Wednesday, November 28, 2012

Essential Definitions

[Added direct links to sources]

Taken together, these definitions represent important fundamentals, the underpinnings of cloud security, cloud audit, and cloud compliance. If you've heard me speak, you've heard me stick to this script. It hasn't changed. The message is the same. The application and context in which I use them happen to be cloud computing.

Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
SOURCE: SP 800-27 Rev A
Security
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems.  Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
SOURCE:  CNSSI-4009
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27 Rev A; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE:  FIPS 140-2 
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
SOURCE:  CNSSI-4009
Availability
Ensuring timely and reliable access to and use of information.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an authorized entity.
SOURCE:  CNSSI-4009
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
SOURCE:  FIPS 140-2 
The property whereby an entity has not been modified in an unauthorized manner.
SOURCE:  CNSSI-4009
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.  This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE:  SP800-27
Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE:  SP800-27 
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE: SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE:  CNSSI-4009
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SOURCE: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-66; 44 U.S.C., Sec 3542
Continuous Monitoring
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) the development of a strategy to regularly evaluate selected IA controls/metrics, 2) recording and evaluating IA-relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IA controls, or changes that affect IA risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise.
SOURCE:  CNSSI-4009

Monday, November 5, 2012

CoDeSys + Digital Bond + Shodan = US-CERT Warning
Big Picture:

[1] Company makes flawed code for control systems. [2] Security company exploits code and releases free tools. [3] Hacker search engine compiles list of more than 500,000 control systems. [4] Researchers identify increased activity attempting to exploit critical infrastructure.

Brief Details and Links:

CoDeSys is a development platform created by 3S. This package is used to program controllers in an impressive 261 companies, with products ranging from factory automation to critical infrastructure SCADA systems. An interested party, a SCADA security company named Digital Bond, created and released two tools. The first is a command-shell utility (codesys-shell.py) that lets an unauthenticated user perform privileged operations, sans password. The second is a file transfer tool (codesys-transfer.py) that reads and writes files on controllers that have a file system. Shodan, a powerful exploit search engine, has already identified more than 500,000 reachable Industrial Control System (ICS) devices. Given that the Shodan search engine can be scripted, how long do you think it takes an interested Python coder to identify, exploit, root, and establish control? Or to create a module for Metasploit?

Some Quick Lessons:
  • Build secure access controls into sensitive systems.
  • Isolate sensitive systems from the Internet.
  • Have your products third-party tested by professionals.
  • Assume security measures you build into your products are going to be used by your customers. They will be tested. Hopefully by you.
  • Especially if security isn't your core competency or product set, have your products third-party tested by professionals. Even if it is... have your products third-party tested by professionals.
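Two of those lessons (isolation from the Internet, and access controls on who may program a controller) can be checked mechanically against perimeter logs. The script below is an added example, not code from this post, Digital Bond, 3S, or Shodan: it scans constructed firewall log lines for accepted sessions that reach a controller from outside the plant, or that hit a controller's programming port from a host other than the engineering workstations. The port numbers, address plan, and log format are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumption: the controller runtime's programming/service ports; confirm the
# real numbers against your vendor's documentation.
PROGRAMMING_PORTS = {1200, 2455}
# Assumption: address plan. Controllers live in OT_NET, only hosts in
# ENGINEERING_ALLOWLIST may use a programming port, and INTERNAL_NETS is
# every range the plant owns, so any other source is "the Internet".
OT_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [OT_NET, ipaddress.ip_network("10.20.0.0/16")]
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.20.5.20")}

# Assumed log shape: "src=A dst=B dport=N action=accept|deny" somewhere in the line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(accept|deny)")
Finding = NamedTuple("Finding", [("src", str), ("dst", str), ("dport", int), ("reason", str)])


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for an accepted session that breaks a rule, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not a session record in the expected shape; skip it
    src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    dport, action = int(m[3]), m[4]
    if action != "accept" or dst not in OT_NET:
        return None  # blocked by the firewall, or not aimed at a controller
    if not is_internal(src):
        reason = "controller reachable from outside the plant"
    elif dport in PROGRAMMING_PORTS and src not in ENGINEERING_ALLOWLIST:
        reason = "programming port used by a non-engineering host"
    else:
        return None
    return Finding(str(src), str(dst), dport, reason)


def scan(lines) -> list:
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample firewall log lines, not real traffic.
SAMPLE_LOG = [
    "src=10.20.5.20 dst=10.10.1.7 dport=1200 action=accept",   # engineering host
    "src=10.20.9.33 dst=10.10.1.7 dport=1200 action=accept",   # office host
    "src=203.0.113.5 dst=10.10.1.7 dport=1200 action=accept",  # Internet, allowed through
    "src=203.0.113.5 dst=10.10.1.8 dport=502 action=deny",     # Internet, blocked
    "src=10.20.9.33 dst=10.10.1.7 dport=502 action=accept",    # office host, Modbus port
]
```

Running `scan(SAMPLE_LOG)` reports only the second and third lines; denied attempts and non-programming traffic from internal hosts are left alone, so the output is a short list of segmentation and access-control gaps rather than a dump of every session.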