OSSIR Information Systems Security Day 2017
The 2017 edition of the Information Systems Security Day (JSSI, a registered trademark of OSSIR!) took place on Tuesday, March 14, 2017 in Paris. This year's theme was « Data leaks: how to protect yourself, detect them, and manage them ».
Intrinsec was pleased to be present and shares its report with you, thanking the organizers and presenters in passing.
The slides are available on the JSSI 2017 page.
#jssi17 it starts @OSSIRFrance pic.twitter.com/UT2xVq62wG
— V (@mynameisv_) March 14, 2017
Introduction: Information/Information Leaks – Jean-Philippe Gaulier
First talk of #JSSI17: the president @jpgaulier surprised us by talking about data leaks! pic.twitter.com/3JlPwYj7b5
— Loïs Samain🌐 (@lsamain) March 14, 2017
Jean-Philippe Gaulier is president of OSSIR and CISO within the IT department at Orange. After his introductory remarks as president of OSSIR, he took on the role of first speaker. He introduced the theme of this JSSI17, which focused on data breaches.
JP Gaulier emphasized the widespread circulation of information, which results from our presence on social networks (LinkedIn, Twitter, Facebook, among others) and from our connectivity (the proliferation of internet-connected devices). With this constant flow of data, infrastructures and/or users become targets.
To illustrate his point, Jean-Philippe cited the most significant examples of data leaks:
- Sony, Facebook, Twitter, Ashley Madison
- Cases of Julian Assange, Edward Snowden, and Kim Dotcom (Megaupload)
What do these data leaks have in common, according to Jean-Philippe? Humans are at the heart of every data breach (as the source, as the ones who have to manage it, or as the victims). The data involved is personal data: data from which an individual can be identified (in the sense of the CNIL definition).
Jean-Philippe finally gave a mixed assessment of data leaks: there are more and more of them and despite some protection systems (training, authentication, detection, intrusion prediction, encryption, anti-virus, anti-spam, anonymization, monitoring, SOC, anti-malware, etc.), there is currently no miracle solution.
The Hidden Face of the XXE (XML eXternal Entity) – Charles Fol
Charles Fol, from the company Ambionics Security, presented us with XXE (XML External Entity) type attacks.
These relatively recent attacks exploit the rich functionality and ubiquity of XML, a format used not only in application protocols (SOAP, XML-RPC, etc.) but also in office documents (Microsoft Office files, among others).
It is possible to define entities in the DTD (the grammar associated with an XML document) that act as variables, so that a frequently recurring piece of content can be declared once and referenced by name throughout the document. These entities can also reference system resources.
Possible actions include reading local files, reconnaissance of internal hosts, bouncing HTTP requests off the server, and so on.
Several techniques can be combined to build increasingly powerful attacks; building complex requests this way is, however, far from easy.
Charles Fol from @ambionics talks to us about #XXE at #jssi17.
Interesting bug bounty case: switching a JSON API to XML pic.twitter.com/cno65htQy7
— Clément Notin (@cnotin) March 14, 2017
Following a question from the audience, the speaker pointed out that the only way to protect against this type of attack is to forbid any external entity in the configuration of the XML parser.
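The mitigation Charles Fol gave (no external entities in the parser configuration), as an added example that is not code from the talk: a Python parser built on the standard library's expat binding that rejects any DOCTYPE, entity declaration or external entity reference before it can be resolved. The sample messages are constructed and the DTD system id is a placeholder.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when a document uses DTD features the no-entity policy forbids."""

def parse_without_dtd(xml_bytes: bytes) -> list:
    """Parse with the stdlib expat binding while refusing any DOCTYPE, entity
    declaration or external entity reference. Returns (tag, text) of leaf elements."""
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE; a data API has no need for one.
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected (system id {sysid!r})")
    def reject_entity_decl(name, *_):
        raise UnsafeXMLError(f"entity declaration {name!r} rejected")
    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} rejected")
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl        # defence in depth
    parser.ExternalEntityRefHandler = reject_external_ref
    leaves, stack = [], []   # stack holds one [tag, text chunk, ...] per open element
    def start(tag, attrs):
        stack.append([tag])
    def chars(data):         # expat may deliver text in several chunks
        if stack: stack[-1].append(data)
    def end(tag):
        entry = stack.pop()
        text = "".join(entry[1:]).strip()
        if text:
            leaves.append((tag, text))
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return leaves

def accepts(xml_bytes: bytes) -> bool:
    """True if the document parses under the policy; False if rejected or malformed."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False

# Constructed samples: a plain order message, and the same message carrying a DOCTYPE
# with an external DTD reference ("example.dtd" is a placeholder and is never fetched).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item>book</item></order>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE order SYSTEM "example.dtd">'
            b'<order><id>42</id><item>book</item></order>')
```

Parser defaults differ between libraries, so the restriction has to be set explicitly on whichever parser the application actually uses, including the one that reads XML parts out of office-document containers.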
GDPR Regulations: What Impact on Security? – Eric Barbry
Make way for the #RGDP at #JSSI17 – The May 25, 2018 deadline is approaching, and conferences on the subject are springing up everywhere! And we need them. #apoil pic.twitter.com/YfNOWEHUod
— Loïs Samain🌐 (@lsamain) March 14, 2017
Eric Barbry is a lawyer and director of the "Digital Law" department at the firm "Alain Bensoussan Avocats". He focused his presentation on the impact of the upcoming GDPR regulation on information systems security.
For this regulation, which will come into effect on May 25, 2018, the main impact lies in the fines that will be imposed on companies that have mismanaged data breaches: between €10 million (or 21% of annual revenue) and €20 million (or 41% of annual revenue). The way in which IT and data protection issues are addressed will therefore be crucial for CIOs/CISOs. According to Eric Barbry, there are several areas companies will need to focus on to comply with the law:
- Securing the data:
  - Data must be protected from the design stage ("protection by design"), meaning that technical and organizational mechanisms must be put in place within the company.
  - Protecting by default ("protection by default"): from the outset, put the company in a situation of over-protection of data (internally define a data access scheme, an authorization policy, access monitoring, etc.).
  - Securing data throughout the entire chain, from the CISO to the subcontractor, via a code of conduct (measures such as encryption, pseudonymization, integrity, etc.).
- Defining a data breach response plan:
  - This is a requirement of the new European law: every company must notify the relevant authority, whether or not there is a risk. It is the CIO's responsibility to determine whether notification is necessary (which implies a risk analysis).
- Communicating during the data breach crisis:
  - Conduct an impact analysis of the data breach, which the CNIL (French Data Protection Authority) will be entitled to demand.
  - Ensure that the subcontractor is an ally in regulatory compliance (which implies that the company must assess what happens at the subcontractor's and establish common security rules upstream).
#jssi17 The data controller is also responsible for what he has his subcontractor do. #GDPR https://t.co/kI2pYPm5pb
— Clément Notin (@cnotin) March 14, 2017
- Finally, setting up data governance, in other words defining who is responsible for the processing of personal data: the CIO, the CISO, or a DPO (Data Protection Officer).
Lessons learned from managing a major data breach – Stéphane Py
Stéphane Py holds the position of Chief Information Security Officer (CISO) within the IT department of Orange France. During his presentation, he shared his experience, as CISO, regarding the data breach that occurred in 2014.
He first set the context of the crisis: a theft of data from Orange's public customer area in January 2014, resulting in a leak of 800,000 records.
Throughout his testimony, Stéphane then highlighted the important steps that marked the management of this leak, from the onset of the crisis to its resolution.
- Two attacks occurred on the public customer portal, the first on January 12, 2014, and the second on January 15. On January 16, the technical teams discovered the data breach. The impact assessment prompted staff to switch to crisis mode. The customer portal section was closed, and a specific organizational structure, work procedures, and a crisis management hierarchy, of which Stéphane was a part, were implemented. Daily meetings were held, logistical arrangements were put in place (crisis room, meals, etc.), and action plans were launched.
#jssi17 How to effectively manage crisis mode within your organization: it's more beneficial to practice (or make a quick getaway). pic.twitter.com/Lc0XUHE36T
— Clément Notin (@cnotin) March 14, 2017
- A declaration to the CNIL was made promptly.
- On the technical side, Stéphane launched an analysis of the attack and its consequences so as to be able to communicate on several levels:
  - externally, notify the affected customers individually, but also all Orange customers, knowing that once this communication goes out the leak becomes public;
  - internally, pass the necessary information on to all staff in direct contact with customers.
- This communication was launched on January 29th and 30th. An AFP dispatch was released on February 2nd.
- On February 6th, the teams came out of crisis mode. A lessons-learned review was initiated in order to draw up an assessment and identify areas for improvement.
- Transition to post-crisis mode and handling of related issues (monitoring as the leak could encourage further attacks, addressing potentially related customer cases, filing complaints, etc.)
For Stéphane, three elements are ultimately crucial when managing a crisis related to a major data breach: preparation (the organizational and logistical aspects), pooling of effort (the entire company is affected, from technical teams to press/communication relations), and the constraint of deadlines which can be respected if the two previous elements are carefully addressed.
#jssi17 In conclusion @orange was glad to be used to crisis mode: practice before it happens! pic.twitter.com/aMdSkNnhTP
— Clément Notin (@cnotin) March 14, 2017
Data breach detection, crisis management, and action plan to return to normal operations. – Marc-Frédéric Gomez
As requested by the speaker: this conference remains under restricted distribution.
Conference on Bug Bounty Programs – Guillaume Vassault-Houlière
Guillaume Vassault-Houliere presents the bug bounty at the #JSSI17 of @OSSIRFrance pic.twitter.com/N127ztv5pb
— JP Gaulier (@jpgaulier) March 14, 2017
Guillaume Vassault-Houlière, aka Freeman, presented the principle of bug bounty and the platform of his company, Bounty Factory.
Historically, security experts who detected vulnerabilities had only two options: privately contact the companies concerned or make the vulnerability public.
The first solution directly exposed the researcher to the company's reaction (which was often to file a lawsuit). The second solution could harm the company itself, by exposing it to the possibility of the vulnerability being exploited before it was patched.
The bug bounty concept is based on a win-win exchange: companies set the rules and scope of the research, and white hats can use their skills for the benefit of organizations and be rewarded for each flaw discovered.
Bounty Factory, presented by Guillaume, acts as an intermediary between vulnerability hunters and companies.
This model works well: the rules are well established and the rewards are based on results.
Following a question about the possibility of a researcher colluding with a company employee who tips them off about a vulnerability in advance so that they can split the reward, Guillaume emphasized that trust remains the basis of this approach.
Offline extraction of secrets protected by the DPAPI – Jean-Christophe Delaunay
#JSSI17 and now @Fistours of @Synacktiv about #DPAPI pic.twitter.com/A6ZM7LFJlm
— Clément Notin (@cnotin) March 14, 2017
Jean-Christophe, a security expert at Synacktiv, presented DPAPI, which protects sensitive data in Windows environments. It is widely used (Windows Credential Manager, the password managers of Internet Explorer and Google Chrome, Skype), and its presence and use are transparent to the user.
This library has been around for a long time (since Windows 2000) and has not undergone any significant structural changes. Its widespread adoption is mainly due to its ease of implementation for developers (primarily two functions: CryptProtectData and CryptUnprotectData) and the backward compatibility typical of Microsoft's strategy.
The speaker went through the technical details and the questions raised by the use of DPAPI: the secret is derived from the user's password, so what happens when the password is changed? Are rainbow-table attacks possible?
Tools exist for penetration testing and forensics: Passcape, CoreSecurity's impacket, mimikatz, DPAPIck, dpapilab, and dpapeace. The latter is based on work done on DPAPIck and dpapilab and allows, among other things, offline decryption of data protected by DPAPI.
Big data: security of Hadoop environments – Mahdi Braik
#JSSI17 Mehdi Braik @wavestone_ on #Hadoop security pic.twitter.com/3nqnz4Dltv
— Clément Notin (@cnotin) March 14, 2017
The objective of the speaker from Wavestone was to provide the clearest and most relevant overview possible of the work that remains to be done regarding Hadoop ecosystems in terms of security.
Hadoop is an open-source framework that enables the distributed processing of large datasets within a server cluster using simple programming models. Companies the size of Facebook, Yahoo, and Microsoft have invested heavily in this project, whose complexity poses a significant security challenge.
By analyzing each layer of the framework, Mahdi showed, for example, that no authentication mechanism is enabled by default on a Hadoop cluster: authentication is left in "simple" mode, and data is not encrypted, neither on the servers nor during exchanges.
In conclusion, this is a project in full swing that still lacks maturity in terms of security.
#JSSI17 the attack surface of #hadoop is large: enough to make @nmap blink! pic.twitter.com/6TVoBlA23N
— Clément Notin (@cnotin) March 14, 2017
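The weak defaults Mahdi Braik pointed at (simple authentication, no encryption), as an added example that is not code from the talk or from the Hadoop project: a Python check that flattens Hadoop's core-site.xml and hdfs-site.xml and reports every setting left at, or explicitly set to, its weak value. The property names are real Hadoop settings; the target values are this example's policy and the sample configuration files are constructed.

```python
import xml.etree.ElementTree as ET

# Hadoop settings behind the findings above, with the value a hardened cluster should carry.
# The property names are real Hadoop settings; the target values are this example's policy.
EXPECTED = {
    "hadoop.security.authentication": "kerberos",  # default "simple": identity is just a claimed user name
    "hadoop.security.authorization": "true",       # default false: no service-level access control
    "hadoop.rpc.protection": "privacy",            # default "authentication": RPC payloads in clear text
    "dfs.encrypt.data.transfer": "true",           # default false: HDFS block transfers in clear text
    "dfs.http.policy": "HTTPS_ONLY",               # default HTTP_ONLY: web UIs and WebHDFS over plain HTTP
}

def load_properties(xml_text: str) -> dict:
    """Flatten a Hadoop *-site.xml (<configuration><property><name/><value/>) into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props: dict) -> list:
    """One finding per setting that is absent (so the weak Hadoop default applies) or weak."""
    findings = []
    for name, wanted in EXPECTED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name}: not set, Hadoop default applies; want {wanted!r}")
        elif actual.lower() != wanted.lower():
            findings.append(f"{name}: is {actual!r}; want {wanted!r}")
    return findings

def audit_cluster(core_site_xml: str, hdfs_site_xml: str) -> list:
    """Merge both files (they share one property namespace) and audit the result."""
    return audit({**load_properties(core_site_xml), **load_properties(hdfs_site_xml)})

# Constructed sample: core-site.xml and hdfs-site.xml of a cluster left close to the defaults.
CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""
HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.replication</name><value>3</value></property>
</configuration>"""
```

Running audit_cluster(CORE_SITE, HDFS_SITE) on the sample yields four findings: the explicit "simple" authentication plus the three settings that were never set.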
