Malware Attribute Enumeration and Characterization (MAEC) is the standard to represent malware by attributes. MAEC provides schema which can be used as a basis for creating malware repositories. It can also be used as the format to share malware information between applications. Basically, either Static and Dynamic analysis techniques are used to discover attributes of malware. Static analysis is performee by looking at the code and dynamic analysis is by at tracking the behaviour of system. Once the attributes are discovered with any of the techniques the applications can adopt MACE to report on discovered attributes of malware.
CWSandbox is one of tools which uses dynamic analysis techinque to report on detected malware. It is available for windows and yet to adopt MAEC.
ThreatExpert has tools for detecting malware on windows and does it by looking at changes in file system, memory, registry, and Outbound and SMTP traffic data. Here is the sample report form ThreatExpert memory scan from my system -
Full Scan Summary:
Scan details:
Scan started: Tuesday, November 30, 2010 20:15:23
Scan time: 01 minutes, 53 seconds
Number of memory objects scanned: 9356
processes: 60
modules: 3085
heap pages: 6211
Number of suspicious memory objects detected: 0
Number of malicious memory objects detected: 0
Overall Risk Level: Safe
Summary of the detected threat characteristics:
No suspicious characteristics detected.
Summary of the detected memory objects:
No suspicious memory objects detected.
For now, i could use the above tools and looking for other free tools which can be used to detect malware. Also looking out for tools which can report using MAEC schema format. Will keep this bolg updated on my findings. Adieos till then.
Sources -
http://maec.mitre.org
http://mwanalysis.org
http://www.threatexpert.com
Tuesday, November 30, 2010
Thursday, September 30, 2010
Vulnerability Assessment and Management
Vulnerability is weakness which can be exploited in a system. To find all the weaknesses in a system, Vulnerability scanning is performed. It involves running a program on one machine and then connecting via a network to machines that you choose to check.
This would help to find and fix weaknesses in systems before someone else finds it and decides to break in.
Vulnerability scanning is a part of Defense in depth strategy and would lead to
• Asset discovery.
• Provides necessary information to ensure that hosts with an enterprise are safe from known attacks.
• Provides enough data for tracking internal security posture over time.
Hence it is a key part of managing risk and will identify the risk of every system, not just the ones we know about.
To know the state of systems, we need to understand the weakness we are trying to defend against and where possible, remove those weaknesses. For this we need a source of all known vulnerabilities and what patches are available to address these vulnerabilities. This can be done by monitoring individual software manufacturer or get consolidated notifications from provider such as http://securitytracker.com.
The scanning can be performed either by deploying Vulnerability scanning application in the enterprise or by using SAAS services by VAM service providers such as http://securityspace.com or http://www.qualys.com.
When ever new update is released, system administrator should evaluate and determine its application for the organization and then install it.
NIST has defined various SCAP (Security Content Automation Protocol)standards which provides standard format to collect application/system attributes, performing assessments using specific tests and displaying results. When vendors follow these standards in providing its output, the results can be easily consumed by other products.
Some of standards that can be used with VAM are
CPE - Common Platform Enumeration, format to be followed for providing platform specific details such as attributes of OS.
CVE - Common Vulnerabilities and Exposures, a way to provide vulnerability and exposure information by product vendors.
OVAL – Open vulnerability and assessment language, which is an open standard from MITRE. It Enables automated assessment and compliance checking.
It provides standard schema for entire Assessment process
1. Data collection
Collect data bout the system under test. This would have oval system characteristics. There are oval definitions available for this.
2. Analysis
Collect and organize results from assessment. Oval definitions are available for this.
3. Results
Arrange detected data against defined machine states. Oval results schema is available for this.
Once the scanning is performed, useful metrics should be derived and reported on. Some of the metrics like percentage of vulnerable systems, Time from discovery to remediate, will benefit custodians and updated required enterprise policy to improve compliance.
Vulnerability scanning on regular basis generates a lot of data. Only by demonstrating that the data collected can be of real benefit will the enterprise come forward to deploy Vulnerability and Asset Management (VAM) application in the enterprise. New deployments of VAM should use security products which are certified with NIST standards.
References:
http://oval.mitre.org
Articles/papers from SANS reading room http://www.sans.org/
This would help to find and fix weaknesses in systems before someone else finds it and decides to break in.
Vulnerability scanning is a part of Defense in depth strategy and would lead to
• Asset discovery.
• Provides necessary information to ensure that hosts with an enterprise are safe from known attacks.
• Provides enough data for tracking internal security posture over time.
Hence it is a key part of managing risk and will identify the risk of every system, not just the ones we know about.
To know the state of systems, we need to understand the weakness we are trying to defend against and where possible, remove those weaknesses. For this we need a source of all known vulnerabilities and what patches are available to address these vulnerabilities. This can be done by monitoring individual software manufacturer or get consolidated notifications from provider such as http://securitytracker.com.
The scanning can be performed either by deploying Vulnerability scanning application in the enterprise or by using SAAS services by VAM service providers such as http://securityspace.com or http://www.qualys.com.
When ever new update is released, system administrator should evaluate and determine its application for the organization and then install it.
