availability and disaster recovery.

For example, according to VMware, a cluster is a collection of ESXi hosts and associated virtual machines with shared resources and a shared management interface.132

Microsoft provides the same level of technology to create, manage, and integrate their clustering solutions for virtualized cloud-based resources as well. System Center Operations Manager (SCOM) is used in partnership with the System Center Virtual Machine Manager (SCVMM) and the Performance Resource Optimization (PRO) feature to provide the monitoring component of individual hosts and virtual machines running on them, which would be the equivalent of the DRS functionality in VMware. The HA functionality is provided through the failover clustering technology built into the Windows Server 2012/2012 R2 operating systems.133

Attacks and Countermeasures

To secure a server, it is essential to first define the threats that must be mitigated. Many threats against data and resources are possible because of mistakes—either bugs in operating system and server software that create exploitable vulnerabilities, or errors made by end users and administrators. Threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area. Organizations should conduct risk assessments to identify the specific threats against their servers and determine the effectiveness of existing security controls in counteracting the threats; they then should perform risk mitigation to decide what additional measures (if any) should be implemented, as discussed in NIST Special Publication (SP) 800-30 Revision 1, “Risk Assessment Guide for Information Technology Systems.”134 Performing risk assessments and mitigation helps organizations better understand their security posture and decide how their servers should be secured.

The following general guidelines will help the security practitioner to understand the key items that have to be addressed:

  • Use of an asset management system that has configuration management capabilities to enable documentation of all system configuration items (CIs) authoritatively.
  • Use of system baselines to enforce configuration management throughout the enterprise. In configuration management, a baseline is an agreed upon description of the attributes of a product, at a point in time, which serves as a basis for defining change. A change is a movement from this baseline state to a next state. The security practitioner should consider automation technologies that will help with the creation, application, management, updating, tracking, and compliance checking for system baselines.
  • Development and use of a robust change management system to authorize the required changes needing to be made to systems over time. In addition, enforcement of a requirement that no changes may be made to production systems unless the change has been properly vetted and approved through the change management system in place. This will force all changes to be clearly articulated, examined, documented, and weighed against the organization’s priorities and objectives. Forcing the examination of all changes in the context of the business allows the security practitioner to ensure that risk is minimized whenever possible, and that all changes are seen as being acceptable to the business based on the potential risk that they pose.
  • The use of an exception reporting system to force the capture and documentation of any activities undertaken that are contrary to the “expected norm” with regards to the lifecycle of a system under management.
  • The use of vendor specified configuration guidance and best practices as appropriate based on the specific platforms under management.

Security Virtualization Best Practices

According to the Infosec Institute, the following are best practices for using virtualized infrastructure securely that the SSCP should consider:135

  1. Administrator Access and Separation of Duties. Following are best practices for administrator access and separation of duties:
  • Provide administrators with power on/power off rights for their hosts only and no others.
  • Give administrators the right to deploy new VMs but not modify existing VMs. Other administrators can then be enabled to modify existing VMs but not create new ones.
  • Separate authentication should be in place for each guest OS unless there is a good reason for two or more guest operating systems to share credentials.
  2. Desktop Virtualization and Security. Following are best practices for desktop virtualization and security:
  • Update acceptable use policy. Document the exact conditions under which virtualization software can be installed and define what approvals are required. State what software can be run and how it should be protected. Document the repercussions that employees can expect if they don’t follow the rules.
  • Limit the use of VMs to the users that need them. Limit permissions to a small group of developers and testers for virtual tools and VMs, and help them understand that they still have to conform to corporate security policies.
  • Keep virtualization and security software up to date.
  • Choose security policies that support virtualization. Make sure that there are not any known security policy conflicts with existing virtualization platforms.
  • Create and maintain a library of secure VM builds. Maintain a repository of VM templates containing all of the configuration settings, security software, and patches that users can download, use, and re-use.
  3. Network Security. Following are best practices for network security:
  • Disconnect any unused NICs so that there is not an easy way to get onto the network.
  • Make sure that the host platform that connects the hypervisor and guests to the physical network is secure by setting file permissions, using access controls for users and groups, and setting up logging and time synchronization.
  • Encrypt all traffic between clients and hosts, between management systems and the hypervisor, and between the hypervisor and hosts using SSL/TLS.
  • Secure IP communications between two hosts by using authentication and encryption on each IP packet.
  • Do not use default self-signed certificates as they are vulnerable to man-in-the-middle attacks.
  • Place virtual switches into promiscuous mode for monitoring purposes, and enable MAC address filtering to prevent MAC spoofing attacks.
  4. Storage Networks. Following are best practices for storage networks:
  • iSCSI and NFS traffic should be placed on dedicated storage networks or non-routable VLANs.
  • Use IPSec to encrypt iSCSI traffic to prevent snooping.
  • iSCSI supports Challenge Handshake Authentication Protocol (CHAP), and this should be used to force authentication prior to granting access.
  • When using iSCSI or NFS, use physical switches to detect and disallow IP or MAC address spoofing.
  • NFS is easy to set up but is the least secure storage choice. Configure the NFS server to restrict access to specific IP addresses related to your hypervisors, or use a firewall to restrict traffic to specific hosts. If the NFS server supports IPSec, use it to secure traffic between the NFS server and the hypervisors.
  • All traffic to and from storage repositories needs to be isolated from non-storage traffic.
  • Security for fibre channel storage networks involves the use of zoning, which is the creation of access control groups at the switch level and is similar to how VLANs operate. Although numerous topologies are available, the simplest secure form is single initiator zoning. This involves a host bus adapter in its own zone with a target device to prevent initiators from trying to communicate with each other.
  • Security for fibre channel storage networks involves the use of masking, which allows the security practitioner or storage administrator to effectively “hide” one or more LUNs being made available from the storage array, presenting only those LUNs that the endpoint device seeking access is allowed to see.
  5. Auditing and Logging. Following are best practices for auditing and logging:
  • Use centralized logging to determine whether guests have gone offline. These guests can get out of sync with regards to patches and updates. Log any VM power events (such as On, Off, Suspended, or Resumed), changes in hardware configurations, or any login events related to those with elevated privileges. VMs that are copied, moved, or deleted should also be logged.
  • Audit files should be read only and should only be read by those in an auditing role to ensure forensic integrity. Unauthorized and authorized login attempts to the audit files and other virtual resources should be logged.
  • Conduct regular audits of the environment including the virtual network, storage, the hypervisor, the VMs, and the management systems.
  • Send log files securely to a remote log server.
  6. Virtual Machine Security. Following are best practices for virtual machine security:
  • Turn off any unused VMs.
  • Use IPSec or other forms of encryption between the host and VM to secure all traffic.
  • Employ VLANs within a single vSwitch to segment traffic.
  • When VMs move, active memory and state are sent over the network to the new host in clear text. Isolate this traffic from the production network on an isolated segment that is non-routable and configured with a separate vSwitch or VLAN.
  • Policies can be used to make sure that a new VM is not allowed to join a VM group or cluster unless it has a specific configuration and has related updates installed.
  • Do not place workloads with different trust levels in the same security domain or on the same physical server. The chance of mixing trust levels is great when users can create and deploy their own VMs.
  • Restrict access to archived VMs.
  • When two or more VMs are on the same VLAN and vSwitch, the traffic between the VMs is not protected. Consider placing virtual firewalls on these VMs for protection.
  • Place a CPU limit on any VMs that can access the Internet. This will ensure that if a VM is compromised, the VM’s resources are limited to launch attacks on other hosts.
  • If users are allowed to create VMs, consider allowing them to only create VMs from an authorized template.
  • Consider deploying a security VM or virtual appliance to eliminate an agent on each VM. This can eliminate antivirus storms and any bottlenecks that would occur when all hosts and VMs start their malware scans simultaneously.
  • Disable any copy-paste functionality to protect the confidentiality of the data and the integrity of the hypervisor and VMs.
  • A virtual firewall attached to a VM travels with it at all times to ensure that security policy is enforced before, during, and after any moves.
  • A security gateway (firewall and IDS/IPS) can be employed to inspect traffic between VMs.
  • Make sure that any VMs that process protected information are isolated from other VMs so that the data is not combined with other data or is accessible through other VMs.
  7. Management Systems. Following are best practices for management systems:
  • Secure your communications between management systems and the hosts to prevent data loss, eavesdropping, and any chance for man-in-the-middle attacks. Enable one or more of the available SSH, IPSec, and SSL/TLS protocols for this purpose.
  • Do not allow a management server to be accessible from all workstations. Compromising this server could affect VMs and data stores. To prevent this, place the management server on a separate VLAN from the user computers’ subnet and then place it behind a firewall. These are two completely different security zones. Define access control lists on the network switches, and set appropriate rules on the firewall. Change the default permissions on these servers so that the admin does not have access to the entire environment.
  • Separate management servers from database servers.
  8. Hypervisor Security. Following are best practices for hypervisor security:
  • Install vendor supplied patches and updates to the hypervisor as they are released. Support this with a sound patch management process to mitigate the risk of hypervisor vulnerabilities. Place the latest service packs on guests and hosts, and remove any applications with a history of vulnerabilities.
  • Disable any unused virtual hardware that connects to the hypervisor.
  • Disable unneeded services like clipboard or file sharing.
  • Perform constant monitoring of the hypervisor for any potential signs of compromise. Monitor and analyze the hypervisor logs on a consistent basis.
  • Disable all local administration of the hypervisor, and require use of a centralized management application.
  • Require multi-factor authentication for any admin functions on the hypervisor.
  9. Time Synchronization. Following are best practices for time synchronization:
  • Network Time Protocol (NTP) should be enabled and configured to synchronize with a time server close to your network, and NTP should run on a host. Guest VMs should either use the same server as the host or use the host itself as the NTP server. If the VM layer allows a guest OS to sync time directly from the host, then this should be used as this is the simplest to implement.
  • Hashing authentication should be used between NTP peers to prevent tampering.
  10. Remote Access. Following are best practices for remote access:
  • Remote access management should be limited to a small set of authorized management system IP addresses.
  • Any remote access should ask for a username as well as a password backed up with a strong password policy. For strong security environments, use two factor authentication or one time use passwords.
  • Remote communication to any management tools should be encrypted and authenticated.
  • When using SSH, disable the version 1 protocol, disable the admin or root SSH login, and require users to use role-based access control or their individual user accounts. Use a tool like Sudo because it allows activity to be written to a log that indicates what was done, when it was done, and by whom.
  11. Backups. Following are best practices for backups:
  • Encrypt any backup data streams in case a server image is stolen. Data at rest should have access control lists to control copying or mounting of images.
  • Network level protections like VLANs and access control lists should be in place to protect backup data whether at rest or in transit.
  • Do not allow root accounts to be used for backup.
  • Any backups that are sent to a disaster recovery site over the network should be securely encrypted.
  12. Configuration and Change Management. Following are best practices for configuration and change management:
  • Make sure that any physical or virtual servers are hardened before putting them into deployment. Monitor any configuration changes to detect any unauthorized changes or deviations from compliance in regards to updates and patches.
  • Harden physical and virtual switches and virtual appliances and gateways before deployment.
  • Do not allow changes to the infrastructure without documentation and testing in a lab environment that is as identical to the production environment as possible. Answer these questions before making any changes:
    • What are the implications of the change?
    • Who and what will be affected?
    • How much of a risk does the change represent?
    • Can the change be reversed if necessary?
    • How long will it take to roll back a change?
  • Track VM configurations and issue alerts for any changes to a desired configuration.
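The last item, tracking VM configurations and alerting on changes, can be combined with several of the checks listed under Virtual Machine Security. The following added example (not part of the original text) compares a VM's current settings against a recorded baseline and against four of those checks; the configuration keys, template name, and VM data are constructed assumptions, not any platform's schema.

```python
import copy
import hashlib
import json


def fingerprint(cfg):
    """SHA-256 over canonical JSON, so any change to the config changes it."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff(old, new, path=""):
    """Yield (path, old_value, new_value) for every setting that differs."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            yield from diff(old.get(key), new.get(key), f"{path}/{key}")
    elif old != new:
        yield path, old, new


def policy_findings(cfg, approved_templates):
    """Checks taken from the best-practice list; key names are hypothetical."""
    findings = []
    if cfg.get("template") not in approved_templates:
        findings.append("not built from an authorized template")
    if cfg.get("copy_paste", True):  # a missing setting is treated as enabled
        findings.append("copy-paste functionality is enabled")
    for nic_id, nic in sorted(cfg.get("nics", {}).items()):
        if nic.get("connected") and not nic.get("in_use"):
            findings.append(f"unused NIC {nic_id} is still connected")
    if cfg.get("internet_facing") and cfg.get("cpu_limit_mhz") is None:
        findings.append("Internet-facing VM has no CPU limit")
    return findings


def audit(name, baseline, current, approved_templates):
    """Return alert strings: drift from the baseline, then policy findings."""
    alerts = []
    if fingerprint(baseline) != fingerprint(current):
        for path, old, new in diff(baseline, current):
            alerts.append(f"{name}: drift at {path}: {old!r} -> {new!r}")
    for finding in policy_findings(current, approved_templates):
        alerts.append(f"{name}: policy: {finding}")
    return alerts


# Constructed sample data.
APPROVED = {"hardened-template-v1"}
BASELINE = {
    "template": "hardened-template-v1",
    "copy_paste": False,
    "internet_facing": True,
    "cpu_limit_mhz": 2000,
    "nics": {"nic0": {"connected": True, "in_use": True}},
}
CURRENT = copy.deepcopy(BASELINE)
CURRENT["copy_paste"] = True                                   # re-enabled
CURRENT["cpu_limit_mhz"] = None                                # limit removed
CURRENT["nics"]["nic1"] = {"connected": True, "in_use": False}  # stray NIC

if __name__ == "__main__":
    for line in audit("web01", BASELINE, CURRENT, APPROVED):
        print(line)
```

Storing the baseline fingerprint alongside the change-management record gives a cheap way to tell whether a configuration still matches what was approved.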

Summary

Systems and application security is a multidimensional topic made up of many moving parts. The activities and actions of malware, the countermeasures required to mitigate the threats that malware poses, as well as the processes necessary to manage mobile devices all play a part. Adding cloud computing increases the scalability and interactivity of the organization’s infrastructure, but brings with it its own set of security concerns and issues that the security practitioner needs to understand and manage effectively. The security professional should be able to put all of these issues and concerns into context, understand their main goals, and apply a common sense approach to typical scenarios. The focus here is to maintain operational resilience and protect valuable operational assets through a combination of people, processes, and technologies. At the same time, security services must be managed effectively and efficiently just like any other set of services in the enterprise.

Sample Questions

  1. “VBS” is used at the beginning of most antivirus vendors’ detection names to represent what component of the CARO general structure?
    1. Family
    2. Platform
    3. Modifier
    4. Suffix
  2. W64.Root.AC is what variant of this malcode?
    1. W64
    2. AC
    3. Root
    4. C
  3. W64.Slober.Z@mm spreads through what primary vector, according to Symantec naming conventions?
    1. Mass Mailer
    2. Windows 64-bit
    3. Windows 8/8.1
    4. E-mail
  4. An SSCP discovers an antivirus message indicating detection and removal of Backdoor.win64.Agent.igh. What should the SSCP do to monitor the threat?
    1. Use rootkit detection software on the host
    2. Update antivirus signature files
    3. Run a full host scan
    4. Monitor egress traffic from the computer
  5. Malcode that infects existing files on a computer to spread is called what?
    1. Rootkit
    2. Worms
    3. Viruses
    4. Trojans
  6. A Trojan that executes a destructive payload when certain conditions are met is called what?
    1. Data diddler
    2. Rootkit
    3. Logic bomb
    4. Keylogger
  7. How does a cavity virus infect a file with malcode?
    1. Appends code
    2. Injects code
    3. Removes code
    4. Prepends code
  8. Mebroot is unique because it modifies what component of a computer to load on system startup?
    1. Windows registry keys
    2. Kernel
    3. Master boot record
    4. Startup folder
  9. SYS and VXD hostile codes are commonly associated with what type of threat?
    1. Trojans
    2. Userland rootkits
    3. Worms
    4. Kernel rootkits
  10. A potentially unwanted program (PUP) refers to software that may include what? (Choose all that apply.)
    1. Monitoring capability
    2. End user license agreement (EULA)
    3. Patch management capability
    4. Ability to capture data
  11. “0.0.0.0 avp.ch” is a string found within a Trojan binary, indicating that it likely performs this type of change to a system upon infection:
    1. Downloads code from avp.ch
    2. Modifies the HOSTS file to prevent access to avp.ch
    3. Communicates with a remote C&C at avp.ch
    4. Contains a logic bomb that activates immediately
  12. What does it mean when an SSCP does not see explorer.exe in the Windows Task Manager on a host machine?
    1. It is normal for explorer.exe to not appear in Windows Task Manager.
    2. explorer.exe is likely injected and hidden by a Windows rootkit.
    3. explorer.exe does not need to be visible if svchost.exe is visible.
    4. Internet Explorer is open and running in memory.
  13. If an SSCP attempts to analyze suspicious code using a VMware-based test environment and nothing executes, what might be the next steps to take to further analyze the code?
    1. Submit the code to an online sandbox scanner to compare behavioral results.
    2. Modify advanced settings to disable hardware acceleration and similar components and execute the code again.
    3. Call VMware technical support for help in identifying the problem(s) causing the code not to execute.
    4. Run the malcode in a native, non-virtualized test environment to see if it is anti-VMware.
  14. What does the “vector of attack” refer to?
    1. Software that can infect multiple hosts
    2. The primary action of a malicious code attack
    3. How the transmission of malcode takes place
    4. The directions used to control the placement of the malcode
  15. What is direct kernel object modification an example of?
    1. A technique used by persistent mode rootkits to modify data structures
    2. A technique used by memory based rootkits to modify data structures
    3. A technique used by user mode rootkits to modify data structures
    4. A technique used by kernel mode rootkits to modify data structures
  16. What kind of an attack is the following sample code indicative of?
      ../../../
    1. Covert channel
    2. Buffer overflow
    3. Directory traversal
    4. Pointer overflow
  17. What does a second generation antivirus scanner use to search for probable malware instances?
    1. Heuristic rules
    2. Malware signatures
    3. Malware signatures
    4. Generic decryption
  18. What type of botnet detection and mitigation technique is Netflow used for?
    1. Anomaly detection
    2. DNS log analysis
    3. Data monitoring
    4. Honeypots
  19. What kind of tool should be used to check for cross-site scripting (XSS) vulnerabilities?
    1. Rootkit revealer
    2. Web vulnerability scanner
    3. Terminal emulator
    4. Decompiler
  20. What are the five phases of an advanced persistent threat (APT)?
    1. Reconnaissance, capture, incursion, discovery, and exfiltration
    2. Reconnaissance, discovery, incursion, capture, and exfiltration
    3. Incursion, reconnaissance, discovery, capture, and exfiltration
    4. Reconnaissance, incursion, discovery, capture, and exfiltration
  21. What would a malware author need to do in order to prevent the heuristic technology used by antivirus vendors from detecting the malware code hidden inside of a program file?
    1. Use a runtime packer that is virtual environment aware
    2. Encrypt the malware files
    3. Decompile the malware files
    4. Use a runtime packer that is not virtual environment aware
  22. What is a goat machine used for?
    1. Configuration management
    2. Hosting of network monitoring software
    3. Testing of suspicious software
    4. Creation of baseline images
  23. Identify whether each of the following activities is strategic or tactical:
    • Defense in depth
    • Hardening systems
    • Senior management support
    • Backing up data
    • The formation of a CERT/CSIRT team
  24. What is the correct description of the relationship between a data controller and a data processor role with regards to privacy and data protection (P&DP) laws?
    1. The processor determines the purposes and means of processing of public data, while the controller processes public data on behalf of the processor.
    2. The controller determines the purposes and means of processing of public data, while the processor processes public data on behalf of the controller.
    3. The controller determines the purposes and means of processing of personal data, while the processor processes personal data on behalf of the controller.
    4. The processor determines the purposes and means of processing of personal data, while the controller processes personal data on behalf of the processor.
  25. According to the NIST Definition of Cloud Computing (NIST SP 800-145), what are the three cloud service models?
    1. Software as a service (SaaS), platform as a service (PaaS), and Internet of things as a service (TaaS)
    2. Software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
    3. Software as a service (SaaS), business process as a service (BPaaS), and infrastructure as a service (IaaS)
    4. Security as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
  26. Which of the following are storage types used with an infrastructure as a service solution?
    1. Volume and block
    2. Structured and object
    3. Unstructured and ephemeral
    4. Volume and object
  27. What is the Cloud Security Alliance Cloud Controls Matrix?
    1. A set of regulatory requirements for cloud service providers.
    2. An inventory of cloud service security controls that are arranged into separate security domains.
    3. A set of software development life cycle requirements for cloud service providers.
    4. An inventory of cloud service security controls that are arranged into a hierarchy of security domains.
  28. Which of the following are attributes of cloud computing?
    1. Minimal management effort and shared resources
    2. High cost and unique resources
    3. Rapid provisioning and slow release of resources
    4. Limited access and service provider interaction
  29. When using an infrastructure as a service solution, what is the capability provided to the customer?
    1. To provision processing, storage, networks, and other fundamental computing resources where the consumer is not able to deploy and run arbitrary software, which can include operating systems and applications.
    2. To provision processing, storage, networks, and other fundamental computing resources where the provider is able to deploy and run arbitrary software, which can include operating systems and applications.
    3. To provision processing, storage, networks, and other fundamental computing resources where the auditor is able to deploy and run arbitrary software, which can include operating systems and applications.
    4. To provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
  30. When using a platform as a service solution, what is the capability provided to the customer?
    1. To deploy onto the cloud infrastructure provider-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    2. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The provider does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    3. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    4. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the consumer. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
  31. What are the four cloud deployment models?
    1. Public, internal, hybrid, and community
    2. External, private, hybrid, and community
    3. Public, private, joint, and community
    4. Public, private, hybrid, and community
  32. When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?
    1. Reservations
    2. Limits
    3. Clusters
    4. Shares

End Notes
