Category: AlienVault (Page 6 of 7)

OSSIM Part 1: Getting Started

After getting our hands wet on AlienVault, another demand we have technically from clients is OSSIM. OSSIM here means Open Source Security Information Management – the open source variant of AlienVault. We can explore the differences in another post, but in this post, let’s get our hands dirty with this AlienVault cousin.

First of all, we are back where we started with VMWARE. I will assume we have a running vmware install, in our case its ESXi 5.1 and managing through SSH and Vsphere.

1) Create a Virtual Machine for OSSIM

It sounds more intuitive than it really is, but VMWare continues to annoy us. Here we just click on File->New->Virtual Machine. Do note for AlienVault it was an OVF image we deployed. For OSSIM, it will be an ISO image, so we first need to create the Virtual Host first.

Go through the wizard and we basically went for the typical installation. We got a little stuck at the Guest Operating System though. We were supposed to load the ISO from the datastore, so in this case, we just randomly selected a 64-bit OS under ‘Others’. Don’t think it will make any difference if we selected anything else, since OSSIM install will basically take over the OS.

2) ISO load up

Once created we need to get the ISO (650MB) into our machine. It’s quite annoying because I was running through a VPN and I tried to WinSCP or SFTP from my laptop to the host and from the host, copy it to datastore. However, the line keeps dying after 200mb transferred and I could never fix it. I don’t know why. Maybe there is a limit or something.

So we went the conventional route:

a) Put the ISO into the datastore – Click on the host (not the VM) and click on Configuration Tab. You will see a datastore there. Select it, right click> Browse Datastore. On the little tabs, click on ‘Upload files to this datastore’, and select your local OSSIM iso and upload it away.

It’s magnificently slow, but it seems to work, and all 600+ MB of the payload was sent into the datastore.

b) Right click on the new OSSIM VM>Edit Settings>CD/DVD Drive

You want to click on ‘Connect at Power on’ and also Datastore ISO File. Go ahead and browse the datastore and select the ISO image you just put into the datastore.

3) Start your engines

So load her up. It will boot into the OSSIM installation menu and basically we did all defaults, and allocated an IP address and let it install

4) Post Installation

We did face a problem after the installation. The OSSIM Console hung at with the ‘VMWARE’ logo and ‘waiting for connection’. We powered off the OSSIM, went back to the CD/DVD drive setting and remove the ‘Connect at power on’ option.

Voila.

The familiar face of the happy Alien greeted us and yes it takes pretty long to boot up just like her commercial cousin. Get a coffee, and we can then dive deeper into OSSIM.

Guarding Yourself From Internet Intrusions

I generally store all my customers’ project data in folders and back them up on a weekly basis. May was crazy as it was the first time for everyone filing their GST with Customs Malaysia. To cut to the story, I was so busy that I didn’t do any backups for three weeks in a row. Guess what? I got attacked! An extremely bad case of internet intrusion that made me cried tears of anguish.
I was ‘googling’ for something that I was researching on and went into a website that looked ‘harmless’. My laptop was on Norton Antivirus Program. No alert or red flag went up but 10 minutes later, I couldn’t access any of Excel or Word docs. There was an additional notepad document in each of my folders. I knew I’ve been attacked right away.

I opened the notepad to read the message – I need to know what virus I’ve been infected with to decide what my next move should be.

So, it’s Cryptowall 3.0. It’s one of the newer versions of ransomware and so far, no available ‘key’ available to decrypt. There are many others out there that have been decrypted by helpful forum-ers but not Cryptowall 3.0. They want money before my files can be decrypted. There’s never been proven that if you pay them, they would give you the key to decrypt the files and it is my belief that we should never encourage these people to bribe and threaten in this manner.

Rather than crying over spilt milk, time for me to assess how to restore and clean my laptop. This is what I did.

1) Restore
Restore from my backups that were three weeks’ ago. Unfortunately, the work that I had done after my last back-ups was a lot. Not good. However, Microsoft does have feature that is very useful – ‘Restore Previous Version’
If you right-click on each folder, there is an option to select the restoration date of your folders. It is a life saver in many ways – you may not get your latest but it saves you tons of hours of trying to figure out what you done on your documents for the past three weeks – in my case. So, it was an ardous task of right-clicking on ALL my folders and restoring them to the so-called ‘latest’ version.

2) Anti-virus program re-assessment
Many times, it could be our own fault that we don’t update the latest virus update. In my case, it is auto-updated. So, go figure. I checked that I was still on auto-update mode for the program but the virus attacked anyway. We need to know that t here are no virus-proof programs. Hackers come up with new viruses on a daily basis. If you visit AlienVault’s OpenTreatExchange (OTX) forum; the viral list grows everyday. It is to our own benefit to be preventive rather than reactive when it comes to being on the alert and to ensure that we have a reasonable Internet Security Application in place of work.

