Thoughts on DLP in modern business…

What does it mean to implement DLP?? So far as I have seen; each vendor has his own view on how to enforce DLP within the organization and how to manage it.

The reason of what brought DLP to the surface is that I had a discussion with one of my customers on DLP enforcement and how to manage it within his infrastructure. While reviewing Email encryption solutions by Sophos and Symantec last week; I found that each vendor has his own concept “if we may call it like that” on DLP and how to manage and enforce it.

First, let me state my own view of DLP; DLP is a technology that helps the organization to own the information/data and prevent leaking those information/data out.

Modern information/data is stored in different locations now, some examples:

- ERP/CRM data.

- Email, Office files, PDF documents.

- SharePoint and similar portals.

- Laptops, USB memory sticks, and portable hard disks.

Helping any organization to control data on the above sources is not easy and could be done in several manners and ways, based on my findings; I will share some thoughts with people thinking about rolling out DLP in their infrastructure:

- DLP is not controlling physical ports (USB, serial, firewire ports..Etc).

- DLP is not DRM nor Encryption.

- Permissions help in controlling the data access, but when the data is accessed; a malicious consumer of the data could share them with 3^rd parties or leak them out either intentionally or unintentionally.

- Internal users do most of the hacks/leaks.

- Encrypting the data might help in DLP, but will not help in controlling what happens if a malicious user decrypted them or encryption algorithm is broken, Also encrypting the data might not help when the organization need to share All/some data with authorized 3^rd party.

- If the IT department secured physical ports/access, what about leaking the data out using corporate emails or worst, personal emails.

- How you will classify data as corporate and how you will classify data as none-corporate.

- Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases or data copied from documents and sent as emails.

- How data will be shared with 3^rd party and secured outside the organization’s control circle.

- Monitoring, logging and alerting, and feeding other 3^rd party security applications that are used by the security team.

- What about endusers experience, do we need any input from users?

- What about data in the cloud?!

As you can read from the above, DLP will never be a single solution/technology, DLP is a mix of solutions, technologies and processes that govern the data inside the corporate.

Hope that the above thoughts will shed some light and ring some bells in your head when thinking about DLP.

The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz

Part1: The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz

http://goo.gl/FtWbi

Part3:http://autodiscover.wordpress.com/2012/09/10/the-new-file-serverpart3-using-file-classification-adrms-microsoft-winserv-2012-mvpbuzz/

http://goo.gl/A4JlC

In Part 2 of this blog series, We will continue our exploration of the new File Server functionality, In order to complete our journey we will stop by one of my favourite but less fortunate features, Active Directory Rights Management Server.

Active Directory Rights Management Server or AD RMS has been around for several years, and for hidden and secret reasons it wasn’t adopted by a lot of customers, although I believe it is one of the most important features of Windows Server.

What is Active Directory Rights Management Services?

An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:

• Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential – read only” that can be applied directly to the information.
• Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
• Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

More Information: http://technet.microsoft.com/en-us/library/cc771627(v=ws.10).aspx

In this blog we will install AD RMS on a new Windows Server 2012 machine, this machine will be used later in my next blog post for Data Classification and policy enforcement.

Installing Active Directory Rights Management Server in Windows Server 2012:

The AD RMS setup has been dramatically improved, in the old days it was hard, and even the improved setup experience in Windows 2008 is no match for the improved setup in Windows Server 2012, and as you can expect everything is controlled by the server manager so to install AD RMS, open the Sever manager and Select Add Roles and Features, from there select AD RMS, Once installed, the Server Manager will tell you that there is pending configuration

In the following screen, select the perform additional configuration:

and in the welcome screen click next:

In the AD RMS Cluster, and since this is the first server, we will create a new cluster:

In the Configuration Database, I will use internal Database, this is a lab environment but make sure to have the proper SQL installation in place if you are using the ADRMS setup in production:

In the Service Account, type in a designated service account, this is a normal account with special permissions (if you are installing the AD RMS on a DC”for testing”, this account must be a member of the Builtin “Administrators” group:

In the Cryptographic mode, Select mode-2 it is much more secure:

In the Key Storage, I will choose to use AD RMS to store the Key:

In the key password, supply a password to protect the key:

In the AD RMS Website, Select the Web Site that will host the AD RMS web services:

In the Cluster Address, Specify the FQDN that will be used my the clients to communicate with the AD RMS Server and the transport protocol, I will keep it simple and choose the HTTP, however you might want to use HTTPS since it is more secure:

In the Server Licensor Certificate name, specify a name for the certificate, and click next:

In the AD RMS service registration, register the AD RMS SCP unless for mysterious reasons you want to do it later:

In the installation summary, review the installation and click install:

Congrats, once finished you then you completed the AD RMS installation, you can configure templates and additional configuration.

