Why Environment Constantly Faces Insecurities?

There is no doubt that security is not a project, there is no end and we need to constantly evolve but does it seem to you that you may put more effort you expect? You would sense some doubt about why you are constantly running after fixing issues, but is this the way security works? 

No, although you may get bombed with market elements that you have to run but it is not true, the problem is in a different area… the choice is yours:

Gaining “Security” via constant “fire fighting” vs. “guaranteed security” via adequate system and network administration!

It is all about the way we manage and configure our tech environment, from infrastructure to end-user’s machines, from software to processes. That is the most observed cause of general failure with cyber security: tech team (usually IT department) is not well managing the system and network! 

The way we administer technology is the main driver of our security program, it can fail us or take us to the next level. If we are running all the time to catch up, if we are struggling with a smooth patch management process, if we do not know where are the risk at any given time, if we constantly introducing risk and insecurities to our system…all are because we do not manage our system and network properly. 

The simplest examples would be how we setup a software or hardware with default configuration and hoping that works! How we leave systems and network nodes unattended until they start screaming by indirectly breaking some elements and we always blame technology; we never ask ourselves how we manage the technology! 

Default configuration is not the only example but it happens more frequently because teach team is configuring a new system, software, hardware, script…sooner or later and this usually happens with no security in mind!

The Fine Art of Network Security Configuration: Micro Segmentation

Micro segmentation is the particle of an effective network segregation

Network security administration barely leverages a concept which basically has been there forever and could literally saves them forever when dealing with security of network services, and that is nothing but micros segmentation. 

I usually bring practical examples to my workshops so students are able to see and feel MS in real scenarios but as a brief explanation, micros segmentation is the technique of limiting a network node presence with only needed services and to the limited audience. 

Get rid of the flat network but simple techniques around Micro Segmentation!

This simple technique is so away from majority of network configurations these days where nodes are all connected together to a switch and the most segmentation is done via virtual LAN segmentation. Micro segmentation takes care of nodes within their micro virtual world of services and clients. 

MS turns most insecure network protocols to even more secure than a natively-secure-protocol, improve performance, and forever saves network from unknown attacks or malicious actors. Again, no specific tools is needed to implement this concept on a network of any kind, Linux, Windows, Mac… it fits with any infrastructure or technology, the only thing needed is the clear understanding of nodes, network services and their clients’ needs.

How to effectively audit any ISO 27001 process?

First of all, auditor needs to be a SME, not only to the security management system, but also specifically in regards to ISO 27001. The reason is related to the fact that “terminology” or “particular definition” of terms is important. 

Then there are three simple aspects of any process or policy document which should have been adequately addressed by piece of documentation, so we need to focus on those aspect to have an effective audit: 

  • Purpose 

Everything starts with statements regarding purpose of a policy, guideline, work instruction or procedure. There has to be clear definition of the purpose of any given process and as an auditor, one need to fully understand and even criticize it. 

  • Scope 

That is where the context comes in which is usually in deliberately overlooked by auditors! Focus on the scope but never criticize it. Always have the scope in your mind when trying to define the border of a process. 

  • Records 

Evidence is the main result of a process and must be addresses during audit. A survey without evidence does not have any values and it is not effective to the whole process evaluation, measurement or critic. 

By focusing on above 3 simple aspects of any ISO 27001 documentation, you will have an effective ISMS audit, whether internal or external. 

ISO 27001 Audit Tips and Tricks

the easy way to maintain an effective, low cost and smart ISO 27001 security management system

ISO27001/ISO27002: A Pocket Guide
Information is one of your organisation’s most important resources…

Even though there is no magic behind auditing a system based on ISO 27001, there are simple tricks which help you handle ISO 27001 or many other similar standards and frameworks, both as and auditor and auditee.

I would point only at one single tip if I wanted to direct you to just one important aspect of ISO 27001, and that is “Links”. The connection between different parts of standard is the key to kingdom! Understanding this key makes you super strong either as an auditor or as an auditee.

There are certain connections between different Clauses or even different Controls. Majority of ISO 27001 standard element are linked together and this simple means, as long as you follow links, you will reach a final destination for sure which is the flawless system with no broken links.

Main links are from relationship between SoA, Risk, Asset and Access

Links are important because if Clauses, Documents, Policies, Controls…are not connected and consistent, you will be noncompliance ultimately. No matter how hard you try to have a comprehensive, beautiful, technical…set of policies, ignoring links is a reg flag for any experienced auditor, they simply see the effect right away and after that all system looks synthetic!

Main links are between SoA, Risk, Asset and Access. These are foundations and without proper linkage, there is no way to maintain a healthy, consistent, auditable ISO 27001 security management system. Start with SoA, that document is not an index or table of contents! Flow from SoA to Risk Assessment, vice versa and multiple times until all controls has justification. Never compile Asset policies without conducting demonstrating and understanding the links with higher SoA and Risk, and then jump into Access as the baby and outcome of first 3 document.

