Tuesday, September 1, 2009

Breaking Information Security Controls – From an Offensive Point of View

Did your company implement controls?

I have a friend, Joker, who works for an ISO 27001 compliant company. Let's call this company Fictional Enterprise (FE). The IT Manager of Fictional Enterprise makes every effort to implement technological controls. These controls include:
  1. URL filtering – block access from the FE network to community websites such as Facebook
  2. IM archiving – record IM conversations to and from the FE network
Joker ran an experiment to see whether he could bypass these two controls. He tried three methods.

  1. Use an anonymous proxy server on the Internet
  2. Build and use an SSL VPN gateway at home
  3. Build and use remote access technology at home

All three methods successfully bypassed the controls.

Use an anonymous proxy server on the Internet - Joker searched Google for "Anonymous Proxy". The first ten hits were all usable anonymous proxy services; some are free of charge, others are paid. Joker chose a paid service at USD 9.95 per month and found that it bypassed the URL filtering software. The service uses an SSL-encrypted tunnel between Joker's computer and the proxy server, so the URL filter only ever sees an encrypted connection to the proxy's host name, never the Facebook URL inside it. He could access Facebook through the service, while Facebook remained blocked without it.
The same proxy can in fact carry both web browsing and IM traffic. Because the traffic is SSL encrypted, control (2) cannot archive the IM conversations.
This proves that an anonymous proxy can easily bypass both controls.

Build and use an SSL VPN gateway at home - Joker installed a FortiGate 60B appliance at home (list price USD 995). He configured the appliance with dynamic DNS and the SSL VPN feature, then created an SSL VPN bookmark for Facebook. Functionally this is an HTTP redirect through his home gateway: the FE network only sees an SSL session to the gateway.

After that, whenever Joker wanted to access Facebook from Fictional Enterprise, he logged in to his SSL VPN via its dynamic DNS name and clicked the bookmark. However, this bookmark (HTTP redirect) approach does not appear to support IM conversations.

Build and use remote access technology at home - Joker tried two remote access techniques.

The first is easier to set up: he prepared a desktop computer running Windows XP Professional, enabled Remote Desktop on it, and allowed connections from the FE network. The browser and IM program run on this home desktop, so all URL filtering and IM archiving is bypassed. The drawback is that the whole remote desktop is transmitted to Joker's computer on the FE network, and switching between the two desktops is not very convenient.

The second is harder to set up: he prepared a computer running Windows Server 2008 and activated Terminal Services with RemoteApp support. He then published Internet Explorer and MSN Messenger as RemoteApp applications and created shortcuts for them. This is harder to set up but easier to use, because only the application window is delivered to Joker's computer on the FE network. Joker can now use the remotely running browser and IM application while they appear seamlessly integrated with his desktop on the FE network.

This proves that remote access technology can also easily bypass these two controls. Note that all three methods depend on the FE network permitting outbound connections to arbitrary Internet hosts (TCP 443 for the proxy service and the SSL VPN, TCP 3389 for Remote Desktop). Egress filtering and blocking of uncategorized or anonymizer destinations, rather than a URL category list alone, is what actually raises the bar.
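As an added example (not from the original post, and not FE's or any vendor's code), the following Python script shows the kind of egress-log triage a defender at Fictional Enterprise could run to spot all three bypass routes: Remote Desktop to an outside host, sessions to dynamic DNS names, and long-lived TLS sessions to hosts that are not on a known-good list. The log format, host names, allow-list and dynamic-DNS suffixes are all constructed placeholders for illustration.

```python
"""Egress-log triage for the three bypass techniques described in the post.

Constructed example: the log format, field names, host names and sample lines
below are invented for illustration and are not from any real product.
Assumed format, one record per line, space-separated:
  <ts> <src_ip> <dst_host> <dst_port> <proto> <bytes_out> <duration_s>
"""
from collections import namedtuple

Record = namedtuple("Record", "ts src dst port proto bytes_out duration")

# Hypothetical allow-list of hosts that legitimately receive outbound TLS from
# the FE network. Anything else on 443 is treated as "uncategorized".
KNOWN_GOOD = {"mail.corp.example", "crm.partner.example"}

# Hypothetical dynamic-DNS provider suffixes (the post's home SSL VPN and RDP
# box are reached by dynamic DNS). Real lists are vendor-maintained; these are
# placeholders.
DYNDNS_SUFFIXES = (".dyn.example", ".ddns.example")

RDP_PORT = 3389
TLS_PORT = 443
LONG_SESSION_SECONDS = 600  # tunnels and remote desktops stay up for a long time


def parse(line):
    """Parse one log line into a Record, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, port, proto, bytes_out, duration = parts
    return Record(ts, src, dst.lower(), int(port), proto, int(bytes_out), int(duration))


def classify(rec):
    """Return the list of finding tags for one record (empty if nothing matched)."""
    findings = []
    if rec.port == RDP_PORT:
        # Remote Desktop / RemoteApp to a machine outside the corporate network.
        findings.append("rdp-egress")
    if rec.dst.endswith(DYNDNS_SUFFIXES):
        # A home gateway or home PC reached through a dynamic DNS name.
        findings.append("dyndns-destination")
    if rec.port == TLS_PORT and rec.dst not in KNOWN_GOOD and rec.duration >= LONG_SESSION_SECONDS:
        # Long-lived TLS to an unknown host: what an anonymous proxy tunnel or
        # an SSL VPN session looks like to a URL filter that cannot see inside it.
        findings.append("long-lived-tls-uncategorized")
    return findings


def triage(lines):
    """Group findings by source IP: {src: [(dst, port, [tags]), ...]}."""
    report = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            report.setdefault(rec.src, []).append((rec.dst, rec.port, tags))
    return report


# Constructed sample log: one workstation (10.1.2.33) using all three bypass
# routes, and one (10.1.2.77) behaving normally.
SAMPLE_LOG = """\
2009-09-01T09:02:11 10.1.2.33 mail.corp.example 443 tcp 48211 45
2009-09-01T09:05:40 10.1.2.33 tunnel.anonproxy.example 443 tcp 9123881 5400
2009-09-01T12:31:02 10.1.2.33 joker-home.dyn.example 443 tcp 221331 900
2009-09-01T13:10:55 10.1.2.33 joker-home.dyn.example 3389 tcp 18833312 7200
2009-09-01T13:12:00 10.1.2.77 crm.partner.example 443 tcp 10021 30
"""

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG.splitlines()).items():
        for dst, port, tags in hits:
            print(f"{src} -> {dst}:{port}  {', '.join(tags)}")
```

Only the first rule is a hard block candidate; the other two are triage signals, because the same pattern is produced by legitimate SaaS and partner sites that simply are not yet on the allow-list. That is the practical point of the post: a category-based URL filter cannot see into an SSL tunnel, so the useful control is an egress policy plus review of what is being tunnelled where.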

Controls should come after Control Objectives

Joker tried every method of bypassing the controls, yet he did not violate any policy. This is because Fictional Enterprise has no good way to develop and announce policy: the implemented controls have no stated control objective.

Information security policies are the documented control objectives that form the foundation of IT governance. It seems Fictional Enterprise still has a long way to go before it is anything more than a paper-compliant company.