JSSI 2011 conference report
Date : April 01, 2011
The 10th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), was held in Paris on March 22nd, 2011. A hundred attendees were present. Here is a report on the presentations. The full agenda is available on the conference website (presentation materials will be published there soon).
Cloud computing and security - Devoteam
This talk summed up the results of about a dozen security audits of SaaS solutions, all carried out during 2010. The approach was first to assess the various topics listed in the ISO 27002 standard, then to perform a penetration test against the evaluated product. Although these results cannot be generalized, they do highlight a number of interesting findings.
In the preamble, the speakers first showed that the cloud changes the way the CSO and security are involved in projects:
- SaaS projects often move very fast in terms of study and deployment. To adapt to this, the CSO must prepare in advance the requirements that will apply to this type of project.
- SaaS projects are often seen as the purchase of a solution (as opposed to a development), with strong involvement of the company's purchasing department. The CSO must nevertheless always be involved, in particular to assess the security implications of the clauses of the purchase contract.
- The technical security requirements (typically based on the CIA criteria: Confidentiality, Integrity and Availability) must be rethought and mapped to security controls relevant to the context of "cloud" and outsourced services. For example, traceability (a fourth criterion often added to the CIA criteria) is often difficult to ensure with a "cloud" solution (do you have access to the logs of the cloud solution?).
One of the strongest findings of the audits is that the company subscribing to a SaaS service is very often unaware that this service relies on a chain of suppliers rather than a single supplier. Beyond the publisher of the SaaS solution, the suppliers are typically the operator (who operates the solution) and the hosting provider (which provides the infrastructure hosting the solution). It is imperative to identify all these players and ensure that security requirements are addressed consistently across the entire chain:
- In 40% of the audits, some players were not known to the client.
- In 60% of the audits, the security measures were not implemented consistently by the various actors involved. For example, the operator provided a 24/7 alert service but had only business-hours support from its hosting provider.
The other interesting findings are:
- The security maturity level of SaaS solution providers is still too low. These are often small teams without advanced security expertise.
- 100% of the audits identified deficiencies in the recovery plans for disasters affecting the computer room premises. The operator is often ready to deal with a single failure (one client's service fails), but not with multiple failures (the whole computing centre is out of order).
In conclusion, the speakers indicated that it is actually possible to find genuinely secure SaaS offerings, but most of the time these are the solutions that were designed to handle highly sensitive data. On the other hand, the level of physical security is generally very good (because the computing centre hosting the service is a highly secured facility). They drew attention to the fact that supervising and controlling the cloud service's performance can require a significant effort from the client. Finally, they recommended keeping complete control over access management (who gets an account, and with what privileges) and absolutely avoiding any "self-provisioning" approach in this area.
Large scale data anonymization processes - Bouygues Telecom
In some contexts, testing applications requires data sets that are difficult to generate from scratch, so it is easier to build the test data from real operational data. This is the case, for example, when one needs a large customer database, or a complex data set whose parts must remain mutually consistent. To address this need, Bouygues Telecom has set up a team specialized in generating data sets derived from operational data. This team:
- offers assistance to select and extract operational data,
- anonymises these data,
- and installs the test data in test bed environments.
The team's expertise in "test data engineering" is available to all Bouygues Telecom projects. Such a dedicated team, in addition to guaranteeing good data anonymisation (such data, which are often customer-related, include personal and sensitive information), also strengthens the security of production data, because the "test data engineering" team is then the only team allowed to access production data.
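The two requirements of the passage above, removing personal data while keeping related tables mutually consistent, can be met with keyed pseudonymisation. The following example is added here and is not Bouygues Telecom's process: the customer and contract tables, the secret key and the field formats are all constructed.

```python
# Consistent pseudonymisation of related test-data tables (added example).
# Sample data, the secret key and the HMAC scheme are constructed for illustration.
import hmac
import hashlib

# Secret known only to the test-data team (constructed value, rotate per campaign).
PSEUDO_KEY = b"constructed-secret-key-not-for-real-use"

# Constructed operational extracts: two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Martin",
     "phone": "+33612345678", "email": "alice.martin@example.org"},
    {"customer_id": "C1002", "name": "Bob Durand",
     "phone": "+33698765432", "email": "bob@example.org"},
]
CONTRACTS = [
    {"contract_id": "K1", "customer_id": "C1001", "plan": "mobile-5GB"},
    {"contract_id": "K2", "customer_id": "C1001", "plan": "fibre-300"},
    {"contract_id": "K3", "customer_id": "C1002", "plan": "mobile-20GB"},
]

def pseudonym(value: str, prefix: str, length: int = 10) -> str:
    """Keyed, deterministic pseudonym: same input gives same output, so joins survive."""
    digest = hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"

def anonymise_phone(phone: str) -> str:
    """Keep the 2-digit country code and the length; replace the subscriber digits."""
    digits = phone.lstrip("+")                      # constructed format: "+<digits>"
    fake = hmac.new(PSEUDO_KEY, phone.encode(), hashlib.sha256).hexdigest()
    fake_digits = "".join(str(int(c, 16) % 10) for c in fake[:len(digits) - 2])
    return f"+{digits[:2]}{fake_digits}"

def anonymise(customers, contracts):
    """Pseudonymise personal fields; apply the same key mapping in every table."""
    anon_customers = [{
        "customer_id": pseudonym(c["customer_id"], "C"),
        "name": pseudonym(c["name"], "Customer-", 6),
        "phone": anonymise_phone(c["phone"]),
        "email": pseudonym(c["email"], "user-", 8) + "@test.invalid",
    } for c in customers]
    anon_contracts = [{**k, "customer_id": pseudonym(k["customer_id"], "C")}
                      for k in contracts]
    return anon_customers, anon_contracts

def referential_integrity_ok(customers, contracts) -> bool:
    """Every contract must still point at an existing pseudonymised customer."""
    ids = {c["customer_id"] for c in customers}
    return all(k["customer_id"] in ids for k in contracts)
```

Because the mapping is keyed, the pseudonyms are stable across extractions yet cannot be reversed without the key, which stays with the test-data team.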
CSO liability - François Herpe (lawyer)
This presentation, given by a French lawyer, addressed various questions often asked when it comes to computer security and law. The summary we give below is very basic and only reflects our understanding of the speaker's responses to these questions.
Does the CSO have any financial, civil or criminal liability because of his function?
The general answer is no, unless the CSO has received a delegation of authority from the CEO, or has intentionally committed an offense.
Note: the speaker said that in France a company is legally obliged to implement IT security measures to protect itself. This is "an obligation of means", and more precisely "an enhanced obligation of means"; the latter means that the company must be able to demonstrate that it actually implemented these security measures (under a "non-enhanced obligation", it would be up to the opposing party to demonstrate the obvious lack of security measures).
What should the CSO do to protect personal data?
Companies have strong legal obligations with regard to personal data. These obligations are extensively documented by the French CNIL (Commission Nationale de l'Informatique et des Libertés, the national commission for IT and civil liberties). The speaker consequently recommended referring to the documents published by the CNIL, and mentioned in particular a CNIL notice titled "10 advices for the security of your information system".
Security vs. cyber-surveillance on individuals
A balance must be found between the legitimate need for supervision (to ensure security) and individuals' right to privacy. The speaker's recommendation in this area is to establish within the company a charter describing the permitted uses and the monitoring methods used to control security.
Are mobile devices secure? - EADS
This talk mainly covered the security of Android smartphones. The speaker identified three distinct areas of security risk for smartphones:
- Risks induced by the market players (vendors, telecom operators, software developers). Unlike a PC, a smartphone remains heavily dependent on a chain of suppliers (the telecom operator, the "market place", etc.), which induces specific risks. For example, one can imagine a vulnerability in the operator's infrastructure, or a "Man In The Middle" attack against "market place" communications.
- Risks induced by the base software (operating system and bundled software). Potential security vulnerabilities are numerous at this level. For example, the Android security model (based on hundreds of permissions) is not a robust model, and many vulnerabilities have been found in core components such as "WebKit".
- Risks induced by additional software. These applications may be malicious, or inadequately secured (and therefore vulnerable). The analysis the speaker performed on some applications shows that their security level is insufficient, either because developers lack knowledge of reliable security mechanisms (the mechanisms the speaker encountered were similar to those used 10 years ago in the PC world and since abandoned as not robust enough), or because of lack of time.
The speaker continued his presentation by showing how an Android application can be analyzed (reverse-engineered).
In his conclusion, he said that security risks for Android (and smartphones in general) are multiple and that the user has few means to protect himself effectively. We are still in year one of mobile device security, and in this area everything has yet to be built.
Activism, reputational attacks, rumors and economic war on the Internet - Emmanuel Lehmann (Consultant)
This presentation explained how a well-organized "information warfare" campaign can allow an adversary to gain an advantage over his opponent. The speaker illustrated his view by detailing Greenpeace's campaign against Nestlé over the use of palm oil in Nestlé products.
Security supervision usage for cyber-defense - Orange Business Services
Orange Business Services presented the SOC (Security Operation Center) service it set up to monitor the security of its internal infrastructures. The SOC is operated by a dedicated team and runs 24/7.
To monitor a new project, the SOC proceeds in three steps:
- Specification of the project's supervision needs, based on the project's security objectives
- Design and deployment of a monitoring solution (setting up sensors, tuning the supervision, and first operation in "pilot" mode)
- Regular operation of the monitoring solution
The Orange SOC project started in 2005. In terms of tools, it typically uses IDS (detection sensors) to monitor network traffic, SIM/SIEM tools to analyze and correlate events, and "blackholing" (network flow redirection) and "cleanpipe" (dirty-flow "washing") to react when an attack occurs.
In his conclusion, the speaker explained that the key to a SOC's success is working closely with the business specialists of the project being monitored. He also advised resisting the temptation to deploy too fast (e.g. too many sensors added quickly to cover a very large perimeter); integration should be gradual and controlled.
Web Application Frameworks Fingerprinting - Toucan System
This presentation explained the techniques and tools available to remotely guess the software used by a website. Typically, the objective is to identify that a remote web server runs, for example, Apache, PHP and Joomla, and if possible to guess the version of each. If one of them is not the most recent version, it could then be attacked using its already known vulnerabilities.
The fingerprinting techniques are the following:
- collect the information in the banners displayed by the web server,
- use a vulnerability scanner (e.g. Nessus, etc.),
- use tools specifically designed for web server fingerprinting (e.g. the "Sedusa" plugin for "Nmap").
The speaker covered in more depth a sub-category of the latter tools: those that look for well-known static files in the web server's document space. This fingerprinting technique was presented in 2010 at the DefCon conference by the author of the "BlindElephant" tool (the DefCon slides are available on the conference web site). The detection technique relies on the fact that each web environment (WordPress, Joomla, Drupal, etc.) installs its own set of files on the web server. If you search for these files, you can then guess which software is used.
BlindElephant is a difficult tool to extend, so the speaker chose another tool which is less efficient but easier to extend: WAFP (Web Application Finger Printing). He extended WAFP with the capability to fingerprint web frameworks such as Symfony, CakePHP and Struts.
In his conclusion, the speaker said he is still working on this subject and will send his results to the WAFP author as a contribution. He finally mentioned that this fingerprinting technique will not always work (for example the "Zend" framework does not ship any static file and consequently cannot be fingerprinted this way) and can be countered (if the standard files of the web environment have been modified, detection fails).
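The static-file technique and the countermeasure described above reduce to hashing known paths and voting across versions. The simulation below is an added example, not BlindElephant's or WAFP's code: the fingerprint table, file contents and the two "sites" are constructed so that it runs offline and shows why altering or removing the standard files leaves the detector with no evidence.

```python
# BlindElephant/WAFP-style static-file fingerprinting, simulated offline (added example).
# The fingerprint table and both "sites" are constructed; the real tools fetch
# the paths over HTTP and hash the response bodies.
import hashlib
from collections import Counter

def h(content: str) -> str:
    return hashlib.sha1(content.encode()).hexdigest()

# Constructed database: path -> {hash of file content: versions shipping that content}.
FINGERPRINTS = {
    "/readme.html": {h("readme v3.0"): {"3.0"}, h("readme v3.1"): {"3.1", "3.2"}},
    "/inc/js/a.js": {h("a.js v3.0"): {"3.0", "3.1"}, h("a.js v3.2"): {"3.2"}},
    "/inc/css/b.css": {h("b.css"): {"3.0", "3.1", "3.2"}},
}

# Constructed sites: path -> body served (None stands for a 404).
STOCK_SITE = {"/readme.html": "readme v3.1", "/inc/js/a.js": "a.js v3.2",
              "/inc/css/b.css": "b.css"}
# The countermeasure named in the talk: standard files removed or altered.
HARDENED_SITE = {"/readme.html": None, "/inc/js/a.js": "a.js v3.2 re-minified",
                 "/inc/css/b.css": "b.css /* site-specific rules */"}

def fingerprint(site):
    """Return (detected, versions): the versions with the most matching files."""
    votes = Counter()
    for path, known in FINGERPRINTS.items():
        body = site.get(path)
        if body is None:
            continue                      # missing file: no evidence either way
        versions = known.get(h(body))
        if not versions:
            continue                      # present but modified: hash unknown
        votes.update(versions)            # one vote per version shipping this content
    if not votes:
        return False, []
    best = max(votes.values())
    return True, sorted(v for v, n in votes.items() if n == best)
```

Running `fingerprint(STOCK_SITE)` narrows the constructed site to version 3.2, while `fingerprint(HARDENED_SITE)` returns no detection, matching the speaker's remark that modified standard files defeat this method.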
Conclusions
This 2011 edition of the JSSI conference was, as usual, very interesting.
- First, because the subjects covered (cloud, smartphones, legal aspects) match current security concerns.
- Secondly, because throughout the day there was a good balance between presentations focused on lessons learned from projects (cloud, data anonymization, SOC) on one hand, and presentations focused on expertise (technical, organizational or legal matters) on the other.
This 10th edition of the JSSI conference confirms that this annual OSSIR event is one of the major French-speaking conferences in the field of IT security. And we will of course be there again next year!