Webinject Crafting Goes Professional: Gozi sharing Tinba webinjects
Researched and co-authored by the F5 SOC and the F5 Security Research team Webinject crafting is a separate profession now. There are people who write webinjects and sell them to fraudsters, who use them to weaponize Trojans. Based on our analysis of several campaigns of Gozi and Tinba, the malware distributors seem to have bought their webinjects from the same webinjects workshop. Although those are different malware families attacking mostly different financial institutions, their webinjects seem almost identical. The tiny differences originate from the fact that the malwares report to different fraudsters’ servers and have fake HTML content customized for the specific banking targets. The main structure of this webinject version comprises several scripts that will initialize the BOTID, fetch external scripts that include the main fraud functionality, and remove the script element from the DOM to cover its traces. Figure 1: Tinba webinject Figure 2: Gozi webinject Figures 1 and 2 show the identical parts of the script and the differences in the additional scripts fetched from the command-and-control (C&C) server. Notice that the path structure on the C&C server gives a hint about the attacked country. In this example, the Tinba external script URL has a different domain name and geographical target area, “id” (Indonesia). The Gozi external script is also identified by geographical target area, but it is marked as subfolder name “di” (Indonesia). Analyzing the external scripts with fraud business logic reveals that same resemblance was present in the webinject. (See Figures 3 and 4.) Figure 3: Tinba JS content. Figure 4: Gozi JS content. The Gozi injection has customized, fake HTML content for a Polish bank, but other than that, most of the variables and functions bear the same names and the same logic. Script Overloading An interesting observation about webinjects from this vendor is that the same resource name on the server may result in different JavaScripts, which are differentiated by the “referrer” header. This means that while the URLs to be injected into the login page and the internal account page will have the same filename, different script content will be returned from the C&C server. The differences in script size are shown in Figure 5. Figure 5:JavaScripts differentiated by referrer header and size. More complexity to come The profession of webinject crafting is being reflected in Trojan campaigns against banks. We can only guess whether the resemblance between the webinjects is a result of a cooperation or of both fraudsters buying webinjects from the same third party. Either way, a great deal of fraud business logic is now implemented in JavaScript and contained in the webinjects. We expect the complexity of webinjects to increase, along with their roles in successfully committing malicious transactions. This trend is being closely monitored by our researchers. What remains to be seen is whether the “production” of these webinjects, which use shared rather than custom code, increases the risk that more organizations, and smaller organizations, may be attacked. Tested samples: Tinba md5: a01412b41e1837754be907d6989472e5 Gozi md5: e4d8cc25266ae39a5e5e87c7048f15f3 Mitigation F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 enables financial organizations working online to gain control over areas that were once virtually unreachable and indefensible, and to neutralize local threats found on customers’ personal computers, without requiring the installation of software on the end user side. This approach covers the entire install base. The entire solution is delivered from the F5 BIG-IP platform and therefore doesn’t require any integration or modification of the application. Rounding out its offerings, F5 provides professional services and advanced research capabilities in the field of cybercrime including malware, Trojans, viruses, and more. To learn more about F5 fraud protection, read the WebSafe datasheet as well as the MobileSafe datasheet. To learn more about the F5 Security Operation Center, read the F5 SOC datasheet.Gootkit Malware, New Targets around the World
During the last campaign of Gootkit malware, detected by F5 in February 2016, new targets were spotted while analyzing its configuration. Gootkit, identified in some cases as Waldek, is a banking Trojan that was first seen in the wild around April 2014. Gootkit is a JavaScript based malware which uses web-injects, recording actions and utilizes a unique persistency mechanism in order to steal user credentials on infected machine. In this specific configuration, the malware recorded user actions when they are interacting with the login page, those recordings are assumed to be sent over email to the fraudster. While it was previously reported by “Proofpoint”, that the Gootkit malware started expanding its interest to other geographical areas and assumed that it will keep on this trend, we can currently witness this actual expansion forecast. By analyzing the malware configuration, we’ve noticed it targeting financial institutions from previous reports in Europe such as UK, France, Spain, Italy, Germany, Belgium, Luxemburg, Hungary, Bulgaria and Swiss banks. From latest investigation we’ve noticed that Gootkit has started to examine new areas around the world, from the Middle East, attacking financial institutions in Israel and Egypt, now also targeting banks in US and Canada, even found targeting Sri Lanka and New Zealand. Figure 1 Gootkit list of targets As with other financial Trojans, Gootkit performs preparations by using video recording functionality before it is launching actual attacks on financial institutions websites. The video recording documents user interaction with the bank’s website, while it can include several options, such as recording time and the