Friday, January 30, 2015

Some "Quick Wins" in Information Security

In some organizations there is blind faith that the best way to improve security is to spend more and more money on iron and licenses: more firewalls, more IDSs and the most expensive WAF. In this post, however, I would like to go over three basic activities that improve an organization's security and do not necessarily require buying any additional hardware or software.



The first of these activities is system hardening. Hardening, or correctly securing, a system is not a complicated task. There are many guides on how to harden specific systems, but even a basic hardening pass can greatly increase the security of an infrastructure without requiring a disproportionate effort. The basic steps to harden a system are:
  • Remove, or at least disable, unnecessary network services and programs, leaving enabled only those the system needs to do its job. This drastically reduces the system's exposed attack surface.
  • Review the users that exist on the system, changing default passwords and reducing each user's permissions to the minimum needed for their tasks.
  • Document the required network services and the ports each of them uses. This documentation will be very useful when designing the rules to implement on the network firewalls.
  • Keep the system up to date with the latest security patches published by the vendor. This is essential to prevent an attacker from using known vulnerabilities to compromise the system.
  • Install and maintain a firewall on the server itself (the built-in Windows firewall or iptables on Linux will do), allowing only the inbound and outbound traffic that is strictly necessary. Filtering inbound traffic guarantees that even if an unnecessary service was left enabled by mistake, it will not be reachable from the network. Filtering outbound traffic helps mitigate the impact of a malware infection that tries to open outbound connections, and prevents data exfiltration over network connections to services the server does not actually need.
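A check that ties the service inventory and the host firewall steps together, added here as an example (not code from the original post): it parses `ss -tlnH` output (a constructed sample) and flags listeners that are missing from the documented inventory, or that are bound to all interfaces although the inventory says loopback only. The inventory, scope labels and sample output are assumptions.

```python
"""Audit listening TCP sockets against the documented service inventory.
Added example, not from the original post: parses `ss -tlnH` output (a
constructed sample below) and flags listeners missing from the inventory
or bound more widely than the inventory allows."""
import re

# Constructed sample of `ss -tlnH` output on a hypothetical web server:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""
# Documented inventory (assumed for the example): port -> (service, scope);
# scope "any" = reachable from the network, "local" = loopback only.
DOCUMENTED = {22: ("ssh", "any"), 443: ("https", "any"), 3306: ("mysql", "local")}
LOOPBACK = {"127.0.0.1", "[::1]"}
_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")

def parse_listeners(ss_text):
    """Return (local_address, port) tuples from `ss -tlnH` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = _ADDR_RE.match(fields[3])
        if match:
            listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners

def find_undocumented(listeners, documented):
    """Ports that are listening but absent from the inventory."""
    return sorted({port for _addr, port in listeners if port not in documented})

def find_overexposed(listeners, documented):
    """Ports documented as loopback-only but bound to a non-loopback address."""
    return sorted({port for addr, port in listeners
                   if documented.get(port, ("", ""))[1] == "local"
                   and addr not in LOOPBACK})

def audit(ss_text=SS_OUTPUT, documented=DOCUMENTED):
    """Run both checks; empty lists mean the host matches its inventory."""
    listeners = parse_listeners(ss_text)
    return {"undocumented": find_undocumented(listeners, documented),
            "overexposed": find_overexposed(listeners, documented)}
```

On the sample, port 5900 is reported as undocumented and 3306 as overexposed; anything in either list is a candidate to disable, or at least to block with the host firewall.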

Another basic activity is to define, implement and maintain a vulnerability management program suited to the organization.

If we want to manage the vulnerabilities in our systems, we must follow these basic steps: detect them, classify them, prioritize them, assign them, resolve them and verify that they have been correctly resolved:

  1. Detect: There are multiple sources or channels we should use to detect the vulnerabilities present in our systems. The most common will be early warning advisories from CERTs or from the vendors themselves, the results of the periodic vulnerability scans that should be run against the infrastructure and the applications, and the results of whatever penetration tests are carried out.
  2. Classify: Once a vulnerability has been detected, the next step should be to classify it according to the risk it poses to our organization, considering factors such as the potential impact and the ease of exploitation. Since resolving vulnerabilities can take days, weeks or even months, those classified as most critical should come with a plan of compensating measures to mitigate the risk they pose until they are definitively fixed.
  3. Prioritize: Once classified by risk, vulnerabilities must be prioritized, that is, given a deadline by which each one should be resolved. The PCI DSS payment card data security standard proposes a one-month deadline for the most critical vulnerabilities and a three-month deadline for the rest. In any case, both the classification levels and the resolution times should be adapted to the reality of each organization.
  4. Assign: The next step is to assign them, that is, to determine who is responsible for resolving each vulnerability within the corresponding deadline.
  5. Resolve: The person responsible for each vulnerability must find its solution, follow the organization's change management process (that is, test the solution properly to rule out any negative impact it might cause) and then apply it.
  6. Verify: Finally, it must be verified that the solution actually fixes the vulnerability.
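The six steps above as a minimal tracker, added here as an example (not code from the original post). Deadlines use the PCI DSS figures quoted in step 3 (one month for critical findings, three months for the rest) as 30 and 90 days; the 3x3 impact/exploitability matrix and the sample findings are assumptions for the example.

```python
"""Track findings through classify -> prioritize -> assign -> resolve -> verify.
Added example, not from the original post. Deadlines use the PCI DSS figures
quoted above (one month for critical, three months for the rest) as 30 and
90 days; the 3x3 risk matrix and the sample findings are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE_DAYS = {"critical": 30, "other": 90}
def classify(impact, exploitability):
    """Map impact and ease of exploitation (each 1..3) to a risk class."""
    return "critical" if impact * exploitability >= 6 else "other"

@dataclass
class Finding:
    ident: str
    source: str                # detect step: CERT advisory, scan, pentest ...
    impact: int
    exploitability: int
    detected: date
    owner: str = ""            # assign step: who must fix it
    compensating: str = ""     # interim mitigation while a critical is open
    resolved: Optional[date] = None
    verified: bool = False     # verify step: fix confirmed effective

    @property
    def risk(self):
        return classify(self.impact, self.exploitability)
    @property
    def due(self):
        return self.detected + timedelta(days=DEADLINE_DAYS[self.risk])
    def closed(self):
        return self.resolved is not None and self.verified

def overdue(findings, today):
    """Identifiers of findings past their deadline and not yet closed."""
    return [f.ident for f in findings if not f.closed() and today > f.due]

def missing_mitigation(findings):
    """Open critical findings with no compensating measure recorded."""
    return [f.ident for f in findings
            if f.risk == "critical" and f.resolved is None and not f.compensating]

# Constructed sample findings.
SAMPLE = [
    Finding("V-1", "vendor advisory", 3, 3, date(2015, 1, 2), owner="sysadmin",
            compensating="network ACL", resolved=date(2015, 2, 10), verified=True),
    Finding("V-2", "quarterly scan", 2, 1, date(2014, 11, 1), owner="dba"),
    Finding("V-3", "pentest", 3, 2, date(2015, 1, 20), owner="webteam"),
]
```

Run against the sample on 2015-02-15, `overdue` reports V-2 (a low-risk finding that has quietly passed its 90-day deadline) and `missing_mitigation` reports V-3 (a critical finding with no interim measure).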



Finally, I would like to talk about information security awareness aimed at the organization's employees and suppliers.


More than once I have heard security professionals argue that awareness activities are not effective and that, no matter how much awareness training is done, the human factor will remain the main risk for any organization. My opinion is that awareness is effective and indispensable, although not sufficient on its own. In other words, it is true that making staff aware does not eliminate the security risks that stem from human error, but it undoubtedly mitigates them and, in any case, prevents users from hiding behind ignorance when they carry out certain kinds of actions that compromise the security of the organization's information assets.


Of course, there are other actions that can be taken without a large financial investment to raise an organization's security level, such as properly segmenting the network or establishing secure development, change management and incident response processes. However, I consider the three proposed here an excellent foundation from which to start improving the security of our organization.

Industrial Systems: To patch or not to patch?

There are many peculiarities that must be taken into account when considering the security of industrial and SCADA systems. One that is especially relevant is patching or updating these systems and the software they run. When, during a security assessment of this kind of system, you get to the question "And how do you carry out maintenance of systems to patch known vulnerabilities?", you can get very different answers. Some examples:
Option 1: Poker face
We do not apply security patches. It is not necessary, since our industrial network is completely isolated; we rely on the 'air gap' to protect our systems and, anyway, most manufacturers do not usually publish security updates. On the other hand, sometimes a software upgrade also involves a hardware change, so budget constraints do not allow such updates.
This answer, or similar ones, is quite common. And I do not think it is a crazy strategy not to apply security patches when these conditions are met:
  1. A risk analysis was performed to clearly understand which threats may affect the unpatched systems and what impact those threats could have. Note that I do not mean a superficial risk analysis, but an in-depth one. That is, know exactly which vulnerabilities are left unpatched, how an attacker could exploit them and which compensating measures are in place to mitigate the risk of not patching. When considering the threats, particular attention should be paid to the perimeter of the industrial systems, to the points of interaction with traditional networks and to access points that are easily reachable by visitors or the general public.
  2. Once this risk analysis is done, if the problems, costs or difficulties that result from applying the patches are greater than the risk of not patching, it makes sense not to apply the patch.
  3. This decision should be made in an informed and conscious way by the risk owner.
On the other hand, it is clear that we must put pressure on manufacturers to implement vulnerability management processes for their products, and this point should be a key criterion when selecting these technologies.
Option 2: The quiet man
Well, it depends on the manufacturer, the device and the technician responsible for the update. We don't actually have it documented, but we use different methods, such as downloading patches directly from the manufacturer's website (which doesn't publish a signed hash of the file for verification after download, or, when it does, we don't check it anyway). Sometimes, to save time, we even download the patches from home, where bandwidth is higher than in the office. We copy them to our USB stick and connect it to the industrial systems network, which is completely isolated from the IT network. You know, the famous 'air gap'. Other times, it is a partner or the manufacturer who comes with their own USB stick or laptop and connects it directly to our industrial network to apply updates or perform some other maintenance task.
In these cases, as you can imagine, the problem is that the 'isolation' ceases to be such as soon as a USB stick, a CD or a laptop is connected to our isolated network. With these practices our systems are exposed to many threats. Some of them could be:
  • Malware that can cause performance problems or even a denial of service on these systems.
  • Advanced malware that can even allow remote control or data theft. Although a priori this seems impossible in an isolated network, today we can find numerous proofs of concept of how such attacks could be performed while dodging the 'air gap'.
  • Fraudulent updates or patches downloaded from the internet whose changes to the system may differ from what was expected.
  • Connections from third parties to our network using their own laptops, which may have a lower security level than ours. Also, if we do not control what activities they perform on our systems, that can be a source of threat to consider. Do not forget that it is very likely that our partners also work for our direct competitors, so this is a source of risk to consider.
Option 3: The outstanding
In our organization we have documented and secure processes for updating all our industrial systems. We have several systems in place to be informed whenever a new vulnerability is discovered that could affect our systems. A comparative analysis of the risks of upgrading versus leaving the systems unpatched is performed, so the risk owner can set the criteria used to decide whether to patch and within what timeframe it should be done. Once we have decided that a patch should be applied, we obtain it from a secure source, verifying its integrity and authenticity, we deploy it in our test environments to verify that the update will not compromise the functionality or security of the systems and, only after this, and under our strict control and supervision, the update is deployed in production within the time limit set by the risk owner.
Well, if you get this answer, there is nothing left to do but congratulate the client. However, I have never come across this answer yet.
Of course I am simplifying the possibilities and using hyperbole in this article, but my goal is to make you think about the fact that managing critical vulnerabilities is a key aspect to consider in security evaluations, especially when evaluating industrial or SCADA systems. If you don't update your systems, you will accumulate vulnerabilities, but if you update them in the wrong way, the update process itself can be a (big) source of risk. Therefore, planning, documenting and establishing a continuous improvement process around vulnerability management should be on the agenda of any CSO who intends to improve the security of their organization.
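The integrity check that separates Option 2 from Option 3 (the downloaded patch is compared against the hash the vendor publishes before it goes anywhere near the test environment), added here as an example and not code from the original post. It assumes a `sha256sum`-style manifest; the file names and patch bytes are constructed, and the manifest is derived from them only so the example runs offline.

```python
"""Verify a downloaded patch against the vendor-published checksum manifest
before it is staged for testing, as the secure update process above requires.
Added example, not from the original post: the sha256sum-style manifest
format, the file names and the patch bytes are constructed assumptions."""
import hashlib
import hmac

# Constructed sample patch. The manifest is built from it here only so the
# example runs offline; in practice the manifest comes from the vendor over an
# authenticated channel (or carries a signature you verify first), never from
# the same untrusted download location as the patch itself.
PATCH_BYTES = b"constructed firmware image, build 2.1\n"
MANIFEST = (
    hashlib.sha256(PATCH_BYTES).hexdigest() + "  plc-firmware-2.1.bin\n"
    + "0" * 64 + "  hmi-client-3.4.exe\n"
)

def parse_manifest(text):
    """Parse `sha256sum`-style lines ('<hex>  <name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # ignore malformed lines rather than trusting them
        entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries

def sha256_of(data, chunk=1 << 16):
    """Hash bytes in chunks, as you would when reading a large file."""
    digest = hashlib.sha256()
    for start in range(0, len(data), chunk):
        digest.update(data[start:start + chunk])
    return digest.hexdigest()

def verify_patch(name, data, manifest_text):
    """Return 'ok', 'not in manifest' or 'mismatch'; only 'ok' may be staged."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "not in manifest"
    # Constant-time comparison avoids leaking where the digests diverge.
    if not hmac.compare_digest(sha256_of(data), expected):
        return "mismatch"
    return "ok"
```

A matching digest proves the bytes are the ones the manifest describes, nothing more: authenticity still depends on how the manifest itself was obtained and verified.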

[Some] Challenges for today's CISOs

The life of a CISO can be really hard. Their responsibilities include predicting and protecting the organization from all the risks that may affect the security of its information assets, detecting and responding appropriately to security incidents, managing the organization's security infrastructure, managing the whole lifecycle of technical vulnerabilities and ensuring compliance with information security laws, regulations and standards.
If all this were not complex enough, they must do it on a tight budget, because it is really difficult to predict or even calculate the ROI of security investments. And this is where we find the 'security paradox': if there are no security incidents in the company, is it because of the good job the CISO is doing, or just because there are no real threats and the company is wasting money on security? In these times of crisis, if senior management asks this question, we can imagine how it will end most of the time.
In my opinion, the best way CISOs can justify their budgets is by doing a risk analysis that presents the ROI as risk reduction. However, the result of the risk analysis should be presented in senior management's language: $$$. They need to attach a quantitative financial value to each risk, justifying it correctly and considering the business context of the risk. And this is another complicated point, because it is not always easy for the CISO to have the information and knowledge about the business context needed to correctly translate security risks into business risks. This leads us to another problematic topic in the CISO's world: too much data but a lack of information. CISOs (or their teams) have to manage a lot of events from security devices, systems and applications, vulnerability scanning results, pentest results, new vulnerabilities, new techniques, new technologies, new vendors, new standards, regulations and laws, etc.
Being able to manage all this data and turn it into useful information is one of the big challenges information security departments face today. Centralizing, correlating and analyzing this data in time is an important first step in turning it into useful security information.
Generating alerts to react in time when security incidents happen, or analyzing trends to detect anomalies, goes one step further, and we can say that security information is becoming security intelligence.
But this is not enough. CISOs need to take one additional step and transform security information and intelligence into business intelligence, being able to establish quick and correct relationships between security risks and business risks. So the true challenge for the CISO is being able to report in real time to senior management what the business risks are, providing them with up-to-date information so they can make correct decisions with knowledge of all the risks to their business (information security, physical security, financial risks, operational risks, etc.).
Once CISOs have solutions to perform this transformation of security data into business intelligence efficiently, their lives will be easier, since their budgets will be self-justified. Or, looking at it from the other perspective, senior management will have enough information to establish proper information security objectives and will therefore be able to assign the appropriate budget to achieve those goals.
So, in conclusion, a good CISO must strike the right balance between technical and management skills, as well as having a good understanding of the business and being able to communicate with both technical and business people, while being responsible for information security topics, where what happens today has nothing to do with what will happen next year, or, which is the same thing, in two weeks.