Saturday, 20 February 2016

Book Review: Securing Systems: Applied Security Architecture and Threat Models

I bought this book pretty much the week it came out but as it wouldn’t load onto my third gen Kindle I ended up reading the first hundred or so pages before getting sidetracked and forgetting about it.

However, a few weeks back a friend mentioned it again and so it went back to the top of my reading list. The same friend, who to be fair is biased and is actually referenced in this book, has always been a huge fan and advocate for how Brook approaches threat modelling so I was really looking forward to this.

Threat modelling is one of those arts in security that really benefit from experience and I'm always interested in learning more on how different people practice it. Like most I've read what I'd consider to be one of the original volumes from Microsoft on the topic by Frank Swiderski and Window Snyder, the more recent Threat Modelling for Security by Adam Shostack and have the PASTA book (Risk Centric Threat Modeling) by Tony Uceda Velez and Marco Morana lined up for reading in the next few months.

The book is split into three sections; the first covers some background on key threat modelling concepts and the author’s approach to threat modelling, the second covers some worked examples using the approach and the final section finishes off on governance and programme considerations.

The first section starts off with a chapter giving some background in relation to security assessment, threat modelling and introduces some of the core concepts and processses that the author considers key to his approach to threat modeling, including the ATASM (Attack, Threats, Attack Surfaces, Mitigations) approach and the concept of a credible attack vector. This chapter also gives an overview of the types of threat agents/actors that exist and how to analyse them in terms of capability, activity level and sentiment and then moving on to considering risk tolerance within your organisation.

The next chapter covers an introduction as to why enterprise architecture exists, provides some guidance on creating diagrams to support threat modeling before moving onto covering the concepts of architecture patterns and starting to work through some key concepts for threat modelling including data flow analysis, component identification and decomposition.

The book then moves onto a chapter covering risk management, which I skimmed but was thrilled to see Jack Jones and the FAIR model referenced (and noticed he’s quoted on the back cover too). Even if people don’t intend to go “full FAIR” on their analysis, I’ve always considered the FAIR risk model to be a great approach to decomposing risks and any use of it is always good in my opinion! This chapter really focuses on establishing more detail on the credible attack vector and just good enough risk rating (JGERR) concepts that the author uses. I was really happy to see the author drawing attention to personal bias and the difference between a individual's personal risk appetite and the organisation’s appetite. Both of these of so often ignored in info sec risk discussions that it's great to see then come up here even in high level coverage of the topic.

The last chapter in this section walks through the ATASM process in more detail, covering each step with a simple example based on a traditional three tier web application. This is probably the chapter that will interest a lot of people most as it’s very much focused on how to approach treat modelling using the structure proposed by the author and tees up the worked examples perfectly. I have to say that this chapter is a really easy read and nice approach to threat modeling, with there being less focus on coming up with very structured bullet point approaches in lieu of just putting some fundamental principles to approaching an assessment.

The book then moves to the second part, which is focused on taking the concepts outlined in the first part and walking through of a couple of examples, starting first with a classic three tier web application, then expanding this to include a greater enterprise view, a back end data analytics application, before moving tact and covering endpoint AV, mobile and cloud. This really is the best section of the book as working through examples is really still the best way to get your head around threat modelling and these practical worked examples are often missing from books on the topic. Also, this section does a great job of covering one of the most often asked questions; how far should you decompose an application during analysis. I really liked the idea the author puts forward of a defensible component, which he defines as "the level at which the security controls and their implementation in and around that particular component can be easily understood”. These example chapters read exactly like you’re in the room with the author and he’s just chatting away. Which is both good and bad for me. For some reason I find it harder to read this style as it’s very much a stream of consciousness, rather than a very highly structured format. Maybe I’m just a simple creature who needs more structure...  however, equally it gives an insight into the process and mindset, and also is about as good as actually sitting next to him!

Personally I would have a liked a greater focus on examples or approaches to the diagramming of the threat models as for me this can often be one of the biggest stumbling blocks for people and should be a key artfact of the analysis. Also, as the author focuses so much on the nuances of levels of decomposition of analysis, for me it would have been great to show some examples of the different levels in diagrams. However, interestingly the author covers this to some degree at the end of the book by highlighting that he really aims to use whatever documentation is available already as the basis for the threat model in order to avoid trying to make security seem like a special discipline. However, unfortunately for me I find that it's most often the case that this documentation doesn't exist in the first place for many systems I've assessed! (Never a good starting point... )

The last part of the book changes tack again and looks beyond the process of performing threat modelling and looks towards governance and management of an assessment program. This is a great addition to the book as it’s easy to start doing security assessments, but inevitably you hit the problem of scale and need to figure out how to not be a blocker but also not let projects slide. Unless you can overcome this even the most positive starts will start to deteriorate either through not covering all systems, or reducing the scope and coverage of the systems resulting in ultimately no added value to the development/system team. It also covers some key lessons like the importance of building relationships within the organisation and touches on the common mistakes of people seeing the architect role as a linear promotion for good engineers, which misses the key soft skills required to be a success as an architect. For me, this is the kind of material that really should be considered mandatory for CISM type certifications, and really gives a realistic view of how security programs run and need to be run.

