Page 25 of 40

Enter The Monkey

February 7, 2016 / pkfavantedge / 0 Comments

To all our readers,

PKF Avant Edge wishes all of you a very prosperous Chinese New Year!

Every year, every business everywhere in this region grinds to a halt, this year being even worse than normal. Most times, we have the first four days of the new year cutting across the weekends. This year is the perfect storm. The Chinese New Year starts on a Monday.

This means for the first four days at least until Thursday, businesses won’t open. The fifth day, Friday is considered the wealth day, so some traditional businesses may open, but I don’t expect anyone to be closing huge sales. It would probably be more like a 3 hour lunch time kind of thing. Then it would be weekend, and after that, people will start dragging into the offices the following Monday.

For businesses like ours, we all know and concede that February is almost like a flat month. Not much sales, not much activities, and A LOT of holidays. But after this, the new year begins, and we are looking forward to the year of the Monkey. Yes, we expect enormous challenges especially in terms of ongoing projects and getting new ones, but everyone is in the same boat. With the continuing currency crisis and ongoing impasse in our government dealing with accusations of corruption, we are certainly at the crossroads in 2016 not just politically, but socioeconomically as well.

But enough of the harangue, let’s for the next few days put work and worries aside and look forward to a time with the young ones, family and the giving and receiving of Ang Pows!

Gong Xi Fa Chai!

The Usage of the PCI-DSS logo

January 26, 2016 / pkfavantedge / 4 Comments

Over recent weeks, we’ve been getting a lot of inquiries of PCI-DSS as it looks to pick up in Malaysia. From banks to financial institutions, to insurances, to data centers, BPOs and even software developers, this little compliance standard seems to be touching every part of the every verticals, as Malaysia (and the world) looks towards a society focused on cashless transactions.

More and more, in my meetings with partners and customers, we are seeing the usage of PCI-DSS Logos, and PCI-DSS Compliant symbols in their websites, in their presentation slides and marketing collateral. Unless it comes with a statement to it, for instance you are directly referencing the PCI-SSC in its logo usage, our suggestion is this: Stop using those logos. The SSC has already sent out a circular way back in 2011 addressing the profusion of these “I am PCI-Compliant”, PCI-compliant website seal, PCI-Certified Level 1 Logo etc..and they are basically saying: Unless you are a QSA, you are not allowed to use any of these logos for your own purposes.

Instead, we suggest to either have a link to your certification copy directly from your QSA. Many QSAs provide that and they can attest your compliance easily. This could be a link to the AoC (rare but like AWS, is possible), or simply a seal provided by the QSA (not PCI-DSS Logo seal), if your QSA provides it. All attestation should be QSA specific and not led to believe that the PCI-SSC directly endorses the site or company as PCI-DSS Certified.

I suppose this is to deter companies from falsely advertising their status. As we know, PCI-DSS is based on scope and location. By putting a PCI-DSS logo, it might lead customers to believe that the particular business process (for instance Manage Services) is PCI certified, whereas the actual certification is only on Physical Data Center services (example). Furthermore we have seen unscrupulous software companies advertising their solutions as ‘PA-DSS’ certified along with the logo, but when sold to our customers, is actually the version that is NOT certified, and therefore, our customers paid for something that is non-existent.

Be careful! And stop using PCI-DSS logo indiscriminately!

Here is the full statement direct from the PCI Council:

ASV scans – who needs it?

January 22, 2016 / pkfavantedge / 0 Comments

One of the often asked questions we face after dealing with PCI-DSS (Payment Card Industry Data Security Standards) for the past 5 years is also often the simplest. Who needs to do ASV scan?

ASV stands for Approved Scanning Vendors. These are the guys that has been approved to do public scans for PCI clients, by the PCI-SSC (that’s like the Jedi council made up of Master Card and his minions.) Anyway, the ASV scans apply only on external facing IP addresses IN SCOPE.

This is very confusing, because often, our clients will give us a small set of IP, or either a gargantuan set of IPs like 10.x.x.x (yes, that’s an internal zone, so that’s where the education begins), or some give us their entire C class of their ISP.

Technically, the scope is defined by the merchants or service provider (NOT the ASV or QSA). However, if you are undergoing a full PCI program, we will obviously have more knowledge on your network and we can help you define your scope appropriately. Else, if you are a cold call ASV client, we will generally rely on your scan scope provided to us and scan those IP or IP ranges. We prefer you to provide us a set of IP host address, although we can technically do a network range, but the pricing might vary more.

So who needs to do it?

Anyone undergoing PCI.

Who has a public IP address. This includes not just servers, but routers, VPNs, network devices and even POS devices. If you are an ecommerce company, then you will likely have public IP address. If you are a retailer and using IP based POS, then these need to be included. If you have DNS, mail servers that belong to you, then those need to be included.

Whether you are a level 1 merchant or a level 4 merchant, whether you are a level 1 or 2 service provider – you need the ASV scan. The only companies that don’t require it are companies who have no internet capability. This is rare, but lets say a mom and pop grocery store who uses dial up POS provided by the acquirer or a knuckle buster.

Else, if you are undergoing PCI, you best get ready for the ASV scan.

