NIST CYBERSECURITY FRAMEWORK 1.1

NIST CYBERSECURITY FRAMEWORK 1.1

INTRODUCTION

The Framework 1.1  offers an agile way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions. It applies to organisations relying on technology, whether their cybersecurity focus is primarily on Information Technology (IT), Industrial Control Systems (ICS), Cyber-Physical Systems (CPS), or connected devices more generally, including the Internet of Things (IoT). The Framework 1.1 can enhance the organisations in addressing cybersecurity as affects the privacy of other data. Additionally, the Framework’s 1.1 outcomes serve as targets for workforce development and evolution activities.

The Framework 1.1 is not a one-size-fits-all method to manage cybersecurity risk for critical infrastructure. Organizations will continue to have static risks with different threats and vulnerabilities, and also with risk tolerances. They also will vary in how they customise practices described in the Framework 1.1. Organizations can determine activities that are important to critical service delivery and can prioritise investments to maximise the impact of each dollar spent. The Framework 1.1 is aiming to reduce the risk and better managing cybersecurity threats.

The Framework 1.1 is a living document and will continue to be updated and improved as the industry responds to implementation. NIST will continue coordinating with the private sector and government agencies at all levels. As the Framework 1.1 is placed into higher practice, additional lessons learned will be integrated into future versions. It will ensure the Framework 1.1 which meets the needs of infrastructure owners and operators in a critical environment of new threats and also the solutions.

USAGE OF FRAMEWORK 1.1

An organisation can use the Framework 1.1 as a critical part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not used to replace existing methods, but companies can use its current method, and that can overlap it onto the Framework 1.1 to determine loopholes in its current cybersecurity risk approach. The Framework 1.1 can be used as a cybersecurity risk management tool; an organisation can identify activities that are most central to critical service delivery and prioritise expenditures to maximise the impact of the investment.

It is designed to complement cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing application. The Framework  1.1 provides a means of articulating cybersecurity requirements to business partners and customers and can help identify gaps in an organisation’s cybersecurity practices.

The Framework 1.1 can be applied throughout the lifecycle phases of the plan, design, build/buy, deploy, operate, and decommission. The planning phase begins the cycle of any system and lays the groundwork for everything that follows. Overarching cybersecurity considerations should be declared and described as clearly as possible. The plan should be recognized that those requirements are to evolve during the remainder of the life cycle.

CYBERSECURITY USAGE FRAMEWORK 1.1

CONCLUSION

The Cybersecurity Framework 1.1 is intended to reduce risk by improving the management of cyber security risk to organisational objectives. Ideally, organisations using the Framework 1.1 will be able to measure and assign values to their risk along with the cost and benefits of steps taken to decrease risk to proper levels. The better an organisation can estimate its risk, costs, and advantages of cybersecurity strategies and actions, the more rational, useful, and valuable its cybersecurity approach and investments will be.

Over time, self-assessment and measurement should improve decision making about investment priorities. For example, measuring – or at least robustly characterising – aspects of an organisation’s cybersecurity state and trends over time can enable that organisation to understand and convey meaningful risk information to dependents, suppliers, buyers, and other parties. An organisation can accomplish this internally or by seeking a third-party assessment. If done correctly and with an appreciation of limitations, these measurements can provide a basis for healthy trusted relationships, both inside and outside of an organisation.

REFERENCE:

https://www.nist.gov/cyberframework

https://www.us-cert.gov/ccubedvp/cybersecurity-framework

AUTHOR

Dharmesh B

Security Engineer

Briskinfosec Technology and Consulting Pvt Ltd.,

https://www.linkedin.com/in/dharmeshbaskaran/

MARA FRAMEWORK

MARA FRAMEWORK

Mobile Application and Reverse Engineering and Analysis Framework and it’s a tool that contains some major reverse engineering and analysis tools for Mobile Application testing and using this framework we can decompile a particular APK file and analyze the major issues in OWASP Mobile Top and this tool is been mainly used by the Penetration testers, security researchers, and application developers.

We can also use the various features of the APK file like

• APK Reverse Engineering
• APK DE obfuscation
• APK Analysis
• APK Manifest Analysis
• Domain Analysis
• Security Analysis etc.