frame rate of the video. After a record has been created the file will be uploaded to the C&C. Figure 2 Gootkit configuration targeting generic "bank" name Gootkit has an interesting traffic pattern, while communicating over HTTPS using port 80. We just can assume that it is intended to trick some weak firewall rules. Gootkit communicates with couple of domains defined hardcoded in the infection file. Figure 3 Gootkit Communication points In order to avoid detection, the malware rewrites itself under a different file name every hour while deleting the previous version of the file. To survive a reboot, it adds an “Autorun” registry key in HKEY_CURRENT_USER registry hive, under the \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which will run the malicious file every time a user logs on to his Windows account. MD5 Sample: 1002c739e6152d917335c6f46d15e8c5 References: · https://www.proofpoint.com/us/gootkit-banking-trojan-jumps-channelDyre - No Rest for the Wicked
Dyre malware requires little introduction as it had been the focus of many publications and it is a well-known threat in the financial malware world. One of the reasons for it being so infamous is the frequent changes the authors incorporate in the code. Recently, my colleague Gal Shilo and I noticed a few minor changes in Dyre’s configuration file. This triggered research that uncovered a significant evolution in the malware’s behavior. Windows 10 and Microsoft Edge Browser are Under Attack While Windows 10 is gaining momentum, Dyre creators don't miss the opportunity to target the early adopters by also infecting the Edge browser that ships with this OS. This is an example of the browser injection routine: Renewed Dyre Commands Dyre uses a windows pipe for inter-process communication, passing commands from the main module it injects into the “windows explorer” process to other processes. The commands are passed both to browsers launched by the user and stealthy worker-processes launched by the malware itself. In the new sample, most of the commands discussed in previous F5 research have been replaced and a few new ones have been added, along with new functionality. The following is a list of new commands and their functions: 0xF1”lli” – Get the botid name srvv – Get the C&C IP dpsr – Get the data POST server IP grop – Get the botnet name seli – Get the self-IP gcrc – Get the fake pages configuration gcrp – Get the server-side webinjects configuration pngd – Get the account information stolen by the pony module sexe – Among other jobs, it copies the droppee path and its content both to Dyre’s special structure and the configuration file on disk. It also tries to get the anti-antivirus module from the C&C. gsxe – Get the droppee path Additional Protection Layers Here is a list of new features designed to add protection from removal and detection: The pipe’s name is no longer hardcoded (e.g. "\\\\.\\pipe\\3obdw5e5w4"). It is now based on a hash of the computer name and windows OS version Although the purpose was to make the pipe harder to detect because it is unique per machine, the opposite was accomplished as the name can now be predicted for each machine. Anti-antivirus module – A new Dyre module dubbed aa32(or aa64 on 64 bit OS) by the malware, was observed. After receiving it from the C&C, it is injected to the “spoolsv.exe” process (the spooler service responsible for fax\print jobs). Its functionality is to locate anti-virus products on the machine and disable their activity (for example, by deleting their files or changing their configurations). Some of the spotted vendors include: Avira, AVG, Malwarebytes, Fortinet and Trend Micro. Looking for the product path in the registry: Encrypted strings – The hardcoded debug strings that used to make analysis much easier are now encrypted. They are decrypted only during runtime, so the static analysis reveals much less than before about the malware’s behavior. In former versions of the malware, a runkey was set in order to maintain persistency after a reboot. However, in this version, a scheduled task is ran every minute. Disable windows security center We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous. They also wish to keep the malware up-to-date with current OS releases in order to be “compatible” with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest. Sample MD5: 5f464d1ad3c63b4ab84092d2c1783151Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Maintain a Vulnerability Management Program which includes PCI Requirements 5 and 6. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network and Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data Requirement 5: Use and regularly update antivirus software or programs. PCI DSS Quick Reference Guide description: Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy. Solution: With BIG-IP APM and BIG-IP Edge Gateway, F5 provides the ability to scan any remote device or internal system to ensure that an updated antivirus package is running prior to permitting a connection to the network. Once connections are made, BIG-IP APM and BIG-IP Edge Gateway continually monitor the user connections for a vulnerable state change, and if one is detected, can quarantine the user on the fly into a safe, secure, and isolated network. Remediation services can include a URL redirect to an antivirus update server. For application servers in the data center, BIG-IP products can communicate with existing network security and monitoring tools. If an application server is found to be vulnerable or compromised, that device can be automatically quarantined or removed from the service pool. With BIG-IP ASM, file uploads can be extracted from requests and transferred over iCAP to a central antivirus (AV) scanner. If a file infection is detected, BIG-IP ASM will drop that request, making sure the file doesn’t reach the web server. Requirement 6: Develop and maintain