
Friday, May 31, 2013

Book Review: Assessing Vendors

Assessing Vendors: A Hands-On Guide to Assessing InfoSec and IT Vendors


by Josh More
Publisher: Syngress
ISBN: 978-0124096073
Number of Pages: 95
Date Published: May 10, 2013 


As I've noted in several previous blog posts, I believe the concept of Vendor Management is one of the weaker links in the security chain at many organizations.  While this book doesn't necessarily show you everything you need to know to fix this problem, it does provide solid advice on proper due diligence for selecting vendors and products that you want to build a relationship with.

Josh More lays out a very practical framework for finding vendors that provide technology (products and/or services) that addresses the needs of your situation.  More's Vendor Assessment process contains nine phases to help those responsible for evaluating and recommending solutions in Information Technology and InfoSec.  The process is designed to help these individuals fairly and quickly evaluate vendors, understand how the vendor/sales atmosphere operates, and get more value out of vendor contracts.


One of the biggest lessons I got out of the book was in properly defining the criteria used to assess and compare various solutions.  By selecting specific criteria to measure each vendor against, you ensure a fair and systematic evaluation so that the final decision can be based on a true apples-to-apples comparison and backed up with data.  On page 17, More provides some great advice for deciding how many different criteria should be used in this process:

The limit is going to be the number of dimensions that you can hold in your head at any given time.  This way, as you assess systems, you don't have to bounce between modes of thinking too much.  This process, called "context shift," is a very common source of time loss when doing analyses.  If you are running down a large list for each candidate, you have to constantly change your mode of thinking and every time you do, it will cost you a little bit of time.  If your list is too short, you will be losing time thinking of real-world scenarios that could be concerning but cannot be captured in your limited system.

More provides several examples to address this issue, ranging from the C-I-A triad to the CISSP 10 Domains.  But I really liked the reference to the Parkerian Hexad on page 18, which is a short enough list to easily remember, but comprehensive enough to cover the majority of vendor/product assessments you will run into.
  1. Availability
  2. Possession/Control
  3. Confidentiality
  4. Utility
  5. Integrity
  6. Authenticity
I have to admit, this isn't the most exciting IT book out there, but I'm glad I read through it.  All in all, this one is a quick read weighing in at just under 100 pages, but sheds some light on what can sometimes be a very ad-hoc selection and purchasing process.

Friday, April 12, 2013

Best Practices

Great comment in this week's SANS NewsBites (Vol. 15 Num. 029) from Alan Paller, director of research at the SANS Institute.

[Editor's Note (Paller): As organizations discover there is economic liability for lax cybersecurity, and lawyers smell blood in the water, the recognition will dawn on policymakers that their reliance on high level "guidance" was a really bad idea and made government cybersecurity a terrible model for protecting the critical infrastructure and businesses.  This week the Australian Attorney General established a legal requirement that all agencies implement a small number of critical security controls. No company can pretend they don't know the basic controls they must implement. The U.S. government will do that, too, but, as Winston Churchill said so long ago, "Americans will always do the right thing - after exhausting all the alternatives." You can get a head start on doing the right thing if you can get to London on May 1-2 (http://www.sans.org/event/critical-security-controls-international-summit) or listen in on the briefing on April 18 (http://www.sans.org/info/128297).]


I found this comment somewhat ironic, given the recent twitter conversation with @joshcorman:



Maybe "Best Practices" really aren't the absolute "Best" that we can do in every individual situation.  And can they really be called "Practices", if they aren't actually practiced? (i.e. repeated performance or systematic exercise for the purpose of acquiring skill or proficiency). Having cursory familiarity with an established checklist of known good security measures such as the SANS Critical Security Controls, does not qualify as practicing or best.  ;)



Also, check out Cindy's article about being Consumers of Security Intelligence here.

Saturday, March 23, 2013

SANS 2013 Orlando

SANS 2013 was great, but I'm certainly glad to be back home.  It was a long week of sitting in conference rooms from sun up to sun down listening to some of the brightest instructors in InfoSec.  I really enjoy the quality of the conferences that SANS provides.

GIAC Intrusion Analyst (GCIA) Job Task Analysis (JTA)

It was an honor to be selected to participate in the JTA session.  The JTA is a way for GIAC to double check the correlation of their certification exam scores to the actual job skills that SANS is trying to teach.  I flew in a day early to take part in the exercise. I enjoyed the opportunity and hopefully will get to help out again in the future.  And, I got to meet Judy Novak.

SEC504: Hacker Techniques, Exploits and Incident Handling

This is the fourth class I've taken from SANS, so I pretty well knew what to expect.  SEC504 covered a lot of material, but much of the material felt familiar to me already, just more depth and insight into the attack techniques that are readily available.  For a lot of the attacks out there today, there really aren't very many good defenses.  So I guess numero uno on the list for things I learned at SANS 2013 isn't really something new, but something old and very foundational to InfoSec.  
 - Use common sense to limit who has access to systems and data in your environment.
 - Baseline your environment so that you know what is "normal" in terms of ports being used and processes running on your systems.
 - Don't reuse the same password for local administrator accounts across your organization.
 - Use host-based firewalls to prevent compromised systems from being able to easily pivot to other systems on the same subnet.
 - I also picked up a Teensy to play around with for physical testing.

Now I just have to get busy studying for the GCIH exam... 

APT: It is Not Time to Pray, It is Time to Act - Dr. Eric Cole

Dr. Cole is an excellent speaker and easy for me to pay attention to.  His tone and cadence in his presentations are very academic, but at the same time very candid and realistic.  He doesn't come across as somebody that is trying to wow you with his vast knowledge of InfoSec.  He seems to genuinely care about the material he is presenting and willing to do whatever it takes to make that material interesting and tangible to his audience.  The content of the keynote for SANS 2013 wasn't so much about all of the APT hype as it was a very focused warning of the need to master the basics of InfoSec before we will really be able to win against the attackers.  

Dr. Cole outlined 5 steps to improving security posture and being able to react to indicators of compromise more efficiently.

1. Identify Critical Data - Align critical assets with threats and vulnerabilities to focus on risk.  Using Risk Based Thinking - What is the risk? Is it the highest priority risk? Is it the most cost effective way of reducing the risk?
2. Align the Defense with the Offense - The areas that defense currently focuses on are not the same as what the offense is focusing on.
3. Know thy Organization - You Cannot Protect What You Do Not Know About.  Organizations need accurate up-to-date network diagrams and network visibility maps, focus on configuration management and change control.
4. Defense in Depth
    a) Inbound Prevention
    b) Outbound Detection
    c) Log Correlation
    d) Anomaly Detection
5. Common Metrics - Use the 20 Critical Controls!

Vendor Expo

Eh, not much to say here other than some vendors had some booths set up with some trinkets and trash on display.  And now my inbox and voicemail are full of messages that I don't really need.

Social Zombies: Rise of the Mobile Dead - Kevin Johnson

Yeah, I know social media is out to get me.  Really, duck face?

Introduction to Windows Kernel Exploitation - Stephen Sims

This is one area that I have no experience with.  Stephen did a great job of taking a difficult subject and explaining it so that I could follow along.

How to Become a SANS Instructor - Eric Conrad - Lunch-n-Learn 

Eric has an interesting story about how getting involved with SANS boosted his career and opened up the door of opportunity.  I've thought about signing up for the Mentor program, maybe this was persuasive enough to get me to send in the application?

ADHD and Samurai - John Strand and Kevin Johnson

The Active Defense Harbinger Distribution (ADHD) is pretty cool.  It is a Linux distro built around the idea of making life difficult for the bad guys.  It focuses on Annoyance, Attribution and Attack.  Some of the fun features include infinitely recursive directories, seeding honeytokens with call-home commands so that you can locate where your data has been exfiltrated, and setting up the signed Java applet attack in Metasploit to actually exploit the attacker.  There is a great write up of Paul Asadoorian and John Strand's RSA presentation here.

The Samurai Web Testing Framework (WTF) is also a nifty Linux distro with a series of tools to assist in web app pen testing.

Hacking Your Friends and Neighbors For Fun - Joshua Wright

Very entertaining.  If you haven't seen this talk yet, check out the slides here.

InfoSec in the Financial World: War Stories and Lessons Learned - Bryan Simon

Bryan makes the case for improving the information sharing of financial institutions with regards to adversaries, attacks and defense strategies.  Ironically, on his way to the conference, half his slides were yanked by his legal department so that he wasn't able to share some of the stories he wanted to.  The best part about this session was all of the conversations that started up afterwards.

NetWars Tournament

Wow, this was my first time at Netwars.  I wasn't really sure what to expect here.  All I can say is, there are some wicked smart people at SANS and I need some more practice.

Saturday, March 9, 2013

Just Some Notes On TCPDump Filters

Well I'm sitting here in Orlando at the SANS 2013 conference.  I have a few hours until registration opens up and I was looking through some of my notes from previous SANS conferences.  Here are some tcpdump examples and notes I had accumulated while studying for the GCIA exam.  Some of these are examples I've found from various other sources* and some of them I added for my own reference.  Enjoy!

| Expression | Description |
|---|---|
| [x:y] | start at offset x from the beginning of the packet and read y bytes |
| [x] | abbreviation for [x:1] |
| proto[x:y] | start at offset x into the proto header and read y bytes |
| p[x:y] & z = 0 | p[x:y] has none of the bits selected by z |
| p[x:y] & z != 0 | p[x:y] has any of the bits selected by z |
| p[x:y] & z = z | p[x:y] has all of the bits selected by z |
| p[x:y] = z | p[x:y] has only the bits selected by z |

The usual rules about operator precedence apply; nesting things inside parentheses is probably a good plan.  You'll probably want to put the filter into a file or at least single-quote it on the command line to stop the shell from interpreting the metacharacters.


Parts of an IP Packet

| Filter | Description |
|---|---|
| ip[0] & 0xf0 | High order nibble: IP version (4 = IPv4, 6 = IPv6) |
| ip[0] & 0x0f | Low order nibble: Header Length (Common Value = 5, Multiplier 4, 20 byte header) |
| ip[1] | Type of Service/QoS/DiffServ |
| ip[2:2] | Total length of datagram in octets |
| ip[4:2] | IP ID number |
| ip[6] & 0x80 | Reserved (Evil bit) |
| ip[6] & 128 != 0 | Evil bit set (RFC 3514 defines the evil bit as an April Fools joke) |
| ip[6] & 0x40 | Don't Fragment bit |
| ip[6] & 0x20 | More Fragments bit |
| ip[6:2] & 0x1fff | Fragment Offset (number of 8 octet blocks) |
| ip[6:2] & 0x1fff != 0x000 | Fragment Offset is not 0 |
| ip[6:2] & 0x3fff != 0 | Look for ALL fragmented IP packets (More Fragments bit or a non-zero offset) |
| ip[6] & 0x20 = 0x20 or ip[6:2] & 0x1fff != 0 | Look for More Fragments bit set or fragment offset greater than 0 (Look for ALL fragmented IP packets) |
| ip[6] & 0x20 = 0 and ip[6:2] & 0x1fff != 0 | Look for More Fragments bit not set and fragment offset greater than 0 (Last fragment packets) |
| ip[8] | TTL |
| ip[9] | Protocol |
| ip[9] = 0x01 | 1 = ICMP |
| ip[9] = 0x02 | 2 = IGMP |
| ip[9] = 0x06 | 6 = TCP |
| ip[9] = 0x09 | 9 = IGRP |
| ip[9] = 0x11 | 17 = UDP |
| ip[9] = 0x2F | 47 = GRE |
| ip[9] = 0x32 | 50 = ESP |
| ip[9] = 0x33 | 51 = AH |
| ip[10:2] | Header Checksum |
| ip[12:4] | Source IP |
| ip[16:4] | Destination IP |
| ip[20..60] | IP Header Options (present only when the header length nibble is greater than 5) |


Parts of an ICMP Packet

| Filter | Description |
|---|---|
| icmp[0] | Type |
| icmp[1] | Code |
| icmp[2:2] | Checksum |
| icmp[4...] | Payload |


Parts of a UDP Packet

| Filter | Description |
|---|---|
| udp[0:2] | source port |
| udp[2:2] | destination port |
| udp[4:2] | datagram length |
| udp[6:2] | UDP checksum |


Parts of a TCP Packet

| Filter | Description |
|---|---|
| tcp[0:2] | source port |
| tcp[2:2] | destination port |
| tcp[4:4] | sequence number |
| tcp[8:4] | acknowledgement number |
| tcp[12] & 0xf0 | header length (data offset) in the high order nibble, in 32-bit words (Multiplier 4) |
| tcp[13] | tcp flags |
| tcp[14:2] | window size |
| tcp[16:2] | checksum |
| tcp[18:2] | urgent pointer |
| tcp[20..60] | options or data |


Other Examples

| Filter | Description |
|---|---|
| (tcp[13] & 0x02) != 0 | Contains SYN (maybe other stuff as well) |
| (tcp[13] & 0x03) = 3 | SYN / FIN |
| ip[12:4] = ip[16:4] | Land Attack (source and destination address are the same) |
| (tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1) | Winnuke |
| (tcp[13] & 0xe7) != 0 | Things other than ACK/PSH |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0) | Initial fragments |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0) | Intervening fragments |
| (ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0) | End of the fragment train |
| (ip[0] & 0x0f) != 5 | Has IP Options (or is truncated, or is just some sort of freak...) |
| ((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && (65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff))) | Ping-O-Death: the last fragment would reassemble past 65535 bytes (any oversized IP-transported data...) |


TCP Flags (Control Bits)
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN



FIN = Finish
SYN = Synchronize
RST = Reset
PSH = Push
ACK = Acknowledgment
URG = Urgent
ECE = Explicit Congestion Notification Echo
CWR = Congestion Window Reduced

| Filter | Flags | Binary | Hex | Description |
|---|---|---|---|---|
| tcp[13] = 0x01 | ---- ---F | 0000 0001 | 0x01 | FIN only |
| tcp[13] = 0x02 | ---- --S- | 0000 0010 | 0x02 | SYN only |
| tcp[13] = 0x03 | ---- --SF | 0000 0011 | 0x03 | SYN-FIN |
| tcp[13] = 0x04 | ---- -R-- | 0000 0100 | 0x04 | RST only |
| tcp[13] = 0x05 | ---- -R-F | 0000 0101 | 0x05 | RST-FIN |
| tcp[13] = 0x06 | ---- -RS- | 0000 0110 | 0x06 | SYN-RST |
| tcp[13] = 0x07 | ---- -RSF | 0000 0111 | 0x07 | SYN-FIN-RST |
| tcp[13] = 0x08 | ---- P--- | 0000 1000 | 0x08 | PSH only |
| tcp[13] = 0x10 | ---A ---- | 0001 0000 | 0x10 | ACK only |
| tcp[13] = 0x12 | ---A --S- | 0001 0010 | 0x12 | SYN-ACK |
| tcp[13] = 0x14 | ---A -R-- | 0001 0100 | 0x14 | RST-ACK (it happens) |
| tcp[13] = 0x18 | ---A P--- | 0001 1000 | 0x18 | PSH-ACK |
| tcp[13] = 0x20 | --U- ---- | 0010 0000 | 0x20 | URG only |
| tcp[13] = 0x29 | --U- P--F | 0010 1001 | 0x29 | URG-PSH-FIN (nmap fingerprint packet) |
| tcp[13] = 0x38 | --UA P--- | 0011 1000 | 0x38 | PSH-URG-ACK, interactive stuff like ssh |
| tcp[13] = 0x40 | -Y-- ---- | 0100 0000 | 0x40 | ECE only (historically a reserved bit; anything >= 0x40 has ECE or CWR set) |
| tcp[13] = 0x80 | X--- ---- | 1000 0000 | 0x80 | CWR only |
| tcp[13] = 0xC0 | XY-- ---- | 1100 0000 | 0xC0 | Both ECN flags set |
| tcp[13] = 0xFF | XYUA PRSF | 1111 1111 | 0xFF | FULL_XMAS scan |

Testing a single flag bit regardless of the others:

| Filter | Flags | Binary | Hex | Description |
|---|---|---|---|---|
| tcp[13] & 1 != 0 | ---- ---F | 0000 0001 | 0x01 | FIN set |
| tcp[13] & 2 != 0 | ---- --S- | 0000 0010 | 0x02 | SYN set |
| tcp[13] & 4 != 0 | ---- -R-- | 0000 0100 | 0x04 | RST set |
| tcp[13] & 8 != 0 | ---- P--- | 0000 1000 | 0x08 | PSH set |
| tcp[13] & 16 != 0 | ---A ---- | 0001 0000 | 0x10 | ACK set |
| tcp[13] & 32 != 0 | --U- ---- | 0010 0000 | 0x20 | URG set |
| tcp[13] & 64 != 0 | -Y-- ---- | 0100 0000 | 0x40 | ECE set |
| tcp[13] & 128 != 0 | X--- ---- | 1000 0000 | 0x80 | CWR set |
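The byte-offset expressions above are easy to misread, so here is an added example (my own code, not from these notes or from the tcpdump-filters.txt source) that evaluates the same `ip[x:y]` / `tcp[x:y]` arithmetic in Python against hand-built IPv4 and TCP packets.  The packet builders are constructed test data with zero checksums, and the filter functions mirror the "Other Examples" and flag tables one for one, so you can see which sample packet each filter would match.  The `tcp[x]` helper also shows the detail tcpdump hides: TCP offsets are relative to the TCP header, which starts at `(ip[0] & 0x0f) * 4`.

```python
"""Evaluate tcpdump/BPF style byte-offset filters against constructed packets.
Added example; not part of the original notes."""
import struct

# --- BPF-style indexing helpers: proto[x:y] reads y bytes at offset x ---------
def ip_hdr_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4            # ip[0] low nibble, multiplier 4

def ip(pkt: bytes, x: int, y: int = 1) -> int:
    return int.from_bytes(pkt[x:x + y], "big")

def tcp(pkt: bytes, x: int, y: int = 1) -> int:
    base = ip_hdr_len(pkt)                 # tcp[x] is relative to the TCP header
    return int.from_bytes(pkt[base + x:base + x + y], "big")

# --- Minimal packet builders (constructed sample data, checksums left zero) ---
def _inet(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2",
               flags: int = 0, frag_off: int = 0, ihl: int = 5) -> bytes:
    """flags: 1 = MF, 2 = DF (top three bits of ip[6:2]); frag_off in 8-octet units."""
    options = b"\x00" * ((ihl - 5) * 4)    # padding standing in for IP options
    total = ihl * 4 + len(payload)
    frag = (flags << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, frag,
                      64, proto, 0, _inet(src), _inet(dst))
    return hdr + options + payload

def build_tcp(sport: int, dport: int, flags: int, urg_ptr: int = 0) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       8192, 0, urg_ptr)

# --- Filters from the tables, written exactly as the BPF expressions read -----
def syn_only(pkt):        return tcp(pkt, 13) == 0x02
def syn_fin(pkt):         return tcp(pkt, 13) & 0x03 == 0x03
def not_just_ack_psh(pkt):return tcp(pkt, 13) & 0xE7 != 0
def land_attack(pkt):     return ip(pkt, 12, 4) == ip(pkt, 16, 4)
def any_fragment(pkt):    return ip(pkt, 6, 2) & 0x3FFF != 0
def last_fragment(pkt):   return ip(pkt, 6) & 0x20 == 0 and ip(pkt, 6, 2) & 0x1FFF != 0
def has_ip_options(pkt):  return ip(pkt, 0) & 0x0F != 5
def ping_of_death(pkt):
    # last fragment whose reassembled size would exceed the 65535-byte IP maximum
    return last_fragment(pkt) and 65535 < ip(pkt, 2, 2) + 8 * (ip(pkt, 6, 2) & 0x1FFF)

FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

def flag_string(bits: int) -> str:
    """Render tcp[13] in the 'XYUA PRSF' notation of the flag table, e.g. '---A --S-'."""
    s = "".join(m if bits & (0x80 >> i) else "-" for i, m in enumerate("XYUAPRSF"))
    return s[:4] + " " + s[4:]

def flag_names(bits: int) -> list:
    return [n for i, n in enumerate(FLAG_NAMES) if bits & (0x80 >> i)]

# --- Constructed sample packets ----------------------------------------------
SAMPLES = {
    "syn":      build_ipv4(6, build_tcp(40000, 80, 0x02)),
    "syn_fin":  build_ipv4(6, build_tcp(40000, 80, 0x03)),
    "ack_only": build_ipv4(6, build_tcp(40000, 80, 0x10)),
    "land":     build_ipv4(6, build_tcp(80, 80, 0x02), src="10.0.0.2", dst="10.0.0.2"),
    "with_opts":build_ipv4(6, build_tcp(40000, 80, 0x12), ihl=6),
    "frag_mid": build_ipv4(1, b"\x00" * 8, flags=1, frag_off=185),
    "frag_pod": build_ipv4(1, b"\x00" * 8, flags=0, frag_off=8190),
}

FILTERS = [syn_only, syn_fin, not_just_ack_psh, land_attack, any_fragment,
           last_fragment, has_ip_options, ping_of_death]

def evaluate(pkt: bytes) -> dict:
    """Return {filter_name: bool} for one packet, the way tcpdump would decide."""
    return {f.__name__: f(pkt) for f in FILTERS}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hits = [k for k, v in evaluate(pkt).items() if v]
        print(f"{name:10s} matches: {hits}")
```

Note that `with_opts` still decodes its TCP flags correctly (SYN-ACK) only because `tcp()` recomputes the header base from `ip[0] & 0x0f`; a filter that hard-codes offset 33 for the flags byte would silently misread any packet carrying IP options.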

*Some examples are from
http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt and reformatted into a table.  This site also has some other useful info and examples.