Top 5 NCUA Examination Areas for 2010
Written by Jeromie Jackson
Friday, 19 February 2010 21:24

[Image: NCUA Examiners]

A panel discussion among NCUA examiners from across the United States provided insight and guidance on the focus areas for credit union assessments in 2010. Five topics came up as repeated themes across the panel of examiners. Below is a summary of the forum along with guidance on how to prepare.

1. Risk Assessment

One of the primary focus areas is the risk assessment. Many organizations have had risk assessments in the past that missed the mark when it came to a deliverable that actually works, so risk assessments are often seen as a resource drain rather than a source of value. By prioritizing assets, risks, and threats, organizations can properly align resources. I really like the OCTAVE Allegro and NIST methodologies. The regulators commented on the need to use a risk-based portfolio to determine which controls are prudent to implement to protect the organization's information assets. The risk portfolio is the primary deliverable whenever I conduct these assessments; I generally translate it into a set of milestones to be pursued over the following year. The examiners mentioned that many organizations' assessments are "becoming stale." I believe much of this can be attributed to the lack of value many have received from their previous engagements.

2. Strategic IT Planning & Board Transparency

IT is a critical element of many organizational strategic plans. When IT is not aligned with those plans, large amounts of resources can be consumed without moving towards strategic goals. "Transparency" was one of the words I heard from across the regulatory districts. I asked for clarification on what this meant and received a few responses. First, the examiners want to ensure that risks and incidents that have affected, or are affecting, the organization are communicated to the board. If incidents come up and are not appropriately escalated, the board cannot respond appropriately. Documentation showing the value of IT was also mentioned: if IT cannot demonstrate its effectiveness, how can the board determine whether IT is functioning well? The third comment related to dashboards and the concept of a telescope. As risks and incidents move up through the organizational hierarchy, summarization and removal of technical jargon become required. Dashboards provide a way to strip the goals of technical jargon and to communicate the quality of IT to non-technical staff.

3. Controls Testing

"Focusing on controls" was a theme of the group. Organizations often conduct penetration tests, vulnerability assessments, and social engineering projects to determine the effectiveness of their information security program. While these assessments are good for the organization, they do not necessarily correlate directly to the risk assessment and the controls identified as prudent for the business. Going back to basics from a risk-based perspective, these point solutions often do not validate that the documented controls are working as intended. The regulators put a significant focus on the percentage of controls that are tested. Security is cyclical and needs to be continually tested; the auditors have seen controls being defined and then not met.

4. Vendor Management

With all the focus on IT optimization, many organizations are looking at leveraging third parties to provide IT functionality at a reduced cost. Equally, many vendors provide unique services that need to be accessed through an outsourced solution. I have personally found many organizations that were vulnerable to issues a third party had created. Co-mingling of data, sniffing capabilities, poor-quality IT deployments, and non-comprehensive audits are just a few of the issues I've come across. Vendors generally have to go through a due-diligence review when engaging with a credit union, but many of them do not receive a yearly review. The vendor management procedures of an organization will be another focus area for the auditors this year.

5. Disaster Recovery & Business Continuity Testing

Disaster recovery and business continuity are critical to the success of organizations under environmental or IT distress. Huge amounts of resources have been devoted to DR/BCP programs, yet many organizations do not test the program to an adequate level. Having a plan that is not tested carries many of the same risks as not having a plan at all. Regulators plan on honing in on the DR/BCP plans of credit unions to ensure the plan is not only documented but also tested to an appropriate level.

I have been assessing credit unions since 1994 and would love the opportunity to earn YOUR business. Please contact me when you're ready to discuss your organization's information security needs.

Jeromie Jackson- CISSP, CISM

COBIT & ITIL Certified

President- San Diego OWASP

Vice President- San Diego ISACA

SANS Mentor

LinkedIn: www.linkedin.com/in/securityasessment

BLOG: www.jeromiejackson.com

Twitter: www.twitter.com/Security_Sifu

Razor Burns and Identity Theft
Written by Jeromie Jackson
Thursday, 07 January 2010 03:43

[Image: Razor_Burn]

As many of you know, I have been spending a lot of time on compromising physical security countermeasures. While looking for a good electric toothbrush to convert into a vibrating lockpick, I came across a set of women's electric razors. A few hours later I had a modified vibrating lockpick.

[Image: Razor_lockpick]

I present my video on The Master Lock vs. a Lady's Razor. Overall the device worked fairly well. I was able to compromise most of the locks I am generally able to rake pick, but I was not able to circumvent my better locks. It was a great experiment, and if you don't have a manual pick gun I would recommend adding it to your picking arsenal. You can find the full video of how it was constructed, along with sample picking, by clicking on the above graphic.

Last Updated on Wednesday, 20 January 2010 20:06
Red Team Physical Security Penetration Test
Written by Jeromie Jackson
Wednesday, 16 December 2009 18:21

Our customer occupies the entire 3rd and 4th floors of a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone, and 3-megapixel camera housed in a pen.

[Image: Spy Pen]

Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. The primary takeaways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted the guards who leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

[Image: First Floor Entrance]

We did not have all the equipment to clone HID cards, so our attack did not include cloning HID cards; however, it is very easy. If you're interested, I recommend checking out RFIdiot. Also, to see how vulnerable HID cards are, I recommend checking out this video from Padget that shows a simple cloning device. For a fairly expensive, long-range HID reading capability, check out this more elaborate long-range HID/RFID cloning setup.

At approximately 12:30AM we arrived on-site. The back door is protected by a HID proximity system. Shoving a wire hanger covered in a piece of paper through the door, we attempted, and were able, to trip the motion sensor. "CLICK" went the pins keeping the door closed, but the doors did not open. The plunger/break-away bar was still keeping the door locked. We hit the street-side door and attempted to pick a Schlage lock for a minute or two. The amount of police traffic was too high, so we left the door. Having severely compromised the organization during the day, my cohort was ready to call it a night. Having a "get out of jail free card" and being up at 1AM, I wasn't so eager to give up. I went back home and bent up every round bar I had. I needed something I could shove through the door, turn, and then use to pull the plunger, opening the door.

[Image: Break-in-bars]

Those were the bars I had that might fit through the door, and off I went for another hit on the building. I called my cohort and told him I would call him back in 30 minutes, successful or not. We needed a bar strong enough that we could push it through the gap in the doors and then turn it to pull the plunger closed. Eight minutes on the back door, and "POP," I was in! The bent wire above, with the needle-nose pliers, was the tool that breached the door. "I'm in!!!" I told my accomplice when I called him, and he was on his way to help complete the job.

[Image: Awaiting Backup]

Having made it into the first floor, thanks to poorly installed exterior doors, I called my buddy and called the troops in. After calling my wife to let her know it was going to be a long night, I waited. All the doors in the hallway, except the stairwell, were locked. Not even the bathrooms were left unlocked. After approximately 15 minutes I heard someone yanking on the doors, then I heard radios going off. "It looks like someone tried to shim the door, there are fresh scratch marks," I heard across the radio transmissions. Burrowed under the first floor stairwell with my bent bar, coat hanger, and get-out-of-jail-free letter, I shivered for over 15 minutes. I couldn't call my buddy, as there wasn't service under the stairwell. After approximately 15 minutes the noise had ended; the police had left, as nothing was tripped in the facility. We had entered the building and had 5 hours until security would be returning the following morning. My next blog will document getting into the interior offices and compromising the datacenter. Make sure to follow me on Twitter!

Last Updated on Wednesday, 16 December 2009 18:23
Securing Data Centers by Breaking Into Them
Written by Jeromie Jackson
Monday, 28 December 2009 18:17

The locks on the building were of good quality. They were 6-pin Schlage tumbler locks incorporating one or more security pins. Here's what the internals of such a lock look like:

[Image: Lock]

Theoretically any lock of this type is pickable. Raking was the first technique we tried, unsuccessfully. We then began trying to single-pick the pins. Over 30 minutes went by between the two methods. While impatiently waiting, I looked around, hunting for other avenues toward our goal.

