Monday, October 12, 2015

Configuring Yubikey for SecurityOnion.

Configuring Yubikey for ssh logon into SecurityOnion

Yubikey is a small USB token that generates one-time passwords (OTP). The token can be used to enable two-factor authentication for SSH logon to SecurityOnion:
- Something you know: password
- Something you have: yubikey

I used the documentation from Yubikey as a reference.
Link to their documentation
https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html

Prereqs
1. Ensure that the GCC compiler is installed. It should already be installed if you are using the SecurityOnion ISO.

Install the PAM module for YubiKey

sudo add-apt-repository ppa:yubico/stable
sudo apt-get install libpam-yubico

Configuration for Yubikey Token
<user name>:<yubikey token ID>:<yubikey token ID>: ….
 
A user name can be associated with multiple yubikeys, one token ID per colon-separated field.
The yubikey token ID is the first 12 characters of the OTP the key emits. Just open Notepad and tap the yubikey; the OTP will be typed onto the screen, and its first 12 characters are the ID. You can also visit the Yubikey demo website.

https://demo.yubico.com/

Create the mapping file. The file can be located anywhere.
Recommended mapping file location: ~/.yubico/authorized_yubikeys

Go to the home directory
$ cd auth
$ mkdir .yubico
$ cd .yubico
$ vim authorized_yubikeys

Add the following PAM line to /etc/pam.d/common-auth, ahead of the pam_unix.so entry. The id= value is the Yubico API client ID, authfile= points at the mapping file, and debug turns on verbose logging (it can be dropped once logon works):

auth required pam_yubico.so id=16 debug authfile=~/.yubico/authorized_yubikeys

pam_unix.so configuration

In the same file, append the try_first_pass parameter to the pam_unix.so line so that the password already collected by pam_yubico is reused instead of prompting a second time:

vim /etc/pam.d/common-auth

auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

Edit the sshd configuration file to disable challenge response passwords.
This should already be disabled by default if installed through the SecurityOnion iso.
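The mapping step pam_yubico performs against authorized_yubikeys, written out as an added example (this is not code from the post or from yubico-pam): it parses the user:id:id... file, derives the 12-character public ID from a 44-character OTP, and checks that the token is mapped to the user. The sample mapping file and OTP are constructed.

```python
"""Mapping-file check modelled on pam_yubico's authorized_yubikeys lookup."""

MODHEX = set("cbdefghijklnrtuv")  # alphabet used by YubiKey OTPs
OTP_LEN = 44                       # 12-char public ID + 32-char encrypted part
PUBLIC_ID_LEN = 12

# Constructed sample of ~/.yubico/authorized_yubikeys (users and IDs made up)
SAMPLE_MAPPING = """\
# user:token-id[:token-id...]
analyst:cccccccccccc:ccccccdddddd
admin:vvvvvvvvvvvv
"""


def parse_mapping(text):
    """Return {user: set(token_ids)}; skip blank/comment lines, reject bad IDs."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        if not user or not ids:
            raise ValueError(f"line {lineno}: expected user:id[:id...]")
        for tid in ids:
            if len(tid) != PUBLIC_ID_LEN or not set(tid) <= MODHEX:
                raise ValueError(f"line {lineno}: bad token id {tid!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def public_id(otp):
    """First 12 modhex characters of a 44-character OTP, or None if malformed."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]


def token_authorized(mapping, user, otp):
    """True only if the OTP's public ID is one of the user's mapped tokens."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(user, set())
```

This mirrors only the mapping lookup; whether the OTP itself is genuine and unused is decided by the Yubico validation service that pam_yubico contacts with the client id.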

Saturday, September 26, 2015

Hardware for Security Onion

Hardware requirements for Security Onion 

The Security Onion wiki is the best resource for learning about the hardware requirements for Security Onion.

When building my personal deployment of Security Onion, I used the wiki as a starting point. Due to my limited budget, I built a box which in hindsight was underpowered. Since this is deployed in a home environment, I was willing to incur some packet loss.

CPU
I recommend at a minimum an Intel Core i3 or equivalent; an Intel Core i5 or higher is preferred. For my installation, I used an AMD Athlon 5350 2.05 GHz Kabini quad-core processor. For my network, the CPU selected is underpowered. There are times when htop showed a load average greater than 4, which for a quad-core processor means it is at full utilization and there are processes waiting for a free core. (Note: since the upgrade to Bro 2.4 the CPU utilization seems to have gone down.)

Memory
The more the better. For networks under 50 Mbps the minimum requirement will be 8 GB of RAM. However, if the network is 30 Mbps or greater, I recommend bumping up the memory to 16 GB. Otherwise there is a significant risk of packet loss.

Storage
Depends on your retention requirements and the amount of traffic going through. For example, if corporate policy limits data retention to 30 days then there is no need to purchase enough storage for 90 days. Be mindful of the scripts in Security Onion that purge data once a specified disk-usage threshold is met. The default is 90%. I personally have it set to 80% for additional buffer.

NIC Card
The Security Onion wiki recommends Intel. I recommend Intel as well due to the availability of drivers across a wide variety of platforms. I personally chose TP-Link. Although I have had no problems, I nonetheless recommend Intel. Not all NIC cards are created equal.

Power Supply
Do not underestimate the importance of purchasing an efficient and reliable power supply. Since this box will be running 24x7, I recommend buying an 80 Plus Silver or better. In the long run this will result in a lower power bill. More importantly, purchase a power supply from a reputable manufacturer such as Seasonic, Antec, or Corsair.

Saturday, February 14, 2015

Defensive measures against Identity Thieves

No doubt you have already heard by now that the nation's second largest health insurance provider, Anthem, has been breached. For victims, Anthem is providing credit monitoring and identity protection services. But is that enough? In short, no.

Summary of the Personally Identifiable Information (PII) Lost
  • Names
  • Birthdays
  • Medical ID
  • Social Security Numbers (Worth $$$)
  • Street Addresses
  • Email Addresses
  • Employment Information
    • Income Data
The information lost in this breach is concerning. It is significantly more harmful and valuable to an attacker than a breach involving credit card numbers. Credit card numbers can be easily revoked and changed by the issuer. Social Security numbers cannot be easily changed and for the most part will stay with you for the rest of your life.

As a victim, what can you do? Krebs on Security has a great writeup about credit monitoring services, their benefits and their limitations. (1) In short, if free credit monitoring is offered it doesn't hurt. As an analogy, credit monitoring is similar to a burglar alarm: once the alarm is tripped the premises have already been breached and the burglar is in. Similarly, credit monitoring will not prevent identity theft but will help with detecting unauthorized attempts.

I highly recommend everyone place a credit freeze with all three credit bureaus. A credit freeze prevents your credit file from being opened while it is in place. While a credit freeze will not prevent criminals from stealing your identity, it does make it significantly harder for them to open a line of credit. For additional information, the FTC has a good FAQ page. (2)

Graphic summary (image not reproduced) - adapted from Bejtlich's Enterprise Security Lifecycle (3)

References
1. http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
2. http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
3. Bejtlich, Richard. The Practice of Network Security Monitoring: Understanding Incident Detection and Response.

Friday, February 6, 2015

Market reaction to breach on Anthem

Yesterday, on February 5, 2015, news broke that Anthem was breached. Market reaction to the breach has been muted.

On the day the news of the breach broke, ANTM dropped 0.32%, or roughly 11-12 million dollars in market capitalization. The day after the breach the shares dropped 1.12%, or roughly 40-41 million dollars in market capitalization.

Friday, January 23, 2015

Getting started within Information Security

Within the organization I currently work for, I often receive questions about getting started in information security.

Having just started an IT rotation within infosec, I find this flattering. Nonetheless, the following are a few observations on how to succeed in this field.

1. Passion for information security. To become a competent information security professional there needs to be passion for the field.

2. Extending learning beyond the job. Putting 40 hours per week into this field will not suffice. The adversary is certainly putting in more than 40 hours per week. Doing just 40 hours is the minimum needed to tread water.

3. Participating in and contributing to the community. There are many groups out there focused on security, such as your local ISSA or OWASP chapter. In the DC region there are NOVA Hackers and Unallocated Space. Looking through meetup.com can be a good way to network with and learn from other security professionals in the area.
 
4. Keeping up with the current literature and trends. Go to information security conferences to learn about research and the current threat environment. Read books and papers to brush up on skills and knowledge. No Starch Press, Syngress, and Wiley are good publishers of infosec books.

5. Do a few things well. This advice was given to me in the first week of graduate school by my adviser. Pick an area to focus on and do it well. This advice also applies to organizations and teams, as there are many fields and specialties within information security.