3) Cleaning up my laptop
For those not in the know, there many forums available for poor ‘infected’ souls like us, who are willing to help clean up and make sure our laptops are running back in tip-top condition. It would be very foolish ( I repeat, foolish) to not do a proper clean-up after being infected as you may risk your files being encrypted again. Using Norton to clean-up is probably the bare minimum you should do; however, I wanted to be very sure. Speaking of forums, I have always gone to two forums which has helped me answer questions about all sorts of stuff about Internet Security & etc.
a) http://www.bleepingcomputer.com
b) http://forums.whatthetech.com/index.php?showtopic=129712&hl=
In my case, I decided to go to whatthetech. If you are a registered user of any of these forums, they will go through each step to help you. You can view my thread on how the clean-up process went from the link I’ve provided. No obligation to pay but donations are most welcomed by the folks that dedicate their time on the forums. (This article is not paid or asked by whatthetech).

4) Some things to take note
• Avoid P2P file sharing programmes; they are a security risk which can make your  computer susceptible to malware. File sharing networks are thoroughly infested with malware – worms, backdoor Trojans, IRCBots, and rootkits propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages
may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. The best way to reduce the risk of infection is to avoid these types of web sites and P2P programmes
• Registry cleaners and optimization tools that claim to speed up your computer should be avoided, and are potentially dangerous. By running a registry cleaner you risk rendering your machine unbootable.
• Personal Data Sharing: Wild Tangent Games – Did you know that if you own an ACER laptop/desktop, Wild Tangent Games are PRE-INSTALLED? Apparently, ACER has a partnership with them. What you need to know is:-
The privacy policy of Wild Tangent Games; by default, will indicate that you had agree to advertisements by WildTangent, third parties and brand studies whereby you had allowed WildTangent Games to collect certain personal information.
This was discovered by whatthetech consultant that was helping me. So, if you own an ACER laptop, beware and uninstall all Wild Tangent Games. [Check out my piece about Personal Data and PDPA Malaysia – http://www.pkfavantedge.com/pdpa/the-iot-internet-of-things-my-personal-experience/]

5) Back-up Frequently
Back-up, Back-up, Back-up. I cannot emphasize the importance of this exercise. Back-up at least once a week; especially if you have done a lot of work that week. You may choose to back-up your personal and work items separately in terms of frequency, but back-up all your precious memories and work.
My viral attack drama ends here. I certainly do not wish this drama on anyone.

Be SAFE!!!

For Internet Security Applications advisory or PDPA training, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

The IOT (Internet of Things) : My Personal Experience

ThumbPrint

ThumbPrint

Unless you have been living in a cave or on a secluded island without internet connection, you may have come across the term ‘Internet of Things’ or IoT. According to Gartner, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

Living in an era where we have easy access to information at the tip of our fingers is now taken for granted. Going out of your home without your smart phone is absolutely unthinkable – well, at least for me. I can be connected with my friends & family members anytime and anywhere – it can’t get better than that right? Well, let’s re-think this carefully.

Security
I am a huge fan of Strava application. This mobile application uses GPS and mobile data to track your activity (be it cycling or running) – it tracks your mileage, exercise effort level (wattage), time taken to complete the activity and then, further provides data on your ranking against other Strava users on the same activity/route. As I cycle and run competitively as a ‘hobby’, Strava is a great way for me to track my improvements and also pit myself against my friends to be the Queen Of Mountain of a certain mountain anywhere in the world. Awesome! – well, maybe….

The great thing with Strava is that it is connected to Facebook. In fact, if you use your Garmin to track your activity, you can set up your Garmin to connect seamlessly to Strava on every activity tracked on Garmin. Notice the word I’ve used here: SEAMLESSLY. Yes, it is that easy. Friends on Facebook are able to know where I was or where I am currently at based on my post through Strava.  Now, my friends can like my activity and comment as well. Let’s just say that a friend of my Facebook friend intends to track me and know my current whereabouts, s/he can definitely find all that information via Facebook. If s/he intends to break-in to my home (assuming s/he knows where I live), can do so as well – because I am not at home – I’m still cycling back to my house. Dangerous? Am I inviting trouble? You bet! The internet of things have enabled different types of devices to be connected seamlessly and we love that; however, have we ever stopped to think of the danger that we’re opening ourselves up to? It doesn’t take much to be information technology savvy to track a person’s whereabouts.

We love to tell our Facebook friends where we are at by posting “Agnes Yew checked in at Mid Valley” or “Agnes Yew checked in at Madam Kwan, Mid Valley City”. Have you ever stopped to think that we’re providing information to people on our whereabouts willingly and this could be used to our disadvantage?

Time to stop and think…

Data Breach
Ashley Madison was recently hacked and it was let out that the hackers had access to its customer database and have posted the information on a public website for all to see. Ashley Madison is a discreet website which allows their customers to hook up with other folks who are interested in dabbling in a little fun outside the marriage bed. If you were a registered customer (married or attached) of Ashley Madison, you’ll be jumping or maybe peeing in your pants as the list of customers are now in the hands of hackers and shared on a public website.

