Building a SOC

For run Security Operation Center in your company you must create process, write procedures, hire a staff , etc. All these steps well described in thousand documents.

But what about technical components of SOC?

1. Video wall

Sure thing you need it for security events visibility. It could be LCD, Plasma or just a projector.

Usually you have more than 5 different security management programs (1-2 SIEMs, IDS management, system logs, etc) , so, you need method to show all these on display. You can't tile one display with all these windows - lack of resolution for huge amount of information.

I recommend to use very simple vb script ,created by friend of mine Roma Lazaruk, to switch between programs.

//JScript

var WshShell = WScript.CreateObject("WScript.Shell");

KL = true;

while (KL) {

WshShell.AppActivate(388);

WScript.Sleep(90000);

WshShell.AppActivate("2752");

WScript.Sleep(90000);

WshShell.AppActivate("3612");

WScript.Sleep(90000);

if (WshShell.AppActivate("notepad")) {

WriteWord();

KL = false;

}

}

It gives you possibility to see and read all security information on video wall and adjust visibility interval between programs. This script use PID numbers (for switching between different process with the same name like browser windows ) for program activation and you must run notepad.exe to kill the script.

2. Knowledge base.

Sharing knowledge between teem players save your time, increase team productivity and secure you from personnel turnover problem.

Sure thing the best engine for knowledge base is Wiki. More over you can create really secure knowledge base based on mutual ssl authentication with certificates on smart card and wiki single sign on (SSO) by user cn. For your convenience Andrey Dugin write a wonderful article about this in previous post!

Securing mediawiki

It is described here how to configure mediawiki for:
- use https with mutual authentication;
- use single sign on by client certificates.

At first, enable mod_ssl on apache:

a2enmod ssl

Then add to apache configuration file httpd.conf next strings:
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLCACertificateFile /etc/apache2/ssl/ca.crt

SSLCARevocationFile /etc/apache2/ssl/crl.pem

SSLVerifyClient require
SSLVerifyDepth 1

< Location />
SSLRequire (%{SSL_CLIENT_S_DN_OU} eq "infosec" )
< /Location>

Then disable http-server on apache:

a2dissite default

and edit ports.conf:

#NameVirtualHost *:80 - comment or delete
#Listen 80 - comment or delete


After this restart apache:

apache2ctl graceful

To configure SSL authentication on mediawiki using certificate CN as username you need to add these strings in your apache config:

< Directory "/var/lib/mediawiki/">
Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber=$/
< /Directory>

Then you need to use SSLAuthPlugin.php from guide: http://www.mediawiki.org/wiki/Extension:SSL_authentication depends on your version of mediawiki and add in LocalSettings.php these strings:

#Load SSLAuthPlugin
require_once('extensions/SSLAuthPlugin.php');

#Feel free to use extra PHP code to munge the variables if you'd like
#Additionally if you wish to only map some of the name data, set this to true
#and either blank ssl_RN and ssl_email or comment them out entirely.
$ssl_map_info = false;

#Ssssh.... quiet down errors
#$olderror = error_reporting(E_ALL ^ E_NOTICE);

#Map Real Name from certificate
#Can be DN but is it right?
$ssl_RN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#MW username is required to map to something
#You should beware of possible namespace collisions, it is best to chose
#something that will not violate MW's usual restrictions on characters

#Just using Firstname + Lastname (CN) from Certificate 'will' make collisions... but what to use?
#UN could be md5-hash of DN, but its ugly to use...

$ssl_UN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#Map e-mail to something close?
#Will throw warnings if E-Mail is not set in certificate.
#If so, comment out the next three lines and set $ssl_email empty.
if ($_SERVER['SSL_CLIENT_S_DN_Email'] != )
$ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
else
$ssl_email = ;

#Turn error reporting back on
#error_reporting($olderror);

#Activate SSL Plugin
SSLAuthSetup();

security asceticism - getting list of subdomains

Hi folks.

During first step of security audit you need to get list of all sub-domains for a company domain name. How we can do it?

1. If target corporate DNS server support zone transfer (it's a security problem itself) it's easy:

#dig nameserver domainname axfr

#host -l domainname

2. DNS brute forcers - as a any brute force attack it's take a lot of time and it's always dirty work

3. My favorite way - ,sure thing, using google:

Just do a simple request

-inurl:www.ibm.com site:ibm.com

So, if google already indexed these domains you will find it in the list!

Sure thing, it works only with domains with web-servers on it.

Big Brother watching you or mobile phone security issues

Lets talk about mobile phone security. You are well qualified security specialist and never install suspicious application on you handset, so, you think you are secure? Have you heard about OMA-DM technology? OMA-DM stands from Open Mobile Alliance Device Management. Within the Open Mobile Alliance Device Management the standard for firmware handset updates is known as the Firmware Update Management Object (FUMO) This standard permits Firmware Over the Air (FOTA) technology. How it works - here you can find short description. But it was only first step of implementing such technology on the market.

