
Publication


Featured research published by Michael Gregg.


Archive | 2007

Protecting Critical Infrastructure

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

Critical infrastructure allows for all of the modern-day conveniences. The health of the nation depends on the infrastructure that provides electricity, moves and controls water, provides gas and oil, and ensures the operation of our transportation and communication networks. Process control systems monitor and control critical infrastructures as well as a number of other applications, such as automotive manufacturing plants and hospitals. This chapter explores how process control systems work, with an emphasis on the systems used by the oil and gas industry. These systems are commonly referred to as supervisory control and data acquisition (SCADA) systems. Most of the time when people are talking about process control systems they mention SCADA, although SCADA is a subset of the larger process control system. This chapter begins by examining process control and SCADA systems, followed by the reasons convergence is necessary, and the challenges and threats that face the organizations responsible for protecting the nation's critical infrastructure. It makes apparent the benefits of a converged monitoring and detection solution providing a single pane of glass into both physical and logical threats.


InfoSecurity 2008 Threat Analysis | 2008

Cross-site Scripting Fundamentals

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

This chapter deals with cross-site scripting (XSS), an attack vector that can be used to steal sensitive information, hijack user sessions, and compromise the browser and the integrity of the underlying system. XSS vulnerabilities have existed since the early days of the Web. In 1999, inspired by the work of Georgi Guninski, David Ross published the first paper on XSS flaws, entitled "Script Injection." In 2005, the first XSS worm, known as Samy, attacked the popular social networking Web site MySpace. Today, they represent the biggest threat to e-commerce, a billions-of-dollars-a-day industry. This chapter further discusses AJAX, a technology that powers interactive Web applications with improved user experience, greater usability, and increased processing speed. The core component of AJAX is the XMLHttpRequest object, which provides greater control over the request and the response initiated by the browser. DOM is a W3C standard that defines how to represent XML tree structures. It is important to understand the basics of XML and AJAX, as they are becoming an integral part of the Internet. It is also important to understand the impact these technologies will have on traditional Web application security testing.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 8 – Why PCI Is Important

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

This chapter covers everything from the conception of the cardholder protection programs by the individual card brands to the founding of the Payment Card Industry (PCI) Security Standards Council. PCI refers to the Data Security Standard (DSS) established by the credit card brands. Any company that stores, processes, or transmits cardholder data has to comply with this data protection standard. PCI is composed of 12 requirements that cover a wide array of business areas. All companies, regardless of their respective level, have to comply with the entire standard as it is written. The actual mechanism for compliance validation varies based on the company classification. The cost of dealing with data breaches keeps rising, as does the number of breaches. Companies that do not take compliance efforts seriously may soon find themselves out of business. Yet the companies that are proactive about compliance may be able to capture additional business from security-conscious consumers.


InfoSecurity 2008 Threat Analysis | 2008

Protect Cardholder Data

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

The Payment Card Industry (PCI) Data Security Standard (DSS) requirement to protect cardholder data encompasses two elements: protect stored cardholder data, and encrypt the transmission of cardholder data across open, public networks. The processes and activities necessary to meet these requirements and the specific subitems spelled out by the PCI DSS are simply the implementation of some of the fundamental components of a sound information security program. In the arena of information security (Infosec), there are three fundamental tenets that form the basis for evaluating the effectiveness of the security controls that are employed to protect the data. These three tenets are confidentiality, integrity, and availability (CIA). The most effective means of ensuring that stored cardholder data is not exposed to unauthorized parties (confidentiality) is the encryption of that data. Since encryption is such an effective and critical part of protecting data, this chapter discusses some of the details of encryption methods and the associated advantages and disadvantages.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 4 – XSS Theory

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

XSS is an attack technique that forces a Web site to display malicious code, which then executes in a user's Web browser. This chapter discusses in detail several types of XSS vulnerabilities. It also covers various exploits and attack strategies that may become quite handy when performing Web application security audits. It is important to understand that XSS is a broad subject that directly or indirectly affects every technology that interacts with it. The Web is tightly integrated. If attackers find a vulnerability in one of the components, the entire system is subjected to an attack resembling a domino effect. Although there are ways to prevent the most obvious XSS issues from occurring, it is impossible to protect your Web assets completely. Therefore, Webmasters and developers need to always be up-to-date with the latest vulnerabilities and attack strategies. Document object model (DOM)-based XSS vulnerabilities can be persistent and nonpersistent. Persistent DOM-based XSS occurs when data stored in a cookie or persistent storage is used to generate part of the page without being sanitized. To prevent DOM-based XSS, the developer needs to ensure that proper sanitization steps are taken on the server, as well as on the client.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 10 – Understanding and Taking Advantage of VoIP Protocols

