STANDARDS, BLACK & WHITE, GREY, DANGEROUS

Standards – every department should have them… every organization should have them. Written, formally approved, and easily accessible Standards are the hallmark for consistency within a business.

For the Standard to be effective, it must be supported, and, indeed, promoted by all levels, including management. For example, if management does not treat the Standards as black & white, but adds grey to the Standard by allowing exceptions by decree, the Standard may as well not exist.

The goal when creating the Standard is to create it such that it is black & white by accounting for any possible grey. Laws, ordinances, regulations, etc use legal ease to accomplish the same task, but standards should be written in the most understandable language for the target audience, with industry jargon well defined. The Standard should include an exception process to deal with any grey that is later perceived. There may even be an ‘continuous improvement’ mechanism to remove later grey.

For several reasons, it’s difficult for management to say “no, follow the Standard” to someone wanting to ‘just do it’. Management may not understand the need for consistency within aother department. They may not understand the experience brought into play, the experience that spawned the need to create the Standard. They may see it as just another roadblock, not worth the effort in complying.

Here’s an example… The Standard dictated four tiers or environments which included production. The application was to be tested in three tiers prior to production. The experience that created the Standard was that skipping most of the tiers and going directly to production was more error prone, and on average cost more time than the few hours required to properly QA the application. Frequently when skipping testing, it goes to production, errors are found, it goes back to development, then back to production… and back/forth… when just doing it right would have yielded less app downtime, and/or faster time to production. On one occasion, the app screwed up the data, and the DBA had to restore a several hundred gigabyte database up to the point of the release. The customer lost several hours of data from the point of the release until the bug was caught / the app shut down. The sad thing is, in the heat of the moment, inexperienced developers don’t understand that although it’s counterintuitive, taking a few hours to follow the Standard is almost always the faster path to production than running to their manager to see if they can force a ‘just do it’ put it in production now situation.

SO, WHAT ARE STANDARDS ANYWAY? WHAT ABOUT POLICIES, PROCEDURES, ETC

Standards are a specific formalization of a Policy or a piece of a Policy. If a Policy does not exist, a Standard is a formalization of an implied or de facto policy.

Policies are general statements from management; ie, sometimes Policies are so general that they are ‘published’ via email. Note, Policies should be general, but can be formal and properly published.

Procedures describe, step by step, how something is done to implement a Standard or a piece of a Standard (or a Policy if the Standard does not exist).

Best Practice is a suggested way of doing something given a Policy does not exist.

An example…
Policy: “Patient records privacy shall be respected”
Standard: “Access to patient records shall be audited. Access shall be granted only to those that have a need to know”
Procedure: “To request access to a patient record, obtain a ‘PT Info’ form, fill out the top portion, the ‘level’ section, and the ‘justification’ section. Turn the form into the PT Records receptionist”
Best Practice: “Request information (as a consult) from the patient’s GP”

Creating a short example is difficult! Please contribute your example/s in the comments section below.

GREY, DANGEROUS?

So, when are Standards grey? In reference to a Standard, I’ve heard the statement… “how about some grey here, life’s not black & white”. That was uttered by someone that was not willing to take the few extra hours to follow the Standard, and the requested leeway was not in the company’s best interest.

As indicated above, organizational Standards need to be black & white, with the grey accounted for in the Standard.

I see industry Standards as being deliberately grey, with an auditor or examiner turning the grey to black & white. Would an examiner’s job be easier if the Standard were black & white?

An example for which I’ve been dealing is the PCI DSS Standard by the PCI Security Standards Council. PCI (Payment Card Industry) has a person that performs audits. This person, designated as a QSA (Qualified Security Assessor). S/he has the final say with regard to interpreting the Standard.

The PCI standard Standard, IMHO, is overly grey, to the point of being ambiguous in places. Because of this, the QSA appears to have been passing audits with no real effective encryption of credit card numbers (BTW, the Standard refers to credit card numbers as PAN [Primary Account Number]).

By ambiguous, I mean ‘data at rest’ & ‘data in transit’ in a database context. Let’s first look at a file context. These terms, in the file context are somewhat well defined. A file at rest is encrypted when the file is encrypted. If the file is encrypted, it’s also encrypted while in transit. If it’s not encrypted, it can be encrypted while in transit with network encryption protocols like HTTPS. But, even the file context is somewhat grey when defining ‘data at rest’. If there is an unencrypted file on a disk that has full disk encryption active on it, is the data in the file encrypted at rest? That’s the same problem with encrypting the database container*. It offers zero protection to anyone on the running system using standard tools to view/steal the data. No protection. Zip. Nada. None! (I might add: aucun, keiner, zilch!)