I really enjoyed this book and apart from more diagram examples, I can't fault it. It makes a great addition to the threat modeling resources available and I'd highly recommend that anyone involved in security read this.

One of my favorite parts of the book were a couple of simple nuggets of wisdom that attest to someone with real experience in security. There were three or four bits that particular resonated with me, but there were probably many more so for that alone, I’d highly recommend this book.
Additionally, what is a really nice touch is how the author continually highlights that no one person’s opinion or interpretation is complete and actively encourgages people to provide feedback if they think he even missed anything in the worked examples! In a professional where everyone is an expert, thought leader or evangelist, that level of humility is a refreshing change.

Links:
Amazon: http://www.amazon.com/Securing-Systems-Applied-Security-Architecture-ebook/dp/B00XKX1FK8/


Wednesday, 10 February 2016

Book Review: Hadoop Security

As a follow up to my basic into to Hadoop with Hadoop 2 Quick Start Guide, I wanted to get more detail on the security features available in the Hadoop ecosystem and this sounded like it fitted the bill and was recently published (June 2015) so figured it would be pretty up to date.

One thing that I immediately liked about the book is that apart from a very brief few pages of an intro to security concepts, it get straight into things, which for me is always a good indication taht there won't be much padding in the book.

The book first starts off with a section on security architecture starting with a basic look threat modelling for distributed systems, which is a nice touch as really threat modelling should be part of any security architecture discussion and even touching on this at a high level is great, as is puts the whole book in context.

The next chapter moves onto general security architectures in a Hadoop environment, covering network level segregation, OS level security and an overview of the different types of Hadoop node roles. This was a great start to the book as immediately it starts working through the different nodes, what user roles need access to them, what nodes can be segregated from direct access and how at a high level they interact for data loads and job submission.

The final chapter of the architecture section finishes up with an overview of Kerberos, which while initially seemed a bit strange, it becomes obvious why later on as Kerberos plays such a key role in Hadoop security. If you need to get up to speed quickly on Kerberos, I’d highly recommend Kerberos: A Network Authentication System… it’s a quick and easy read that I read over ten years ago and it’s still as good now as it was then.

The next section deep dives more into authentication and at this point the book gets straight into the hands on configuration guide, covering detailed configuration steps required to map Kerberos principles into the Hadoop world, how to map to local users, how user groups work in Hadoop and mapping to LDAP groups. The chapter then moves on to cover the various authentication protocols in use across the Hadoop ecosystem, before explaining the differences between simple and Kerberos authn and then a nice dive into token auth, including the flows of how delegation tokens are created to allow various systems to impersonate users. The chapter finishes off with a fully worked Kerberos authn configuration guide, which to be fair I skimmed over as I don’t need that level of detail at the moment.

The next chapter moves onto authz covering HDFS ACLs and extended ACLs and various service level authorisations before moving on to MapReduce (1 and 2) and YARN, and Zookeeper ACLs, HBase, and Oozie. There’s a few nice worked examples here of the effects of authz restrictions and what errors users will see when their access is restricted.

The book then moves on to cover Sentry, which is Apache’s attempt to centralise authz within the Hadoop ecosystem, which after reading through the previous few chapters it’s obvious it’s needed! The basic architecture on which Sentry works is covered and how it integrates with the various applications and then walks though how to configure each application to use Sentry. Again a very practical oriented approach is taken here with a lot of detail on the configuration steps.

The last chapter in this section covers the logging available by default in each of the various applications and their basic config. This is a quick chapter and really just goes to show the configuration aspect, rather than any analysis approaches to the logs.

The third section of the book moves onto data security, specifically to cover encryption of data in transit and at-rest, starting with great coverage of how HDFS file encryption works. What was particularly good in this chapter was the strong emphasis it places on the key management and also making the reader conscious of potential lack of encryption on temporary data such as logs. The second half of the chapter covers encryption of data in transit, mainly focusing on the configuration of SSL/TLS in the various applications in the ecosystem.

The next chapter is a short one and looks at security of data as it is loaded into the Hadoop ecosystem, covering both the confidentiality and integrity of the data, but mainly focusing on confidentiality/encryption. The following chapter then covers how client access of data in the Hadoop environment can be performed securely, focusing of course on the edge nodes and how users interact with them, through command line RPC or APIs. From an architecture perspective, I found this chapter particularly helpful as it does a good job of describing the trust boundary that will exist in most deployments and how this should be architected securely.

The last chapter in this section covers Cloudera Hue and to be honest I just skimmed this one as it wasn’t relevant to me.