APK REVERSE ENGINEERING:

• Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
• Disassembling Dalvik bytecode to java bytecode via enjarify
• Decompiling APK to Java source code via jadx–gui

APK DEOBFUSCATION:

We can extract the APK and analyze the code using Jadx-gui and it shows the codes that has been available for a selected APK File

APK ANALYSIS:

• Parsing smali files for analysis via smalisca
• Dump all assets, libraries and resources
• Extracting certificate data via openssl
• Identify methods and classes via classyshark
• It Extracts the Manifest File in XML format
• Scan for apk vulnerabilities via androbug framework
• Analyse the APK for Potential malicious behavior like androwarn

APK MANIFEST ANALYSIS:

• It Extracts the Intent and exported activities
• It Extracts the Manifest Files and services
• Extract exported services
• Checks if the APK is debuggable
• Checks if the APK allows Databackup
• Check if the APK receives any binary SMS

DOMAIN AND SECURITY ANALYSIS:

Domain analysis is been fetched from the WhatsWeb and the security analysis is checked from the OWASP mobile TOP 10 Checklist

INSTALLATION:

I have downloaded the MARA Framework from Github and listed the option in the framework

We need to launch MARA framework by using the command ./mara.sh

OPTIONS IN FRAMEWORK:

Here In the particular folder of MARA Framework you can see the option by the command of ./mara.sh

And I have downloaded a vulnerable app and configured in the Mara framework

APK ANALYSIS AND REVERSE ENGINEERING:

And after the analysis of the APK it gets saved in the particular folder as given in the below screenshot

Particular Folder that has been saved on the PC is by the below screenshot

Here the decompiled files get saved on the MARA-Framework folders and by viewing this files you can check for the required issues by the vulnerable APK-file.

CONCLUSION:

A multiple set of test tools will be necessary for a more thorough and comprehensive testing process .I have given an overview of the MARA Framework setup process and how it can expedite your android app reverse engineering and static analysis process.

BriskInfosec holds utmost experience in Mobile App Penetration Test to identify potential vulnerabilities and insure coding practises in android application

To know more get in touch with us

AUTHOR

Rajesh

Security Researcher

BriskInfoSec Technology and Consulting PVT LTD

Find @ https://www.linkedin.com/in/rajesh-karunakaran-4aa392102/

YSO – Opensource MOBILE SECURITY FRAMEWORK

YSO – OPENSOURCE MOBILE SECURITY FRAMEWORK

YSO is the Mobile Security Framework and they are capable of performing Static and Dynamic analysis on mobile Applications and Its supports only APK (Android) and IPA (IOS) files and they are various tools used to decompile, debug and code review in mobile app testing and it consumes lot of time and by this framework we can able to check over various mobile issues like

• Insecure Data Storage
• Insecure Communication
• Insecure Authentication
• Certificate Pinning
• Backup Data’s Enabled etc.

The above issues are the major mobile issues that are occurred in a common way

In Static Analysis it used to detect automated Code review, insecure Permissions, Configuration issues, and it also detects over insecure code like SSL overriding, SSL bypass, weak crypto, obfuscated codes, improper permissions, hard coded secrets, improper usage of dangerous APIs, and leakage of sensitive/PII information.

In Dynamic Analysis is slightly difficult to configure it mainly runs on the VM or on a configured devices and detects the issues at run time and Further analysis is done on the captured network packets, decrypted HTTP traffic, dumps, logs, etc.

This tool is highly scalable by which you can add your custom rules in easy use and you can use this framework results as a source to detect the mobile application issues manually and finally the overall report gets saved on the required folder that you are selected.

Requirements:

• Python 2.7
• Django 1.8

• Oracle JDK 1.7 or above http://www.oracle.com/technetwork/java/javase/downloads/

Notes:

• On Linux and Mac, install Oracle Java and make it the default one.
• iOS IPA Binary Analysis requires MAC OSX and you need to install Command line tools for MAC OSX

  http://osxdaily.com/2014/02/12/install-command-line-tools-mac-os-x/

STATIC ANALYSIS APK RESULTS:

CERTIFICATE ISSUE:

Static Analysis in IOS result:

CONFIGURING STATIC ANALYZER:

Tested on Windows 7, 8, 8.1, Ubuntu, OSX Marvicks

Install Django version 1.8

Pip install Django==1.8

Here I have installed Django in Linux

Django is one of the Web application Framework that used to make the process easier because it has some automated tools in-build so it executes the result at short interval of time

YSO Framework Configuration in Linux:

I have configured the YSO Framework and configured the server and

Configuration Link: http://127.0.0.1:8000/

Once you have entered this URL in your browser U’ll get a Page as follows

YSO EXECUTION ON BROWSER:

Here In this Framework you can upload a particular APK file OR IPA File that you are going to test and it executes the result as in the above figure

CONCLUSION:

From this Blog we have discussed above the installation, Configuration and working Method of YOS Mobile application Framework and we also discussed the results executed for a particular APK or IPA files.