So to summarise the process:

a) Define which addresses are in scope and are PUBLICLY assessible. His includes any IPs that are filtered by firewall.

b) Provide these IPs to the ASV vendor and the ASV will provide a range of source IPs to whitelist. We get some questions: why do we need to whitelist? Why can’t you guys just do the testing without whitelisting? Because ASV scans are not expensive, and we need to get it done fast, so we generally don’t have time to 100% simulate a slow burn attack that most actual attacks might face, who can afford to do that because they are not charging you and they are actually trying to get in.

c) Allow the ASV to do their job. We often get clients giving us like 20 IP addresses, ask us to scan and n half a day demand for a report. Here is the difference between those peddling free unlimited ASV scans vs actual ASV scans = the free unlimited scans do not come with manual verification of findings. So you get say 40 vulnerabilities listed in a colorful chart – you generally need to go through these 40 and address them one by one (whether its an actual vulnerability of not!). For us, we take a few days to plow through the vulnerabilities and remove the false positives by doing a manual verification process, which might include manually checking if, say the system is actually providing an actual information, or it could just be a fingerprinting of OS that got screwed up. That way, we can hash that 40 down to say 10 or less, and makes it less of a chore for you. So beware of ‘Free’ ASV. Nothing in life is Free. Except sunlight and air. And that too is being charged in some countries.

d) Once its done, we release a preliminary report and go through with you what needs to be done. Generally all medium – high issues need to be addressed. In most cases we see are SSL related issues. If it is, good news is that you can move your mitigation plan to June 2018 and buy some grace period. All we require is a formal mitigation plan and we will pass the ASV.

e) ASV needs to be done every quarter.So technically, your ASV report has an expiry (of 3 months from the scanned date). But in some instances, ASV providers such as Control Case allows you to define the quarter in a more precise term. The moment the PO arrives to us, we start counting the quarter. For instance, if it starts today (say date X), then the first quarter will end 3 months from today (say, date Y). You can scan at ANY time in this quarter and it will be good up to the date of Y. So technically, you can scan right at the end of the first quarter (pass Q1) and immediately when you go into Q2, start scanning for Q2. Depending on your ASV provider, your mileage may vary but we’ve worked with a few before and it seems to be a pretty consistent interpretation of quarters.

The ASV scan is by far, one of the least complicated things in PCI. However, don’t underestimate the effort. We had clients who thought one week was plenty enough to do ASV and they missed their quarter scan because we need CLEAN results. If we cannot get clean results (all medium-high issues solved), we cannot pass the ASV. If we cannot pass within the deadline, you miss your Quarter and there is no turning back. It will cause you to have problem when you re-certify for the coming year for PCI-DSS.

Good luck, and start early!

Alienvault Update: Setting Up Logging

October 14, 2015 / pkfavantedge / 0 Comments

I know we sort of touched on this a few weeks back, but due to the new updates, we will need to revisit this again.

First of all, AlienVault can collect logs in a variety of ways:

a) Device sends logs = this is a classic syslog server set up. Previously we had to go through the rustic rsyslog set up etc in order to get the systems to talk to us. Not anymore. With the new updates, AV sets up easier, faster and less typing needed.

b) AV collects logs = there are several ways AV does that. One is through database plugins, where AV talks direct to the database and gets information from tables. Another way is through Windows Management Istrumentation (WMI), Security device event exchange (SDEE for CISCO).

c) AV collects through HIDS (where you install host intrusion agent for windows and LINUX)

We are going to explore the normal ways which is through a) and c). The B) method is a little advanced and we’ll look at it separately.

For basic logging, get your device to first send logs over to AV.

You will find it hard to believe, but this can be fantastically difficult, especially if your client is not up to par in terms of technicality. One example is that they are not even knowledgeable of their own network. Usually we do just a packet inspection on our interface and if I don’t see stuff coming in from your device, I handoff to you.

Except we don’t.

In PKF Avant Edge, we take responsibility even when it’s clearly NOT our responsibility. It’s silly but unfortunately it’s in our DNA to solve problems even if its not ours.

We have some experience where we troubleshoot for our clients up to firewall policies to be enabled, routing to be enabled etc. if I get 1RM everytime I hear a client say, “No firewall, no ACL! There is no filtering, problem is on your side”, I will be a millionaire. No kidding. It helps that our background is in NOC (network operations centre), so we don’t get bullied too often by network admins.

Once AV receives the logs, all we need to do is to go to ASSET -> Detail and in the tab ‘Plugins’, click on it and select the plugin to enable. Once done, your system is being monitored automatically. There should be a ‘receiving’ under the plugin. To be sure, you can go to command line and type avdevicelog (assuming you’ve put in the alias as suggested in previous post) and you should see a folder with the IP addresses of the systems you are receiving logs in. Go to the folder and just tail -f the file there.