secure systems and applications. PCI DSS Quick Reference Guide description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program. Secure coding practices for developing applications, change control procedures, and other secure software development practices should always be followed. Solution: Requirements 6.1 through 6.5 deal with secure coding and application development; risk analysis, assessment, and mitigation; patching; and change control. Requirement 6.6 states: “Ensure all public-facing web applications are protected against known attacks, either by performing code vulnerability reviews at least annually or by installing a web application firewall in front of public-facing web applications.” This requirement can be easily met with BIG-IP ASM, which is a leading web application firewall (WAF) offering protection for vulnerable web applications. Using both a positive security model for dynamic application protection and a strong, signature-based negative security model, BIG-IP ASM provides application-layer protection against both targeted and generalized application attacks. It also protects against the Open Web Application Security Project (OWASP) Top Ten vulnerabilities and threats on the Web Application Security Consortium’s (WASC) Threat Classification lists. To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change in control, as when an application is initially being deployed, or other triggers such as a quarterly report. The vulnerability scanner scours the web application, and in some cases actually attempts potential attacks, to generate a report indicating all possible vulnerabilities. This gives the administrator managing the web security devices a clear view of all exposed areas and potential threats to the website. Such a report is a moment-in time assessment and might not result in full application coverage, but should give administrators a clear picture of their web application security posture. It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not. Otherwise, many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings. Simply having the vulnerability report, while beneficial, doesn’t make a web application secure. The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since recoding an application is expensive and time-consuming and may generate even more errors, many organizations deploy a WAF like BIG-IP ASM. A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until developers have an opportunity to properly close the hole. Often, organizations use the vulnerability scanner report to either tighten or initially generate a WAF policy. While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate those vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised. For cloud deployments, BIG-IP ASM Virtual Edition (VE) delivers the same functionality as the physical edition and helps companies maintain compliance, including compliance with PCI DSS, when they deploy applications in the cloud. If an application vulnerability is discovered, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organizations to immediately patch vulnerabilities virtually until the development team can permanently fix the application. Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. But with BIG-IP ASM VE, organizations have full control over securing their cloud infrastructure. BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, making BIG-IP ASM the most advanced vulnerability assessment and application protection on the market. In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM protects the applications between scanning and patching cycles and against zero-day attacks that signature-based scanners won’t find. Both are critical in creating a secure Application Delivery Network. BIG-IP ASM also makes it easy to understand where organizations stand relative to PCI DSS compliance. With the BIG-IP ASM PCI Compliance Report, organizations can quickly see each security measure required to comply with PCI DSS 2.0 and understand which measures are or are not relevant to BIG-IP ASM functions. For relevant security measures, the report indicates whether the organization’s BIG-IP ASM appliance complies with PCI DSS 2.0. For security measures that are not relevant to BIG-IP ASM, the report explains what action to take to achieve PCI DSS 2.0 compliance. BIG-IP ASM PCI Compliance Report Finally, with the unique F5 iHealth system, organizations can analyze the configuration of their BIG-IP products to identify any critical patches or security updates that may be necessary. Next: Implement Strong Access Control Measures ps
The BYOD dilemma for financial firms
We have spoken a lot about BYOD on DevCentral, but it continues to be a significant issue for countless businesses! Financial firms in particular are, understandably, grappling with the trials of enabling flexible, mobile working whilst protecting their highly confidential data. We’ve talked at length about the view that BYOD can have a huge beneficial impact on businesses and it seems that the tide of consumer devices working their way into the office is showing no signs of turning. However, a lot of the information held by financial firms is highly sensitive, either commercially or personally, and can be used to find out private information or learn about deals which may have an effect on the market. Clearly this information leaking out of employees’ pockets is an unacceptable situation, which is why many financial organisations are seen to be stonewalling BYOD initiatives and preventing it from becoming more widespread. Unfortunately for these firms, preventing BYOD is looking like less and less of an option as employees disregard these blanket policies in order to more efficiently do their jobs. So what solution is there for financial businesses stuck between a rock and a hard place? It’s actually surprisingly simple: embrace BYOD. That