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

Understanding how VoIP protocols function is important, as it helps debug problems, assists in generating attacks in a security audit, and helps protect one's Asterisk system against attacks targeting it. Each protocol is defined by a set of guidelines, covered in various Requests for Comments (RFCs), which describe in detail how the protocol functions. VoIP data is transferred using small user datagram protocol (UDP) packets. Developers follow and use these RFCs to guide development and help build applications. There are multiple RFCs covering various VoIP protocols. These describe how signaling works, how audio and video data is transferred, and various other features. Reading and understanding these RFCs can help unlock the "magic" of how VoIP works. This chapter shows that the two major functions of Inter-Asterisk eXchange (IAX2) and Session Initiation Protocol (SIP) are signaling and passing the audio/video data. Signaling handles the call build up, tear down, and modification of the call. The two protocols handle passing the audio data and signaling differently. While SIP is a signaling protocol in itself and uses RTP to pass the audio/video data, IAX2 chose to build both into one protocol.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 2 – Botnets Overview

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

This chapter provides an overview of the botnet. A botnet is the melding of many threats into one. The typical botnet consists of a bot server (usually an IRC server) and one or more botclients. Botnets with hundreds or a few thousands of botclients (called zombies or drones) are considered small botnets. In this typical botnet, the botherder communicates with botclients using an IRC channel on a remote command and control (CC particularly, finding ways to reduce the demand element could result in less use of botnets in whole classes of behavior.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 7 – Final Thoughts

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

The security landscape is in flux, and functional, organizational, and skill convergence is driving the changes. This chapter provides insight into future planning for what's needed in an organization to take advantage of the changing landscape of security. Security is becoming a mainstream element of the enterprise. It is becoming an enabler, not just a controller of enterprise actions. It helps mobilize information and information exchange. It helps reinforce trust across organizations and with partners. It is a set of highway ramps with rules of the road and enforcement that keeps the business viable and compliant. This subject demands attention by the entire management team, from the CEO and business unit managers to the CIOs and emerging new-style CSOs. It is hoped that this study provided you with the kind of information necessary to get all of these enterprise leaders engaged in the changes that are taking place.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 11 – Asterisk Hardware Ninjutsu

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

Interfacing Asterisk with hardware can take some creativity. This chapter discusses Asterisk hardware ninjutsu and uses serial communications. Serial is used quite a bit, but it's only one means of connecting to hardware. The hardware one might want to connect to and write an Asterisk interface for might be attached by universal serial bus (USB) or be something you probe over a TCP/IP network. The core ideas are still the same: connect to the hardware, send a command if needed, and format the output so it can be used with Asterisk. Based on the information supplied by the device, an action can be taken, if needed. These examples use Perl (Practical Extraction and Report Language), since it is a common and well-documented language. As the name implies, it is used to "extract" information from the remote devices. Perl also has modules that assist in working with Asterisk (Asterisk::AGI), but just about any language can be used.


InfoSecurity 2008 Threat Analysis | 2008

Chapter 6 – Protecting Critical Infrastructure: Process Control and SCADA

Champ Clark; Larry Chaffin; Anton Chuvakin; Scott Paladino; Dan Dunkel; Seth Fogie; Michael Gregg; Jeremiah Grossman; Robert “RSnake” Hansen; Petko “pdp” D. Petkov; Anton Rager; Craig A. Schiller

Critical infrastructure allows for all of the modern-day conveniences. The health of the nation depends on the infrastructure that provides electricity, moves and controls water, provides gas and oil, and ensures the operation of our transportation and communication networks. Process control systems monitor and control critical infrastructures as well as a number of other applications, such as automotive manufacturing plants and hospitals. This chapter explores how process control systems work, with an emphasis on the systems used by the oil and gas industry. These systems are commonly referred to as supervisory control and data acquisition (SCADA) systems. Most of the time when people are talking about process control systems they mention SCADA, although SCADA is a subset of the larger process control system. This chapter begins by examining process control and SCADA systems, followed by the reasons convergence is necessary, and the challenges and threats that face the organizations responsible for protecting the nation's critical infrastructure. It makes apparent the benefits of a converged monitoring and detection solution providing a single pane of glass into both physical and logical threats.
