The Security Mindset

by Süleyman Petek 17 July 2015 21:00

Everyone in your organisation should keep security in mind, all the time. Remember that you are only as secure as the weakest link in the chain. Whatever the latest technology you use (firewalls, IDS, IPS, antivirus, etc.), your level of protection is only as high as your weakest link.


Not everyone will have the same level of mindset, but developers and IT staff in particular should be careful about this. Of course, building a company-wide mindset is not easy, and it requires continuous education. Education costs money and time, so top management needs the mindset too in order to approve these expenses.

Consider a project manager, a business analyst or a scrum master. While planning a project, almost none of them allocate time and human resources to security issues. Being aware of these issues means allocating time in the plan for fixing security defects and for aligning with secure coding standards. The majority of developers concentrate on learning new technologies, but unfortunately they are not keen on security, or they are not aware of how serious the topic is.

In general there are some principles that should be kept in mind:

Least Privilege
Sometimes referred to as POLP (Principle of Least Privilege): limiting access to the minimum level that is necessary to complete the job.

Simple is More Secure
Get rid of unnecessary functions and unused features as far as possible; every feature you remove is one less thing to attack.

Do Not Trust Users
When it comes to user actions, being paranoid is good security behaviour. This applies even to your administrators, who are not 100% reliable either (an unhappy employee may be very harmful). Sometimes offline actions such as phone calls should also be considered an attack (Social Hacking).

The Unexpected Always Happens
Preventing an attack before it happens is vital. People generally see only the "happy path" in projects, but the edge cases should be considered as well.

Defense in Depth
Slowing down the attacker via layered defenses. "If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system." - OWASP


Obscurity
If you read the CEH preparation book, hacking starts with the reconnaissance process. The more information you give away, the more attackers benefit. Limit the information you disclose to the minimum.

Blacklisting & Whitelisting
"A Blacklist is testing a desired input against a list of negative inputs. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.

A Whitelist is testing a desired input against a list of possible correct inputs. To do this you would compile a list of all the good input values/conditions, then verify that the input received is one of these correct conditions."
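To make the difference concrete, here is an added example (not code from the original post) that validates a "username" field both ways. The blacklist only rejects what somebody remembered to list; the whitelist accepts only the shape the field is supposed to have. The sample inputs and the username rule (3 to 16 ASCII lowercase letters, digits or underscore) are constructed for this example.

```python
import re

# Constructed sample inputs for a "username" field (not from the original post).
SAMPLE_INPUTS = [
    "alice",        # plainly valid
    "bob_99",       # valid
    "alice; DROP",  # punctuation a username never needs
    "ali<b>ce",     # markup characters
    "alice\x00",    # NUL byte: the blacklist below never thought of it
    "\u0430lice",   # Cyrillic 'а' (U+0430) looks like Latin 'a' but is not
    "",             # empty
    "a" * 40,       # too long
]

# Blacklist approach: reject input that contains any listed bad condition.
# Every bad condition must be enumerated in advance; anything forgotten gets through.
BAD_SUBSTRINGS = ["<", ">", ";", "'", '"', "--"]


def blacklist_allows(value: str) -> bool:
    """Return True when none of the listed bad substrings occur in value."""
    return not any(bad in value for bad in BAD_SUBSTRINGS)


# Whitelist approach: accept only input that matches the known-good shape.
# fullmatch() is used rather than '$' because '$' would still accept a trailing newline.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def whitelist_allows(value: str) -> bool:
    """Return True only when the whole value matches the allowed username pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def compare(values):
    """Return {input: (blacklist_result, whitelist_result)} for each sample input."""
    return {v: (blacklist_allows(v), whitelist_allows(v)) for v in values}


if __name__ == "__main__":
    for v, (bl, wl) in compare(SAMPLE_INPUTS).items():
        print(f"{v!r:22} blacklist={'allow' if bl else 'reject':6} "
              f"whitelist={'allow' if wl else 'reject'}")
```

Run it and compare the two columns: the NUL-byte and look-alike inputs sail through the blacklist but are rejected by the whitelist, which is why whitelisting is the default recommendation for input validation.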


IT Security | Awareness | Web Security | Web Attack

Reverse Engineering 101

by Süleyman Petek 14 July 2015 23:43

Reverse engineering is the process of extracting the knowledge or design from anything man-made. In fact the concept is not new: before computers, in the time of the industrial revolution, scientists were trying to resolve the atom, and doctors were (and still are) trying to explore the human body. The difference between computer reverse engineering and scientific reversing is that the former targets something man-made, whereas scientific reversing is an exploration of a natural process.

Software is nowadays the most complex and most popular target for reverse engineering. Like software engineering, software reverse engineering is a completely virtual process where you only have a CPU and your mind. Software reverse engineering unifies code inspection, problem solving and logical analysis.

In security, for instance, reversing can be used to identify the encryption used in an application, and in this way the analyst can evaluate the level of protection the application has. Reversing has become very important for IT security recently, as the increase in malicious software is unstoppable. Crackers love it too, as they analyze software to reproduce it without a registration key!

Reversing can also be useful for software developers, especially with legacy, undocumented software, which they can use reversing to understand. Other cases may be testing 3rd party code, or even your competitor's code, to find out how they do the work.


Namely, you can do reversing at two scales:

  1. System Level Reversing
  2. Code Level Reversing

System level reversing involves obtaining information from the operating system. Every application uses the operating system to interact with the outside world. That's why it is really important for reversers to understand the operating system.

Code level reversing can be considered an art. Reversing highly complex software requires a solid understanding of software development, the CPU and the operating system, along with the essential tools and techniques.

Some of you may ask whether it is legal. There is no clear-cut answer to this question yet. Is it OK for others to see a competitor's intellectual property by reversing the product? In my opinion, producers need to think about protection against reversing; on the other hand, you can see reverse engineering as a benefit, a way of showing that your product works like a charm and is harmless to the people who use it. It is up to you, depending on where you look from.

Generally, many products are protected by copyrights and patents. Patents are the stronger protection against copying, since they protect the ideas behind the functioning of a new product, whereas a copyright protects only its look and shape. Often a patent is no more than a warning sign to discourage competitors.


IT Security

Secure Software Development Lifecycle

by Süleyman Petek 13 July 2015 23:00

Security should be part of your DNA while building a software system. Below is a short list of the terms and acronyms used here.

Information Security Risks: The probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur.

Software Security: A way to defend against software exploits by building software to be secure.

Application Security: A way to defend against software exploits  after deployment is complete.

Return on Security Investment (ROSI): The total amount of money that an organization is expected to save in a year by implementing a security control.

The core components of Secure SDLC process are:

  • Clear and detailed requirements of business
  • Security requirements 
  • Threat modelling (Early in the security design phase, threat modelling should be done in order to identify the potential threats that exist specific to the application.)
  • Design
  • A policy for secure coding
  • A framework for secure coding (OWASP may be a resource here)
  • Segregation of environments (Dev/Test/Staging/PreProd/Prod)
  • Static and Dynamic Analysis of the code
  • Change management
  • Release management

To reduce the probability of writing insecure code, a few steps should be included in the SDLC. Since writing secure code is vital for minimizing the occurrence of vulnerabilities, it is worth elaborating on this topic for the benefit of executives. This step in development is too often misunderstood or deemed to be of secondary importance compared with production deadlines. It is worth reviewing the basic steps of writing secure code; at some point it may look like an attractive return on investment.

Secure coding needs some key factors:

  • Top level management buy-in
  • Security architect engagement
  • Segregation of duties
  • Backups
  • Monitoring and logging of events
  • Patch management
  • Password management (authentication-authorization)
  • Session management
  • Input validation
  • Output encoding
  • Exception management (Fail safely)
  • Developer training (Create awareness, educate)
As the cost of a bug grows the later it is found in the SDLC, security issues should be considered and fixed as early as possible.



What can you lose if you don't?

  • Reputation
  • Data
  • Money
  • Time

And never forget that risks are for managers, not for developers!



IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

Web Application Security 101

by Süleyman Petek 11 July 2015 14:25

Since the proliferation of the internet nearly 20 years ago, its use in our daily lives has been increasing day by day. At first we adapted to reading newspapers on the web, then we started to do our basic financial operations over the web on our banks' web sites. The shopping madness, a.k.a. "e-commerce", followed. Buying plane tickets, betting, dating, etc.: there is a huge cyber world out there. This is all nice, but you should be aware of your security and privacy in this cyber world. Nowadays mobile applications are very popular; we cannot say they will replace web applications, but we should notice the power of mobile as well.


Web applications have brought with them a new range of security vulnerabilities. There is a rising awareness that security is an important issue for web applications. Most web sites say that they are secure because they use SSL. Increasingly, organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. In real life, unfortunately, the majority of web applications are insecure, despite the widespread use of SSL and the adoption of regular PCI scanning. Here is an example headline: "Half of firms hit by web application security breaches".

There is a non-profit worldwide organization called OWASP (Open Web Application Security Project). There are many materials there for learning about application security. Especially the OWASP Top 10 may be a very meaningful start for newcomers; it covers the most critical web application security flaws. The latest edition was released in 2013.


Web applications face a fundamental problem in being secure: the client is outside the application's control, so users can submit arbitrary input to the server-side application. The application owners and coders must assume that all input is potentially malicious. The majority of attacks against web applications involve sending crafted input to the server to cause some unexpected event.

Unfortunately, SSL cannot stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other users on the network cannot view or modify the attacker's data in transit; the server still has to validate what arrives.

Some key factors behind these problems are:

  • The developers are not aware of the issue; they should be educated in secure coding.
  • Executive management generally cares about deadlines, not the security of the application, so developers just try to be as fast as they can, bypassing security issues.
  • Resources and time are limited and the market is very aggressive, so the executives are somehow right. But security is not an issue to underestimate: the company can lose money and prestige because of insecure applications.
  • The threats are evolving rapidly.

To sum up: the World Wide Web has evolved from basic static information repositories into highly functional applications that process sensitive data and perform powerful actions with real-world consequences. Most web applications face the core security problem that users can submit arbitrary input. Every aspect of the user's interaction with the application may be malicious and should be regarded as such unless proven otherwise. All the signs about the current state of web application security show that although some aspects of security have indeed improved, entirely new threats have evolved to replace them. The overall problem has not been resolved on any significant scale. Attacks against web applications still present a serious threat to both the organizations that deploy them and the users who access them.



IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

What is ISO / IEC 27001 ?

by Süleyman Petek 6 July 2015 22:42

Briefly, it is an information security standard widely accepted all over the world. ISO stands for the International Organization for Standardization and IEC stands for the International Electrotechnical Commission. The standard specifies an Information Security Management System (ISMS): taking a top-down approach, a set of activities concerning the management of information security risks.

ISMS: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and technology, tied together by a risk management process, recognising that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and the different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

ISO / IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming's Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, aligning it with the other ISO management system standards and dropping the PDCA concept.


As the successor of ISO / IEC 17799, it also includes concepts like "Quantifiable", "Reusable" and "Scalable". The framework ensures that the security arrangements are kept in line with changes to security threats, vulnerabilities and business impacts. In such a dynamic field, a key advantage of ISO / IEC 27001 is that it is flexible and takes a risk-driven approach, compared with PCI DSS.

Quantifiable: Third parties can measure the metrics, and the standard is suitable for assessing the assets and measuring the risks.

Reusable: Whichever part you want can be repeated. Gaining the support of the executives and educating the workers results in minimized risks.

Scalable: The standard can be applied to a pilot department first, and the scope extended afterwards. Extra audits can be plugged in or out as needed.

The framework structure is as below:

1. Introduction
2. Scope
3. Normative references
4. Terms and definitions
5. Context of the organization
6. Leadership
7. Planning
8. Support
9. Operation
10. Performance evaluation
11. Improvement

Accredited certification to ISO / IEC 27001 demonstrates that an organisation is following international information security best practices.

Benefits:

• Supports compliance with relevant laws and regulations
• Reduces the likelihood of facing fines
• Protects your reputation
• Provides reassurance to clients that their information is secure
• Cost savings through a reduction in incidents
• Demonstrates credibility and trust
• Improves your ability to recover your operations and continue business as usual
• Confidence in your information security arrangements
• Improved internal organization
• Better visibility of risks amongst interested stakeholders
• Meets customer and tender requirements
• Reduces third party investigation of your information security requirements
• Gives a competitive advantage
• Improved information security awareness
• Shows commitment to information security at all levels throughout your organization
• Reduces staff-related security breaches


For certification, you find an authorized partner and they assist you. In general there are 3 steps:

1. Gap analysis, where they look at your existing information security management system and compare it with the ISO/IEC 27001 requirements.
2. Formal assessment, reviewing your organization's preparedness for assessment by checking whether the necessary ISO/IEC 27001 procedures and controls have been developed.
3. Certification: if you have passed the formal assessment you receive an ISO/IEC 27001 certificate, which is valid for 3 years.


What is PCI DSS ?

by Süleyman Petek 3 July 2015 21:46

Payment Card Industry Data Security Standard, a.k.a. PCI DSS, is a set of policies and procedures for securing the cards that you use instead of cash.

As they define it on their website: "The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents."


When you think of your daily life:

• you work for money for a month
• at the end of the month you earn your salary and it is transferred to your account
• you pay your bills online
• you use your credit card / debit card at cafes, bars, restaurants, etc.
• you use your credit card while you shop online
• and so on

Did you notice that you never actually see the money physically? You just see numbers on your screen, whether on a mobile phone or on your bank's website. As a customer of your bank, you should be confident about your privacy and security.

Compared with the old days, the way thieves work has changed a lot. When I was a child, Lucky Luke was protecting the bank from the Daltons.

Now life is easier, but somehow life is easier for the thieves as well. So you need proven security guidance. When you comply with PCI DSS:

1. Your customers will believe that they are secure when they do money-related business with you
2. This trust will create positive feedback for your business
3. Your partners will also feel trusted
4. Having a reputation among business partners will bring new partners and new customers

In order to comply with PCI DSS you need the items below; there are 6 main goals and 12 requirements:


Say that you have done all of the above; then what is next? The answer is audit. You will be audited by a QSA (Qualified Security Assessor) and an ASV (Approved Scanning Vendor) who are authorized by PCI. In some cases the company is not required to be audited on site and can prove its compliance via an SAQ (Self-Assessment Questionnaire).

The major payment card brands have created their own security guidelines based on PCI DSS; for instance, Visa's is shown below.


For further information you can check this out.

According to the document, the PCI DSS applies to "all entities involved in payment card processing - including merchants, processors, financial institutions and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data."

The standard defines cardholder data (CHD) and sensitive authentication data (SAD) as follows:

Cardholder Data

• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Service Code

Sensitive Authentication Data

• Full track data (magnetic stripe data, or its equivalent on a chip)
• CAV2/CVC2/CVV2/CID numbers
• PINs/PIN blocks
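The CHD/SAD distinction is exactly what an application's logging and storage code has to respect. The following Python log sanitizer is an added example and not part of the original post: it redacts the SAD fields listed above entirely and masks the PAN, keeping at most the first six and last four digits, which is the display limit PCI DSS sets in requirement 3.3. The field names and the sample transaction record are constructed for this example.

```python
import re

# Field names as an application might use them (constructed for this example).
# Cardholder data: may be logged only in masked form (the PAN) or as-is (the rest).
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiry", "service_code"}
# Sensitive authentication data: must never reach a log or persistent storage.
SENSITIVE_AUTH_DATA = {"track_data", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block"}

# A PAN is 13 to 19 digits once separators are removed.
PAN_RE = re.compile(r"\d{13,19}")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI DSS 3.3 display limit), mask the rest."""
    digits = pan.replace(" ", "").replace("-", "")
    if PAN_RE.fullmatch(digits) is None:
        raise ValueError("value does not look like a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_log(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to write to an application log."""
    safe = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_DATA:
            safe[key] = "<redacted SAD>"       # never emit, not even partially
        elif name == "pan":
            safe[key] = mask_pan(str(value))   # CHD, but only ever shown masked
        else:
            safe[key] = value                  # other CHD and non-card fields pass through
    return safe


if __name__ == "__main__":
    # Constructed sample transaction; the PAN is a well-known test number.
    sample = {
        "PAN": "4111 1111 1111 1111",
        "cardholder_name": "J. Doe",
        "expiry": "12/27",
        "cvv2": "123",
        "pin_block": "A1B2C3D4E5F60718",
        "amount": "9.99",
    }
    print(scrub_for_log(sample))
```

Putting the scrubber in front of the logger (rather than trusting every call site to remember) is the practical way to keep SAD out of log files, which auditors routinely sample.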

If you're confused about how to get started with this process, contracting a qualified assessment firm can help you pinpoint any areas of improvement in your existing security policies.



IT Security

Managing Software Projects

by Süleyman Petek 3 July 2015 20:45

The situation so frequently encountered in software projects, namely

the project coming in above its estimated cost,

the project's end date missing the estimated date, and

the product that finally emerges being lower in quality and less functional than the prototype designed at the start,

has happened, or will happen, to all of us. The real issue here is to succeed without going through this routine. To cope with this routine problem, the following 4 steps must be applied:

1) Planning and Estimation

2) Measurement and Control

3) Communication, Coordination and Leadership

4) Managing Risk


In fact, all projects resemble each other (in terms of management):

- Expectations of the project are determined

- The activities to be done are planned

- Resources are assigned

- Responsible people are determined

- The work to be done is coordinated

- The progress of the work is monitored

- Communication is maintained

- Risk factors are identified, and what must be done to prevent them is determined

- Corrective actions for mistakes are taken (if necessary)


but the factors that make software projects harder and more complex distinguish them from projects in other sectors, and these are:

- The inherently complex nature of software

- The changeability of software

- and the fact that software is an invisible, essentially abstract product

Unfortunately, those who manage software in our country still look at the work with a construction mindset: you can speed up a late construction job somewhat by adding extra workers, but this logic generally has the opposite effect in software projects. (See The Mythical Man-Month: "Adding manpower to a late software project makes it later.") Another nice illustration of this is the mother-and-birth example: if 1 mother gives birth to 1 child in 9 months, 9 mothers cannot give birth to 1 child in 1 month; software projects are exactly like this. Actually the same thing applies to construction beyond a certain point: if a construction job that needs to speed up is given more extra workers than necessary, this time there is the danger that the workers cannot even get near the site (an undesirable situation caused by the crowd of people).

We can also support the claim that adding people to a software project brings more harm than benefit with what PMI describes: the communication channels grow logarithmically with each individual. PMI says communication channels = n(n+1)/2, where n represents the size of the team. If we add to this the inverse logarithmic growth of the learning curve of members newly joining the team, I think the seriousness of the matter becomes even clearer.

So what should we do, what could be done so that this does not happen? Actually, although there is no definitive solution, different alternatives can be tried depending on the structure of the team and the company; the agile methods that are very popular these days could be one example (if there is management support and the team is not too large (5-8 people)).



Project Management

Big Data Facts - 2

by Süleyman Petek 3 July 2015 20:41

"What is the difference between Big Data and the existing BI?"

We hear this question frequently in many settings where Big Data (Büyük Veri) is discussed. We could also rephrase it as "Can't we analyze big data with the tools we have used so far?" In the BI methodology used until now, the basic principle was collecting corporate information in a central data warehouse; the data was mostly processed in offline mode (transferring the online data we call OLTP into the denormalized environments we call the Warehouse).

In Big Data, on the other hand, there are these distinct differences:

• The data is not in a central place; it is distributed
• The functions that process the data go to the data; the data does not go to the function to be processed
• The data may not have a specific format; unstructured data can also be used
• Offline data and real-time (instantaneous) data may coexist
• The technology runs predominantly on parallel processing
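To show what "the function goes to the data" and "parallel processing" mean in practice, here is an added Python example that is not part of the original post. It simulates three nodes that each hold their own slice of an event log: each node aggregates its slice locally and in parallel, and only the small summaries travel to be merged, instead of every raw record being shipped to a central warehouse first. The node names, the log lines and the counting workload are constructed for this example.

```python
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Constructed sample: three "nodes", each holding only its own slice of the log.
PARTITIONS = {
    "node-a": ["login ok", "login fail", "login ok"],
    "node-b": ["logout", "login fail", "login fail"],
    "node-c": ["login ok"],
}


def local_count(lines):
    """The function runs where the data lives: a node aggregates only its own slice."""
    return Counter(lines)


def merge(partials):
    """Combine the per-node summaries; this is the only data that crossed the network."""
    total = Counter()
    for partial in partials:
        total.update(partial)
    return total


def distributed_count(partitions):
    """Run local_count on every partition in parallel, then merge the results."""
    with ThreadPoolExecutor(max_workers=len(partitions)) as pool:
        partials = list(pool.map(local_count, partitions.values()))
    return merge(partials)


def records_shipped_centralized(partitions):
    """Warehouse approach: every raw record travels to a central store before processing."""
    return sum(len(lines) for lines in partitions.values())


def records_shipped_distributed(partitions):
    """Function-to-data approach: only each node's summary rows travel."""
    return sum(len(local_count(lines)) for lines in partitions.values())


if __name__ == "__main__":
    print(dict(distributed_count(PARTITIONS)))
    print("records moved, centralized :", records_shipped_centralized(PARTITIONS))
    print("records moved, distributed :", records_shipped_distributed(PARTITIONS))
```

On this tiny sample the saving is small (7 raw records versus 5 summary rows), but the ratio is what matters: the summaries stay roughly the size of the number of distinct keys no matter how many raw records each node holds.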


Big Data | Tech

Big Data Facts

by Süleyman Petek 3 July 2015 20:27

This picture I saw about Big Data (Büyük Veri) impressed me a lot.