Wednesday, October 29, 2014

The Learning Series: Lesson 1 Access Control List - Be specific, Be precise!

As many of you know, this blog is staffed by volunteers and various individuals who have experience in computer forensics, network forensics, malware deconstruction, operating systems and other areas of expertise. SLC Security Services LLC (the sponsor of this blog) has been working to really define some of the goals of this project, and one of the main items on the to-do list was to provide tutorials and write-ups for network administrators and security staff to assist them with various items that may be of help when securing their networks and infrastructure.

One of the first things we notice during audits is that many companies fail to use ACLs (access control lists) effectively. When properly used, an ACL may mean the difference between simply having a single machine compromised and having customer data stolen. I think we can all agree that rebuilding a single system is a better use of company resources than rebuilding an entire site or multiple sites, and ACLs are one way to ensure that a single exploited system does not result in a much larger disclosure or compromise of PHI/PII or credit card data.

When we audit companies, one of the first things we notice in about 90% of our audits is that administrators rarely, if ever, set up the correct ACLs on their systems. ACLs are a last line of defense in ensuring that, even if a box is compromised, the data residing on that system cannot leave your infrastructure without you knowing about it. In about 70% of the audits we have performed over the last year we have identified either incorrectly implemented ACLs, no ACLs in place at all, or such a major lack of understanding of the corporate network layout that ACLs are implemented only to block specific items.

Let's take a POS example of one place where ACLs should ALWAYS be implemented. POS systems, by their design, only have to communicate over the network with a few different servers. You would want to allow communication from the POS system only to the systems and services required for operation, and everything else should be blocked. One recent remediation after a compromise showed that the traffic leaving the network was being sent out over the HTTPS protocol to the Internet through a proxy server that was set up externally. There were several places in which an ACL would have stopped an automated attack or a hacker dead in their tracks, had the proper ACLs been implemented on the network switch and router sitting between the POS network and the Internet. The POS system in this case had an SSL VPN client enabled on it, so blocking HTTPS entirely would not have worked, but restricting HTTPS traffic with an ACL to the single host that the POS system needed to talk to would have closed those ports and not allowed the credit card data to leave the POS network. The POS system needed only to talk to 3 other IP addresses on 2 other services for proper operation. The first question we asked was why there were no ACLs on the network switches, and the customer's response was that they didn't feel it was necessary.

After the audit I can tell you that every location is not secured with the proper ACLs. Had the ACLs been implemented from the start, this client would not have had to notify their customers of the breach and we would not have had to go in and reverse engineer a pretty nasty attack.

Some general rules:
1. Only allow these systems to talk to the known systems required for proper operation. Block everything else.
2. Use multiple layers of ACLs on switches, routers and firewalls. This ensures that if one device is compromised there are backups to prevent unauthorized traffic from leaving the network.
3. Know what traffic is going where. Open up services one at a time and only for the required network destinations. There should be no blanket rules allowing HTTP, for example. Why would a POS system need to access the Internet? It doesn't, and if it does it would only access a vendor site for updates, so allow only that single system to reach the vendor site for updates and block HTTP access to everything else.
4. Block anything not being used. Deny should be the default rule in all ACLs. Sure, it takes time to build complicated ACLs in your network, but it keeps your network secure and keeps your machines from talking to machines that are not authorized.
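To make the POS scenario above and the four rules concrete, here is an added example of what the switch and router ACLs could look like in Cisco IOS extended-ACL syntax. This is not configuration from the post or from the client's network: the POS VLAN (10.10.20.0/24), the three destinations (a payment gateway at 203.0.113.10, a back-office server at 10.10.1.5, an internal resolver at 10.10.1.2) and the two services (TCP 443, UDP 53) are constructed to match the "3 IP addresses on 2 services" description, and the interface names are placeholders. The weak list is shown first so the difference is visible: it permits HTTPS to `any`, which is exactly the hole an outbound SSL VPN or proxy channel slips through.

```text
! --- WEAK: a blanket HTTPS rule. Every host on the POS VLAN may reach any
! --- HTTPS server on the Internet, so an outbound SSL VPN / proxy session
! --- from a compromised register is permitted just like the gateway is.
ip access-list extended POS-OUT-WEAK
 permit tcp 10.10.20.0 0.0.0.255 any eq 443
 permit udp 10.10.20.0 0.0.0.255 any eq 53
 deny   ip any any

! --- CORRECTED: name every destination and service the registers need,
! --- one line each, then log whatever falls through to the final deny.
! --- (All addresses are constructed for this example.)
ip access-list extended POS-OUT
 remark Payment gateway, HTTPS only
 permit tcp 10.10.20.0 0.0.0.255 host 203.0.113.10 eq 443
 remark Store back-office server, HTTPS only
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.5 eq 443
 remark Internal DNS resolver only
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.2 eq 53
 remark Rule 4: deny by default. HTTP/HTTPS to anything else is dropped AND logged
 deny   ip 10.10.20.0 0.0.0.255 any log

! Layer 1: apply inbound on the POS VLAN interface of the distribution switch,
! i.e. on traffic entering the switch FROM the registers.
interface Vlan20
 description POS registers (placeholder interface)
 ip access-group POS-OUT in

! Layer 2 (rule 2): repeat the allow-list on the Internet-facing router so a
! misconfigured or compromised switch still cannot pass POS traffic out.
! Only the gateway leaves the site; the back-office and DNS hosts are internal.
ip access-list extended POS-EDGE-OUT
 permit tcp 10.10.20.0 0.0.0.255 host 203.0.113.10 eq 443
 deny   ip 10.10.20.0 0.0.0.255 any log

interface GigabitEthernet0/1
 description Uplink to ISP (placeholder interface)
 ip access-group POS-EDGE-OUT out
```

The `log` keyword on the closing deny is what turns the ACL from a silent drop into a detection source: denied packets show up in syslog, and the per-entry hit counters in `show access-lists POS-OUT` tell you, after a few days in production, whether a required destination was missed (rule 3, opening services one at a time) or whether a register is trying to reach somewhere it has no business going. Extended ACLs in IOS are stateless and evaluated top-down, first match wins, so keep the specific permits above the deny and resist the temptation to "fix" a missed destination by widening a permit to `any`.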

We hope you have gotten something useful out of this article. Feel free to comment or ask questions and we will try and help individuals and answer any questions you may have.

This article was written by Kevin Wetzel, lead investigator for SLC Security Services LLC. Mr. Wetzel has been an investigator for over 20 years and has specialized in computer forensics, private fraud investigations and computer security services for corporate, government and individual clients. Mr. Wetzel is a member of SLC Security Services LLC and is a contributor to this blog.