The final section of the book covers some use cases nicely, outlining scenarios with business and security requirements, before walking through how to architect and configure the right mix of controls to meet the requirements. For me I would have loved more examples here as this is more at the level I’m working at, rather than the technical configuration. But still, great to see it presented in this way.

Overall, this was a great book that to be fair goes into a lot more depth in terms of technical configuration settings than I needed. This can make it a tough read if you’re just looking for the high level, however, if you’re setting up a Hadoop cluster then this should be your go-to book.

However, it also works great at the level I was looking for as it's got a strong focus on architecture considerations and puts the security functionality into context rather than just explaining the feature sets available. You just may need to skim some of the more detailed sections like I did!

Links:
Amazon: http://www.amazon.com/Hadoop-Security-Protecting-Your-Platform/dp/1491900989/
Safari: https://www.safaribooksonline.com/library/view/hadoop-security/9781491900970/


Monday, 25 January 2016

AWS Certified Solution Architect Associate Exam

Been an age since I've done any exams so decided before Christmas that I may as well try and use some of the AWS exams to formalise my knowledge a bit.

First one I picked was the AWS Solution Architect Associate and passed it this morning so figured I'd give some feedback on how I found the exam.

In terms of material I used, apart from obviously just using AWS practically and reading quite a few books over the last year on AWS, the main material I used for exam prep was the ACloudGuru training courses.

I went through all the ACloudGuru AWS associate level training material (Architect, SysOps, Developer) and the AWS Solution Architect Professional material before doing the Architect Associate exam. That's probably not necessary but I listen to a lot of material in the car so managed to get through all of them over the last two months. At the price point the ACloudGuru exams are at (very inexpensive), I would recommend that you buy all of them. The quality of the material is very high, they're interesting to listen to, they highlight a lot of exam specific questions and also are updated very frequently, which due to the pace as which new products and services are released on AWS, is essential for these exams.

I also used the official practice exam that costs $20, and this was actually worthwhile as it was reasonably close to the real exam.

So, onto the exam itself..

If you're not familiar with it, it's a 60 question, 80 minute proctored computer based exam. Similar to all the ones you've probably done before in IT in that sense.

Coverage of topics was pretty much in line with what the ACloudGuru courses stated, and with a strong emphasis on EC2, S3, the security responsibilities of users vs AWS and a lot on which combinations of AWS services to use in different scenarios. A few question on RDS, DynamoDB, Route 53 and some billing/management questions.

About 80% were scenario questions, with around three or four lines to read in each scenario. Nearly all were choose two/three of the following four answers, rather than choose one. These are more like the scenario questions you get in the practice exams, but more awkward and complex.

The remaining 20% were straight forward questions like you’d see in the ACloudGuru examples.

Most questions were effectively based on application of the knowledge you get in the Udemy/ACloudGuru course. e.g. If you know private subnets don’t include routes to the Internet, you can rule out certain answer options that include systems on the Internet accessing instances on these subnets.

The wording I thought was very poor and appears designed to catch you out, rather than test your knowledge, which always annoys me. You spend more time reading the scenarios to try and figure out what they’re actually asking, instead of clearly understanding what the requirements are and answering the question based on this. Of course, it could be said that this is probably close to having to actually interpret people’s attempts at giving you requirements in real life… :-)

Also, I noticed the fonts change in the exam questions (even when it isn’t designed to indicate a different context), which indicates pretty poor quality control on the user experience and creation of the questions (guessing copy/paste between materials).

There was at least one question where all the answers were incorrect, but two of the four answers were so completely wrong that it could only have been the other two (incorrect) answers.

In terms of timing, I got through all 60 questions in 55 minutes but had marked around 17 questions for review. I took another 10 mins for reviewing those and finished up with around 15 minutes to spare. Normally I get through these types of exams in around 60% of the time allocated so this was about right based on previous exams.

I would say though that marking questions for review is very strange for me and marking almost 30% is really high as I normally don’t ever bother reviewing any. However, some of them were so strange that I needed to re-read them at least three/four times and even then it still wasn’t entirely clear what they were asking in a few of them.

In terms of confidence in my answers.. I really couldn’t have said at the end if I passed or not, or even if I got 40% or 90%.. In the end I got 81%, which wasn’t too bad as I realized after that I’d gotten two obvious questions wrong.

To be fair, as an Architecture related exam, it’s actually does focus on application of knowledge of AWS, rather than just regurgitating lists of answers learned off. So in that sense I think it's actually a really good approach to take for this kind of exam.

However, I think it could definitely do with tightening up on the quality of the question wording as that’s key if you want the exam to be focused on application of knowledge, rather than just pick the right list of answers.

Overall, I'd definitely recommend doing this exam, especially as it gets you to learn bits of AWS that you may not use on a day to day basis yourself, and with how quickly new services pop up, this can't be a bad thing..

I'll definitely drive on with these and just need to figure out if I want to do all of the associate level exams now or just go straight to the Solution Architect Professional exam...