This is the Security “The Pain Pill” because only a few of us take vitamins.
Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts.
If you would like to learn about Social Engineering in our live class Thursday May 17, 2012 at 19:00 Central time, wait till class and type your name here
This post with the video is here
This is part of Expanding Security’s partnership with Hackin9 – the full article will appear in the May issue.
Security communications and why you should trundle
Trundle – to move slowly and heavily, typically in a noisy or uneven way.
When I do a security assessment I trundle. Why? Mostly to protect the people for whom I work. They expect me to be the Security Nazi. If I am not doing security, they certainly will not. If I am stupid enough send my passwords in email, they will think it is appropriate behavior.
I am the guy who has the Elite Attache by Zero Halliburton with a combination that is not 007. I bring my original contract documents locked in this case. I bring a random list of words from which to choose a password. I hash the secret values and write the password once. I am the nut who encrypts the password keys for the project. I am the one who thinks this is just not enough. I am not paranoid! Everyone is after me. Most importantly, my customers know I am deadly serious about security and when I tell them there is no way around this security measure, THEY LISTEN!
What will you get from this article?
- If you are a decision maker for penetration testing, you should expect this level of paranoia.
- If you are a tester you should be able to improve your process.
- If you are a student all of these security terms should make sense.
We will talk about the tools you use for protecting data, the data you should protect, and the business processes that you must put in place.
TOOLS OF THE TRADE
The requirements for tools are: cross platform capability, easy to use, and able to increase security as needed. The basic tool set for secure communications are: a hashing tool, file encryption, whole disk encryption, and VPN software.
Hashing tool for files and passwords
We need good passwords. Good passwords are random. I suck at randomness. I use the next best thing. On site with the customer, I pick the names of people from the meeting and what they were drinking. If they had a beer, coffee, or nothing I use those values as an input to the hash. I use a hashing tool and my random word list to pick something easy to remember, but something long enough to make brute force computationally painful.
In the rules of engagement we agree not to transmit the password digitally ever. We agree to use out of band communication. If my team is distributed, we do a quick phone call. No VOIP. No Skype. Well a cell phone is not very secure, so we make it a short call.
In a word: Mandylion. (http://www.mandylionlabs.com) If you are like me, you need to track many passwords for many customer engagements. You also need a place to put your own passwords. For $250 for 5 password containers and a cradle, it is not a bad solution. Yes, above I did say I wrote my password for the project down. So a fire-rated safe is a requirement.
I do not like password software as a rule. Compromised machines under the attacker’s control are not a very good place to hide a password. Screen capture by adversaries are a possibility, so again I say hard password containers are the best.
You are going to send data. The customer is going to send credentials. You are going to send reports. I like anything that is easy to use for my customer that uses AES encryption.My top two tools are Truecrypt and Axcrypt. They both have their place. Your customer will only tolerate one.
Whole disk encryption
When you are transmitting big files, sometimes you cannot rely on the software and you need hardware. I like hard keys and hard disks with their own dedicated encryption chipsets. The advantage of hardware encryption from a processing standpoint makes sense. My computer is already doing a great deal of processing; why burden it with more tasks? I have not been able to find any other tools at the price of Buslink. (http://www.buslink.com/) These multi-key encryption tools are expensive, but when you have multi-terabyte files to protect, I do not know of a reasonable substitute.
You and I both know there are software tools that do the same thing as hardware. When I last checked, there were 30 vendors. I like the cross platform capability of hardware, and there are no licensing requirements and no contracts.
When you are done with your project, you need to clean up. Rookies / Noobes will be tempted to use a degausser on external drives. Sure it will wipe the data. You get a bonus with degaussing. The hard-drive arm will crash into the platter, and there is no reuse. So I take the opposite position for disk wiping as I do for whole disk encryption; software is better than hardware for the conservation of hard-drives.
If you are running an Apple with O.S. 10 or better you get some really great built-in disk erasure tools. The last disk I wiped was a 250GB external. It tool 9 hours for one overwrite with zeros. The U.S. DOD 5220-22 option is 7 overwrites and Yes it takes 7 times longer. If you are a total security nut and want to resell the drive on an auction site, the Guttman method is 35 passes. It will take 14 days for 80GB. (http://en.wikipedia.org/wiki/Gutmann_method)
This is very customer dependent and very platform dependent. Some customers want you attacking as if you are the real black-hat. Others want to bring you closer so they can inspect your traffic. Still others will leave it up to you.
If you get the choice, SSH is a reasonable tool for VPN. Putty is a free, easy client. On our team we try to use industrial strength SSH client/ server. Secure CRT is one of the few vendors who makes a cross-platform client and server that customers are willing to trust.