Now, consider the database context. You can have data ‘at rest’ on the disk, it can be ‘in transit’ from the disk to the database engine, where it is manipulated by the engine. It can be ‘data at rest’ in the database buffers and remain ‘at rest’ there for several days depending on how busy the system is. To further add to the ambiguity, the data in a database is “logically” at rest when you INSERT or UPDATE… it’s not moving through a network, which most would call ‘in transit’. It’s ‘at rest’ “in the database”. One would view the ‘data at rest’ with a SELECT statement. Maybe we should get rid of some of the ambiguity by calling that data ‘data in use’, which the Standard does not address.

The specific example of the ambiguity: The PCI Standard requires credit card numbers to be encrypted ‘at rest’ and while ‘in transit’. The standard does not define ‘at rest’ nor ‘in transit’, and thus the standard allows credit card numbers to be encrypted with a type of encryption that encrypts the database containers (obviously ‘at rest’), and TLS/SSL when transferred through the network (obviously while ‘in transit’). That combination of encryption is ‘transparent’ to anyone querying the database.

Because the standard is grey or even ambiguous with what ‘data at rest’ is in a database context, many systems that exist today are subject to all kinds of attacks that query the database, and are protected from attacks that would reverse engineer the contents of offline database containers. This means that the Standard would not have prevented ANY of the known attacks to date. Because of that ambiguity, PCI does not guide an organization into being more secure against the most common attacks, ie, weak DBA passwords, cross site scripting, cross site request forgery, social engineering of DBA’s, privilege escalation, etc. A vulnerability that would exploit offline unencrypted database containers is so, so rare, that it does not even have a name.

So, what use does database container encryption protect? A side-effect of this type of encryption is that backups are encrypted, but backups should be explicitly encrypted by other means.  I assert that this type of encryption is dangerous in the sense that it’s being used to pass an audit/certification that is supposed to mean that there is real protection for customer data. Because the Standard is too grey, so much so that it is ambiguous, the Standard is really just theater.

Do you know of any database attacks that have been used used to attack database containers? Please comment below.

DANGEROUS? CAN IT BE FIXED?

If the PCI Standard required credit card numbers to be encrypted with end-to-end encryption (or as near the holy grail of end-to-end as is practical) utilizing industry accepted asymmetric key encryption, would that make the PCI Standard more black & white with regard to encryption? Would that offer more protection than the current standard? Would that mean less Theater? Your thought?



* The encryption that encrypts database containers in Oracle and Microsoft SQL Server is called TDE (Transparent Data Encryption).

Troy Frericks.
blog 6-Mar-2016
=
Copyright 2015-2016 by Troy Frericks, http://dba.frericks.us/.
#

TWO-FACTOR AUTHENTICATION

Everyone that touches data in an enterprise is responsible for the security of the enterprise’s data. Not only is that the DBA, but it’s also software support staff, developers, and end users. As the DBA has the most visibility of the data, and the DBA is trained in data security, s/he is usually the point person for implementing (and providing advice regarding) data security. At least that’s the way it’s been in every shop I’ve been in over the past 30 years. 

As I’ve had a strong interest in security since the VAX VMS C2 certification days, my past articles have touched on security. Future ones will most certainly. So will this one!

DEFINITION


Two-Factor Authentication (2FA) is the process of identifying a person based on two of the following three factors: 1) something you know, 2) something you have, and 3) something you are.


TANGENT, MORE DEFINITIONS


  • Three-Factor Authentication is the process of identifying a person based on all three of the following three factors: 1) something you know, 2) something you have, and 3) something you are.
  • Multi-Factor Authentication (MFA) is the process of identifying a person based on more than one of the following three factors: 1) something you know, 2) something you have, and 3) something you are.



WIKIPEDIA

Contrast the above definition of 2FA with the Wikipedia definition of ‘two-factor authentication’. Keep in mind that Wikipedia articles are changed daily, so it would not be appropriate for me to comment on specifics of the article, but I believe you’ll see some interesting differences between Wikipedia and the above.


THE FACTORS

The ‘something you know‘… the presumption is that this is something that you and only you know (ie, you imagined it). It’s something that you then communicated to a second party so that the second party could use it to authenticate you. Or vice versa (ie, it may be created by the second party and sent to you for the purposes of authentication). This is commonly referred to as a shared secret, or a password. 


I do NOT include the following things in the category of ‘something you and only you know

  • credit card number
  • social security number
  • bank account number
  • your mother’s maiden name

Keep in mind that you frequently disseminate this information in your normal course of business. For example, your bank account number is at the bottom of each check you write. Also, note, there are a lot of people focused on stealing your information, and are frequently successful. Even from supposedly secure sites. Case in point: the 2015 OPM Breach

The ‘something you have‘… the presumption is this is something you and only you physically have, and you can prove it. An example is a small keyfob with a computer built into it which generates a sequence of numbers known only to the device and the second party. The device changes to the next number every few seconds (or on every press of a button). You prove you have the device by typing in the number displayed on the device. Passing authentication of this factor happens when the second party agrees with the number you typed.