doesn’t mean to say that there should be a laissez faire attitude to employees using unmonitored and unmanaged devices; far from it. What it means is that these businesses should put detailed and comprehensive policies in place and ensure that all devices which access the systems have mobile application management software enabled on them – controlling what can be accessed, and from where, at the application level. The BYOD policy and implementation should make clear what kinds of files are permitted on BYOD devices and have policy engines to enforce these rules. Computer Weekly has a good primer on what kinds of policies should be put in place which is worth taking a look at. BYOD is here already and it is up to businesses to ensure that its managed effective. Fortunately, it’s something that we’re well placed to help with.Complying with PCI DSS–Part 6: Maintain an Information Security Policy
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and the last entry is Maintain an Information Security Policy which includes PCI Requirement 12. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2:Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program, Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures and Part 5: Complying with PCI DSS–Part 5: Regularly Monitor and Test Networks. Requirement 12: Maintain a policy that addresses information security for all personnel. PCI DDS Quick Reference Guide description: A strong security policy sets the security tone for an entire organization’, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it. Solution: The spirit of this requirement is to ensure the adoption of a Corporate Information Security Policy (CISP). Although policy-based, F5 solutions don’t, by themselves, meet this requirement in context. F5 products facilitate adherence to the CISP, but they do not actually comprise a CISP. That said, F5 products can help organizations roll out business policies and security policies together. Applications needn’t be built and deployed in a vacuum; F5 technologies can be implemented in conjunction with corporate policies that address information security. Since the inception of the PCI DSS, organizations have been laboring to understand, implement, and comply with its guidelines. Often, achieving that goal requires deploying and managing several different types of devices. The BIG-IP platform enables organizations to understand inherent threats and take specific measures to protect their web application infrastructures and to satisfy many PCI DSS requirements. psComplying with PCI DSS–Part 5: Regularly Monitor and Test Networks
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Regularly Monitor and Test Networks which includes PCI Requirements 10 and 11. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2:Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program and Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures. Requirement 10: Track and monitor all access to network resources and cardholder data. PCI DSS Quick Reference Guide description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs. Solution: The spirit of this requirement is to ensure appropriate systems generate logs, with implementation and monitoring of log aggregation and correlation systems. The ability to monitor and log all user sessions and requests for access to sensitive information, such as cardholder data and Social Security numbers, is critical to any security environment. F5 offers a suite of solutions that are session-based, not packet-based. With this full reverse proxy architecture, the BIG-IP platform has the ability to manage full user sessions, regardless of the transport mechanism or network, and match those user sessions to specific data actions, supplying log data and a full audit trail from the user to the data. This allows F5 application security devices to ensure the confidentiality, integrity, and availability of all application data on the network. All F5 products support remote logging, allowing logs to be pushed to secure networks and devices for archiving. In addition, the TMOS architecture can manage isolated, secure logging networks in conjunction with the application networks, using features such as mirrored ports, VLANs, and virtualized administrative access. Protecting network resources and application data 24 hours a day, seven days a week, without affecting network performance, is a core function and the foundation of all F5 security products. Requirement 11: Regularly test security systems and processes. PCI DSS Quick Reference Guide description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configuration. Solution: The spirit of this requirement is to ensure that the complying organization itself tests its security system and processes. Since F5 does not offer a penetration testing service, this is one of just two PCI DSS requirements that F5 products cannot significantly address. Next: Maintain an Information Security Policy psComplying with PCI DSS–Part 4: Implement Strong Access Control Measures
