Sunday, October 26, 2008

Microsoft Emergency Security Update (Ouch)
- Can't Patch Control Systems?
- Sockstress TCP Vulnerability Issues Next?

On Thursday 10/23, Microsoft spiced up our lives with an emergency security update (i.e. Microsoft Security Bulletin MS08-067 – Critical) to address a “wormable” vulnerability specifically exploiting the “Server” service via remote procedure calls (RPC) over the network. Similar to Blaster, unmitigated vulnerable machines can be directly attacked at the network level and immediately, completely compromised. This particular problem is also extremely exploitable once understood; security firm Immunity was able to craft a working exploit within two hours after the release of the security fix.

Don’t Neglect Control Systems- especially Critical Infrastructure. While many business network environments are going through the test and deployment process (not without some problems – e.g. some reported breakage of IPSEC), there’s also a need to be thinking about critical infrastructure as it increasingly depends on Microsoft-based solutions. These types of problems underscore how the network environment and its management infrastructure are such an important and fundamental starting point for establishing and sustaining a defined, effective, defense-in-depth security posture. Many may assume that the environments are well separated by definition; however, when you don’t get the control system network right (or at least sufficient), it undermines everything else being done in the name of security.

Beyond layered network segmentation with strict boundary communication controls as a vital starting point, basics that are increasingly expected include protective network chokepoints (firewalls, gateways, etc), and secure information transfer facilities (DMZs, Data Diodes, NIPS, etc). Other important steps often overlooked include basics such as server system hardening and endpoint protection measures (e.g. AV, HIPS, whitelisting, etc). As more is done in the name of security, the solutions themselves need to be managed and protected in a scalable manner- perhaps with a distinct network security management environment- also with commensurate protection.

Having well-formed mitigations in place in control system settings will help directly address risks from emergent security problems such as this and put you in a good position when facing related regulatory scrutiny. Typical business network environments are strikingly different – often quite porous and flat, with less definitive countermeasures- and therefore pressing forward with patches and security updates on a regular basis across a substantial IT footprint. These are very different environments suited only for very specific, understood and controlled interactions - having solid network security controls between the two environments is an essential part of a well-articulated cyber security architecture.
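As an added illustration of the boundary control described above (example code, not from the original post), here is a small Python policy checker: business, DMZ and control zones, an explicit allowlist of cross-zone flows with default deny, and an audit of constructed connection records that flags business-to-control attempts on the Server service's SMB port (445) and the RPC endpoint mapper (135), traffic a chokepoint between the two environments should never pass. The zone ranges, permitted flows and log records are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout for the example (not from the post).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}
# The only permitted cross-zone flows: (src_zone, dst_zone, proto, dst_port).
# Anything not listed is denied at the chokepoint (default deny).
ALLOWED = {
    ("business", "dmz", "tcp", 443),   # business reads historian data via the DMZ
    ("control", "dmz", "tcp", 5432),   # control side pushes data out to the DMZ
}
Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow):
    """Return ('allow' or 'deny', reason) for one flow."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return "allow", "intra-zone traffic, not subject to boundary control"
    if (sz, dz, flow.proto, flow.dport) in ALLOWED:
        return "allow", f"permitted {sz}->{dz} {flow.proto}/{flow.dport}"
    return "deny", f"no rule for {sz}->{dz} {flow.proto}/{flow.dport}"

def audit(log_lines):
    """Parse 'src dst proto dport' records and return the denied flows."""
    violations = []
    for line in log_lines:
        src, dst, proto, dport = line.split()
        flow = Flow(src, dst, proto, int(dport))
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations

# Constructed connection records; 445 is the Server service's SMB port, 135 the RPC endpoint mapper.
SAMPLE_LOG = ["10.10.4.7 10.20.0.5 tcp 443", "10.10.4.7 192.168.100.12 tcp 445",
              "192.168.100.3 10.20.0.9 tcp 5432", "10.10.9.1 192.168.100.12 tcp 135"]
for flow, reason in audit(SAMPLE_LOG):
    print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```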

More- the DHS Control Systems Security Program at Idaho National Laboratory offers the following tools:

What's Next- Sockstress Issues? How about long-standing weaknesses involving TCP network stack vulnerabilities, recently gaining attention as "Sockstress", that can be exploited to cause reachable systems to lock up (denial of service, DoS)? Indications are that even an attack at one packet per second can take systems down - e.g. from a dialup Internet connection. Because this is a state-based attack, spoofed packets can't be used, but even small bot farms are sufficient to carry this attack out.
> Vendors fixing bug that could crash Internet systems Computerworld, Norway - Oct 2, 2008
> SecurityNow! Episode 164: Sockstress - Oct 2, 2008

Tuesday, October 21, 2008

Cyber Security Awareness Month In Full Force
-Threats to Security Never Sleep!

Every year my group helps support a company-wide awareness campaign that coincides with National Cyber Security Awareness Month. Videos, games, posters, online questions and answers... and of course booty with some great top prizes (iPods, a security system, etc). Yes, enthusiasm isn't enough- folks need to engage and submit correct answers to be in the drawings. As for the goodies being drawn, we continue to get much of it just for the asking from our suppliers ahead of the event (explaining our internal campaign and asking "would they like to help us out", etc) - no strings.

Nationally, many "free" resources continue to be developed by non-profits and governmental sources. Some of the best of these online sources follow and are worth taking note of as this month winds down.

> National Cyber Security Alliance
Top 8 Cyber Security Practices

  1. Protect your personal information. It's valuable.
  2. Know who you're dealing with online.
  3. Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
  4. Be sure to set up your operating system and Web browser software properly, and update them regularly.
  5. Use strong passwords or strong authentication technology to help protect your personal information.
  6. Back up important files.
  7. Learn what to do if something goes wrong.
  8. Protect your children online.
> EDUCAUSE's Online Cyber Resource Kit

> MS-ISAC Multi-State Information Sharing and Analysis Center
- webcast, Cyber Security Tool Kit, etc.

- more information, pamphlets, etc

Saturday, October 18, 2008

Neat DHS/NCSD Cyber Security Vulnerability Assessment Tool (CSVA) + CS2SAT

Last updated 8-2-2009
DHS’s National Cyber Security Division (NCSD) has been working for some time to develop an objective, comprehensive cyber security vulnerability assessment (CSVA) tool, revving through Betas. Using a simplified methodology, the CSVA aims to quickly assess an organization, facility or system’s cyber vulnerabilities and recommend options with extensive helpful explanations and examples. Critical infrastructure sectors are encouraged by DHS to use this tool to analyze their cybersecurity posture.

I recently got my hands on and fired up CSVA BETA 5 - some thoughts:

  • Best if performed with prepared team and good facilitation. Cyber security knowledgeable folks familiar with the assessment environment can get a running, upfront start.
  • An initial determination is made regarding if a Business Network or a Control System is being assessed and adjusts approach- very good!
  • Truth over harmony needed here folks - some questions are combination issues and not all the answers to pick from fit well. Pick the most conservative answers and capture views in comments to get through the process.
  • Credibility bolstered in assessment process with a virtual informed third-party (DHS/NCSD) cooked in.
  • Can save assessment, go back and make adjustments for what ifs or actual improvements and see results.
  • Strives to leverage concepts from recognized cybersecurity standards and guidance- e.g. ISO, COBIT, NIST, etc
  • Offers great benefit lift ratio for effort required. Being "free" helps too!

Bottom line. The CSVA journey is a short, easy trip and the results are well worth it. The tool offers a solid approach to further develop shared understanding of cybersecurity posture with various stakeholders to build on and prioritize improvements. For more information or a copy of the tool, contact the Critical Infrastructure Protection / Cyber Security Program within the DHS National Cyber Security Division at
Next- the CS2SAT.
For those needing to go beyond the CSVA’s high-level approach and focus on more specific risk particulars- factoring in consequences, network topology, requirements, etc - there’s the Control System Cyber Security Self Assessment Tool (CS2SAT). Haven't looked at it yet but planning to give it a whirl at some point - list pricing, e.g., $1800, is waived ("free") for many energy organizations.

Update 8-2-2009 - Per DHS, the CSVA will be integrated into upcoming versions of the CS2SAT. The latest Version 2 of the CS2SAT is now specifically configurable to address NERC CIP, SANS, etc for assessment activities. Works a lot like the CSVA - but focused on the control system space for now (until the CSVA is transitioned). DHS is very committed to the CS2SAT approach- given freely at one-day Industrial Control System cyber security courses - worth checking out.