Random Notes - mccright/rand-notes GitHub Wiki
My blog is at Completosec Channel. This page is just for random, transient notes.
Review
Utilities
- Process Hacker: [http://processhacker.sourceforce.net](http://processhacker.sourceforce.net)
- The Sleuth Kit® (TSK) & fls (the latest versions) http://www.sleuthkit.org/sleuthkit/ and http://www.sleuthkit.org/sleuthkit/man/fls.html
- log2timeline toolkit http://plaso.kiddaland.net/usage/log2timeline Reference: "Mastering the Super Timeline With log2timeline" http://www.sans.org/reading-room/whitepapers/logging/mastering-super-timeline-log2timeline-33438
- Plaso [& Super Timeline] http://plaso.kiddaland.net/ Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
- SIFT Workstation [SANS Investigative Forensic Toolkit (SIFT) Workstation (VMWare Appliance)] http://digital-forensics.sans.org/community/downloads "Faster SIFT 3.0 Download and Install #DFIR #SIFT3" http://digital-forensics.sans.org/blog/2014/03/23/faster-sift-3-0-download-and-install-dfir-sift3 and "SANS Investigative Forensics Toolkit Documentation" https://media.readthedocs.org/pdf/sift/latest/sift.pdf and https://github.com/sans-dfir
- jobparser https://github.com/gleeda/misc-scripts/blob/master/misc_python/jobparser.py and use it in line with jobs.sh https://github.com/chaoticmachinery/mass_triage_tools/blob/master/atjobs/jobs.sh
- IOCFinder http://www.mandiant.com/resources/download/ioc-finder/ References: http://openioc.org/, "Investigating Indicators of Compromise In Your Environment With Latest Version of Redline" https://www.mandiant.com/blog/investigating-indicators-compromise-environment-latest-version-redline/
- Redline: http://www.mandiant.com/resources/download/redline
- AuditParser: https://github.com/mandiant/AuditParser
- triage-ir https://code.google.com/p/triage-ir/ Reference: "Incident Response with Triage-ir" https://isc.sans.edu/diary/Incident+Response+with+Triage-ir/18509
- scapy http://www.secdev.org/projects/scapy/ You interact with Scapy using Python code.
- Fuzzers
- Open-source .NET assembly browser and decompilers:
  - ILSpy http://ilspy.net/
  - dnSpy, forked from ILSpy https://github.com/0xd4d/dnSpy
- Paimei (reverse engineering toolkit) https://github.com/OpenRCE/paimei
- Some OS X forensics references
  - A forensic evidence collection & analysis toolkit for OS X http://yelp.github.io/osxcollector
  - OSXCollector: https://github.com/Yelp/osxcollector
  - OSXAuditor: https://github.com/jipegit/OSXAuditor
  - Want to learn more about OS X forensics?
    - Sarah Edwards' mac4n6.com, the best presentations on Mac forensics: http://www.mac4n6.com/
  - A couple of other interesting tools:
    - KnockKnock, a command line Python script that displays persistent OS X binaries that are set to execute automatically at each boot: https://github.com/synack/knockknock
    - GRR (Google Rapid Response), remote live forensics for incident response: https://github.com/google/grr
    - osquery, SQL-powered operating system instrumentation, monitoring, and analytics: https://github.com/facebook/osquery
  - Related:
    - Apple Watch Forensics - A Quick Preview http://www.mac4n6.com/blog/2015/5/13/apple-watch-forensics-a-quick-preview and an associated presentation at https://drive.google.com/open?id=0B_qgg13YkpypUHBKeUhYcG5Kakk&authuser=0
Think About
Application Security
The applications that support all of our organization's operations incorporate security features that protect our customers' data in transit and at rest, and help prevent unauthorized access to our customers' sensitive information.
We invest in secure software practices throughout the entire software development/acquisition lifecycle. We train all members of the technical workforce about secure software concepts and activities, and support them with continuously evolving reference materials and templates. We ensure that security and risk management requirements are made explicit in business analysis and application architecture, that testing incorporates validation of those requirements, that formal security testing is performed against application source code (static code security analysis) and against deployed applications (dynamic security analysis), and that we maintain interfaces to receive feedback from a range of inputs. A foundational goal of this work is to ensure that the applications hosting business activities resist hostile activities, emit safe outputs, and (as a last resort) fail in risk-appropriate ways.
User Access — In our identity directories, user passwords are hashed, and password policies are configured to include requirements for complexity, expiration periods, password history, and user lockouts. In high-security situations, user access is also limited to those using strong, two-factor authentication, and/or white-listed endpoints/endpoint configurations, white-listed geo-location(s), white-listed time-of-day, white-listed source IP addresses, and so on. In some situations, for example, for some types of infrastructure and operations administrative roles, user access is limited to only those who have passed through a physical security perimeter at one of our secured corporate facilities.