If you see ‘No’ under the receiving data, don’t worry. AV sometimes gets confused as well. Just check the actual logs if it’s in there. Furthermore, go to avagentlog and cat agent.log | grep <pluginid>. You should see quite a fair bit of things here. For instance:

Oct 14 08:48:52 VirtualUSMAllInOne ossim-agent: Alienvault-Agent[INFO]: Plugin[1686] Total lines [14457] TotalEvents:[14457] EPS: [0.00] elapsed [10.01] seconds

This shows that Alienvault is seeing a total lines 14,457 and processing these as events. It means its working.

For an idea where its mapping, go to /etc/ossim/agent and more config.yml. You should see the device-log file mapping for example

– /etc/ossim/agent/plugins/vmware-esxi.cfg:
DEFAULT: {device: 192.168.0.38, device_id: 29b1cd29-70ac-11e5-a5e9-000c93c2e358}
config: {location: /var/log/alienvault/devices/192.168.0.38/192.168.0.38.log}

If you see logs coming in but no events, remember – Logs become events become alarms.

That probably would mean your plugin isn’t interpreting the logs properly, and it’s time to dive into creating a plugin or modifying a plugin.

We recommend to copy the plugin and create a new plugin altogether.

For instance, when our Juniper logs had additional dates in there due to an intermediate logger, we created a new plugin, but used the old Juniper plugin and just changed the regex to handle the new fields and it worked terrifically.

Remember a new plugin also requires a new corresponding SQL file, which are found in avsql (if you use the alias we suggested).

Writing plugins is another article. For now, you have successfully set AV up to receive logs, create events and create alarms. No need to set up rsyslog command line anymore and no need to enable those plugins through the alienvault-setup menu. Just go asset->Details->Plugins and you are good to go!

AlienVault Update and Some Tricks

October 13, 2015 / pkfavantedge / 0 Comments

It’s been a while since we updated on AV, and that’s because we’ve been busy with some POCs and Installations.

Since the last post, quite a lot has changed about AV – and all to make it a lot easier to set it up. Before we go into a detail post on it, here are some extra tricks in creating some helpful shortcuts:

Create in /etc/bash.bashrc

alias avsql='cd /usr/share/doc/ossim-mysql/contrib/plugins'
alias avplugins='cd /etc/ossim/agent/plugins'
alias avdevicelog='cd /var/log/alienvault/devices'
alias avagentlog='cd /var/log/alienvault/agent'
alias avhidslog='cd /var/ossec/logs/alerts/'
alias ossimlog='cd /var/ossim/logs/'
alias configyml='more /etc/ossim/agent/config.yml'
alias ossecdecoder='cd /var/ossec/alienvault/decoders/'
alias ossecrule='cd /var/ossec/alienvault/rules/'
alias avarchivelog='cd /var/ossec/logs/archives/'

Each of these basically will have a lot of use, and you will be going back and forth if you are implementing AV or troubleshooting it – so its best we set these aliases early.

What these mean is that instead of typing cd etc etc, we just type in avsql, avplugins etc to go to their respective directories.

AVSQL = this leads to the sql directory for the plugins, where you will need to go when you implement a plugin and put in the cfg and sql file..

AVPLUGINS = this is where you need to go for the cfg file for the plugin

AVDEVICELOG = very useful directory. Basically any log devices (devices sending logs to AV), will appear here. This is big move away from the traditional rsyslog setup whereby we need to go through all the crazy set up = over here, we just enable the plugin on the asset detail page -> Plugins and voila, it’s auto set up for you. I must say, this is well done, AV for making it less painful.

AVAGENTLOG = this is for troubleshooting the HIDS or even plugins. Agent.log should show whether your plugins are working or not. Just cat agent.log | grep <pluginid> for an idea whether the plugin is correctly loading.

Now, this is a quick one, but the new version 5.2 is out already and it really solves some issues.

Here is a snapshot!

Underlying OS upgrade

AlienVault USM and OSSIM v5.2 include an update to the underlying operating system to improve general performance, stability, and reliability. The AlienVault OS is based on Debian, which will update from Debian 6 ‘Squeeze’ to Debian 8 ‘Jessie’. All libraries, kernel, and software will be updated; therefore the update option is only available from the AlienVault Setup menu (both online and offline), not from the web interface. Note: Please read the instructions prior to upgrading.

Improvements for USM only:

Rapid report delivery
- Updates to existing reports will now be delivered separately from platform updates. The new reporting framework will allow for more frequent updates and improvements to report used to prove compliance and measure security status.
Reporting improvements
- Simplified user interface in reports list and report module list
- Enhanced visual design of PDF and HTML report output
- Ability to “print” pages in the UI for customers so that customers can share information with other team members without giving them access to the system
Audit-ready compliance reports
- Based on feedback from auditors and compliance experts, AlienVault delivers over 30 new audit-ready reports for PCI-DSS 3.1 and HIPAA to answer the most common questions from auditors.
OTX reports
- Identify emerging threats targeting you environment by reporting on events that contain suspicious IP addresses from the OTX IP Reputation database and report on events generated from IOC’s that have been identified in OTX pulses.

PKF AvantEdge

Page 25 of 40

Enter The Monkey

The Usage of the PCI-DSS logo

ASV scans – who needs it?

Alienvault Update: Setting Up Logging

AlienVault Update and Some Tricks

Recent Posts

Categories

Calendar

Disclaimer