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Implement Strong Access Control Measures which includes PCI Requirements 7, 8 and 9. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data and Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program. Requirement 7: Restrict access to cardholder data by business need-to-know. PCI DSS Quick Reference Guide description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on a need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job. Solution: BIG-IP APM and BIG-IP Edge Gateway control and restrict access to corporate applications and cardholder data. Secure access is granted at both user and network levels on an as-needed basis. Delivering outstanding performance, scalability, ease of use, and endpoint security, BIG-IP APM and BIG-IP Edge Gateway help increase the productivity of those working from home or on the road, allowing only authorized personnel access while keeping corporate and cardholder data secure. For application services, the BIG-IP platform protects data on the ADN as it is communicated to the user and other service architectures. The BIG-IP platform can scan, inspect, manage, and control both incoming and outgoing data—in messaging requests such as headers (metadata), cookies, and POST data, and in message responses in metadata and in the response payload. BIG-IP APM, BIG-IP Edge Gateway, and BIG-IP ASM, along with the TMOS operating system, all work together to create a secure, role-based data access path, prohibiting malicious users from bypassing role restrictions and accessing unauthorized data. Lastly, BIG-IP ASM can help make sure web pages that should only be accessed after user login/authentication are only accessible to users who have been properly authenticated. Requirement 8: Assign a unique ID to each person with computer access. PCI DSS Quick Reference Guide description: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Solution: The entire F5 product suite addresses the issue of unique user identification and management and acts as an enforcement mechanism. For identification, BIG-IP APM, BIG-IP Edge Gateway, and BIG-IP ASM all work on the user session level, managing a single user session throughout its duration. This is accomplished using various tools, such as secure cookies, session IDs, and flow based policies. For authentication, BIG-IP APM and BIG-IP Edge Gateway communicate with nearly all user ID and authentication systems via RADIUS, Active Directory, RSA-native, Two-Factor, LDAP authentication methods, basic and forms-based HTTP authentication, SSO Identity Management Servers such as Siteminder, and Windows Domain Servers. They also support programmatic user authentication via secure keys, smart cards, and client SSL certificates, allowing near-infinite authentication combinations across public and enterprise credential services. Transport security is accomplished through TLS/SSL. The BIG-IP platform can offload SSL computations from the back-end application servers, providing data security and network flexibility. A BIG-IP ADC is a full SSL proxy, allowing it to inspect and protect data passed to the application over SSL before re-encrypting the data for secure delivery to the application or back to the user. In addition, BIG-IP APM’s detailed reporting gives organizations the answers to questions such as “Who accessed the application or network, and when?” and “From what geolocations are users accessing the network?” Reporting capabilities include custom reports on numerous user metrics, with statistics grouped by application and user. Requirement 9: Restrict physical access to cardholder data. PCI DSS Quick Reference Guide description: Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems, or hardcopies, and should be appropriately restricted. “Onsite personnel” are full-and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration, usually up to one day. “Media” is all paper and electronic media containing cardholder data. Solution: A hardware security module (HSM) is a secure physical device designed to generate, store, and protect digital, high-value cryptographic keys. It is a secure crypto-processor that often comes in the form of a plug-in card (or other hardware) with tamper protection built in. HSMs also provide the infrastructure for finance, government, healthcare, and others to conform to industry-specific regulatory standards. Many BIG-IP devices are FIPS 140-2 Level 2 compliant. This security rating indicates that once sensitive data is imported into the HSM, it incorporates cryptographic techniques to ensure the data is not extractable in a plain-text format. It provides tamper-evident seals to deter physical tampering. In fact, the HSM in BIG-IP is certified at 140-2 level 3. By being certified at level 3, the HSM has a covering of hardened epoxy which, if removed, will render the card useless. The BIG-IP system includes the option to install a FIPS HSM (on BIG-IP 6900, 8900, 11000, and 11050 devices). Additionally, the FIPS cryptographic/SSL accelerator uses smart cards to authenticate administrators, grant access rights, and share administrative responsibilities to provide a flexible and secure means for enforcing key management security. PCI Cardholder Data Environment with F5 Technologies Next: Regularly Monitor and Test Networks psComplying with PCI DSS–Part 2: Protect Cardholder Data
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Protect Cardholder Data which includes PCI Requirements 3 and 4. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network Requirement 3: Protect stored cardholder data. PCI DSS Quick Reference Guide description: In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable, for instance, [by] obfuscation [or] encryption. Solution: The spirit of this requirement is encryption-at-rest—protecting stored cardholder data. While F5 products do not encrypt data at rest, the BIG-IP platform has full control over the data and network path, allowing the devices to secure data both in and out of the application network. F5 iSession tunnels create a site-to-site secure connection between two BIG-IP devices to accelerate and encrypt data transfer over the WAN. With BIG-IP APM and BIG-IP Edge Gateway, data can be encrypted between users and applications, providing security for data in transit over the Internet. BIG-IP APM and BIG-IP Edge Gateway can also provide a secure access path to, and control, restricted storage environments where the encryption keys are held (such as connecting a point-of-sale [POS] device to a secure back-end database to protect data in transit over insecure networks such as WiFi or mobile). With BIG-IP Application Security Manager (ASM), data such as the primary account number (PAN) can