Data at Rest — We encrypt a range of sensitive categories of data and carefully constrain access to the encryption keys. We strictly control access to bulk private data to those having a formal business need to know and who have been approved by the company data owner/steward. We store sensitive bulk data on platters that our company owns and manages, in state-of-the-art data center environments. (finish this...)
Data in Transit — All non-public data communications on untrusted networks are secured using protocols such as HTTPS/TLS, Secure FTP, and Secure RTP.
Is this a useful model? Started from a list at: http://www.five9.com/cloud-security-office
Other Topics
- Infrastructure activity trails (identities, network, endpoints, flows, events/activities, geoIP).
- Risk detection ('IDS/IPS,' analysis, event correlation, alerting/alarming, reporting).
- Integrating risk management into the software development/acquisition/assembly life-cycle (traditional or any flavor of agile).
- NAC (add 'proximity' to the qualities identified/measured).
- Mobile workforce (security architecture, security metrics, forensics, security posture, risk appetite [MDM?]).
  - What about iOS?
  - What about Android?
  - What about Windows?
- Integrating risk management into virtualized environments.
- Cloud (risk issues, required qualities, controls, 'transparency,' risk assessments).
- Risk management governance.
- Risk management leadership.
Interesting related quote about metrics:
"...measured data does not need to be perfect,
provided that it contains the information required,
is adequately correct and practically measurable."
From "Risk-Driven Security Metrics in Agile Software Development." R. M. Savola, S. Fruhwirth, & A. Pietikainen, 06-28-2012, p. 1682, Journal of Universal Computer Science. http://www.jucs.org/jucs_18_12/risk_driven_security_metrics/jucs_18_12_1679_1702_savola.pdf
Also from the same paper/same page, a table of key security metric concepts:
| Concept | Definition |
|---|---|
| Security Objective (SO) | High-level statements of intent to counter identified threats and/or satisfy identified security policies and/or assumptions. |
| Security Requirement (SR) | Requirement, stated in a standardized language, that is meant to contribute to achieving the SOs. |
| Security Control (SC) | Means of managing risk, which can be administrative, technical, management, or legal in nature. |
| Security Correctness | Assurance that security controls have been correctly implemented in the SuI, and the system, its components, interfaces, and the processed data meet the sec. requirements. |
| Security Effectiveness | Assurance that the stated SOs are met in the SuI and the expectations for resiliency in the use environment are satisfied in the presence of actual security risks. |
| Security Efficiency | Assurance that the adequate security quality has been achieved in the SuI, meeting the resource, time and cost constraints. |

"SuI" = System under Investigation.
Additional model:
Trustworthy Financial Services Infrastructure & Operations
How We Keep Your Data Secure
The ______ Security organization is responsible for securing our infrastructure, applications, and operations against security breaches and associated unforeseen events.
Infrastructure Security
Security Standards — Our infrastructure is secured according to the standards and guidelines established by ISO 27001/27002, COBIT, PCI-DSS, and the Cloud Security Alliance (CSA).
Access Control — Our infrastructure and operations are regularly audited using the SSAE 16 (previously SAS 70) standard, which means we utilize stringent identity, security and continuity controls such as two-factor authentication/access control including RSA SecurID at our network perimeter, and proximity card/badge plus biometrics at the perimeter of sensitive facilities like data center & supporting network rooms, along with 24/7 security monitoring, video monitoring, and more. We also use process safeguards to ensure that employee access is controlled appropriately.
Security Patch Updates — We update our systems based on our patch management policy and internal operating level agreements to ensure all systems have the very latest critical security and antivirus patches.
Vulnerability Management — Our real-time intrusion detection and vulnerability management software runs around the clock to immediately identify and respond to any threats.
Managing risk in the context of a long time-horizon.
See the "Global Risks 2014 - Ninth Edition" Insight Report from the World Economic Forum. [http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf](http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf)
Especially part 2, pages 38-49. It is a short read on risks associated with -- among other topics -- the way the Internet is evolving, risks associated with "trust," and "managing risk" in the context of a long time-horizon.
Also: "Global Risks 2015 - Tenth Edition" http://www3.weforum.org/docs/WEF_Global_Risks_2015_Report15.pdf.
And for 2016: "Global Risks 2016 - 11th Edition" [http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf](http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf)
And for 2017: "Global Risks 2017 - 12th Edition" http://www3.weforum.org/docs/GRR17_Report_web.pdf
And for 2018:
"The Global Risks Report 2018 - 13th Edition" http://www3.weforum.org/docs/WEF_GRR18_Report.pdf
And most recently:
"The Global Risks Report 2019 - 14th Edition" http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf