Richard J. Bocchinfuso

Essay Assignment

You are the CISO of a large company. Using your own machine as an example, tell me how you would harden your own machine and how you would harden machines across the company, using ideas garnered from this class.

[google-drive-embed url=”https://docs.google.com/document/d/1R3qcJYeizUXoUgcyTjWJq5ijO6PPWsAooJ_cegPl4WQ/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 8 – Assignment 1″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

Final Exam

[google-drive-embed url=”https://docs.google.com/document/d/1XexEQY0nD5tzZXTnXDsEbe23zcFjt7c6iG_WEYPzPJo/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Final Exam” icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

Discussion Post

Desktop Virtualization
Discuss whether desktop virtualization is a panacea.

No, virtualization (desktop or server) is not a panacea. While complex, attackers can exploit hypervisor technology by virtualizing an operating system and running the malware at a level below the virtualized workloads, at the hypervisor layer. This approach makes the malware very hard to detect and operating system agnostic. (Ford, 2018) This type of malware has become know as a virtual-machine based rootkit (VMBR). A VMBR installs a virtual-machine monitor (VMM) underneath an existing operating system (guest os or virtual machine) and hoists the original operating system into a virtual machine. (King & Chen, 2006)

Virtualization can be very helpful for malware analysis. Virtualization can provide isolation, it can create a trusted monitor so the hypervisor can watch how the system works preventing the hypervisor from being tampered with, and it can allow for rollback or disposable computing which can be very useful for malware testing. (Ford, 2018) While countless benefits are derived from virtualization, the hypervisor is just software, and like any other software, it can have vulnerabilities. If the hypervisor were to be exploited, it could provide an attacker with low-level system access which could have serious, widespread implications. Successful exploitation of the hypervisor would give the attacker full control over everything in the hypervisor environment, all virtual machines, data, etc. (Obasuyi & Sari, 2015)

The “cloud” makes extensive use of virtualization technologies. (Ford, 2018) For example, Amazon Web Services (AWS), is built on the Xen hypervisor. Given the security concerns mentioned above and associated with the hypervisor, you can see the concern given the scale and multi-tenancy of cloud providers. (Vaughan-Nichols, 2015) Let’s face it the cloud is one giant honeypot; it’s hard to say “if” and more likey “when” will a low-level exploit happen in the cloud. Only time will tell.

To bring it back to desktop virtualization I might argue that the security concerns with desktop virtualization exceed the security concerns with server virtualization, for one reason, linked clones. The use of linked clones is quite common in desktop virtualization, but with all virtual desktops sharing common executables and libraries, malware can metastasize with each virtual desktop instantiation, and this would not require a compromised hypervisor, but rather a compromised master image. The other thing which we need to consider is transparent page sharing and the potential manipulation of EXEs and DLLs in memory at the hypervisor level and the impact it could have.

References

Ford, R. (2018, June 11). Virtualization. Retrieved June 11, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTYvQ1lCNTI4ME0xMFYxL0RhdGEvbW9kdWxlLnhtbA

King, S. T., & Chen, P. M. (2006). SubVirt: Implementing malware with virtual machines. Paper presented at the , 2006 14 pp.-327. doi:10.1109/SP.2006.38

Obasuyi, G. C., & Sari, A. (2015). Security Challenges of Virtualization Hypervisors in Virtualized Hardware Environment. International Journal of Communications, Network and System Sciences, 08(07), 260-273. doi:10.4236/ijcns.2015.87026

Vaughan-Nichols, S. J. (2015, December 04). Hypervisors: The cloud’s potential security Achilles heel. Retrieved June 13, 2018, from https://www.zdnet.com/article/hypervisors-the-clouds-potential-security-achilles-heel/

Discussion Response 1

I enjoyed your post, would like to offer up some food for thought.

There are lot’s of good reasons for Desktop Virtualization, the catalysts that I see typically revolve around centralized command and control, with the desire for centralized command and control often being aided by regulatory and/or compliance requirements. Five or so years ago we were seeing a huge push towards desktop and application virtualization on platforms like Citrix Xen Desktop, Citrix Xen AppA, and VMware View but this trend seems to have slowed, it’s not hard to understand why.

Let’s look at a few of the challenges with desktop virtualization. From a security perspective, you now have the east-west traffic to be concerned, this is the traffic taking place on the same physical hardware, not ingressing or egressing the physical hardware (north-south traffic) so network security protocols don’t really work. This was a general hypervisor problem which has been addressed, but a concern nonetheless. Next, we have the unpredictable performance profile of end-user usage, one user performing an I/O intensive process has the ability to impact all other users on that physical system. Then there is the con of centralization, the risk, a shared component outage has a much larger blast radius. All of these contributing factors make desktop virtualization fairly costly.

New technologies like SasS and browser-based apps, the rich user experience of HTML5, the ease of cross-platform development, the BYOD push, etc… seem to have slowed the desktop virtualization craze. Desktop virtualization is still happening, but it seems to have slowed. I use virtual desktops all the time for remote access or to run thick apps, but the virtual desktop is used more like an application rather than as a day-to-day shell from which I work. IMO as long as there is Java and the umpteen versions of Java, compatibility issues between apps and Java version, etc… we will have a need to use the virtual desktop to solve these issues. VDI also allows us to take think client applications and quickly centralize them, although I know many people who have done this who wish they just did an app rewrite rather than spending the time build VDI.

I agree with the VirtualizedGeek, that DaaS is a better solution than VDI for those of us need a cloud-based Windows desktop. (VirtualizedGeek, 2014) The article is a bit dated and today many of us use AWS Workspaces or another DaaS solution for this very reason. I also agree with Ben Kepes that “Desktop as a Service is last year’s solution to last decade’s problem.” (Kepes, 2014) The bottom line is the move toward mobile and web apps will continue so while VDI may not be dying I don’t expect it to flourish.

References

Kepes, B. (2013, November 06). Death To VDI. Or DaaS. Or Whatever It’s Called This Week. Retrieved June 17, 2018, from https://www.forbes.com/sites/benkepes/2013/11/06/death-to-vdi-or-daas-or-whatever-its-called-this-week/#3e4c3295096a

Rouse, M. (2018, June 17). What is east-west traffic? – Definition from WhatIs.com. Retrieved June 17, 2018, from https://searchsdn.techtarget.com/definition/east-west-traffic

VirtualizedGeek. (2014, February 18). VDI is dying so what now? Retrieved June 17, 2018, from http://www.virtualizedgeek.com/2014/02/vdi-token-ring/

Discussion Response 2

Enjoyed the post, great read as usual, always like the emotion in your writing.

I have one rule about technology, it is to never make a technology decision based on “saving money”. When the primary value proposition is “you’ll save money” it almost always tells the story that there is no other value proposition that is meaningful enough to be a motivator. I have yet to meet someone who made the decision to implement VDI for cost savings that are happy they made the decision. I have met those who had to do it for regulatory and compliance purposes who likely spent and continue to spend more on their virtual desktop infrastructure than they would have spent deploying desktops, these folks still may not be happy but they are committed to the technology to solve a business problem that they have yet to find another solution to.

Desktop virtualization has been around for a long time, Citrix the undisputed leader in the space started in 1989 with the development of their protocol called ICA (Independent Computing Architecture). In the late 1990s Citrix release MetaFrame 1.0 to match the release of Microsoft Terminal Server. Citrix capitalized on the weakness of Microsoft RDP protocol and MetaFrame and the ICA protocol became the defacto standard for multi-tenancy at scale. The mainframe and mini-computer world was used to multi-tenancy but Citrix had brought multi-tenancy to the micro-computer and Wintel platform. This market pivot actually has close parallels to the cloud pivot we are seeing in enterprise computing today. In the 90s and early 2000s consumers listened to vendors, today consumers listen to the community, the biggest voices are those consuming the platform at scale, fortunately for Citrix this wasn’t the case as they rose to market prominence. There is no doubt that today Netflix holds as much weight on a new user using AWS as AWS itself, Netflix is the 900-pound consumer gorilla and their lessons learned are consumer lessons, not the lessons of AWS who want you on the platform. The Netflix lessons are extremely relevant to the cloud, but they are also relevant to a move to multi-tenancy in any way, VDI being one example. I think we are quickly moving past the days where “a guy with a huge handlebar mustachio with a cape on the back of a wagon” can espouse a cure-all. And for those willing to buy, well, in today’s day and age it feels more like natural selection than someone being bamboozled.

Here are some of the publically available Netflix lessons with some personal commentary. I love these lessons learned and I use them in different contexts all the time. (Netflix Technology Blog, 2010) (Townsend, 2016)

1. Dorothy, you’re not in Kansas anymore. It’s going to be different, new challenges, new methods and a need to unlearn much of what you are used to doing.
2. It’s not about cost savings. Focus on agility and elasticity.
3. Co-tenancy is hard. Architecture and process matter more than ever.
4. The best way to avoid failure is to fail constantly. This is one that many enterprises are unwilling to accept. Trading the expectation of uptime for the expectation of failure and architecting to tolerate failure.
5. Learn with real scale, not toy models. Buying a marketecture is not advisable, you need to test with your workloads, at scale.
6. Commit yourself. The cost motivator is not enough, the motivator has to me more.
7. Talent. The complexity and blast radius of what you are embarking on is significant, you need the right talent to execute.

The consumption and effective use of ever-changing and complex services require us to think differently. Netflix consumes services on AWS and because they don’t have to build hardware, install operating systems, build object storage platforms, write APIs to abstract and orchestrate the infrastructure, etc… they can focus on making their application more resilient by building platforms like the Simian Army (Netflix Technology Blog, 2011) and other tools like Hystrix (Netflix Technology Blog, 2012) and Visceral (Netflix Technology Blog, 2016). The biggest problem with technologies that seemingly make things simpler is that the mass-market consumer looks for cost saving, they look for things to become easier, to lessen the hard dollar spend, to lessen the spend on talent, etc… and they don’t redirect time or dollars to the new challenges created by new technologies, this is a recipe for disaster.

References

InfoQ. (2017, February 22). Mastering Chaos – A Netflix Guide to Microservices. Retrieved June 17, 2018, from https://youtu.be/CZ3wIuvmHeM

Netflix Technology Blog. (2010, December 16). 5 Lessons We’ve Learned Using AWS – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/5-lessons-weve-learned-using-aws-1f2a28588e4c

Netflix Technology Blog. (2011, July 19). The Netflix Simian Army – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/the-netflix-simian-army-16e57fbab116

Netflix Technology Blog. (2012, November 26). Introducing Hystrix for Resilience Engineering – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/introducing-hystrix-for-resilience-engineering-13531c1ab362

Netflix Technology Blog. (2016, August 03). Vizceral Open Source – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe

Townsend, K. (2016, February 17). 5 lessons IT learned from the Netflix cloud journey. Retrieved June 17, 2018, from https://www.techrepublic.com/article/5-lessons-it-learned-from-the-netflix-cloud-journey/

Essay Assignment

In an essay form, develop an example of an XSS vulnerability and an exploit which displays it. You will be expected to include a snippet of code which illustrates an XSS vulnerability and also provides some general discussion of XSS vulnerabilities.

[google-drive-embed url=”https://docs.google.com/document/d/1bdAAfGcwrgux3_DYSNcyIbWBvUGIDzyRMDYtLuv1u2g/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 7 – Assignment 1″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

Web Vulnerabilities Module Assignment

[google-drive-embed url=”https://docs.google.com/document/d/1-mA202z2ANNYRwkeK_LE-vOWVR-ioXGF9TD9TLRRVqk/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 7 – Assignment 2″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

Discussion Post

Discuss how testing of ani-malware should be conducted.

The only absolute rule seems to be, don’t conduct anti-malware testing on your production systems. Testing of anti-malware should be performed in an isolated malware testing environment, and care should be taken to ensure that the system is completely isolated. For example, if you construct a malware test lab using a hypervisor and virtual machines, but keep the virtual machines on your production network, well, let’s say that’s not isolated. If correctly set up and configured hypervisors and virtual machines can be a testers best friend.

The Anti-Malware Testing Standards Organization (AMTSO) had developed and documented all sorts of testing guidance from Principles of Testing to Facilitating Testing. The key here is that the testing method must be safe and it must use methods which are generally accepted (consistent, unbiased, transparent, empirical, etc.) (AMTSO, 2018)

The use of generally accepted tools and toolkits for malware research, testing and analysis can easily overcome certain testing obstacles, allowing the analyst to focus on the testing methodology rather than the acceptance of a specific testing tool or platform. Safely conducting testing and ensuring that you are not endangering yourself and others is the burden of the analyst; the complexity of the technologies being used to construct isolated environments and the malware itself can make this complicated, so there is plenty of room for error.

My two favorite toolkits for malware testing are:

• Flare VM (Kacherginsky, 2017) is essentially a PowerShell script that used BoxStarter and Chocolatey to turn a >= Windows 7 machine into a malware analysis distribution by quickly loading all the tools you need to do malware analysis.
• REMnux is a Linux distribution for malware analysis and reverse-engineering. Like Flare VM, REMnux contains a set of tools to perform malware analysis and reverse engineering. Because REMnux is built on Linux (an open source operating system), it can be deployed using an install script like Flare VM or via a virtual machine (VM) image which packages the OS and tools making it easy to download, deploy and use.

There are a plethora of security-focused Linux distributions like Kali Linux, Backbox Linux, and the distribution which I use, Parrot Linux. All of these Linux based security-focused distributions offer some of the tools required for malware analysis, but none are focused on malware analysis like REMnux.

Anti-malware is a requirement; it is the last line of defense. Simple malware scanners, heuristics, activity/anomaly-based detection, is not enough. Next generation anti-malware and real-time scanning and discovery is a necessity. Malware can be identified using real-time detection technologies by monitoring activities like:

• Attempts to alter restricted locations such as registry or startup files.
• Attempts to modify executables.
• Opening, deleting or editing files.
• Attempts to write to or modify the boot sector.
• Creating, accessing or adding macros to documents.

Not all anti-virus and anti-malware is created equal. avtest.org conducts independent analysis on the efficacy of anti-virus and anti-malware solutions, services like this can be an excellent resource for those looking to make the right decision when selecting anti-virus and anti-malware solutions.

I love this quote: “People have to understand that anti-virus is more like a seatbelt than an armored car: It might help you in an accident, but it might not,” Huger said. “There are some things you can do to make sure you don’t get into an accident in the first place, and those are the places to focus because things get dicey real quick when today’s malware gets past the outside defenses and onto the desktop.” (Kerbs, 2010)

References

Adams, J. (2016, June 8). Building a Vulnerability/Malware Test Lab. Retrieved June 6, 2018, from https://westoahu.hawaii.edu/cyber/building-a-vulnerability-malware-test-lab/

AMTSO. (2018, June 6). Welcome to the Anti-Malware Testing Standards Organization. Retrieved June 6, 2018, from https://www.amtso.org/

Kacherginsky, P. (2017, July 26). FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed! « FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed! Retrieved June 6, 2018, from https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

Kerbs, B. (2010, June 25). Krebs on Security. Retrieved June 6, 2018, from https://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

REMnux. (2018, June 6). REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware. Retrieved June 6, 2018, from https://remnux.org/

Williams, G. (2018, June 6). Detecting and Mitigating Cyber Threats and Attacks. Retrieved June 6, 2018, from https://www.coursera.org/learn/detecting-cyber-attacks/lecture/xE8ns/snort

Discussion Response 1

Good post. IMO it’s essential when discussing anti-malware to consider attack vectors. While anti-malware heuristics are getting better, aided by deep learning, the primary attack vector remains the user, and it seems unlikely that a change in trajectory is on the near-term horizon. Attackers use numerous attack vectors, and when I think about the needle used to inject the virus I think about examples such as:

• Spam: Where email or social media are the delivery mechanism for malware.
• Phishing, Spear Phishing, Spoofing, Pharming: Where attackers impersonate legitimate sources or destinations to trick unsuspecting victims to sites that capture personal information, exploit them, etc.

I use the examples above as a way to convey that exploitation often begins with the exploitation of an individual, this happens before the malware infects their system. A lack of knowledge, skill, vigilance, a sense of trust, etc. are all too often the root cause of an issue.

I just recently started taking a Coursera course called “Usable Security” and one area they focus on is HCI (Human-Computer Interaction). They stress how important it is for the designer to make the safeguards understandable and usable, not by the minority of experts but by the majority of casual users. They use two specific examples, at least so far. The first example is a medial cart with a proximity sensor. On paper, the proximity sensor seems like a great idea, but it turns out the doctors didn’t like it, so they covered the proximity sensors with styrofoam cups making the system less effective than the prior system which required the doctor to lock the computer after their session and a reasonable login timeout. The second is the SSL warning system in Firefox, the warning you get about an expired or unsigned certificate, sighting that most people don’t know what this means and add an exception without much thought.

Over the years I have observed the situations like the above with anti-malware software. The software slows the system down, do the tech user disables it or the anti-malware software reports so many false positives that the tech user disables it. The bottom line is there no replacement for human vigilance. I wonder if we can get to a place where the software can protect the user from himself or herself. Whatever the solution, I believe it will need to be frictionless, we aren’t there yet, but maybe someday.

References

Golbeck, J. (2018, June 10). Usable Security. Retrieved June 10, 2018, from https://www.coursera.org/learn/usable-security University of Maryland, College Park

Texas Tech University. (2018, June 10). Scams – Spam, Phishing, Spoofing and Pharming. Retrieved June 10, 2018, from https://www.ttu.edu/cybersecurity/lubbock/digital-life/digital-identity/scams-spam-phishing-spoofing-pharming.php

Discussion Response 2

All good points.  Seems almost inconceivable that a tester would be testing something for which they have no knowledge, but of course, we know this is often the case (and this goes way beyond anti-malware software).

You bring up a good point regarding what the tester is testing for. I think we have seen the era of “total security” products that cover everything from firewall to anti-malware, this is likely born from necessity and the need to move from reactive defensive anti-malware focused on scans to provocative strategies which attempt to keep the malware out rather than just focusing on detection and remediation after the fact. I think we are seeing systems emerge today which leverage data mining and deep learning to better protect users. With the level of sophistication being used in both malware and anti-malware I can’t imagine the role of the tester getting any easier. We live in interesting times and on a positive note, I think we can anticipate that they will only get more interesting.

Discussion Response 3

Good post. We’ve certainly seen some leaders in the security field have their ethics and motives questioned, most notably Kaspersky Lab (Volz, 2017). I have to admit in the case of Kaspersky Lab it’s hard to not wonder if this isn’t just a bunch of legislators who may have a bigger struggle with ethics and motivation than Kaspersky Lab does, this is a slippery slope. We live in a global economy and having read what Kaspersky Lab volunteered to do, I can’t wonder if this move may have some marketing flare associated with it. avtest.org has consistently rated Kaspersky Lab anti-malware among the best in the industry (AV-TEST, 2018). Is it possible that the Kremlin could have an influence on Kaspersky Lab? I suppose it is (Matlack, Riley & Robertson, 2015), but do I think this was the motivation for the legislation, not likely.

References

AV-TEST. (2018, April 06). AV-TEST – The Independent IT-Security Institute. Retrieved June 10, 2018, from https://www.av-test.org/en/award/2017/

Matlack, C., Riley, M., & Robertson, J. (2015, March 19). Cybersecurity: Kaspersky Has Close Ties to Russian Spies. Retrieved June 11, 2018, from https://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies

Volz, D. (2017, December 12). Trump signs into law U.S. government ban on Kaspersky Lab software. Retrieved June 10, 2018, from https://www.reuters.com/article/us-usa-cyber-kaspersky/trump-signs-into-law-u-s-government-ban-on-kaspersky-lab-software-idUSKBN1E62V4?utm_source=applenews

Essay Assignment

How does anti-malware software detect viruses? What techniques are available, and how do they differ?

[google-drive-embed url=”https://docs.google.com/document/d/1-5Gmk97WZQ5eKVcsoXGSzJ8VJIklMxLA7U-onkgc5-I/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 6 – Assignment 1″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]

Viruses and Virus Detection Module Assignment

[google-drive-embed url=”https://docs.google.com/document/d/1tgs93eHUzrPxTmzt2hOQt6XA9naQ3SKi7yvEd1df8w8/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 6 – Assignment 2″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]