You can never be completely ready for the customer, but be ready on your side. Two big gotchas in VPN are protocol ID 47 (for GRE and PPTP) and protocol ID 50 / 51 plus port UDP 500 (for IPSEC). These are the protocols and ports being blocked on your end by firewalls.
DATA TO PROTECT
What are you encrypting? Packet captures, virtual attack images, databases, and all output of tools and business process documents. Any data that could be used to do an attack or the reports that discuss the weaknesses of your customer must be encrypted. It must be encrypted at rest and in transit. It must be encrypted and protected for longer than it is useful to anyone.
You need to prove that what you did is only what you did and not what a true attacker did while you were doing your test. Screen shots get the customer’s attention. These screenshots will only be to convince the executive to spend money on fixing the problem. The technical person that the executive relies on to do the action needs more than screenshots. Packet captures are that something more. They provide the raw data. But this raw data is perfect data for the evil outsider to use to know what worked.
When you start your activities, start your capture. When you stop you capture, log the capture name. Now you need to protect this data with file encryption.
Databases and Tool output
Many tools will offer you flat files to transmit or use as input to another tool. Metasploit can be configured for a number of database back-ends. Commingling of customer data is a no-no. A simple rule is one database per customer. I know this really puts a cramp in your style, but suck it up. Protect the data.
I do not think you should use a physical host with software installed. It is too messy to clean up afterwards when you have finished your test. Start with a clean image. Do your testing. You will end up with a dirty image that has customer data in it. You may refer back to this image when you are writing your report. Keep it encrypted and on a separate drive. (I know before I said hard disk encryption is best, but it may be cost prohibitive.) Truecrypt has a hidden partition feature so that if someone steals the drive they think “format free disk space” not “let us see what is on the disk.”
All this sounds like a lot of work?
So far this is all punishment and no reward; or as my dad would say, “all stick and no carrot.” (http://en.wikipedia.org/wiki/Carrot_and_stick)
Let us go back to the previous data point of packet captures. If you captured packets in the virtual machine, they are encrypted. When you encrypt them in the virtual machine and pull them out for your summary or report, they remained encrypted for the entire time. This is critical to all your business processes.
Here is the good part: If you use whole disk encrypted virtual machines and you keep all your tools’ outputs inside the virtual machine until you need the report output, you are protected. This means everything: packet captures, virtual images, databases, all output of tools and business process documents.
Client scope request and data
Here is the problem- Clients are not going to do what you want. They are going to do what they want. The client looks at your contract and wants to make adjustments. Scope data is valuable to the attackers. You have two choices. Teach them your encryption process or communicate in abstract terms. The first idea is fraught with pain unless you are a patient teacher and willing to spend the time. The second idea may be easy for your clients, but it opens you up to passing data in the clear.
A third option is to state your policy in an email signature block and remind the client at the beginning of the contract and at reasonable intervals.
You get to customize your process to fit the job and your customer.
Now we have a chance to protect the client’s data. Sending the report from your mail server to theirs means there are at least four possible copies. If you and they have a data retention policy and a backup mailbox policy, you will have two copies you know about and two copies you don’t know about. You have a copy in your sent mail. Your server might backup the outbound email. Their server might backup a copy and they might never delete it. If you use a self-executable like Axcrypt, you can protect it in all four places.
From cradle to grave or start to finish ALWAYS keep it secure. Whatever process you decide to implement, this is your trust that the customer has placed in you. Don’t abuse that trust.
Business process documents
These documents tell the customer what to expect as encryption behavior from your team. Keep instructions as clear as possible. For example, give simple statements such as, “We will not send the password via email or text message.” I do an hour long discussion with my customers followed up with a detailed email and website to ensure clear communication. Be ready to explain your process. Instructions are never as clear as we think they are.
Closing out the report and putting away the data
Hand all the data over in encrypted form. Burn a DVD of the project report data and your captures for backup with all data encrypted under a superkey. Move the superkey to a physical vault. Delete the keys from your digital vault. Wipe the disk where the working image was copied.
Your customer will fight you
The goal is to convince your customer that they need even more security for communications about the test. All along the way, from the first discussion about penetration testing to the final report, all this data needs to be handled delicately. We need to deal with the expectation of privacy, how we are perceived by the customer to treat their data, and the level of trust they are placing in our ability to deliver. For the majority of my customers it is unlikely that I will convince them to take security as seriously as I do. No they are not going to set up PGP, digital signatures or a secure drop box. Yes they want to use email. Ask yourself realistically, what are your customers willing to do?
Don’t know how to do these activities? Come to our free class! 2012-05-17 CENTRAL time 19:00:00