JSSI 2011 conference report

The 10th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), held in Paris on March 22nd, 2011. A hundred attendees were at the conference. Here is a report of the presentations. The full agenda is available on the conference website (Presentation materials will be published soon on this site).

 

This talk sums up the results of about a dozen security audits on SaaS solutions. These audits took place during 2010. The approach was to perform first an assessment of the various topics listed in the ISO 27002 standard, and then to perform a penetration test against the evaluated products. Although these results can not be generalized, they do highlight a number of interesting findings.

In the preamble, speakers show first that the cloud changes the way CSO and security are involved in projects:

One of the strongest finding, based on the audit results, is the fact that very often the company who subscribed to a SaaS service is not always aware that this service relies on a chain of suppliers (rather than a single supplier). Beyond the publisher of the SaaS solution, suppliers are typically the operator (who operates the solution) and the hosting infrastructure (which provides the infrastructure that hosts the solution). It is imperative to identify all these players and ensure that security requirements are addressed consistently by the entire chain of players:

 The other interesting findings are:

In conclusion, the speakers indicated that it is actually possible to find really secure SaaS offerings. But most of the times these secure solutions are the ones that were designed to handle highly sensitive data. On the other hand, the level of physical security is generally very good (because the computing centre hosting the service has a very secure facility). They draw attention to the fact that the supervision and the control of the cloud service performance could induce a significant effort for the client. Finally they recommend to keep complete control on access management activities (who get an account, and with what privileges) and to absolutely avoid any "self-provisioning" approach in this area.

 

 

In some contexts, the test of applications requires data sets that may be difficult to generate from scratch and then, it is easier to build these test data from real operational data. This is the case for example if one needs a large customer database, or a complex and multi-coherent data set. To address this need, Bouygues Telecom has established a team specialized in the generation of data sets derived from operational data. This team:

The team expertise in the field of "test data engineering" is available for all Bouygues Telecom projects. Such dedicated team, in addition to guarantee a good data anonymisation (such data, which are often customer related, include personal and sensitive information), also has the effect of strengthening the security of production data because the "test data engineering" team is then the only team allowed to get access to production data.

 

 

This presentation, which was made ​​by a French lawyer, addresses various questions often asked when it comes to computer security and law. The sum-up that we give below is very basic and just reflects our understanding of the responses from the speaker to these questions.

 

The general answer is no, unless the CSO has received a delegation of authority from the CEO, or has intentionally committed an offense.

Note: The speaker said that in France, a company is legally obliged to implement IT security measures to protect the company. This is "an obligation of means", and even more formally "an enhanced obligation of means"; the latter means that the company must be able to demonstrate that it actually had implemented these security measures (in the case of a "non-enhanced obligation", it would be on the opposing party to demonstrate the obvious lack of security measures used).

 

Companies have strong legal obligations with regard to personal data. These obligations have been widely documented by the French CNIL (Commission Nationale de l'Informatique et des Libertés = National Commission for IT and Liberty). The speaker consequently recommended referring to the documents published by CNIL. He mentioned in particular a CNIL notice titled   "10 advices for the security of your information system".

 

We must find a balance between the legitimate needs of supervision (to ensure security) and the right of individuals for privacy. The recommendation of the speaker in this area is to establish within the company a charter that describes the uses that are permitted and the methods of monitoring used to control security.

 

 

This talk mainly covers the security of Android smartphones. The speaker identifies 3 distinct areas where security risks exist for smartphones:

The speaker continued his presentation by showing how an Android application could be analyzed (reverse-engineered).

In his conclusion, he said that security risks for Android (and smartphones in general) are multiple and that the user has little means to protect him effectively. We are still at the year one of the security for mobile devices and, in this area, all has yet to be built.

 

 

This presentation explains how a well organized "information warfare" campaign may allow an adversary to gain advantage over his opposite. He illustrates his view by detailing the efforts of Greenpeace to attack Nestle about the use of palm oil in Nestle products.

 

 

Orange Business Services presented the SOC service (Security Operation Center) it set up to monitor the security of its internal infrastructures. The SOC service is operated by a dedicated team and runs 24/7.

To monitor a new project the SOC proceed in 3 steps:

Orange SOC project started in 2005. In terms of tools it typically uses IDS (detection sensors) to monitor network traffic, SIM/SIEM tools to analyze and correlate events, and "blackholing" (network flows redirection) and "cleanpipe" (dirty flow "washer") to react when an attack occurs.

The speaker explained in his conclusion that the key point for SOC success is to closely work with the business specialists of the project monitored by SOC. He also advised resisting to the temptation to deploy too fast (e.g. to much sensors added quickly to cover a very large perimeter); the integration should be gradual and controlled.

 

 

This presentation explains what are the techniques and the tools available to remotely guess the software used by a website. Typically, the objective is to identify that a remote web server runs Apache, PHP and Joomla (as an example), and if possible, to guess the version or each of these software. If one of the software is not in the most recent version, it could then be possible to attack it by using the already known vulnerabilities of this software.

The fingerprinting techniques are the following ones:

The speaker more deeply covered a sub-category of the latter tools: the ones that look for well known static files in the web server space. This fingerprinting technique was presented in 2010 at the DefCon conference by the author of the "BlindElephant" tool (the DefCon slides are available on the conference web site). The detection technique relies on the fact that each web environment (WordPress, Joomla, Drupal, etc…) installs its own set of files on the web server. If you search for these files you could then guess which software is used.

BlindElephant is a tool difficult to enhance and consequently, the speaker choose another tool (which is less efficient but easier to enhance): WAFP (Web Application Finger Printing). He enhanced WAFP by adding the capability to fingerprint web frameworks such as Symfony, Cakephp and Struts.

In his conclusion, the speaker said he is still working on that subject and will send the results to WAFP author as a contribution. He finally mentioned that this fingerprinting technique will not always work (for example the "Zend" framefork does not have any static file, and consequently cannot be fingerprinted that way) and could be countered (if the standard files of the web environment used have been changed, then the detection will fail).

 

 

This 2011 edition of the JSSI conference was - as usual - very interesting.

This 10th edition of the JSSI conference confirms that this event organized annually by the OSSIR is one of the major events of the French-speaking conferences in the field of IT security. And we will of course be there again next year!