Saturday, February 11, 2012

New NIST draft document - Computer Security Incident Handling Guide


NIST released a new draft of its Computer Security Incident Handling Guide (SP 800-61). This is Revision 2; the previous revision was released in 2008.
This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. 


It is a good reference both for those building an incident response program from scratch and for those tuning an existing one.
Here is a list of major recommendations:
  • Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security.
  • Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications.
  • Organizations should document their guidelines for interactions with other organizations regarding incidents.
  • Organizations should prepare generally to handle any type of incident and more specifically to handle common incident types.
  • Organizations should create written guidelines for prioritizing incidents.
  • Organizations should use the lessons learned process to gain value from incidents.
The document is available from the following link:


NIST requests comments on this draft by March 16th, 2012. To submit comments, send them to "800-61rev2-comments@nist.gov" with "Comments SP 800-61" in the subject line.

Sunday, January 29, 2012

Registry Decoder - A new registry analysis tool


Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.

It is similar to Harlan Carvey's RegRipper. It can analyze the registry of a live system as well as saved hive files. To acquire the registry files currently in use, Registry Decoder creates a System Restore Point on the target machine; this "freezes" the current registry files and produces a read-only backup of them. Note that creating a restore point writes to the target's disk, so this live acquisition path alters the system being examined and should be documented in the examination notes when the machine is evidence.


In the current version, the offline component is able to process a number of evidence types including:

1. Individual registry files
2. Full disk images
3. Partition images
4. Databases created by the online acquisition component of Registry Decoder

The analysis tasks it performs include:


1. Hive Viewing
2. Hive Searching
3. Plugins (30 in the current version)
4. Hive Differencing to find the differences between two registry hives
5. Reporting


The online acquisition component can be accessed at: http://code.google.com/p/regdecoderlive/ and the offline analysis component accessed at: http://code.google.com/p/registrydecoder/.

Some of the screen shots from my system are below:







Sunday, December 4, 2011

Club Penguin data loss

Club Penguin is an online gaming site that offers a virtual gaming world for kids. It also offers players a limited form of social networking, which made it very popular among kids.

DataLossDB recently published an incident involving this gaming site: 309 usernames, e-mail addresses, passwords and IP addresses were dumped on Pastebin by the attacker(s).

The links to the DataLossDB entry and the Pastebin dump are below. If your kids have accounts in Club Penguin, I highly recommend changing the passwords immediately.

http://datalossdb.org/incidents/5050-309-usernames-e-mail-addresses-passwords-and-ip-dumped-on-web-by-hacker

http://pastebin.com/Bzxpc1RF




Saturday, December 3, 2011

InfoSec - Weekly Roundup


  • Mandiant released a new version of their popular memory analysis tool, Redline. Redline speeds up the triage of hosts suspected of being compromised or infected while also supporting in-depth live memory analysis. Read the related blog post below.

  • The NSRL database is being updated. "The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations." The link for the NSRL database is below.
          http://www.nsrl.nist.gov/

  • FTC recently reported that Facebook has agreed to settle charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. Check the below link from FTC for more information.
          http://www.ftc.gov/opa/2011/11/privacysettlement.shtm

  • The big risk item people are talking about is the Carrier IQ software installed on many phones, described as key logging software that lets carriers gather many details of your browsing habits. More information is available at the link below.

          http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/?mod=snippet
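The NSRL item above describes the RDS as a way to set aside files that are already known before an examiner looks at the rest. As an added example (not code from NIST or from the original post), the following script shows that workflow: parse an RDS-style CSV export into a SHA-1 set, hash each file on the "disk", and keep only the files the reference set does not recognise. The column layout follows the legacy NSRLFile.txt export; the file contents, product codes and OS codes are constructed for this example, and the sample CSV is generated at runtime so its digests stay consistent. One gotcha it handles: RDS digests are upper-case hex while hashlib emits lower-case, so both sides are normalised before lookup.

```python
# Added example (not NSRL's or the original post's code): known-file filtering
# against an NSRL RDS-style hash set, so only unrecognised files need review.
import csv
import hashlib
import io
import zlib

# Header of the legacy NSRLFile.txt export. Digests are upper-case hex and the
# same SHA-1 recurs once for every product that ships that file.
RDS_HEADER = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]


def sha1_hex(data, chunk_size=65536):
    """Upper-case SHA-1 of bytes or a binary file object, read in chunks."""
    h = hashlib.sha1()
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for chunk in iter(lambda: data.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def load_rds(csv_text):
    """Parse an RDS export into a set of upper-case SHA-1 strings.

    A set is used because a digest repeats for every product containing the
    file, and lookups against a full RDS (tens of millions of rows) must be O(1).
    Rows whose SHA-1 is not 40 hex characters are skipped rather than added.
    """
    known = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["SHA-1"].strip().upper()
        if len(digest) == 40:
            known.add(digest)
    return known


def filter_known(files, known_sha1):
    """Split {path: bytes} into (known, unknown) sorted path lists by SHA-1."""
    known, unknown = [], []
    for path, content in sorted(files.items()):
        (known if sha1_hex(content) in known_sha1 else unknown).append(path)
    return known, unknown


# --- constructed sample data: stand-ins for files on a seized disk -----------
KNOWN_OS_FILES = {
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00constructed-notepad-bytes",
    "C:/Windows/System32/calc.exe": b"MZ\x90\x00constructed-calc-bytes",
}
SUSPECT_FILES = {
    "C:/Users/bob/AppData/Roaming/svch0st.exe": b"MZ\x90\x00constructed-dropper",
    "C:/Users/bob/Documents/notes.txt": b"meeting at 10",
}


def build_sample_rds():
    """RDS-style CSV for the constructed known files (codes are placeholders).

    A real RDS is downloaded from NIST, never generated; digests are computed
    here only so the sample stays internally consistent.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(RDS_HEADER)
    for code, (path, content) in enumerate(KNOWN_OS_FILES.items(), start=1):
        writer.writerow([
            sha1_hex(content),
            hashlib.md5(content).hexdigest().upper(),
            format(zlib.crc32(content) & 0xFFFFFFFF, "08X"),
            path.rsplit("/", 1)[-1], len(content), code, "0", "",
        ])
    return out.getvalue()


def triage_sample():
    """Filter the constructed disk against the sample RDS; returns (known, unknown)."""
    rds = load_rds(build_sample_rds())
    disk = {**KNOWN_OS_FILES, **SUSPECT_FILES}
    return filter_known(disk, rds)


if __name__ == "__main__":
    known, unknown = triage_sample()
    print("known to RDS (skip):", *known, sep="\n  ")
    print("not in RDS (review):", *unknown, sep="\n  ")
```

Against a real image, `filter_known` would walk the mounted filesystem and pass open file handles to `sha1_hex` instead of in-memory bytes; everything else stays the same. The two user-profile files are the only ones left for review, which is the point of the RDS.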



Sunday, October 30, 2011

Impact of malware - Scientific American magazine article

Scientific American magazine published an article on the impact of malware and what we can do about it.

Here are some quotes from the article.

"We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. We can’t always recognize it even if we are looking right at it."
"Like a thriller character who discovers he doesn’t know whom to trust, cybersecurity experts start running through the options."

This is a very interesting article and, if nothing else, it helps spread awareness. I have reported in my blog multiple times how the mainstream media is covering the new wave of attacks and privacy issues. Now other types of media have started covering these issues as well. The more aware general Internet users are of these issues, the better prepared they will be.

The article link is below:

http://www.scientificamerican.com/article.cfm?id=a-cybersecurity-nightmare


Wednesday, October 26, 2011

Vulnerable web applications

One of the readers asked about vulnerable web applications pre-configured for research and testing purposes. Here is the list I have used in the past:


Saturday, October 8, 2011

Consumer reports - Companies to spend $130 billion on cybersecurity in 2011

A recent news item in Consumer Reports caught my eye.

"U.S. companies will spend more than $130 billion dealing with data breaches this year, according to a study by the cybersecurity research firm the Ponemon Institute."

Over the last few years, there has been a steady increase in cyber attacks and breaches. Organizations have started to admit the fact that they are being attacked on a regular basis. Newspapers carry regular news items that show how vulnerable organizations and individuals are to such attacks.

So, apart from the attackers themselves, who else benefits from this?

Obviously, it benefits the whole group of people who help these companies and individuals with the clean-up: specialists in corporate communications, legal advisors, forensic investigators, litigators who fight these cases in court, and the people tasked with making sure such incidents don't happen again.

Now, for folks looking for jobs and looking to enter these fields, it is a great opportunity to master these skills.

Some of the skills in demand at companies in the US and elsewhere are:

  • E-Discovery
  • Forensic investigation
  • Incident Response
  • Malware Analysis
  • Incident Monitoring
  • Security Operations



Monday, September 26, 2011

Risk Management - two new standards

ISO 27005:2011

The newly released international information security risk management standard is now available.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
The standard is now fully aligned with the international standard for risk management, ISO 31000. ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization, generally known as enterprise risk management.


ISO 27005:2011 can be obtained from the IT Governance web site.

www.itgovernance.co.uk/products/1852 .


NIST Special Publication 800-30

NIST released a draft guide for conducting risk assessments.

"The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action to take in response to identified risks. In particular, this document provides practitioners with practical guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other."

This draft is in its public comment period, and all are welcome to comment on it.

The draft can be downloaded from the NIST web site below.

http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf


Thursday, September 1, 2011

New PCI Document - Identifying and Detecting Security Breaches

The PCI Security Standards Council has published a new document titled "Identifying and Detecting Security Breaches". The topics include:

  • Common Vulnerabilities and Malware
  • Signs of an Incident
  • How to Detect a Security Incident
  • Implementing and Reviewing Logs
  • Logs and PCI DSS Compliance
  • Basics of Incident Management
  • Top Challenges
  • Visa’s “What To Do If Compromised” Procedures

The document link is below:



Tuesday, August 30, 2011

Google Code University - Learn Application Security fundamentals

Google Code University publishes many online materials, where you can learn about programming and application security. You can find topics in the area of programming languages, web programming, web security, databases, Linux, etc. 

They have also released several tools in this area, the latest being a deliberately vulnerable web application named Gruyere. It is similar in purpose to OWASP WebGoat or Mutillidae.

The application shows how web application vulnerabilities can be exploited and how to defend against these attacks. Some of the vulnerabilities you will be exposed to include Cross-site scripting (XSS), Cross-Site Request Forgery (XSRF), cookie manipulation, Cross-Site Script Inclusion (XSSI), path traversal, denial of service, configuration vulnerabilities, and vulnerabilities specific to AJAX.

It is a great tool to learn application security.

Links:

Google Code University :  http://code.google.com/edu/