In the next blog post, we will see how we can use the AD RMS and Data classification infrastructure to protect valuable and confidential data, on file shares.

The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz

Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz

http://goo.gl/dRHro

Part3:http://autodiscover.wordpress.com/2012/09/10/the-new-file-serverpart3-using-file-classification-adrms-microsoft-winserv-2012-mvpbuzz/

http://goo.gl/A4JlC

I am so excited about the new Windows Server 2012, a lot of nice features and a lot of enhancement but one particular enhancement I am so interested in was around file servers.

for years, File Servers have been the same, a normal share that resides on the server and accessed by users, that is what they are and what they do, nothing new to introduce.

But with the recent increase of security demand, and huge need for DLP (Data leak prevention) and with the believe that most of leaks happens from employees not from hackers or intruders, companies kept looking to enhance their file servers.

The question now days is not about who is accessing the files, but it is about auditing that access, continuously enforcing that access, controlling the access and additionally knowing what is on that share and what sort of data inside and from where it is accessed.

let us take a normal example, a file share is located on corporate network, in the old days the control was only enforced by the File share and NTFS permissions, but there are some catches:

• if the user has permissions to access the file share, he can access it from everywhere, he can access it from a kiosk on the hotel, from his IPAD or tablet device without any control, as long as he has access to data using permissions he can do access it from anywhere (provided that there is a remote access).
• if he got access to the share, does that mean that he is allowed to access the data within the share, for example a share that is created for the R&D team contains all the R&D files, but not all R&D team members ]have the same level of access, now if a confidential file has been mistakenly placed on the share, all of the users who have access to the share can see the confidential data. although users should be aware about data confidentiality, but the company must be able to continuously control the data access on the data files themselves without warring about human mistakes which happens, and this is a big portion of the DLP controls.
• Controlling Access properties using groups are really tricky, and more often groups are created to reflect access criteria, so we have a group for Egypt’s Accountants, and another group for Qatar’s Accountants, and a third groups for Egypt’s Accountants with confidential data…etc and group counts can grow and grow to thousands and thousands of groups to reflect the needed level of access.

Windows Server 2012 comes with a lot of handy features that we will explore in this blog series, talking about Access Conditions, Data Classification, Dynamic Access Controls and Rights Management enforcement.

In Part1, we will explore the new security permissions wizard and the new device permissions in Windows Server 2012.

(My lab setup contains only 1 Domain Controller and 1 file Server both running Windows Server 2012 ENT Edition).

NTFS permissions and the new Device Rules:

I have now a normal file share that is shared with the finance admin group:

This is a normal group that has been created in AD and contains one user account (Finance User) who is a finance admin, he has read only access permissions, this is what we have been doing for the past 20 years.

Now, the company wants him to access the share only from specific group of computers (for the sake of this blog we will use normal blog, in part 3 we will talk about claims based authentication where we will explore claims authentication and we will be able to query the device claims on the fly for more properties and control and access dynamically).

Now I created a Group and Placed Finance User1 computer in it (in this case the File Server), this means that if he logs from the DC on that file share he will not be able to access it. let us see how:

If we go to the Security properties and the advanced share permissions, we can see the FinanceAdmin read and execute permissions, if we click Edit:

We Will see the new security permission wizard:

The above wizard has been enhanced to reflect more usability and control over the process, and also a new section called conditions, let us explore this condition section.