Personal data is very much valued by consumer marketing companies and anyone who has access to a database has the upper hand to sell that information. I’ve been bombarded with these annoying SMS(es) on properties going on sale and what not every day. Yes, every day. I have to add these numbers under SPAM. It’s annoying as I don’t know where and how they got my mobile number. It could be when I got on the internet and signed up for some newsletter and I did not read the fine print and,or, I did not un-check a box to unsubscribe.

The Personal Data Protection Act in Malaysia was gazetted in 2010 and has been in enforcement from April 2013 on-wards. PDPA is supposed to protect consumers whereby companies holding our personal data are obligated to set up policies and a structured framework to ensure that the data is stored safely and not be leaked out. In my opinion, Malaysia is still in its infancy in comparison to US or EU, in terms setting up a stringent DPA (Data Protection Act) framework. Companies are not investing in being PDPA compliant unless they are required to by the Ministry. At the moment, the Finance, Telecommunications and health industry players are required to be PDPA compliant.

As a Malaysian consumer, we have every right to be concerned if companies managing our personal data are not enforcing a certain measure of security to ensure that our data is safely kept. Companies in Europe and US are willing to invest huge dollars in a Security Information Event Management (SIEM) solution to manage internet threat intrusions. At the moment, the Multimedia and Communication Ministry has not published any data on companies in Malaysia that are allocating budgets for SIEM or some sort of Internet Security application.
Time to stop and think….

How to Be Safe
I want to be safe. I want my family members to be safe as well. What measures am I taking to make sure that only people I want to know about me, know about me?
• I and my family members do not post our actual profile pictures on Watsapp, LINE and Facebook.
• I clean up my friends’ list in Facebook every three months. ‘Friend of Friends’ will be deleted.
• I read and uncheck boxes when I sign up for newsletter/etc. online. I read the fine print.
• I do not post my Strava activity until I get home – Announcing that I am Queen of Mountain can wait.
• I do not ‘check in’ to any location using Facebook. Yes, I may miss getting some discounts from that restaurant or shop by not checking in but I really don’t think it is worth letting people know where I am at.
• I block all sms’ numbers that are marketing in nature and park them under SPAM.

Different folks may have different appetites of risk tolerance towards being bombarded by SPAM or wanting to let the world know what they are doing or where they are at. The effort level you put into ensuring that you and your family members are safe is a choice and for me, is a very important choice.
Stop and think…..

For PDPA Training/Advisory or Internet Security Applications, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

PDPA Training – Tropicana Medical Centre

tropicana-medical-center-logo

We had the privilege recently to conduct our PDPA Assessment Training to Tropicana Medical Centre – to almost 40 people over 2 sessions. We touched on several topics, including a live demonstration of using software for hacking and personal data collection through the internet. Furthermore, we went through the Personal Data Protection Act – and more importantly how to implement into companies.

Each companies have different implementation – each has different DNA and risk profile. The important thing is not to just use PDPA Act as a blanket implementation, but tie the requirements of PDPA (or the spirit of it, as we say) to known standards – the General Accepted Privacy Principles (GAPP) from AICPA and the Health Insurance Portability and Accountability Act (HIPAA), as well as the well known ISO27001 and PCI-DSS for IT controls.

IT Controls are generally important to the implementation of PDPA due to the fact that in most companies, information has been digitised and stored in some database or some logical storage (as opposed to metal cabinets as days of old).

Aside from those, we went through a very useful demonstration of Alien Vault, as a way to control assets, secure the network and monitor traffic to ensure information is not breached.

AlienVault Setup 2: Deploying into your network

Deployment of AlienVault generally will depend on your network complexity.

For us, we only have an AIO (All In One). While this is great, the lack of sensors make network visibility limited. Basically we can see traffic within the network segment we are connected to. Another issue here is that everyone can see/ping the AV server, which generally isn’t too great. Let’s call this the Invasion Approach. Everyone sees the Alien Ship invading the network.

Another scenario would be to segment your network and deploy remote sensors in each segment and sends back data to a secure segment – we call this the Mother Ship Approach, where these little alien ships send back information to the big mother ship in space – like that Independence Day movie.

Another scenario would be to have multi-server, multi-sensors. We will call this the Divide and Conquer strategy. This makes the whole SIEM infrastructure harder to compromise, lowering its visibility to other devices and also distributes workload over different areas.

Remember – anyone hacking into the SIEM has access to a whole lot of informatin so its worth defending.

For our deployment scenario, we are deploying it for IDS, network vulnerability and asset management purposes – and will be doing it on a SPAN port in our main switch.

Now, let’s get some information.

For more details on Alien Vault products and services, please drop us an email at alienvault@pkfmalaysia.com

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