As an auditor you should always look for broken links because also analysing and accepting a subject without finding conceptual link with other topic is nothing more than ignoring the main purpose of standard, which is a solid management system, not a set of individual files and unclear processes.

As an auditee try to find your broken links prior to audit. This does not require internal audit at all. This is more and more reviewing your key documents by someone who understand the links and concepts, not just memorizing Clauses.

Remember after having a system flawless of broken links, you have already started the easy way to maintain an effective, low cost and smart ISO 27001 security management system, something which has the potential to make money for your business rather than a hassle and expense.

About SECURETARGET

Once Upon A Time . . .

first logo SECURE TARGET

SECURE TARGET was one of the first independent group of professional freelancers in field of IT security, founded 1996 in Islamic Republic of Iran, when even using Internet in the country was a dream!

The freelance group directed by its founder, Kaveh Mofidi and initially named ‘Iran Security Consulting Group’, the first and the last mission of those cybersecurity entrepreneurs was delivering the right and accurate knowledge of computer security towards having a safe and secure CyberSpace. That objective made the foundation to disclosing security vulnerabilities through intensive research and active discovery. The result was compiling numerous hands-on training courses on ethical hacking by the motto “Security through hacking”, from internet portal security, to system, application and network security and hacking essentials. This strategy was replaced later by a new approach as non-disclosure or traditional “Security through obscurity” policy when group found out knowledge could be easily end up in hands of malicious users.

logo SECURETARGET

Members with decades of experience in principles of computer security and as a rare collection of IT professionals who worked so hard and relied on constant learning to enhance the quality of service, finally departed from the group due to lack of financial support; the effect of a extremely depressed economy at the top of technological sanctions on Iran which forced IT industry into its struggling mode, particularly and severely “Security” as an IT luxury.

Microsoft Windows Huge Text Processing Instability

SECURE TARGET (Security Advisory October 17, 2004)

Topic: Microsoft Windows Huge Text Processing Instability
Discovery Date: October 14, 2004
Original Advisory
External Links: VULDB, Full-Disclosure, BugTraq, SICHERHEITSLüCKEN, Addict3d, Ls, Der Keiler, Seifried, NetSys, Mail Archive, SecLists, Neohapsis, Checksum, Network Security, Virus, DoddsNet, ReadList, Mega Security, Security Trap, Virovvch, DevArchives

Affected applications and platforms:
Notepad, NotePad2 and MetaPad (Seems like all Text Processing Apps) / Microsoft Windows (All Versions)

Introduction:
It is not important, the limitation of opening large text file with “notepad” or similar products like NotePad2 (http://www.flos-freeware.ch) and MetaPad (http://liquidninja.com/metapad/); the point is just the way these tiny text processing apps open and handle large text files (talking about over the 200MB).
The way they handle huge text files, it is near possible for a fast modern PC to be completely unstable. This Instability may path to process injection because you cannot even kill the processes of these apps and they will remain “up and running” even when you logged off. So, it’s possible for a unprivileged user to simply hook to the remaining process of a privilege user and this lead to information disclosure (simply reading the content of the memory before swapping a large file which happens time after time, based on the file size) but may even lead to running privileged tasks based on the app they used for processing text.

Exploit:
It is different to exploit based on the application you choose for text processing; for windows default notepad.exe, it’ll be some like a huge DoS but for NotePad2.exe and MetaPad.exe it is possible to doing process injection (information disclosure and/or running privileged tasks).

Workaround:
The best way to work around this situation is just not to open large text files in windows! or wait a long time for completion of task.

Tested on:
Microsoft Windows XP SP1/SP2RC2/SP2 on Intel P4 2.4 with 1GB of RAM

Feedback:
Kaveh Mofidi [ Admin (at) SecureTarget [dot] net ]
Head of Secure Target Network

PerfectNav Crashes IE

Secure Target Network (Security Advisory February 25, 2004)

Topic: PerfectNav Crashes IE
Discovery Date: February 24, 2004
Original Advisory
External: Full-Disclosure, BugTraq, Security Tracker, xforce, SANS

Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1 and older versions

Introduction:
PerfectNav is designed to redirect your URL typing errors to PerfectNav’s web page. Bundled with the Free Ad Supported version of Kazaa Media Desktop 2.6. Likely to be found in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com. Likely to slow performance of Internet Explorer. Can download and execute arbitrary code as directed by its controlling server, as an update feature.
All of us knew about Hijackers/Browser Helper Objects; some of them may hijack your sessions but do you care crashing your web browser by a single blink?
When you use PerfectNav it is easy to crash your Internet Explorer (iexplore.exe) by any malformed URL like any thing you like: ? /? …
Run “iexplore.exe ?” or type “?” in your IE address bar and simply get the error message:
“An error has occurred in Internet Explorer. Internet Explorer will now close. If you continue to experience problems, please restart your computer.”

Exploit:
Easier to exploit than this bug? Just point out any malformed URL on your target and it will be crashing her/his IE.