If you click Add a Condition , you will get a new line of condition to control the access:

now we can place some conditions on the user how is accessing, the resource he is trying to access or the device he is accessing from, now let us create a condition to give the user access from a specific device, the device can only be queried about its group membership in later blog post we will see how to query for more properties using claims, now we can select if it is a member of any or each or not member of specific groups, I will control using any and specific my group:

My rule will control the access based on the AllowedFinancePCs which contains the computers from where the financeadmin group can use to access the files, they can login to any device in the corporate by only access the files if they use specific devices to access it “Sweeeeeeeet” :

Now, The final Security permissions will be like:

Now let us try it:

I logged on locally to the Fileserver, when I try to access the file I can’t although I have the permission and login locally but I am not using the authorized machine to do that:

if we examine the permissions using the effective permissions. if the user tries to login from the 2008DC machine he will have no permissions:

But if he tries from another machine from the allowedFinancePC group, he will have read permissions:

Note: During my lab I have tried the above setup and didn’t work, although conditions worked correctly for users, it looks like something that needs to be enabled or configured in specific way, I am pinging Microsoft folks and when I reach a solution I will update this blog.

 

In this lab we have explored the new options for setting access permissions, this is very powerful controlling who and from where can access the data.

In the next blog we will see the power of data classification in Windows Server 2012, Stay Tuned.

Alarm about the Disttrack/Shamoon Malware

got this handy email from TrenMicro, would like to share it with you:

Disttrack/Shamoon Malware Overwrites Files

Last week reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A via pattern file 9.328.04.

Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

How it works:

Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It drops two primary components:
TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. It then overwrites disks with a small portion of a JPEG image found on the Internet. Once overwritten, these files can no longer be restored or opened.
On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer. It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive so it can wipe the master boot record Windows machines rely on to boot up. The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.

How to identify an infection:

Unlike most malware, which rarely destroy files or wipe the Master Boot Record, Shamoon cripples the victims computer once it has stolen the data and is rendered unusable. However PC virus logs will still be able to indicate whether an infection has occurred.

#Lync #OCS #ucoms Restricted OCS Deployment ports requirements and firewall rules details

we have been working with the OCS PG last week in preparing a detailed table for ports requirements and firewall configuration for restricted OCS deployments.

the difference in this table that we have detailed as much as we can the different communication ports and firewall requirements for all of the segmented including internet, internal and enterprise voice communications.

we also detailed the ports and communication paths so it can be reader-friendly for the Security/Firewall engineers.

the wiki assumes that servers are deployed in the same VLAN and separated by a very restricted firewall configuration, Edge is deployed in the DMZ and again restricted firewall configuration is required.

currently the document still being reviewed, but if you are interested in following it you will find it on the wiki, here http://social.technet.microsoft.com/wiki/contents/articles/ocs-2007-r2-firewall-port-settings.aspx, we will be publishing another one for Lync as well linked to the wiki.

we will validate the wiki this week at a customer location and we will publish the updates later.

Reference: http://www.shudnow.net/2009/08/29/office-communications-server-2007-r2-audiomedia-negotiation/

Thanks to Tom, Rick and Rui for their support during creating this wiki.

well done ya kimooooooooooo

اختراق www.thejobsmasters.com

زي ما قولت في مواقع كتيييييييييير للاسف مليئة بالثغرات الامنية

اول موقع ننوه عنه النهاردة هو www.thejobmasters.com الموقع فيه ثغرات SQL injection و الكود البرمجي يتيح استخدام Cross site scripting مما يكشف البيانات الموجودة في قاعدة البيانات ، و هذا شئ خطير نظرا لانه يتيح الحصول على معلومات سرية غير متاحة الا للمشتركين حيث هذا الموقع يقوم بالتوظيف و قاعدة بياناته مليئة ، الثغرات تتيح الدخول بدون استخدام كلمة سر و الدخول بأي حساب سواء موظف او شركة

احب ان اقول انه الثغرة تم اكتشافها بوساطتي و سيتم طلب تأكيدها من اصدقاء مستقلين في الفريق العربي للبرمجة

المعلومات و التحذير جاء بغية التحذير لا اكثر و لا اقل و تنبيه مستخدمي الموقع و اخذ حذرهم بعدم وضع معلومات سرية او شخصية ، و ليس لي اي مصلحة مالية او مادية و انا لا انتمي لاي شركة تمارس نشاطا مضادا للموقع

اتمنى من مبرمجي الموقع ان يقوموا بتحسين كود الموقع عبر ال Variable sanitation و ال User input validation

شكرا

http://www.google.com.eg/search?hl=en&q=sql+injection&meta=

http://www.google.com.eg/search?hl=en&q=Cross+site+scripting&meta=

 

 