I do NOT include apps (authenticators) or SMS in this category of ‘something you and only you have‘. See below for an example of SMS issues. Apps frequently reside on a system that might be compromised, and hence in the control of bad actors… meaning it’s not something ‘you and only you have‘ as the bad actor is able to obtain a copy. I know of a company that uses ‘RSA SecureID Software Token Application’ (ie, an application) to access a VPN connection to the enterprise. Shame on you RSA for even offering such a weak security product! See “WEAKNESS” below.

The ‘something you are‘… the presumption is this is something you and only you are. An example is a fingerprint (on a live and attached finger). Other examples are characteristics of your eye (retina), voice print, hand print, DNA, etc.


This ‘something you are’ factor is not widely implemented due to lack of technology to determine more than one aspect of the factor to insure it is ‘something you and only you are’. By ‘aspect’ I mean (using the fingerprint example), measuring the temperature of the fingerprint, determining a pulse rate at the fingerprint, measuring capacitance at different points of the fingerprint, etc… all this to insure the finger was not severed, overlaid over a live finger, or otherwise faked. There is much discussion on the internet as we hash through some of the technical details of defining what is needed to say for certain this factor is actually something you are. This factor will become more common in the near future as better technology becomes available.

BAD EXAMPLES


  • ATM cards use 1928 era magnetic media. They are easily duplicated; ATM cards to not make a good ‘something you and only you have‘. Note, the PIN, albeit four digits, is the second ‘something you know‘ factor. 
  • SMS is frequently claimed to be something you and only you have. This misconception is probably because most people read SMS on their phone, and they have the phone. I used to read my SMS messages on-line via Google Voice, without having the phone near by. SMS is not something you have. It may be available to technicians & hackers. Here’s an example… a developer places an app in the Amazon App Store. A PayPal user installs the app on his Android phone, clicking OK when prompted (acknowledging the app’s access levels). The app keylogs the user using Chrome to go to PayPal, so it knows the userID & password. The app covertly notifies the bad guys. Once notified, the bad guys tell the app to http proxy a connection to PayPal. The app connects the bad guys to PayPal, enters the userID & password, intercepts the SMS “second-factor”, enters the “second-factor”, deletes the SMS, and turns control via http proxy to the bad guys… all covertly. Updated SMS and phone number based identity continue to be a concern. Another way to look at SMS is that SMS can be considered an “out of band” second factor, which is better than just using a single factor. But, I highly recommend when doing security, you do it right. Don’t use an “out of band” factor when two of the three factors provides premium security for very, very, little cost.
  • Having a computer call you to deliver a recorded PIN may be claimed to be something you and only you have. Without rehashing the above paragraph (with regard to a phone call), consider how the call forwarding feature could be used to circumvent this claimed second factor. Do you really have to have your phone to receive your phone call? The situation would be even worse if the automated phone call was recorded by your voice mail.

WEAKNESS



Apps on the same device used to login is not really a second factor. Consider the ‘RSA SecureID Software Token Application’ application mentioned above. Here is how connecting to a VPN happens... 1) Launch the soft token application, enter a password/pin, click the ‘copy’ button. 2) launch your VPN software, click the paste button. Note, steps 1 & 2 are on the same computer. Now, consider a computer with an arbitrary code execution vulnerability. Enough said?

Google Authenticator suffers the same problem. Here’s a fix. Obtain an Android phone that you can dedicate to being a second factor. Flash it to the latest OS. Install Authenticator on it. Put it into ‘airplane mode’ and leave it that way. You can now add all your accounts that allow Authenticator to be your ‘second factor’. Note, given that Authenticator is time dependent, the Authenticator time offset will need to be updated a few times a year. See the Authenticator settings. You will have to turn wifi on for about 15 seconds when updating the offset. (My wish is that the time would be updated via the GPS clock!).

Many web sites (companies) make it difficult to implement two-factor authentication, or
don’t offer it at all. The weakest link is ‘what if I forget my
password’. See Brian Krebs’ 2015 Christmas Eve
experience. A bad guy called PayPal’s help desk claiming to be Brian. PayPal’s
support asked some questions that the bad guy was able to
answer from public databases. They then proceeded to turn off two-factor
authentication and reset the password. Comment below how PayPal can fix
their customer service’s security problem.

The
above “support issue” is really a “people issue”. People also implement technologies. If you’ve
not had specific and purposeful security training, or not even actively
participated in a ‘pen test’, then you have no business implementing
security technology without at least consulting someone that knows
better. Ok, off my soapbox. My wish is that all companies implement security training for all employees, and specific and detailed training for those employees that deal directly with security.



ALTERNATIVE AUTHENTICATION METHODS




CONCLUSION


Two-Factor Authentication, commonly implemented as ‘something you know‘ and ‘something you have‘, is the best we have to protect our data. It must be implemented correctly… both the architecture and the policies/procedures/best practices.


Please comment on the use of apps as a second factor. Do you use them? How?


If you know of a significant site that does two-factor authentication, please comment. Also, add a note about their customer service.


Troy Frericks.
blog 3-Jan-2016
=
#