PenTest Starterkit 1/2012

Transcript of PenTest Starterkit 1/2012

Page 1: PenTest Starterkit 1/2012

starterkit 01/2012(3)

EDITOR’S NOTE

Data Auditing

The January issue of PenTest Starterkit magazine is devoted primarily to data auditing. As you may have noticed, we have changed the profile of the issue: from now on it will be all about auditing and standards. We hope to present everything that can be useful to business clients.

This time we have only one article about mobile pentesting. Axelle Apvrille writes about mobile malware and about the product of her company (Fortinet) that helps protect your iPhone. She describes the dangers waiting for your mobile privacy and why it is so important to protect it.

The second part of this issue contains articles about data auditing. Carl Nightingale discusses how to integrate risk management throughout a company. He shows the attitude companies usually take towards risk management and how to think smarter about protecting company data. The second article in this section, by John B. Sapp Jr., is about the evolution of risk management; today it is much more than firewall babysitting. The author describes new methods of pentesting, such as dynamic URL analysis and manual penetration testing, and concludes that companies should include application security risk as part of their information security risk management. The last article in this section, by Kiran Murthy, is a small handbook introducing employees to IT security procedures and principles. It first defines what the Information Security Department is and what its goals are, then lists point by point the principles of IT security departments in companies.

The next section is about cybercrime. Sameh Sabry's article discusses the dangers that printing can pose and how to avoid them; the author explains how the Print Spooler service works. In the next article Mariusz Rzepka discusses new-generation firewalls, comparing them with previous solutions. The last article in this section, by Asad Syed, presents cybercrime as a problem of global society. The author considers the size of this contemporary threat and possible solutions.

The last section of this issue is entitled Story and History. Rishi Narang writes about the evolution of pentesting. The change is on both sides, clients and consultants. He divides pentesting into three eras and describes the differences between methods focused on different sides of data security. In the last article Ken Xie shows his professional path and how IT security trends, tasks and tools changed during that time.

We hope this year everything will go better, our magazine included.

Enjoy reading!

Olga Głowala
& Pentest team


CONTENTS

MOBILE PENTESTING

iPhone’s security: beware of your best friend! by Axelle Apvrille

Mobile malware remains for the most part an unknown phenomenon to the general public. Many people are just unaware that it exists (“No, you’re kidding, my iPhone can’t get infected!”), and those who are aware mostly consider it as a minor issue: “there are only very few viruses on mobile phones”, a sentence which is equivalent to saying “there are no risks”. While it is true that there are currently only a handful of different malware families for iPhones, the real question is not about their number, but how far they can spread and what damage they can do. On this matter, experience on other mobile platforms has taught us that a single sample in the wild may equal thousands of infections. For example, on the Symbian platform, the CommWarrior and Yxes worms have propagated to hundreds of thousands of mobile devices: not that trivial!

DATA AUDITING

IT Security & Risk to data – the ever changing landscape by Carl Nightingale

The world of corporate governance has brought added pressure and cost to organisations safeguarding themselves against external (and not forgetting the internal) threats. Sarbanes Oxley, PCI, Solvency, MiFID (to name but a few) have forced organisations to take a closer look at how they apply control over their operations. Given the cost in the early days of organisations having to comply with the likes of Sarbanes Oxley (running into tens of millions for some larger FTSE based examples), organisations are turning to various frameworks (COBiT, COSO etc.) and standards as a way of applying control over their IT landscape.

Application Security – An Executive Perspective of the Risk Reality by John B. Sapp Jr.

Practitioners of software security are part of an even more select group, representing not only the perspective of the general software developer, but typically possessing an even stronger mathematical focus, as well as an added sense of mission around the assurance of availability, confidentiality and integrity that are at the core of information system security.

The business mind focuses on the practicality of profit making and generally has not always been comfortable with the community of software security assurance.


TEAM

Managing editor: Olga Głowala

Betatesters / Proofreaders: Massimo Buso, Ankit Prateek, Chris Cager, Rishi Narang, Johnatan Ringler, Iftach Ian Amit, Aby Rao

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Marketing Director: Ewa [email protected]

Publisher: Software Media Sp. z o.o., ul. Bokserska 1, 02-682 Warszawa, Phone: +48 22 427 36 56, www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.


Delivering Security Awareness Training In Large Organization by Kiran Murthy

Nevertheless, it is a necessity which is often difficult to respond to and address, due to lack of expertise and resources. This article shows the need for information security awareness and presents a prototype implementation of the study material and an Employee Security Handbook which will enable individuals to continue with self-paced security awareness training. The training provides an environment which permits every user to simulate security in a number of case-study scenarios. This will enable staff to become familiar with all the types of available countermeasures, and with the boundaries within which they are appropriate. Organization systems and processes are geared to aggressively provide a vast multitude of services to customers.

CYBERCRIME

uPrint iHack by Sameh Sabry

The print spooler service was developed to make printing less of an aggravation and more of an automatic task by serving as a print order coordinator. As print orders are fed from applications to a printer in Windows, they actually go through the print spooler service first. The print spooler service manages the orders chronologically and tells the printer to prepare for work.

The print spooler service recognizes the pages in a document that the user has chosen to print and how many copies of those pages to print. It then sends that order to the printer, usually starting from the last page so as to pile the pages in order.

Enterprise – UTM vs. Next-Generation Firewalls – Cutting Through the Noise by Mariusz Rzepka

There’s currently a lot of chatter in security circles surrounding the term “next-generation firewall (NGFW).” The noise around this term is creating some slight market confusion and leaving CISOs wondering how this technology differs from market adoption of unified threat management (UTM). If you buy into the NGFW buzz, you may believe that an entirely new, innovative technology has emerged, when in reality an NGFW is a subset of the existing UTM market, or even the evolution of the old firewall market. Nonetheless, customers are being bombarded with this new terminology, thereby creating confusion in the marketplace.

Unfolding of Cybercrime – 2012 and beyond by Asad Syed

Cybercrime comes in many forms, and the common person’s association with this syndrome is identity theft. Identity theft today is more than a digital threat capable of harming companies that have a digital presence and home computer users, whom we very often refer to as consumers. The problem today has grown beyond boundaries and reached epidemic levels, to the extent that even someone who does not have a computer may still get engulfed in the after-effects of cybercrime. It is estimated that around 10 million Americans (3.39% of the population) and approximately 100,000 people in the UK (around 17% of the population) are victims of cybercrime in the form of identity theft each year. Statistically this translates as: 1 in 4 adults have either been victims or known someone who has been a victim of identity theft.

STORY AND HISTORY

Penetration Testing – Evolution is Must by Rishi Narang

Pentesting has always been divided into three types – Blackbox Testing, Whitebox Testing and Greybox Testing. The fundamental difference between these types is the visibility of the code and the infrastructure configurations. Blackbox has no visibility; whitebox testers have full visibility of the code of the application and the underlying technology (it is somewhat related to code reviews and testing); and Greybox Testing sits between Blackbox and Whitebox testing. Everyone has their take and opinion on the success and virtues of these different types, but my question is – isn’t the pentesting model and approach, as it stands currently, profoundly weak?

Security by Ken Xie

I’ve always believed that security follows the evolution of the Internet. New Internet applications give way to new threats. For example, technologies supporting cloud computing, Web 2.0 and mobile computing are bringing new security challenges to IT departments, as they bring new vulnerabilities to the enterprise. I see UTM as the most appropriate solution capable of managing the risks resulting from the extension of the corporate network perimeter, as it can provide both network and content-based protection, but also offer granular access/profile policies based on users, enabling consistent security across the extended network perimeter.


MOBILE PENTESTING


iPhone’s security: beware of your best friend!

Mobile malware remains for the most part an unknown phenomenon to the general public. Many people are just unaware that it exists (“No, you’re kidding, my iPhone can’t get infected!”), and those who are aware mostly consider it as a minor issue: “there are only very few viruses on mobile phones”, a sentence which is equivalent to saying “there are no risks”.

However, mobile malware is becoming a real phenomenon, which requires caution. While it is true that there are currently only a handful of different malware families for iPhones, the real question is not about their number, but how far they can spread and what damage they can do. On this matter, experience on other mobile platforms has taught us that a single sample in the wild may equal thousands of infections. For example, on the Symbian platform, the CommWarrior and Yxes worms have propagated to hundreds of thousands of mobile devices: not that trivial!

Caution is also required, because we are far from knowing everything about mobile malware and cybercriminals’ intentions. Actually, it is quite possible that we only see the tip of the iceberg, as there could be much more mobile malware hidden under water. In fact, Fortinet occasionally discovers malware which has been out for a while but remained unnoticed by all anti-virus companies. Finding mobile malware samples is particularly difficult because they evolve on networks which are not based on the IP protocol and are controlled by telecommunications operators. Also, they are seldom reported by mobile users to telco operators or security companies.

At last, don’t trust statistics to evaluate the reality of mobile malware. Figures are difficult to ascertain for many reasons: they are split among several operators; they vary a lot from one country to another, depending on which mobile applications are used; and they differ according to how one defines malicious applications.

So, even if it has not been affected yet, do not underestimate the potential vulnerability of your iPhone.

The iPhone Connection

Why would malware target iPhones in particular? From a cybercriminal’s perspective, the answer is short and simple: because it is a real consumer success, which can convert into a gold mine. Apple’s App Store generates millions of dollars, so one can confidently affirm that it will one day be abused and will unintentionally offer malware to the unsuspecting iPhone community. It has already happened to the Symbian and Android platforms, for which a few malicious applications were unintentionally signed. The damage this time is likely to be even greater than on other platforms, because of the iPhone’s popularity and the general belief that the Apple/Mac environment is safe.

iPhone’s connectivity is another important reason to attract new malware. iPhones are particularly easy to use to access the Internet. According to AdMob, one of the world’s largest mobile advertising networks, 40% of all online advertising requests come from iPhones, as of May 2010. This opens up the iPhone to a wider variety of


DATA AUDITING


IT Security & Risk to data – the ever changing landscape

“Data loss!”; “Industrial Espionage”; “Security Breach!” – Terms which we’ve heard of before, but unfortunately are becoming increasingly popular given the disturbing levels disclosed recently. The new world of ‘Cyber Security’ is facing an increasing rise in awareness across organisations as the risks associated with these threats are realised.

There are many forms of security breaches taking various guises, and it’s because of this diverse array of types of attack that organisations are finding it challenging to protect themselves. On the other hand, clever countermeasures are now available to help the fight against targeted or opportunistic forms of attack. So that’s OK, you might say. However, these tools can be extremely costly to buy, implement and then maintain. It is having a blended mix of effective countermeasures and an effective risk management regime that organisations seem to struggle with, which I will now discuss.

The world of corporate governance has brought added pressure and cost to organisations safeguarding themselves against external (and not forgetting the internal) threats. Sarbanes Oxley, PCI, Solvency, MiFID (to name but a few) have forced organisations to take a closer look at how they apply control over their operations. Given the cost in the early days of organisations having to comply with the likes of Sarbanes Oxley (running into tens of millions for some larger FTSE based examples), organisations are turning to various frameworks (COBiT, COSO etc.) and standards as a way of applying control over their IT landscape. The problem comes when there is a misunderstanding between what the world of compliance and governance states you must comply with, and interpreting this as an appropriate baseline set of controls for your organisation. Organisations spend hundreds of thousands having consultancies tell them things that they probably already know, all in the name of compliance. They hand over a report, the client pays the invoice and that’s it until the next quarter. There is no doubt that there is value in having elements of your operations assessed by a third-party set of eyes, but it is how you then use this information which is critical.

I’ve been lucky to work in both the private and public sector in my career to date, and witnessed how organisations within these sectors have striking similarities surrounding issues addressing IT Risk across the organisation. Many organisations I’ve visited on my travels understand risks to their day-to-day operations, but few understand how to integrate the management of risk throughout their organisation.

I have seen various approaches to managing risk, mainly dependent upon available budget and appetite. The private sector trend is to rely upon the results of a statutory audit to determine any exposure across their IT landscape and to drive remediation. The public sector has tighter controls surrounding their systems (mainly for accreditation purposes) which require them to undertake health checks (vulnerability assessments) to assess vulnerabilities which could compromise the security of their systems and data. Both though have a common thread, being that they have an external review carried out and a report detailing the findings delivered at the end of the work.

It’s the lack of process following what happens with this report after it’s been delivered that seems to cause difficulties. Typically it’s sent for the attention of the IT Security Manager/CISO who probably had the task of engaging and organising the external review in the first place. Whilst this seems a logical approach, there is one party which is generally unaware of the work that has probably taken place, who should have been involved from the start – the business.

Given the recent downturn in the economy, there has been a changing shift (especially in the private sector with high-profile tabloid examples of compromised data loss) in the how organisations are approaching managing risk. This is, in the main, driven by a reduction in budgets, e.g. IT Security now seeing vulnerabilities identified from a vulnerability assessment/penetration test as being owned now by the system owners from the business – and promptly throwing those issues over the wall for them to deal with (if they have budget to do so) resulting in the risk remaining untreated.

It is to this extent that the tone and accountability for managing risk within an organisation must (and must be seen to) come from the top. Management (and the Board) must embrace the need to understand risk and how it affects them, their organisations and also shareholders. I’m currently working within the public sector, and given the constraints I’ve already mentioned above, we’ve introduced a holistic approach to both business and IT risk across the organisation.

Typically we receive a nice glossy report from the external health check company detailing our security vulnerabilities in typical generic form. What has failed to happen in the past is the process of interpreting these industry-good-practice, generic findings into relevant risks pertinent to our organisation and business. Instead we simply have looked at what we can and can’t do for various reasons. The vulnerabilities we were not able to fix, for whatever reason (cost v benefit), were simply left and ignored. Security through obscurity – the ostrich head in the sand.

A work stream was initiated to identify Business System Owners (BSOs) and Technical System Owners across the organisation. The aim here was to bridge the divide that had developed between the business and IT. A formalised Health Check process was introduced specifying the key roles and accountability. This allowed the business representatives a window of opportunity to be exposed to the health check process required for system accreditation purposes. They now had visibility of the health check plan too, which allowed them to budget for any remediation necessary. Moreover, it brought the business closer and allowed them to gain an understanding around not just IT Security risks, but general IT risks to their critical systems and data.

A consequence of the above, was a natural move to manage IT security risks, that once would have gone unnoticed, onto various risk registers within the business and IT (for formal review) – to then feed into appropriate IT strategies resulting by way of sparking process change (to introduce mitigating controls potentially) or introducing technical changes to the system (Figure 1). This was crucial given the size of our estate (some 1,700 servers) and not forgetting the varying degrees of legacy equipment on the estate which was out of support and was too old and out of date to simply apply the latest security pack releases – thus, driving ways for us to look at the entire system and start thinking about what mitigating controls existed, or, what mitigating controls could be introduced.

A natural progression was to feed IT security vulnerabilities that were deemed high-risk into trains of work concerning tech refresh programmes. These programmes addressed the risk of exposure of a security breach to our operations by updating the infrastructure where appropriate – thereby ensuring that risks residing upon the business or IT risk register were deemed treated and closed.

The task to achieve this was to engineer an effective method of raising the profile of security vulnerabilities which could result in the organisation being compromised, but ensuring that they are articulated appropriately to the target audience. That was critical. IT Security seemed to have been deemed a thorn-in-the-side for some time, considered a dark-arts practice by certain elements of the business, a topic that most knew very little about. This perception had to change. The introduction of the BSOs and including them in the health-check process proved fruitful in dissolving this.

Figure 1. Our Stairway-to-heaven (figure label: 1 General Computer Controls).

It seemed the norm that having an IT framework in place, or simply applying a standard, was deemed sufficient (whether that be COBiT for a wider view of the control across the IT landscape or even a build standard, such as CIS, for a server build). The fact is this will only get you so far on your journey – the secret is to introduce a model that brings the business and IT elements of your operations closer together; to communicate effectively. To set company-wide appropriate policy (and then ask yourself: how accessible is it? how is awareness of it managed?)

The secret, it seems, is to start to think-smarter as to how you and your organisation face up to the ever changing challenges you face in the world of IT Security. With increased pressure to manage reduced budgets better, we are finding ourselves having to modify our internal processes surrounding the identification of risks; the management of, and an appropriate and effective escalation process to boot too. It’s about having an effective IT Assurance function in place which has a holistic view across your organisation which can protect your business and lead to a reduction in your compliance costs through controls optimisation in response to both internal and external threats.

Our IT systems are becoming increasingly more complex too in an attempt to streamline our operations in the drive for efficiencies. Given this, organisations are turning to automated techniques in order to combat the threat to our data (e.g. introducing computer aided auditing techniques to provide a greater degree of assurance over the integrity of data across your business critical systems, in an attempt to relieve the admin burden that governance typically brings). Furthermore, these off-the-shelf tools that are available can be multipurpose. For example, you may have installed ACL or IDEA to look at your data. This tool can, and has, been used to also assist with data migration and conversion projects in addition to supporting your statutory audit process too (general ledger scans for example), or to meet regulatory requirements to exercise control over the referential integrity of your data.

Conclusion

So, a considered approach is required to the level of investment compared to the assessed risk of your systems and data being compromised. Your assessment of risk should be a continuous, dynamic process of collating, updating and analysing information throughout its lifecycle. It is about how you approach the manner of governance and the oversight of your IT function, including the level of interaction with executive management, the Board and, not forgetting, your Internal Audit function regarding the results of monitoring activities and identified significant IT control weaknesses to your organisation.

Summary

• An increase in the types and number of cyber attacks on organisations (see Times article by Iain Lobban, GCHQ [31st October 2011])

• The volumes of data being held within companies are growing, therefore increasing the risk if compromised

• Data is now being held in more complex systems which by their very nature hold security vulnerabilities which you may not be aware of and which could be easily exploited by an attacker if not properly controlled

• Instances where data is being manipulated outside of the main application, e.g. spreadsheets (so lack of control over data integrity)

• International Standards on Auditing (ISAs) suggest gaining more assurance by using CAAT methods, leading to an increased number of controls now being automated compared to manual

• Introduce an assurance function that has a holistic view across your IT landscape and the output of which is accessible by senior management

CARL NIGHTINGALE

Carl Nightingale is an IT Risk and Compliance practitioner and educator in the field of IT risks and controls across the IT landscape. He started as a Programmer implementing IT systems all over the world, and then moved into the Financial Services sector working for a Big-4 consultancy where he focussed his attention on IT Controls and Governance. He currently provides a range of consulting, training and education support to help organisations and individuals with the challenges of IT Risk and Controls.


DATA AUDITING


Application Security: An Executive Perspective of the Risk Reality

Software development has a long and storied history. In the 1940s, software development was considered the exclusive practice of mathematicians and individual or group creators of programming languages, operating systems and specialty algorithms.

Practitioners of software security are part of an even more select group, representing not only the perspective of the general software developer, but typically possessing an even stronger mathematical focus, as well as an added sense of mission around the assurance of availability, confidentiality and integrity that are at the core of information system security.

The business mind focuses on the practicality of profit making and generally has not always been comfortable with the community of software security assurance. Thus, even as the alliance between business and IT has flourished, and especially in recent years as enterprises have grown and differentiated themselves into multiple lines of business with numerous layers of managerial hierarchy, responsibility for software development and software security has tended to be pushed deep into individual lines of business – far from the province of executive business decision makers.

Transformation from Legacy to Cyber

Web applications are becoming more prevalent and increasingly more sophisticated, and as such they are critical to almost all major online businesses. In recent years, Web applications have grown dramatically popular, with organizations converting legacy mainframe and database systems into dynamic Web applications using technologies such as PHP, Ajax, JavaScript, JSP, Java, ASP, ASP.NET, Cold Fusion, Perl, Flash and Ruby. As with most security issues involving client/server communications, Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.

Figure 1. The Web App Security Timeline


DATA AUDITING


Delivering Security Awareness Training In Large Organization

Information security is a very critical issue for any large organization with considerable dependency upon information technology.

Nevertheless, it is a necessity which is often difficult to respond to and address, due to lack of expertise and resources. This article shows the need for information security awareness and presents a prototype implementation of the study material and an Employee Security Handbook which will enable individuals to continue with self-paced security awareness training. The training provides an environment which permits every user to simulate security in a number of case-study scenarios. This will enable staff to become familiar with all the types of available countermeasures, and with the boundaries within which they are appropriate. Organization systems and processes are geared to aggressively provide a vast multitude of services to customers. The size and complexity of any organization’s infrastructure, coupled with a highly visible corporate image, makes security a paramount consideration. Security requirements flowing from these business issues include controlling access at network and application levels, preventing threats and monitoring for security breaches.

To meet these challenges, a culture of security should be fostered at all levels. The information to which employees have access at the organization is critically important to the organization and its customers. Security practices and procedures may on occasion take time and effort, and may make it necessary for an employee to voluntarily forego some of their usual personal prerogatives. But the employee’s compensation for the inconvenience is the knowledge that the work they accomplish at the organization, within the framework of sound security practices, contributes significantly to the organization. The employees of the organization thus have the responsibility of safeguarding

Objective

1. What is information security?
2. What is the organisation security scheme?
3. What are the organisation security policies, and how does the organisation translate them into practical, day-to-day activities?
4. What are the organisation processes?
5. What regulations apply to business operations?
6. How does security awareness impact the employees in day-to-day activities?

The main goal is to solve the practical problem experienced by the organization and to understand the results achieved from the viewpoint of the employees. The results cannot be generalized, but they are of use to the organization in planning as well as delivering information security awareness training programs.


CYBERCRIME


uPrint.. iHACK..

I print and you hack? Is that what you are trying to say, Sameh? Am I in danger having a printer close to me?

The answer to the questions above is YES. A vulnerability in the Print Spooler service could allow remote code execution, whereby a computer could be fully and remotely compromised!

What is the Print Spooler Service?

The print spooler service was developed to make printing less of an aggravation and more of an automatic task by serving as a print order coordinator.

As print orders are fed from applications to a printer in Windows, they actually go through the print spooler service first. The print spooler service manages the orders chronologically and tells the printer to prepare for work.

The print spooler service recognizes the pages in a document that the user has chosen to print and how many copies of those pages to print. It then sends that order to the printer, usually starting from the last page so as to stack the pages in order.

Figure 1. Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Figure 2. Metasploit Startup Screen


CYBERCRIME


UTM vs. Next-Generation Firewalls – Cutting Through the Noise

There’s currently a lot of chatter in security circles surrounding the term “next-generation firewall” (NGFW). The noise around this term is creating some slight market confusion and leaving CISOs wondering how this technology differs from the already widely adopted unified threat management (UTM).

If you buy into the NGFW buzz, you may believe that an entirely new, innovative technology has emerged, when in reality a NGFW is a subset of the existing UTM market, or even the evolution of the old firewall market. Nonetheless, customers are being bombarded with this new terminology, thereby creating confusion in the marketplace. Network security leaders do recognize the benefits of security integration, but do they need a NGFW? Do they need a UTM solution? Or is there even any difference between the two?

Lifting the Hood on “Next-Generation” Firewalls

If we look under the hood at the technology, it quickly becomes clear that NGFWs are not as new as they are marketed to be. Next-generation firewalls are generally described as a product that tightly integrates firewall and intrusion prevention systems (IPS), as well as VPN technologies and robust application control capabilities. All of these features have historically been offered by many security products.

One of the most touted technologies in NGFW products is an application visibility and control capability. This is being promoted as one of the most significant advancements in security technology since the introduction of the stateful firewall. But is it really so innovative? The simple explanation for application control is the ability to detect an application based on the application’s content rather than on the traditional layer 4 protocol. Since many application providers are moving to a Web-based delivery model, the ability to detect an application based on its content is obviously important, but not especially innovative. Considering this, it is easy to see that the proposed innovation is nothing more than taking traditional firewall controls and applying them to applications identified at layer 7 rather than by the original layer 4 method. This is important, but not worthy of a new firewall category. Like other technologies that started as industries and were reduced to features – such as NAC and DLP – NGFW capabilities such as application control are critical parts of the firewall, but nothing more.

Today’s Security Risks

By analyzing the attack landscape, we can determine that attacks are both application aware and application agnostic at the same time. This means that attacks seek out legitimate applications to carry their wares, but are not targeted only at specific applications. For example, we can assume that a peer-to-peer (P2P) application is more likely to carry attack content than a known commercial application. But attacks have been carried by legitimate business applications as well. In fact, some of the most notable attacks have carried their threats via some of the most widely used commercially available applications, including Facebook and Twitter.
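The layer 4 versus layer 7 distinction the article draws can be made concrete with a small policy engine. The following is an added example, not code from the article or from any firewall vendor: two constructed flows on TCP port 80 look identical to a port-based rule, while a content-based classifier (hostname and a BitTorrent handshake prefix, both illustrative signatures) can tell a social-media session and P2P traffic apart and apply the same deny/allow control to them.

```python
"""Layer-4 (port) vs layer-7 (content) application control, added example."""
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes of the client's request (constructed samples below)


# Layer-4 control: the "application" is whatever the destination port implies.
L4_APPS = {80: "http", 443: "https", 6881: "bittorrent"}


def classify_l4(flow: Flow) -> str:
    return L4_APPS.get(flow.dst_port, "unknown")


def classify_l7(flow: Flow) -> str:
    """Identify the application from content. Signatures are illustrative only;
    over TLS the hostname would have to come from SNI or from decryption."""
    p = flow.payload
    # The BitTorrent handshake starts with a length byte 19 and "BitTorrent protocol".
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    lines = p.split(b"\r\n")
    if lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().lower()
                if host.endswith(b"facebook.com"):
                    return "facebook"
                if host.endswith(b"twitter.com"):
                    return "twitter"
        return "http"
    return "unknown"


# The control itself is an ordinary firewall rule; only the identity source differs.
DENIED_APPS = {"bittorrent", "facebook", "twitter"}


def decision(flow: Flow, classifier) -> str:
    return "deny" if classifier(flow) in DENIED_APPS else "allow"


# Constructed sample flows: all three use port 80, so layer 4 allows all of them.
FLOWS = {
    "web": Flow(80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "social": Flow(80, b"GET /feed HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "p2p_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),
}
```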


CYBERCRIME


Unfolding of Cybercrime – 2012 and beyond

Cybercrime is becoming a synonym for disaster in one’s digital life. Individuals as well as companies are equally affected by this syndrome and fear its devastating effects. Let us take a quick dive into this world and understand what is actually going on, how much worse it could get, and what could be done to protect us from the onslaught of this menace.

Cybercrime is a unique form of man-made digital threat, crafted upon our dependence on digital gadgetry in this day and age. On one side, we have made communication and information dissemination quicker and more efficient, along with the countless benefits that we enjoy today with smart devices in our hands. On the other, we seldom realize that the lurking dangers of this digital evolution lie somewhere in the shadows of the benefits that we reap, unless one among us is caught on the dark side of this evolution. We refer to this as Cybercrime.

Cybercrime comes in many forms, and the common person’s association with this syndrome is identity theft. Identity theft today is more than a digital threat capable of harming companies that have a digital presence and home computer users, whom we very often refer to as consumers. The problem has grown beyond boundaries and reached epidemic levels, to the extent that even someone who does not have a computer may still get engulfed in the after-effects of Cybercrime. It is estimated that around 10 million Americans (3.39% of Population) and approximately 100,000 people in the UK (around 17% of Population) are victims of Cybercrime in the form of identity theft each year. Statistically, this translates to 1 in 4 adults having either been a victim or known someone who has been a victim of identity theft. To add to this, as per the published crime statistics, identity theft is the fastest-growing white-collar crime across the world today.

Identity theft is just one face of Cybercrime. Cybercrime happens in many forms that most of us may not even realize are crimes. The upsurge of online child pornography across geographic borders, involving criminal gangs acting for money, is another form of Cybercrime that goes undetected by ordinary consumers most of the time.

The stealing of private, confidential and proprietary information and/or data from personal and corporate computers is another major threat that will go on for a long time to come. A wonderful web resource, Datalossdb.org, was formed by a group of volunteers and project curators who scour news feeds, blogs and other websites looking for data breaches, and who maintain a statistical count of past and present data loss breaches in a web-based application. A look at the statistics collected by this resource tells us that we are nowhere near the victory post in this war. Both consumers and businesses are losers in this fight. A lack of knowledge on the subject of Cybercrime and of security controls often makes consumers the victims of Cybercrime, and they ultimately stand to lose valuable data, money and time as a consequence. Companies have to spend a substantial portion of their profits on their security departments to secure their digital assets from Cyber


STORY AND HISTORY


Penetration Testing – Evolution is a Must

All the CXOs and security enthusiasts know this term – Pentest (Penetration Testing). What is pen-testing and how has it evolved over all these years? Is it catching up with the hackers of this century, or has the trend just been side-tracked?

Pen-test, as per Wikipedia, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. This article doesn’t wish to target anyone, but would like to reflect one side of the reality of the pen-testing scenario in the real world, and is always open for discussion.

Pentesting has always been divided into three types – Blackbox Testing, Whitebox Testing and Greybox Testing. The fundamental difference between these types is the visibility of the code and the infrastructure configurations. Blackbox testers have no visibility; Whitebox testers have full visibility of the code of the application and the underlying technology, which makes it closely related to code review and testing. Greybox Testing lies somewhere between Blackbox and Whitebox testing. Everyone has their take and opinion on the success and virtues of these different types, but my question is: isn’t the pentesting model and approach, as it stands currently, profoundly weak?

There has been a global change in how pentesting is perceived by both sides of the table – the clients as well as the consultants. In many facets, pentesting is no longer in sync with the act of a hacker or cracker; rather it is a checklist that the compliance team has to follow – PCI, HIPAA, blah blah. It was the deed of a handful of security professionals, but is now falling into the hands of anyone who is employed by a security services firm and has a tool set to execute over a set of IP addresses. Now, what’s the deal here with the pentesters and what’s happening? The actual geeky work of a security professional has been taken over by the ‘reliable’ tools, and the professionals are responsible for executing them, verifying the findings, and generating reports accordingly. Tools like Nessus, AppScan, Nmap, Metasploit, Core Impact etc. are pretty much self-sustaining in the pentesting environment, and soon they will even deliver a well-drafted report as per the template supplied, in any format you plan.

Last time I was reading an article, someone had posted an image which touches the darkness that pentesters seldom fall into (Figure 2). No offenses from

Figure 1. Whitebox blackbox


STORY AND HISTORY


Security

Network security has, and probably always will, follow the changes in the Internet. Over the past 20 years, this is what I’ve seen realized.

I first became interested in security when I was studying in China but, since we were still in the pre-Internet age, the security challenges were very different. Securing IT assets was indeed much easier back then, since networks were closed. As the Internet went mainstream and corporate networks opened up, it created the need for connection-based security that would protect networks without slowing down network performance. This shaped my initial vision for security.

I started my first network security company, Stanford InfoSystem Inc., in 1993, and designed my first software firewall product there. As network speeds increased, I realized the performance limitations of software-based firewalls. My vision for security began to take further shape at NetScreen, where I led the development of the industry’s first ASIC-accelerated firewall/VPN appliances, which forever changed the security market landscape. While high-performance connection-based security addressed the requirements of the market at the time, it became obvious to me that firewalls and VPNs alone could not stop the content- and application-based attacks, such as viruses, intrusions, spam and malicious Web content, that were on the rise. That led to the next phase of my vision.

When starting Fortinet at the end of 2000, I pioneered the concept of Unified Threat Management (UTM). My technology vision was to solve the next generation of security challenges with the development of a custom-built, high-performance network and content security platform. With my brother and co-founder, Michael, and a dozen sharp engineers, we worked around the clock to architect and build the world’s first ASIC-accelerated UTM security systems, introducing the first FortiGate systems in May 2002.

In ten short years, more than 100,000 enterprises of all sizes, in all sectors and geographies, have adopted our UTM solutions. For 19 consecutive quarters Fortinet has led the UTM market, which has become the most important segment in the security industry. According to IDC, the UTM market has already surpassed the firewall/VPN market and represents the fastest-growing segment within the network security market, with a projection to reach $3.2 billion in 2014. The success of UTM, coupled with Fortinet’s ASIC-based approach, has validated my vision of providing enterprises with complete content protection against all types of threats without crippling their network performance or administrative resources.

Attacks today are sophisticated and often blended in nature, requiring multiple security technologies. UTM solutions are best suited to address those complex Internet threats because they integrate an array of security technologies and services, such as firewall, VPN, intrusion prevention and antivirus.


In the next issue of

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p.

Auditing & Standards

Available to download on February 8th

Soon in Pentest!
• Daniel O‘Donor
• Jared Carlstersen
• Longinus Timochenco
• Andrzej Nowodworski