YSO Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We’ve been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-test and this process requires a lot of effort and time. YSO Mobile Security Framework can be used for effective and fast security analysis of Android and iOS Applications.

BiskInfosec provides the best mobile Security solutions. For further doubts and security solution advices reach us @ Contact@briskinfosec.com

AUTHOR

RamKumar

Security Engineer

BriskInfosec Technolagy And consulting PVT LTD

follow me @https://www.linkedin.com/in/ram-kumar-3439b511a/

Owasp Mobile Top 10 M4 – Insecure Authentication

In this post, we are going to discuss the insecure Authentication which holds the Fourth position in Owasp Top 10 mobile Risks. Android apps are facing this vulnerability when the app fails to identify the user, allowing an anonymous user to login and using default login credentials. This category includes session management issues, privacy issues related to authentication, and issues where user identification tokens are compromised. Even if the mobile app uses a weak password policy to simplify entering a password, it suffers from insecure authentication.

To exploit this vulnerability, we have different approaches like attacking activities, Brute-force attack, user enumeration and checking password policy.

Attacking Activities:

In Android apps, everything is activities if you are in login screen it’s an activity if you are in profile screen its other activity so we can able to bypass the authentication by forcing the app to show the profile activity without giving username and password. To exploit activities we need to use a drozer framework which we have already discussed in earlier blogs.

first, we need to know what are the activities are available in insecure bank app for that we need to give the below commands

dz> run app.activity.info -a com.android.insecurebankv2

From the results, we come to know that that are 5 activities which are exported and first two are related to the login process.

 Fig. 1

 Com.android.insecurebankv2.LoginActivity is for login page screen (Fig 1.) and the com.android.insecurebankv2.PostLogin activity (Fig 2) is the screen which triggers when the user logged in. so we need to use the com.android.insecurebankv2.PostLogin activity to bypass the authentication. By using drozer let we start the activity by giving the below commands

dz> run app.activity.start  --component  com.android.insecurebankv2 com.android.insecurebankv2.PostLogin

 Fig 2.

 finally, we have bypassed the login page now we can do the transfer, changing the password or viewing the statement is possible. A brute-force attack is also possible but if the app has any brute-force protection mechanism it makes hard to attack. for example, if the app gets often login request it will block the user and it will restrict the access for a while. and there is another issues like Username Enumeration which occur when a user logged and for the second time when he/she too going login in app it shows the username and also when app gets the correct username and the wrong password that time it may show password of the username is wrong so it will conform us the username, it mostly happens in WordPress logins in web applications.

How to Fix:

• Don’t export unnecessary activities or use permissions when the activity is exported
• Implement two-factor authorization if called for the sensitivity of your application
• Disable anonymous accounts
• Implement strong password policy and don’t store the password in local storage

In this post, we have discussed how to attack activities using the drozer tool, and how the way android apps are vulnerable to owasp’s insecure authentication, and how to fix the vulnerability.

Reality of Manual account hijacking

       A vast majority of research focuses on automated and/or botnet exploits, which makes sense when considering the number of victims affected. However, a research team from Google and the University of California, San Diego chose a different path, looking at "manual account hacking." Exploits that are rare -- less than nine incidents for every one million people who use Google daily. "However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," the researchers mention in their paper Handcrafted fraud and extortion: Manual account hijacking in the wild. "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users.

Types of account hijacking

To start, there are two types of account hijacks:
● Automated account hijacking:  
Attacks that try to compromise user accounts via botnets or spam networks. This attack uses automated tools, attempting to maximize the attacker's ROI by scamming a small amount of money from thousands of victims.
● Manual account hijacking: 
The bad guys hijack accounts looking for ways to steal money, ransom applications or data, leverage contact information for future attacks, or use sensitive personal data against the victim.
To explain the difference between automated exploits and manual attacks, the paper mentions, "Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit -- or damage -- they can extract from a single credential."

 Image: Google

The graph to the right depicts the relationship between number of accounts hijacked and the "depth of exploitation." It seems we can be thankful the more prevalent automated exploits are less exploitative.

