Monday, May 21, 2018

Double Submit Cookies Using PHP



Double Submit Cookies is another CSRF prevention method. It differs from the last method we talked about (Synchronizer Token Patterns): in Double Submit Cookies we use cookies instead of session ids.

Using JavaScript we can load the CSRF token into a hidden form field. We also check the user's submission in the back end: whenever a user requests a page he/she gets a totally random value, so an attacker can't predict it and use it against legitimate users.
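The flow described above, written out as an added example (this is not the post's own code from the linked repository): the server sets a fresh random cookie on every page request, the page's JavaScript copies it into the hidden field, and the back end accepts the POST only if cookie and field match. It assumes PHP 7.3 or later (array form of setcookie) and a site served over HTTPS.

```php
<?php
// Added example, not the post's code: double-submit cookie CSRF protection in plain PHP.
// Assumes PHP >= 7.3 (array form of setcookie) and an HTTPS-only site.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token';

// Issue a fresh random token on every page request and hand it to the browser as a cookie.
// It is deliberately NOT HttpOnly, because the page's JavaScript copies it into the form.
function issue_csrf_cookie(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: unguessable per request
    setcookie(CSRF_COOKIE, $token, [
        'path'     => '/',
        'secure'   => true,               // never sent over plain HTTP
        'httponly' => false,              // document.cookie must be able to read it
        'samesite' => 'Strict',
    ]);
    return $token;
}

// The form ships with an empty hidden field; the inline script fills it from the cookie.
// A cross-site attacker cannot do this: another origin can neither read this cookie nor
// predict a value that changes on every request.
function render_form(): string
{
    return <<<'HTML'
<form method="post" action="/transfer">
  <input type="hidden" name="csrf_token" id="csrf_token" value="">
  <input type="text" name="amount"><button type="submit">Send</button>
</form>
<script>
  var m = document.cookie.match(/(?:^|; )csrf_token=([0-9a-f]+)/);
  if (m) document.getElementById('csrf_token').value = m[1];
</script>
HTML;
}

// Back end: the cookie the browser sent and the hidden field must match byte for byte.
function csrf_valid(array $cookies, array $post): bool
{
    $cookie = $cookies[CSRF_COOKIE] ?? '';
    $field  = $post['csrf_token'] ?? '';
    if (!is_string($cookie) || !is_string($field)) {
        return false;
    }
    // Reject empty or malformed cookies: an absent cookie must never "match" an absent field.
    if (strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        return false;
    }
    return hash_equals($cookie, $field);  // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_COOKIE, $_POST)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    // ... perform the state-changing action here ...
    exit('OK');
}

echo render_form();          // render after the cookie header has been queued
issue_csrf_cookie();         // setcookie() must run before any output in a real script; order shown for reading
```

Note that in a real script issue_csrf_cookie() has to be called before the echo, since PHP cannot send the Set-Cookie header once output has started; the bare double-submit scheme also trusts that only your own origin can set the cookie, so if sibling subdomains are untrusted, bind the cookie value to the session (for example with an HMAC) as well.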

Download Example : https://github.com/achalapramuditha/Double_Submit_Cookies-PHP

Synchronizer Token Patterns Using PHP


Synchronizer token pattern (STP) is a technique where a token, a secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. STP is used to prevent CSRF attacks. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.



To prevent CSRF attacks we can use a simple method such as generating a random string on the server side, appending it to the body of the front end, and checking that both values match when the user submits the web page. We can also use methods such as checking standard headers to verify that the request is same-origin.
Synchronizer (CSRF) Tokens
  • Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks
  • Characteristics of a CSRF Token
    • Unique per user session
    • Large random value
    • Generated by a cryptographically secure random number generator
    • Add token to session and check it in backend
  • The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET
  • The server rejects the requested action if the CSRF token fails validation
In this example code I've used an openssl function to generate a secure random string; you can find it in the source code.
This is how it looks after CSRF protection:
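The session-based variant the bullet list above describes, as an added example (not the code from the linked repository): the token is created once per session with the CSPRNG, embedded as a hidden field, and compared in the back end with a constant-time check. It assumes plain PHP with native sessions; where the post uses an openssl function, random_bytes() is used here, and openssl_random_pseudo_bytes(32) would do the same job.

```php
<?php
// Added example, not the post's code: Synchronizer Token Pattern in plain PHP.
// The token lives in the server-side session (not in a cookie the client can read).
declare(strict_types=1);

session_start();

// Create the per-session token once. The post uses an openssl function for this;
// random_bytes() is PHP's built-in CSPRNG and gives the same 256-bit random value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field carrying the token; HTML-escaped so it cannot break out of the attribute.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate: the submitted value must equal the session's token. hash_equals() is
// constant-time and strict; a loose == would coerce numeric-looking strings.
function csrf_check(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given    = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;   // no token in the session means nothing can legitimately match
    }
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action here ...
    unset($_SESSION['csrf_token']);   // optional: rotate the token after a successful change
    exit('Action performed');
}

echo '<form method="post" action="">' . csrf_field()
   . '<input type="text" name="amount"><button type="submit">Send</button></form>';
```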


Download Example : https://github.com/achalapramuditha/-SynchronizerTokens-php 


Tuesday, October 24, 2017

HOW DO YOU SPELL CREDENTIAL THEFT PROTECTION…EPP, NGAV, OR EPM?

 | Endpoint | 
It’s 2017 and time to realize that cyber attackers have the advantage of time, resources and motivation. They are actively progressing to a point where they test new tactics using the same software you likely use to detect threats in the first place. Common Anti-Virus (AV) and Endpoint Protection (EPP) suites on the market are now leveraged for evading detection on the very desktops and laptops and servers you want to protect. While that is not new, the use of tools such as Shellter, OWASP-ZSC or Veil-evasion is changing the game. With these tools, hackers can easily take an exploit-capable payload and encode it, so that signature detection by anti-virus products and other signature-based detection approaches will fail to detect them. These shadow developers then test for detection using a few of the most prevalent AV scanners, often using the very online scanners that their targets use to protect their corporate assets.
This modernization of the attackers’ software development process has helped these miscreants to deploy some of the most polymorphic software kits available. While I am not trying to draw a direct connection to newer software development approaches such as DevOps, it is rather similar with these streamlined approaches hackers have adopted to evade detection. As a result, traditional static signature methods for detecting viruses, malware and APTs are past their prime. Attackers are just too quick to generate a specific attack that they know you will likely not detect because it leverages a known vulnerability you likely didn’t patch and does so with an approach that is unique to you. On top of that, it was likely validated as undetectable by the AV suite you depend upon to protect what you hold most dear.
Not going to fall for the banana in the tail pipe
I know what you are thinking, you can do better than traditional AV offered in EPP suites, right? You are saying to yourself, “We are not an organization that gets lulled into a false sense of security. (Sorry Axel Foley.) We can install advanced, next-generation AV (or NGAV) that’s powered by the cloud and provides cyber analytics and threat intelligence.”
Of course you could do this. But don’t fall into the hype. Why? There is a great quote by Chris Hoff about what to expect when you move your datacenter to the cloud that goes, “If your security sucks now, you will be pleasantly surprised by the lack of change should you embrace the cloud.” So applying this, if you liked (or disliked) your endpoint security before, you are going to love a Next Gen platform delivered from the cloud. OK, I will admit, I might have hijacked that quote to help illustrate a point: just because it’s cloud-deployed doesn’t mean it’s better.
What is important to note here is that using data analytics and intelligence sourced from a community to detect likely footprints of an attacker is indeed a great idea, as long as your analytics work 100% of the time and you have a 100% of the required data to provide the context (i.e. the log data containing the digital footprints) in the first place. While your NGAV anomaly detection-based system is “learning” what you do and figuring out what “normal is from abnormal,” you best keep your fingers crossed and hope on the double 100s always win. We all know hope is not a strategy. (Better check the tailpipe.)
A defense in depth strategy is necessary when it comes to protecting endpoints on a network. Therefore, the use of EPP or the security analytics in NGAV is a complementary addition to one of the key activities that all the security frameworks identify: hardening all of your systems. In its simplest terms, system hardening is about reducing the surface of vulnerability, or the potential for vulnerability, by first understanding all software and hardware, both authorized and unauthorized, on your network.  Then secondly, taking appropriate measures to have only what is needed to operate, and third continuously monitoring for vulnerabilities, making necessary updates to OS and application software and enforcing security policies such as password changes and timeouts.  While some of these activities can be debated as other forms of security controls beyond hardening, hardening is not a one and done activity. It should be considered a continuous process of ensuring a system (and its users) has only what it needs and nothing more to do its job.
AV products on the market today and the promises of NGAV do serve a purpose in providing another layer to aid in the protection of endpoints, but they are unfortunately weakened by only detecting what they know or have data coverage and ability to see. As a point of comparison, hardening with least privilege, app control with grey listing and credential theft protection reduces the attack surface far more significantly. Many cyber frameworks (including CIS critical controls framework) and industry analysts agree that implementing hardening is the most effective action to prevent malware. According to a recent Gartner report, “Endpoint hardening, including vulnerability, patch, privilege and policy management, and application control, is currently the most effective form of malware defense; however, most organizations are unwilling or unable to invest in the upfront effort required to reduce the attack surface.” (The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization, 22 September 2016).
Why is system hardening so important?
System hardening across all of your endpoints is a necessary step (or set of steps as previously outlined), starting first with getting an understanding of all assets, both HW and SW, and then taking measures to reduce the attack surface through the reduction of the possible attack vectors. Hardening activities do not tie you to known attacks, and in fact, do not look for specific attackers. Hardening brings you back to the basics to protect access to what attackers aim to steal: “privilege.” In fact, SANS’ most recent security survey identified the ultimate goal of attackers is credential compromise, and the report noted privilege escalation caused the most impact. There is a step in the process of every attack that hackers strive to achieve: escalating privileges. The reason is simple: if the attacker has administrative level control over a resource, they stand a better chance to accomplish their objective.
The most common approach to gaining more privileges is by credential theft for an administrative or privileged user account. Malware targets the credential stores on Windows systems, such as harvesting credentials from the login process, the Windows SAM, various email systems, SSH terminal sessions as well as browser stored credentials. Some malware examples that carry out this harvesting are phishing email based HawkEye and the often file-less based and PowerShell assisted Mimikatz attacks.  With a hardening strategy in place, the attacker’s ability to execute a targeted attack using either of these “live off the land” style of attack vectors is severely diminished. Microsoft to their credit acknowledges this is a potential problem and has tried to solve this with Windows 10 Credential Guard, but it’s a partial solution and easy to get around.
We have spoken previously about the value of least privilege and about application control. Using these tactics can prevent many malware attacks from playing out.  However, having an “assume breach” and “defense in depth” mindset, combined with credential store protection as a further hardening measure (which has the ability to detect and block selectively at the application process level), gives you a way to severely deter and contain an attack at the point of intrusion. The attacker would not have the ability to obtain the required credentials to pivot to another system. By way of introduction, CyberArk Endpoint Privilege Manager offers credential theft protection that helps you to spell relief around credential theft.
To illustrate one of the more common credential theft attack vectors, I’ve included an example below of how a “living off the land,” file-less type of attack using PowerShell to load Mimikatz remotely is subsequently thwarted once CyberArk Endpoint Privilege Manager with credential theft protection is activated.
The dialog above depicts how PowerShell is used to load Mimikatz and then successfully grab credentials from the LSASS process on Windows.
Once CyberArk Endpoint Privilege Manager activates credential theft protection on the LSASS process, the same attack simply fails.
Every attempt made to harvest credentials is captured within the CyberArk Endpoint Privilege Manager Eventlog. The dialog above showcases how both detect and block events on LSASS were logged within the CyberArk Endpoint Privilege Manager console.
Configuring credential theft protection within CyberArk Endpoint Privilege Manager is simple, providing granular control over various credential stores as depicted in the dialog below.
If you are ready to get “back to basics” and see what credential theft protection can do for you, request a demo of CyberArk Endpoint Privilege Manager, the first Privileged Account Security solution for every desktop, laptop and server with credential theft protection built-in.

Editor’s note: Click here to listen to Laura Melton, senior information technology associate at Texas A&M University College of Architecture, about the importance of removing local administrator rights to strengthen endpoint security using CyberArk Endpoint Privilege Manager.

THE WHYS AND WHEREFORES OF AUTOMATING PRIVILEGED TASKS


 | Security and Risk | 
Task can be defined as:
noun 1.  A piece of work that needs to be done regularly.
verb  2.  Assign a piece of work to.
IT operations teams are often inundated with menial, regular and repetitive tasks (e.g. trigger events, running daily monitoring activities and starting services) that can not only be damaging to the business when done incorrectly, but also hinder productivity. By limiting the number of tasks assigned to IT and enabling greater access to automation capabilities, performance and productivity can be significantly improved. In parallel, it’s important to protect your environment from risks such as the abuse or misuse of privileged access (insider threats), service outages caused by human error (typos) and third-party/remote vendor vulnerabilities (external threats).
Automation can be defined as:
noun 1.  The technique, method, or system of operating or controlling a process by highly automatic means, as by electronic devices, reducing human intervention to a minimum.
I recently addressed the importance of locking down the remote vendor attack pathway, as this is often an easy target for cyber attackers. By automating privileged tasks (any task to be performed by a privileged user), you can lessen potential vulnerabilities in process workflows both utilized by internal users and remote vendors alike. Once you fully automate a privileged task, you’re not only simplifying privileged account security processes, but also helping to ensure your remote vendors (who might have access to critical servers, endpoints and applications) will not inadvertently make an error that could lead to a serious security risk.
Additionally, in the DevOps world, orchestration tools are automating tasks across workflows, taking this role from IT operations and vendors – even for some systems that are no longer in existence. In the on-premises world, organizations still rely on vendors and support staff to perform tasks on an ad-hoc, often sporadic basis. Ideally, organizations should allow all of these tasks to be performed while a complete and correlated audit trail is generated automatically.
CyberArk solutions enable audit and operations teams to monitor and record the task management and automation of related activities as well as promote user accountability across the board. Users can automate maintenance and provisioning of tasks, (re)start and stop services, and only launch the applications or clients necessary to perform the task at hand – and nothing else. Users can also automate deployments through remote SSH command execution on target systems in both on-premises and cloud environments – all while maintaining the highest security standards. This functionality enables users to place restrictions on what privileged users are allowed to do with an organization’s most critical assets.
So How Does it Work?
Let’s walk through a simple example. A local Windows Server Administrator account has been on-boarded into the CyberArk Vault, and the usage of this privileged account has been limited to only a handful of allowed operations.
Full access to the server is not permitted, the user can only manage a list of services running on that server.
The user selects “Restart Service” and is then prompted to select the service to be managed, which can be pre-populated or added as a part of a drop-down list to further limit the control the user has over this account and the server.
 
After the user clicks ‘OK,’ the service will restart. Through the CyberArk Privileged Session Manager, a full audit trail is created capturing the completed actions by each privileged user. Any abnormal behavior, abuse of privileges or any other privileged activities associated with that privileged task will be on record and immutably stored in a tamper resistant vault. Sessions can be monitored in real time or later reviewed by a member of the audit team to improve security and support compliance regulations.
Whether your tasks ‘need to get done regularly’ or they’re something you ‘assign a piece of work to,’ it’s in your best interest to introduce automation controls. The example above shows how easily this can be done. Organizations today mostly exist in a ‘do more with less environment’ so it’s a best practice to automate simple privileged tasks to keep a high level of security and enable IT operations teams to focus on workloads that deliver more value to the organization.
Learn more about privileged task automation and management by watching our on-demand webinar, “Curse of the Typo! Automate Repeated Tasks to Improve Efficiency and Reduce Risk Around User Mistakes.”  You can review the on-demand version of the webcast at any time.

LOCKING DOWN THE REMOTE VENDOR ATTACK PATHWAY THROUGH PRIVILEGED ACCOUNT SECURITY


 | Security and Risk | 
Remote vendors are everywhere, and they’re not limited to help desk services, storage and application service providers or other IT-focused MSP’s. Let’s not forget about the other vendors a company typically works with – law firms, public relations firms, HVAC, trucking companies, supply chain vendors, services companies – the list goes on. Organizations both large and small grant third-party vendors with access to their network and applications as a necessary means to do business. However, in doing this, they also introduce a potential new pathway for cyber attacks.  This pathway can be especially vulnerable given that the security controls for third-party vendors are not typically held to the same standards as those followed internally by an organization.
Locking down privileged credentials for remote vendors is a critically important step in minimizing the attack surface. A recent report showed that 67 percent of organizations had experienced a data breach that somehow tied back to a third-party vendor. This is a clear indication that attackers continue to look at third parties as an easy way to gain a foothold into a network, move laterally, escalate privileges and eventually gain access to their target assets. Before engaging with third-party vendors, organizations should fully vet each one and consider the potential risks the vendor might introduce to their business.
Mitigating Risks Associated with Remote Vendors
The first step in mitigating risks associated with remote vendor access is an obvious one – identify all third parties that have access into your internal systems. This can represent a complex ecosystem for some organizations. The number of vendors given access to systems and applications continues to increase year-over-year widening the threat landscape for attacks – and somehow remote vendor access management is still not considered to be of high priority for many organizations. CyberArk has a free tool that discovers privileged user accounts and credentials provisioned by your organization as well as those created by third parties (that perhaps you didn’t even know existed).
Organizations should be able to safely provide their remote vendors with access to the resources they need without exposing any user credentials, and at the same time, without introducing too many hoops for them to jump through. Storing passwords, SSH keys and other associated credentials with your third-party privileged accounts in a single, secured vault is how you can provide the required level of access without burdening the end user. Keeping a close eye on all privileged activity within your environment is accomplished through session isolation, monitoring and recording.  Doing this both secures and assigns all internal and external users with a baseline-level of accountability. More importantly, by adding this separation layer between the end user and target systems, you enable your users to successfully complete their tasks without directly accessing critical systems. To the end user, everything appears to be totally normal, but if an attacker were to get into the network, they wouldn’t be able to move laterally across the environment or spread harmful malware to an organization’s systems.
Putting the Right Tools in Place
What about those regular and mundane manual tasks that can be inadvertently damaging to the business? Remember that recent public cloud outage where a routine debugging exercise went haywire leading to a six hour meltdown caused by one simple little typo? Automated privileged task management (both in the cloud and on-premises) safeguards your remote vendors and internal users alike by automating manual, sometimes critically sensitive privileged tasks while simultaneously improving workflow productivity. How would you respond to high-risk commands and tasks that can lead to a mix up like above example? With the right analytics tools in place, you can pre-define default, high-risk commands that are unique to your organization and automatically notify the necessary security teams to take action when those commands have been executed. Furthermore, these tools can help you to detect and even disrupt in-progress attacks through both heuristic and advanced behavioral-based threat detection capabilities.
The CyberArk Privileged Account Security Solution can help minimize the threat associated with third party vendor management. Controlling and auditing each vendor’s access can be resource-intensive, causing meaningful activities to get lost in the shuffle. Therefore, it’s recommended to start with the areas that have the highest risk, such as access, privileged access and critical assets. CyberArk enables organizations to securely lock down remote vendor access and put the necessary security controls in place to enable third parties to safely complete tasks.
Learn more by downloading the Securing Remote Vendor Access with Privileged Account Security white paper. See how CyberArk can help to identify vulnerabilities in your organization and how you can better secure your privileged accounts against targeted attackers.

FIVE THINGS TO KNOW ABOUT RANSOMWARE


 | Security and Risk, Videos | 
With WannaCry barely in the rear view mirror, ransomware was back in the spotlight with a new malware dubbed NotPetya. We can expect to see new ransomware strains as advanced attackers continue to evolve their tactics, and the ramifications on business will be significant if proactive measures are not taken. In previous posts, we’ve deconstructed ransomware and offered mitigation tips. To protect your organization, it’s important to be informed and have baseline knowledge.
Here are five things to know about ransomware:
  1. What is ransomware? Ransomware is a type of malicious software, or malware, that denies access to files and data until a ransom is paid. There are two distinct types of ransomware. The most common is crypto ransomware, which encrypts sensitive data and files until a ransom is paid. The other type, locker ransomware, locks a device, completely preventing the victim from using it. In most cases, ransomware encrypts personal files, blocking users from accessing them. Victims are given instructions on how to pay the requested ransom, and only after doing so, are they given a decryption tool that will unlock the files.
  2. How does ransomware encryption work? A well-designed ransomware strain will typically use an asymmetric encryption algorithm, which leverages a pair of keys – one public and one private. The data that is encrypted with the public key can only be unlocked by this matching private key and vice versa.
  3. How do victims pay cyber ransoms? Ransoms are typically paid in the cryptocurrency Bitcoin due to its anonymity and difficulty to trace.
  4. How much is a typical ransom? Requested ransom amounts can vary wildly. In the WannaCry attacks, victims were asked to pay between $300 and $600 via Bitcoin to have their files unlocked. This may not seem like much, but it’s important to consider the other, more severe, costs resulting from such attacks due to downtime caused by lack of access to systems. Shockingly, it was recently reported that a South Korean web hosting provider paid $1 million in bitcoins to hackers after a Linux ransomware infected its servers and encrypted the websites’ data hosted on them. A big jump from the amount the Hollywood Presbyterian Medical Center reportedly paid last year.
  5. How do I mitigate risk? Ransomware prevention measures can seem particularly daunting as administrator rights are not always required for some of today’s advanced strains of malware to compromise an end users’ machine and infect the endpoint. This means that while privilege management can play a role in mitigating risks, many strains of ransomware can encrypt data using standard user rights. So even if an organization has removed local administrator rights, this doesn’t necessarily mitigate the risk. However, testing at CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights, was 100 percent effective in preventing ransomware from encrypting files.
Watch this CyberArk Brief and learn how to proactively protect against ransomware.

PRIVILEGED ACCESS MANAGEMENT: A MATRIX APPROACH FOR ACCOUNT RANKING AND PRIORITIZATION

 | Guest Blogs | 
Throughout the course of my six years in helping KPMG clients with their Privileged Access Management programs, there has rarely been a simple answer to the critical questions of exactly which privileged accounts in an environment should be integrated first (e.g., application/infrastructure/personal accounts), and exactly how we should control each type of privileged account. The ways an organization can control privileged accounts using a solution like CyberArk can vary greatly (e.g. vaulting, password rotation, brokering, etc.).
A common approach to password management includes treating all vaulted credentials with the same level of control measures; this is typically a symptom that indicates a lack of a risk-based approach to assigning criticality to accounts. Alternatively, we also see cases of wild inconsistencies in the way passwords are managed, typically leaving it up to the individual platform owners to pick and choose the right security controls for them. This is typically an indication of a lack of defined PAM standards that can be applied enterprise-wide. When developing strategies and roadmaps for KPMG clients, our teams apply an “Account Criticality Matrix” to help answer these questions. This matrix is designed to help standardize the way we rate and weigh the criticality of a given account. It includes a set of predefined criteria that we tailor to meet the unique needs of each organization. Example criteria in the Account Criticality Matrix include:
*   Number of individuals that have access to a given privileged credential
*   Frequency of account usage
*   Potential to access sensitive data
*   Scope of privilege across single/multiple systems or platforms
*   Control level granted
Based on the numerical scoring derived from the Account Criticality Matrix, we then begin to build a profile of what an organization would consider a “high-risk” account versus a “low-risk” account.  This profile helps on numerous fronts.  First, it allows for consideration of account types that typically would not be considered as true “privileged” accounts.  For example, many application or service accounts are inadvertently excluded from management in organizations due to a lack of understanding of enterprise privileged account definitions by the application owner.  In the absence of pre-defined account prioritization criteria, those owners are left to decide what constitutes a “privileged” account or not.  Many will opt for the latter without prescribed guidance.  The matrix will allow an organization to take any account type and provide a standardized metric to determine whether it meets the criteria to be integrated into CyberArk.
The second benefit is the standardization of account controls across the organization based on the calculated account criticality.  Depending on licensing and hardware limitations, recording all privileged accounts may not be feasible.  Based on a pre-defined policy, an organization could mandate that only “high” rated accounts require dual control and PSM recording, but periodic password rotations of “medium” rated credentials are sufficient.
Thirdly, combining knowledge of “high” severity accounts and implementation effort can provide a window to prioritization of the path of integration.  When various stakeholders ask why the decision was made to start with default local accounts first and not their specialized application, you can point them not only to the fact that those accounts rated as high based on the user base, scope of privilege, and access granted, but also because the implementation effort was lowest for those accounts.

Art Chaisiriwatanasai is a Director within KPMG’s Chicago office and is a member of their IT Advisory – Cyber practice. Art has in-depth experience in information security focusing on privileged access management, security operation center implementations, vulnerability management, risk assessment, and incident response initiatives.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. [Printed in the US]. The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.