مواقع عربية بعيوب برمجية تسمح باختراقها

امممم

برضوا الكورسات نفعت لانه زي ما انتوا عارفين فانه اتجاهي في الشبكات هو امن المعلومات رغم عملي في ال infrastrucutre و ال messaging

و نظرا لانه انا بقيت مسئول عن امن المعلومات في كل المشاريع التي اتولاها بشك اساسي و عملي ك security auditor  و مؤخرا ك penteration tester  فقد وجدت الكثير من المواقع العربية التي تحوي ثغرات برمجية قاتلة تسمح باختراقها

لذا فسيكون جزء من البلوج خاص بالتبليغ عن مثل هذه المواقع لانه للاسف راسلت بعضها و لم يستجيبوا لذا لم يتبقى لنا الا ان نحذر المستخدمين العرب لكي يتجنبوها

المعلومات التي تنشر في هذا القسم للتنويه العلمي و انا غير مسئول عن اي شخص يسئ استخدام هذه المعلومات

 و غرضي هو تنبيه المستخدمين لعدم استخدامهم هذه المواقع نظرا لحساسية ما تحتوية من معلومات

و نراكم في اول موقع باذن الله

 

يا حلولي MITM

للاسف مايكروسوفت خيبت ظني مش عارف للمرة الكام بعد الكام

بم اني بدرس كورس ال certified Ethical hacker  اليومين دول عقبال عندكم فالواحد وجد الكثير و الكثير من الافكار التي يستطيع ان يجربها في المعمل

و عجبتني فكرة ال MITM اوي و قررت تجربتها

استعملت اول اداة مشروحة في اول سطر الا و هي ال Smbrelay

اداة بسيطة جدا جدا جدا مجرد مشتغلعا تقف زي الزنهار على بورت 139 اللي بيتم عمل ال authentication عليه

اما بتحاول تدخل على اي سيرفر في الكومبيوتر تلقائيا يقوم بارسال اليوسر نيم و الباسوورد زي الاهبل كده علشان تدخل عليه

الاداة دي بتقف بقا و تقدر تحتفظ باللوجين ده لنفسها لكي يمكنك استعماله لاحقا

راجع

http://www.xfocus.net/articles/200305/smbrelay.html

تاني يا ميكو

طب اعمل فيكي ايه

 

كيف يعمل NAT-T

ال NAT هو تكنولوجي واسعة النطاق يتم من خلالها اتاحة الاتصال بالانترنت لعدة اجهزة من خلال اي بي واحد فقط
او يتم استخدامها بعمل ستاتيك NAT يتم فيه عمل ترجمة ثابتة لكل الترافيك الصادر و الوارد لجهاز معين على الشبكة الداخلية من على الراوتر او الفايروول لاتاحة خدمة على هذا السيرفر للانترنت مثل ويب او ميل سيرفر
ظهرت مشكلة عويصة في ال NAT مع استخدام ال IPSEC و هي ان ال NAT يقوم بتغيير الاي بي و البورت الموجودان في هيدر الباكت و نظرا لانه ال IPSEC يقوم بوضع الاي بي في الPAYLOAD الخاص به و الذي لا يوافق الاي بي الموجود في ال IKE الذي هو اي بي ال NAT DEVICE فانه الجهاز على الطرف الاخر يقوم بعمل DROP للباكت
المشكلة الاخرى هي ال TCP CHECKSUM و التي تقوم بالتأكد من صحة الباكت المرسلة
في العادي يتم وضع الاي بي و البورت في هيدر ال TCP و في الوضع العادي تقوم ال NAT DEVICE بتغيير الاي بي و البورت اما في حالة استخدام IPSEC فانه يتم تشفير هذا الهيرد باستخدام ال ESP و بم انه الهيدر مشفر لا تستطيع ال NAT DEVICE تغيير الهيدر و بالتالي يكون ال CHECKSUM غير مظبوط و يتم عم DROP للباكت
كيف تم حل المشكلة؟
تم عمل ال NAT-T و التي تقوم بعمل UDP HEADER يحتوي ال ESP HEADER و بالتالي تستطيع ال NAT DEVICE ترجمته
ايضا يتم وضع الاي بي للجهاز المرسل في خانة ال ORIGINAL IP و تركها كما هي و بالتالي يمكن التأكد من ال CHECKSUM