NIST has defined various SCAP (Security Content Automation Protocol)standards which provides standard format to collect application/system attributes, performing assessments using specific tests and displaying results. When vendors follow these standards in providing its output, the results can be easily consumed by other products.
Some of standards that can be used with VAM are
CPE - Common Platform Enumeration, format to be followed for providing platform specific details such as attributes of OS.
CVE - Common Vulnerabilities and Exposures, a way to provide vulnerability and exposure information by product vendors.
OVAL – Open vulnerability and assessment language, which is an open standard from MITRE. It Enables automated assessment and compliance checking.
It provides standard schema for entire Assessment process
1. Data collection
Collect data bout the system under test. This would have oval system characteristics. There are oval definitions available for this.
2. Analysis
Collect and organize results from assessment. Oval definitions are available for this.
3. Results
Arrange detected data against defined machine states. Oval results schema is available for this.
Once the scanning is performed, useful metrics should be derived and reported on. Some of the metrics like percentage of vulnerable systems, Time from discovery to remediate, will benefit custodians and updated required enterprise policy to improve compliance.
Vulnerability scanning on regular basis generates a lot of data. Only by demonstrating that the data collected can be of real benefit will the enterprise come forward to deploy Vulnerability and Asset Management (VAM) application in the enterprise. New deployments of VAM should use security products which are certified with NIST standards.
References:
http://oval.mitre.org
Articles/papers from SANS reading room http://www.sans.org/
Wednesday, August 18, 2010
Incident Response Requirement of Massachusetts's Data Protection Law
Summarizing points form the Presentation of Joh Moynihan on Mass Law focusing on incident response -
The Mass Law -201 CMR 17 is effective from March 1, 2010. It applies to any entity collecting "personal information (PI)" of Massachusetts residents. In order to comply with it all entities processing Massachusetts resident’s personal information should have preventive measures in place. The law imposes severe penalties for violations. It requires having Incident Response Plan and applies to handling employee and customer records, avoid internal threats for employee or vendor data.
There are Administrative, Technical and Physical Requirements to comply with the law.
The organizations should adhere to administrative requirements by performing assessment of internal and external risk, have written Information security program, and develop policies to protect PI. This can be accomplished with ongoing employee training, having incident response plan, formal disciplinary standards, and third party controls.
Adherence to technical requirements requires that the PI to be encrypted, have updated virus protection and firewalls, have controls for password protection and measures to disable account after failed logon attempts. This can be accomplished with monitoring to detect unauthorized access, having patch management, and access controls in place.
Adherence to Physical requirements requires restricted physical access to PI, monitoring of areas housing PI and applies to both electronic and paper records.
It’s evident from the requirements that having an incident response plan is essential. It must be organized in a timely and efficient manner with engagement from independent participants. Organizations should adapt to change and evolve toward a pro active approach to data protection.
The Mass Law -201 CMR 17 is effective from March 1, 2010. It applies to any entity collecting "personal information (PI)" of Massachusetts residents. In order to comply with it all entities processing Massachusetts resident’s personal information should have preventive measures in place. The law imposes severe penalties for violations. It requires having Incident Response Plan and applies to handling employee and customer records, avoid internal threats for employee or vendor data.
There are Administrative, Technical and Physical Requirements to comply with the law.
The organizations should adhere to administrative requirements by performing assessment of internal and external risk, have written Information security program, and develop policies to protect PI. This can be accomplished with ongoing employee training, having incident response plan, formal disciplinary standards, and third party controls.
Adherence to technical requirements requires that the PI to be encrypted, have updated virus protection and firewalls, have controls for password protection and measures to disable account after failed logon attempts. This can be accomplished with monitoring to detect unauthorized access, having patch management, and access controls in place.
Adherence to Physical requirements requires restricted physical access to PI, monitoring of areas housing PI and applies to both electronic and paper records.
It’s evident from the requirements that having an incident response plan is essential. It must be organized in a timely and efficient manner with engagement from independent participants. Organizations should adapt to change and evolve toward a pro active approach to data protection.
Saturday, July 31, 2010
DSCI Best Practies Meet
From the DSCI(Data Security Council of India) Best Practices Meet I attended this week (28th July 2010), some of the quick notes I would like to share are here.
DSCI has come up with 2 frameworks
- DSCI Security Framework (DSF)
- DSCI Privacy Framework (DPF)
Both DSF and DPF have Best Practices to be followed to achieve data protection. DSF focuses on Security related to Application,Infrastructure,Business Continuity etc., and DPF is based on global privacy best practices and frameworks.
Implementing DSF would help companies to achieve compliance with ease. I am sure that if all of the relevant Best Practices in each of the 9 disciplines of DSF are implemented in organizations, compliance objective would be met without any question. The benefits of implementing DSCI framework was also presented in a session and it was interesting to know how it helped in increased business profits. My quick notes ends here i would request you to visit http://www.dsci.in for more details.
DSCI has come up with 2 frameworks
- DSCI Security Framework (DSF)
- DSCI Privacy Framework (DPF)
Both DSF and DPF have Best Practices to be followed to achieve data protection. DSF focuses on Security related to Application,Infrastructure,Business Continuity etc., and DPF is based on global privacy best practices and frameworks.