Steal email credentials and profile the victim

The first step is stealing a victim's account login information. The paper mentions the most sought-after account is email followed by online financial accounts. For this discussion, the focus will be limited to email-account hijacking.
Once attackers have the login information, they decide quickly whether the account is worth further effort. The paper explains, "If the brief account value exploration yields promising results, the hijackers spend an additional 15 to 20 minutes per account sifting through emails, and finding ways to monetize the account."
The hijackers are hoping to find emails holding financial or personal data they can use on the current victim or improve their chances of exploiting the victim's contacts by making the scam email supposedly from the victim seem more realistic.
The profiling portion of the attack was of special interest to the researchers. They mention, "This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are 'professional' and follow a well-established playbook designed to maximize profits."
The researchers offer more evidence that well-organized groups are behind manual account hijacks:
● The individuals seemed to work according to a tight daily schedule. They started around the same time every day, and had a synchronized, one-hour lunch break. They were inactive over the weekends.
● All individuals followed the same daily time table, defining when to process the gathered password lists, and how to divide time between ongoing scams and new victims.
● They were operating from different IPs, on different victims, and in parallel with each other, but the tools and utilities they used were the same. They also shared certain resources such as phone numbers.
More validation for experts who contend online-crime syndicates are run with business-like precision.

Exploiting the victim's contacts

Most individuals, at one time or another, have received an email where someone is in trouble and needs money. Almost at once the scam is dismissed because the email -- an automated account hijacking attempt -- makes little sense. However, manual account hijacks are different. Being non-automated, attackers can inject material to personalizing the scam email.
The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have:
● A story with credible details to limit the victim suspicion.
● Words or phrases that evoke sympathy and aim to persuade.
● An appearance of limited financial risk for the plea recipient as financial requests are requests for a loan with concrete promises of speedy repayment.
● Language that discourages the plea recipient from trying to verify the story by contacting the victim through another means of communication, often through claims that the victim's phone was stolen.
● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.

Defense strategies

The research paper then describes what email providers can do to prevent manual account hacking. Sadly, there are precious few for-sure user defenses other than second-factor authentication -- if it is available use it. Two-factor authentication will thwart the bad guys.

How Secure is Your Mobile Worker?

How well do you know your mobile worker? Understanding the mobile worker’s perceptions and behaviors will offer a better view on the potential security implications your organization must manage. Cisco recently released a new global infographic and white paper, the Cisco Connected World International Mobile Security study. They explore the mobile worker’s view points concerning working remotely, connecting to corporate, and their sense of security. Some of the findings are worth reflecting on to help you set the course for your mobile security efforts.
There is no question that the movement to mobile personal devices in the workforce has been well recognized. A recent response to this trend includes almost half of employers offering to fund workers to buy their own devices. Allowing the “chose your own” device alternative will attract and retain talent and reduce costs (see recent IBSG BYOD research), but what are the security implications?
There are a few striking data points to call out:

• 63% of users download sensitive data on their devices. The frequency significantly increases in some countries which should alarm people doing business internationally if there are no precautions taken to secure the downloaded data. Imagine your financial data or product road maps being downloaded on an unprotected personal device.
• Most believe remote access is a privilege. Yet in some countries they believe it’s a right as a worker. This establishes high expectations for IT to support and secure the devices including, but not limited to, extensive help desk calls.
• Most users are diligent when a pop-up appears and will read through the details and determine what it really means. Yet, many workers from select countries generally tend to be less careful and accept warning pop-ups without reading the details which increases the risk that hidden malware will be downloaded. Hackers depend on this social mining effort.
• 60% of users admit to engaging in risky behavior on a device (for example, personal or company-owned) while connected to corporate resources. This suggests that more security enforcement technology would benefit the prevention of data breaches and/or loss.

So, who really owns the mobile security issue? Mobile workers do not take full responsibility for a safe device with 84% believing that their IT will protect them from threats no matter what device is used. Sometimes IT’s perspective on this dependency is expressed with disbelief. An example of this issue was observed at BlackHat from a security professional during a demonstration we presented a couple weeks ago.
During the demonstration, we were showing how a user who inadvertently clicked on a phony URL sent in an email. That click triggered to phone an alert to a hacker that an “innocent” user is accessing the phony Internet site. The user unknowingly offered login credentials to their bank account. The hacker begins to record the users’ keystrokes to use later for malicious purposes. A security professional from BlackHat chimes in during the demonstration with the comment, “Dumb User.” The demonstration later showed how the combined effort of Cisco ISE and SIEM (Lancope) with unique TrustSec enforcement can identify and control the malicious activity with a single policy (for example, by segmenting and restricting users traffic close to the edge—on a network switch). The surprise to the security experts watching the demonstration was the concept that the network switch provided this enforcement.
Bottom Line: Most mobile workers have good intentions but do rely on IT to step in.
It would be great hear from you on your impressions of these recent findings and whether you are a mobile worker or an IT professional.
Please refer to Cisco’s security response for the mobile workforce: Secure Access