[Image: Lockpicking]

While standing there, I noted the screws in the window were on our side of the door! After unscrewing one screw, we found the shank appeared to be long enough to go through the door. After removing the other 9 screws and a weather seal, out came the window, and we were on the 3rd floor. From our reconnaissance earlier in the day we knew there were motion sensors running the length of the hallway. Crawling over to the closest door in order to evade the sensor, my partner began picking the interior door of the office. After 20 minutes without progress, we decided he would make the LONG crawl down the hallway to where we had identified a poorly installed door that exposed the plunger. Popping the plunger with a "Lucky-7" house number from Home Depot, he got the door open. He came around to the other door closer to me, opened it, and I crawled my way over to the now-open interior door.

With no interior motion sensors we had free rein in the office. We obtained several documents containing social security numbers and other confidential data. Stacking several tables that were available, I jumped over the drop ceiling into the datacenter. Mission completed! We took some video, gathered evidence, and left a note for our point of contact on a monitor in the datacenter. Everything was put back the way it was originally, the window in the hallway door was reinstalled, and we made our exit through the stairwell onto the main street. A clean getaway!

Our contact arrived at 7:30 the following morning, just as every other day. He went to his desk, found nothing out of the ordinary, and worked through the morning. Around noon he had to enter the datacenter for a task that needed physical access to one of the servers. He looked over to the monitor and found our note: "Dear <Point of Contact>, Please call us to discuss your physical security. Jeromie & Eric."

I will be following up with several articles about circumventing physical security devices such as HID proximity cards, some good info and sources for lock picking, creating lockpicking tools, and definitely more on my infosec penetration testing as well. Be sure to follow me on Twitter!

Should you need any security assessment, regulatory compliance, web-application testing, social engineering, or red-team engagement, I would certainly appreciate the opportunity to earn your business!

Last Updated on Monday, 28 December 2009 18:20
20,000 Social Security Numbers Compromised in Physical Security Breach
Written by Jeromie Jackson
Tuesday, 15 December 2009 21:14

[Image: Physical_Security]

An organization in California recently found a note in their data center one morning. It said "Dear Administrator, Please Call XXX-XXX-XXXX in order to discuss last night's physical security breach." "This has to be a joke," the administrator thought. The organization has security guards, cameras, motion sensors, and interior locks on everything, including the bathrooms. No alarms were tripped, and no sensors showed any error or warning conditions.

The organization had hired us to conduct an internal and external vulnerability assessment and penetration test, along with a physical security penetration test. The goal was to see if we could physically penetrate the organization and reach the data center in the middle of the night. This is a brief synopsis of our methodologies, the attack, and the take-aways. This will be a multi-part blog. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

Remote Reconnaissance

Our initial site discovery was conducted online. By reviewing information available on the Internet, we were able to identify employees, vendors, high-level building information, and areas of interest and concern. Senior titles and emails were acquired. These could be used for a variety of email- and phone-based social engineering ruses. Maltego is an awesome graphical way to analyze information on the Internet and the relationships between content. It was used to graphically, and quickly, assess the relationships the organization holds with business partners, associations, and manufacturers. Below are a couple of screenshots from Maltego.

[Images: Maltego-1, Maltego-2]

[Image: Maltego-3]

Google Maps showed the businesses in the immediate area. Identifying how big the street was, the types of adjoining and nearby businesses, and the type of neighborhood helped determine foot traffic levels at night, the amount of car traffic, and so on. A review of the physical location via Google Site Maps Street View showed the rear of the building would have less visibility than the street-facing stairwell. There is an apartment complex behind the building; this may increase the number of people potentially monitoring or seeing the building throughout the night.

Reconnaissance Day

Our customer occupies the entire 3rd and 4th floors of a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone, and 3-megapixel camera housed in a pen. Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. The primary takeaways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted the guards who leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

My next blog will be about the hit the following night; I'm just about done writing it. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

Last Updated on Monday, 28 December 2009 18:21