Implementing DSF would help companies to achieve compliance with ease. I am sure that if all of the relevant Best Practices in each of the 9 disciplines of DSF are implemented in organizations, compliance objective would be met without any question. The benefits of implementing DSCI framework was also presented in a session and it was interesting to know how it helped in increased business profits. My quick notes ends here i would request you to visit http://www.dsci.in for more details.
Wednesday, June 30, 2010
Complex Event Processing
Complex Event processing(CEP) provides a means to gain actionable information from various events coming from desperate systems in real-time or near real-time. Increase in the number of attacks has increased the need for real-time processing of events and hence need for CEP system/product. Detection of attacks/vulnerabilities has shown that additional details are required to aggregate, correlate and analyze apart from the individual events coming out of various systems. Most products in market for event processing support query language which supports pattern matching, joining events on arbitrary criteria and creating time-based windows. Like other security deployments,i see that it is a challenge to deploy it for enterprises, handling many events from multiple streams of data and monitoring queried events to detect abnormalities in real time. And so, would also need some one who is expert and focused to make use of information derived from CEP systems.
Sunday, May 30, 2010
SIEM for Compliance and Risk management
Security Information and Event Management technology is driven by compliance and security needs in enterprise. Another factor for its use is for monitoring activity from different applications/devices/technology software’s for internal and external threat and fraud detections. The output form these technology can be used for automation of IT to meet Compliance and Risk Management needs.
Compliance management can be achieved from log management capability of SIEM technology and it is known as Security Information Management (SIM). This involves collection of logs from various devices/applications in the enterprise to a central location, analyze log data and provide the capability to generate useful reports meeting compliance requirements. The generated reports can be mapped to the IT procedures in organization as first step in achieving It automation. As SIM is compliance oriented it is also a means to store and archive logs for later investigations and for data retention requirements.
Risk management can be achieved from real-time monitoring and incident management capability of SIEM technology and its known as Security Event Management (SEM). This involves collection of events from various devices/applications within scheduled short intervals, correlating the related events, applying filters if required and generating alerts which can be monitored for analysis and addressed with in short duration of time.
Exploiting the capabilities from data mining and analytics to meet SIEM requirements is now the vision of some of the leading SIEM technology vendors. It’s evident that having SIEM technology which can scale, collect data from all applications, meet regulatory compliance reporting requirements, improve threat management and incident response capabilities is essential factor for automation of Compliance and Risk Management in enterprises now and in future.
Compliance management can be achieved from log management capability of SIEM technology and it is known as Security Information Management (SIM). This involves collection of logs from various devices/applications in the enterprise to a central location, analyze log data and provide the capability to generate useful reports meeting compliance requirements. The generated reports can be mapped to the IT procedures in organization as first step in achieving It automation. As SIM is compliance oriented it is also a means to store and archive logs for later investigations and for data retention requirements.
Risk management can be achieved from real-time monitoring and incident management capability of SIEM technology and its known as Security Event Management (SEM). This involves collection of events from various devices/applications within scheduled short intervals, correlating the related events, applying filters if required and generating alerts which can be monitored for analysis and addressed with in short duration of time.
Exploiting the capabilities from data mining and analytics to meet SIEM requirements is now the vision of some of the leading SIEM technology vendors. It’s evident that having SIEM technology which can scale, collect data from all applications, meet regulatory compliance reporting requirements, improve threat management and incident response capabilities is essential factor for automation of Compliance and Risk Management in enterprises now and in future.
Friday, April 30, 2010
Fundamentals of Risk Management
Here are some details I got to hear from a session on Leveraging Technology for Risk Management. The talk was a part of NASSCOM tech series and Mr. Vijay from KPMG was an excellent speaker talking about risk management.
As in one of his slides, the fundamentals of risk management are to
Know your risks
Know your Obligations
Know your Systems
Tie them up together and leverage technology for risk management.
He also talked about use cases on risk management and how it was overboard. One quote i recollect is ' What's the point in risk management if the result of analysis is not used!'.
He emphasized how risk management can really help organization in mitigating risk. Steps to initiate risk management would be to start small, merge physical and system access identities, get incidents and slowly respond to them globally, Security should be monitored on global basis.
To conclude on my understanding, many organizations now realize the need for Risk management. To what extent the technology can be leveraged in meeting risk management objectives would depend on the strategic plan and steps initiated to taken in this direction.
As in one of his slides, the fundamentals of risk management are to
Know your risks
Know your Obligations
Know your Systems
Tie them up together and leverage technology for risk management.
He also talked about use cases on risk management and how it was overboard. One quote i recollect is ' What's the point in risk management if the result of analysis is not used!'.
He emphasized how risk management can really help organization in mitigating risk. Steps to initiate risk management would be to start small, merge physical and system access identities, get incidents and slowly respond to them globally, Security should be monitored on global basis.
To conclude on my understanding, many organizations now realize the need for Risk management. To what extent the technology can be leveraged in meeting risk management objectives would depend on the strategic plan and steps initiated to taken in this direction.
Subscribe to:
Posts (Atom)