Workaround:
The easiest way to work around this vulnerability is just removing PerfectNav from your computer. For information that may help you prevent this problem from reoccurring, click on the link below.
http://www.pestpatrol.com/msperfectnavsupport.asp
If the problem persists, please contact eUniverse.com Inc. and alert them of the problem.
Note: To have PestPatrol automatically detect and remove PerfectNav and its components from your computer, you have to buy PestPatrol!

Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) on Windows XP Service Pack 1a

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net)
Secure Target Network (Security Consulting/Training Group)

New IE Thread crashes by WU

Secure Target Network (Security Advisory December 31, 2003)

Topic: New IE Thread crashes by WU
Discovery Date: December 30, 2003
Original Advisory
External: Full-Disclosure

Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1

Introduction:
Any time you open your Windows Update (WU / wupdmgr.exe) and go to “Scan for Updates”; it takes a couple of minutes (based on your system and Net performances) for Microsoft scripting tasks to gather information from your fixing/patching data on your machine.
A security bug exist because when you are in the period which WU scanning your host, you cannot open any New IE windows from some applications and opening this new window just takes time, as long as WU ending its scanning, and it means hanging.
First, it is a security bug because it faces with availability of a component on a windows box. Second, it happens when you open a new IE window from these two situations below:
1. Opening a new IE window by clicking on a hyper link in OE.
2. Opening a new IE window by clicking on a hyper link in IE.
Remember that for facing with this issue, you shouldn’t have an old IE Thread opened from OE or IE before.

Exploit:
This bug may not provide an opportunity to threat a windows box machine with attacks and exposures but it may cause DoS anyway.

Workaround:
The easiest way to work around this vulnerability is just let WU finishing its scanning and then work with IE and OE as usual.

Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) and Outlook Express 6.00.2800.1123 on Windows XP Service Pack 1

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
Secure Target Network (Security Consulting/Training Group

Microsoft Outlook PST Exposure

Secure Target Network (Security Advisory August 31, 2003)

Topic: Microsoft Outlook PST Exposure
Discovery Date: August 28, 2003
Original Advisory
External: Zone-h, Security Tracker, openwall, Full-Disclosure
Affected applications and platforms:
All versions of Outlook on any Windows platform

Introduction:
everyone work with .pst files, storing and managing his/her Outlook Data transparently under Microsoft Outlook. A default folder takes care of these data files at:
%windrive%\Documents and Settings\User Profile\Local Settings\Application Data\Microsoft\outlook
And all of your data may encrypt and maintain as outlook.pst (or archive.pst when you just archive your old data).
When you add something to your outlook items (appointments & meetings, tasks, notes, …), your data file probably increases in size but when you delete some items (any size, large or small piece of data), the data do lost from your eyes but usually, does not erase from .pst files.

Exploit:
As you can probably see, this may effect in a wide range of exposure attacks; no escalation of privileges or any other system compromise directly happen. So, anybody with physical access to your computer would be the reader of your Outlook Items (any task, appointment and …) and any private information there.
By the way, this may lead to a worth situation, when you just restore a backed up copy of these .pst files and try to recover your lost data, but there is something different in backups, because you didn’t copy a refreshed one.

Workaround:
the easiest way to work around this vulnerability is physical security countermeasures but for your backups, try to “compact” items before backing up:
1. Fileàfolderàproperties of “your desired folder with data files”àGeneral tabàAdvancedàCompact Now
2. FileàData File ManagementàsettingsàCompact Now

Tested on:
Outlook 2000 SP3 (9.0.0.6627) on Windows 2000 SP4
Outlook 2002 (10.2627.2625) on Windows XP Professional SP1

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research


Affected applications and platforms:
All versions of Outlook on any Windows platform

Introduction:
everyone work with .pst files, storing and managing his/her Outlook Data transparently under Microsoft Outlook. A default folder takes care of these data files at:
%windrive%\Documents and Settings\User Profile\Local Settings\Application Data\Microsoft\outlook
And all of your data may encrypt and maintain as outlook.pst (or archive.pst when you just archive your old data).
When you add something to your outlook items (appointments & meetings, tasks, notes, …), your data file probably increases in size but when you delete some items (any size, large or small piece of data), the data do lost from your eyes but usually, does not erase from .pst files.

Exploit:
As you can probably see, this may effect in a wide range of exposure attacks; no escalation of privileges or any other system compromise directly happen. So, anybody with physical access to your computer would be the reader of your Outlook Items (any task, appointment and …) and any private information there.
By the way, this may lead to a worth situation, when you just restore a backed up copy of these .pst files and try to recover your lost data, but there is something different in backups, because you didn’t copy a refreshed one.

Workaround:
the easiest way to work around this vulnerability is physical security countermeasures but for your backups, try to “compact” items before backing up:
1. Fileàfolderàproperties of “your desired folder with data files”àGeneral tabàAdvancedàCompact Now
2. FileàData File ManagementàsettingsàCompact Now

Tested on:
Outlook 2000 SP3 (9.0.0.6627) on Windows 2000 SP4
Outlook 2002 (10.2627.2625) on Windows XP Professional SP1

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research