be masked when delivered and displayed outside of the secure ADN. BIG-IP ASM also can mask such data within its logs and reporting, ensuring that even the administrator will not be able to see it. Requirement 4: Encrypt transmission of cardholder data across open, public networks. PCI DSS Quick Reference Guide description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks, so it is important to prevent their ability to view this data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person. Solution: The modular BIG-IP system is built on the F5 TMOS full-proxy operating system, which enables bi-directional data flow protection and selective TLS/SSL encryption. All or selective parts of the data stream can be masked and/or TLS/SSL encrypted on all parts of the delivery network. The BIG-IP platform supports both SSL termination, decrypting data traffic with the user for clear-text delivery on the ADN, and SSL proxying, decrypting data traffic on BIG-IP devices for content inspection and security before re-encrypting the data back on the wire in both directions. The BIG-IP platform, along with the F5 iRules scripting language, also supports specific data string encryption via publicly tested and secure algorithms, allowing the enterprise to selectively encrypt individual data values for delivery on the wire or for secure back-end storage. The BIG-IP® Edge Client software module, offered with BIG-IP APM and BIG-IP Edge Gateway or as a mobile application, can encrypt any and all connections from the client to the BIG-IP device. Customers have customized and installed BIG-IP Edge Client on ATMs and currency or coin counting kiosks to allow those devices to securely connect to a central server. In addition, two BIG-IP devices can create an iSession tunnel to create a site-to-site connection to secure and accelerate data transfer over the WAN. iSession tunnels create a site-to-site secure connection to accelerate data transfer over the WAN Next: Maintain a Vulnerability Management Program psComplying with PCI DSS–Part 1: Build and Maintain a Secure Network
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. Over the next several blogs, we’ll explore how F5 can help organizations gain or maintain compliance. Today is Build and Maintain a Secure Network which includes PCI Requirements 1 and 2. PCI DSS Quick Reference Guide, October 2010 The PCI DSS requirements apply to all “system components,” which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external web applications. The cardholder data environment is a combination of all the system components that come together to store and provide access to sensitive user financial information. F5 can help with all of the core PCI DSS areas and 10 of its 12 requirements. Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data. PCI DSS Quick Reference Guide description: Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks. All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. All systems must be protected from unauthorized access from the Internet, whether via e-commerce, employees’ remote desktop browsers, or employee email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Solution: F5 BIG-IP products provide strategic points of control within the Application Delivery Network (ADN) to enable truly secure networking across all systems and network and application protocols. The BIG-IP platform provides a unified view of layers 3 through 7 for both general reporting and alerts and those required by ICSA Labs, as well as for integration with products from security information and event management (SIEM) vendors. BIG-IP Local Traffic Manager (LTM) offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller (ADC) designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scalability, performance, and persistence. Running on an F5 VIPRION chassis, BIG-IP LTM can manage up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors and buffer sizes when under attack. It protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. The BIG-IP platform, which offers a unique Layer 2–7 security architecture and full packet inspection, is an ICSA Labs Certified Network Firewall. Replacing stateful firewall services with BIG-IP LTM in the data center architecture Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. PCI DSS Quick Reference Guide description: The easiest way for a hacker to access your internal network is to try default passwords or exploits based on the default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task if you have failed to change the defaults. Solution: All F5 products allow full access for administrators to change all forms of access and service authentication credentials, including administrator passwords, application service passwords, and system monitoring passwords (such as SNMP). Products such as BIG-IP Access Policy Manager (APM) and BIG-IP Edge Gateway limit remote connectivity to only a GUI and can enforce two-factor authentication, allowing tighter control over authenticated entry points. The BIG-IP platform allows the administrator to open up specific access points to be fitted into an existing secure network. BIG-IP APM and BIG-IP Edge Gateway offer secure, role-based administration (SSL/TLS and SSH protocols) and virtualization for designated access rights on a per-user or per-group basis. Secure Vault, a hardware-secured encrypted storage system introduced in BIG-IP version 9.4.5, protects critical data using a hardware-based key that does not reside on the appliance’s file system. In BIG-IP v11, companies have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive. The Secure Vault feature can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. Secure Vault encryption may also be desirable when deploying the virtual editions of BIG-IP products, which do not support key encryption on hardware. Next: Protect Cardholder Data ps