The second step is SCOMO - Software Component Management Object standard that permits Software Component Over the Air (SCOTA) technology. This technology was created for more granular and flexible management of each software components. With SCOTA, one or more piece of software could be changed without requiring update whole handset firmware. SCOTA is a best way to create phones' application stores, so, consumers can have access to the latest applications, without needing to replace devices.

The most interesting thing that all these technologies use http/https over IP and xml data format.

Sound cool, does it? But lets turn on our paranoia:

1. These technologies allow vendors, mobile or value added service providers (but not only them) to install or delete any application or data on your mobile phone.

2. This technology uses centralized management model , so, from the one management Center it's possible to legally control a huge botnet of mobile phones.

3. This technology could allow (or it could be already used) government to spy on citizens.

4. These system components could be penetrated by some "bad guys" and used for stealing your data or spying on you.

Talking about OMA-DM overall security conception - I' ve found only OMA Device Management Security Candidate Version 1.2 document. According to it OMA-DM protocol use to level of authentication: on transport layer (recommended to use TLS 1.0, SSL 3.0 ) and on application layer (OMA-DM use MD5 !).

Some useful information for Windows based smartphones you can find on msdn web site:

OMA Device Management Security Best Practice

OMA Device Management

How many phones support these technologies? There are two types of OMA-DM support: OMA-DM ready terminals (soft client already build-in) and terminals that need OMA-DM client to be installed by user to enable OMA-DM support. Some useful but a bit old information you can find here .

Big Brother is watching you! Stay secured!

Увеличения объема доступной виртуалке памяти в esxi3.5 или работа в esxi3.5 на хосте с 1 GB RAM

Куда нынче ИТ-безопаснику без виртуализации? А как быть при наличии старого железа?

Итак у нас есть физический сервер с 1 GB RAM и большое желание поднять на нем среду вируализации для запуска 1 виртуалки. (Вопрос зачем здесь виртуализация деликатно упустим: например для упрощения переноса системы или ее тестирования)

Итак какой гипервизор выбрать? Ответ прост esxi3.5 единственный из гипервизоров который согласиться работать на таком обеме памяти. esxi4 требует минимум 2 GB RAM. Итак установка прошла нормально. Виртуальный аплайнс смигрировал и вот теперь его нужно сконфигурить и запустить.

Только вот незадача ему не удаеться выделить более 256 М памяти! Казалось бы легкая и проворная esxi3.5 откушала более 700 метров. Итак как мы будем это бороть.

По умолчанию гипервизор резервирует 500 метров под управление WMами. Нам же с одной WMкой такого не нуно. Тюним: Идем в Configuration \ System Resource Allocation. Выбираем advanced находим VIM объект и ставим все параметры резервации на 256 метров

Затем переключаемся снова в простой режим из адванседа и правим системные ресурсы целиком, ограничивая их

и после всех этих танцев з бубном получаем столь необходимую нам память в общем размере 512 Мб и отдаем их виртуалке. вуаля

Security Configuration Guides

When auditors visit your company for checking overall information security level they usually shower you with questions about vulnerability and patch management process. And if you haven't one of these processes well established - I'm dead sure you will get serious deficiency in the audit results.

But what about system hardening process ( it could part of configuration management ) - do you have such process established? Do yo have security configuration standards for all yours OS, DB and application well developed and updated? If you will start doing this from a scratch you gonna waste hell of a lot time. To save your time I propose you list of links to the well known library of security configuration guides:

1. USA National Security Agency (NSA) - Security Configuration Guides
2. USA National Institute of Standards and Technology (NIST) - National Checklist Program Repository
3. USA Defense Information System Agency (DISA) - Security Technical Implementation Guides (STIGS)
4. Community: the Center of Internet Security (CIS) - CIS Benchmarks

Sure thing you can find a lot of such guides on vendors websites:

1. Apple Mac OS X Security Configuration Guide
2. Microsoft Security Configuration Guides and Wizards
3. Apache community Security Tips
4. Cisco IOS Security Configuration Guide

So, use it and stay secured!

PS. If you got more links and guides , pls add it in comments.

Using Google Alert for information security

So, we have spent hell of a lot of time and money installing different systems but how we can be sure that everything done good? Once in the morning you can find out that top today news is: your company has been hacked! I think, you must get worst news first. For this purpose you can write own web robot but from my point of view the simplest way is google alert service. How we can use it?

Create a search pattern like " my_company_name hacked OR compromised OR defaced " change option How often to as-it-happens, provide email and vuala - once google find something it gonna inform you.

More over you can use google alert service for checking your company web-resources for occasional leakage of confidential information. For this purpose create pattern like "site:my_company_web_site.com confidential OR secret OR internal use" or special pattern for documents that should not be published "site:my_company_web_site.com confidential filetype:doc OR filetype:cad". So, google will monitor your web sites instead of you and notify you.

Sure thing you can combine both methods for control of private data leakage over the internet, finding negative information about your company, advertisement about selling your protected data, etc.

Keep informed! :-)