| | |
|---|---|
| ![NewsPaper](images/Newspaper.png) | Reaping a rich harvest - An important phase of any security assessment is passive information gathering. Unfortunately, the security benefits associated with this phase of an assessment are the least understood by many organizations and are consequently dropped for cost-saving reasons. |
| ![NewsPaper](images/Newspaper.png) | The network detectives - Given the nature of my security specialization, I often get approached by clients requiring an immediate response to a critical security concern or ‘compelling event.’ These incidents typically range from threats of targeted business interruption, through to investigation of successful host compromises. |
| ![NewsPaper](images/Newspaper.png) | Send in the clones - Did you realise there's a lucrative black market in stolen and "cloned" SIM cards? This is possible because SIMs are not network-specific and, though tamper-proof, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill. |
| ![NewsPaper](images/Newspaper.png) | Preventing Trojan trouble - While antivirus software has matured during this time and is capable of dealing with the majority of previously known or well-studied Trojans, the sheer number of new Trojan development kits and the increasing sophistication of 'silver threading' techniques have ensured that they still present an immediate threat to the corporate environment. |
| ![NewsPaper](images/Newspaper.png) | Implementing Security - You would think that these organizations, with their highly skilled and sizable security departments, would be able to handle almost any security problem thrown their way. While they certainly have mature and established security policies, and are aware of many of the pitfalls, their problems tend to manifest themselves in the way their security... |
| ![NewsPaper](images/Newspaper.png) | Blind penetration testing - A starting point for many of these discussions begins with, “can you do penetration tests, and can you do it ‘blind’?” This is an interesting question, and a clear indicator that the potential client has either watched too many hacking movies or browsed through one of the mainstream how-to-hack books. |
| ![NewsPaper](images/Newspaper.png) | Workstation security - The easiest way to compromise the integrity of an organization’s data assets is through its desktops. This is because most organizations use a homogeneous environment and most fail to secure this against attack. Yes, they usually deploy specialist perimeter defence systems, including securely configured internet-facing services, but... |
| ![NewsPaper](images/Newspaper.png) | System security patching - Patching systems can be incredibly time-consuming and affect the stability of critical hosts. But not patching these systems can leave the critical hosts in a state ripe for compromise. While most organizations develop a strategy for applying security patches, there are often long periods where these critical hosts are not protected against... |
| ![NewsPaper](images/Newspaper.png) | Relying on bad firewalls - When protecting networked assets and business-critical infrastructure from attack, most organizations’ defensive line begins with their firewall - unfortunately, all too often it ends with it as well. Too many organizations see a firewall as the suit of armor protecting their infrastructure investment. A better analogy would be the breastplate... |
| ![NewsPaper](images/Newspaper.png) | Social engineering by proxy - An area of security that regularly raises the hackles of a corporate security department is the threat of social engineering attacks. While most security staff can understand the dangers of this type of attack, it is extremely difficult to guard against, as the defense relies heavily upon staff education procedures that are almost impossible to... |
| ![NewsPaper](images/Newspaper.png) | Evolution of perimeter defence - The continual release of new software and hardware technologies, each with ever-increasing complexity and broadening integration requirements, has assured that the security arms race will continue to force ever more sophisticated counter-attack and protection-oriented systems into commercial organisations to counter past... |
| ![NewsPaper](images/Newspaper.png) | The Trojan Defence - While anti-virus software has matured during this time and is capable of dealing with the majority of previously known or well-studied Trojans, the sheer number of new Trojan development kits and the increasing sophistication of “silver threading” techniques (the process of inserting Trojan code within any other distributable application so it cannot... |
| ![NewsPaper](images/Newspaper.png) | IPS destined to replace legacy routers - Whether the term is evolution or revolution, corporate network managers must have noticed that change is in the air. Just as network design changed with the cost-effective implementation of routers replacing legacy network bridging devices, the design rulebook is once again under revision. |
| ![NewsPaper](images/Newspaper.png) | Communicating and understanding risk - Before starting a security assessment, a lot of work is often invested in getting legal frameworks and confidentiality agreements in place between all concerned parties. While I ensure that all reports produced by me are clearly marked “strictly confidential” and “client only”, I know for a fact that there is a high probability that a copy... |
| ![NewsPaper](images/Newspaper.png) | Custom Flaws for Custom Applications - For a number of years now, I have specialised in the security assessment of custom web applications. It is with a little despair that I note this is the one area of corporate security that has grown worse each year – not through any fault of my own, I hasten to add. While organisations have finally begun to master the fine art... |
| ![NewsPaper](images/Newspaper.png) | Doing it passively - An important phase of any security assessment is passive information gathering. During this phase, information is gleaned from a variety of external (non-client) sources and through data-gathering techniques directed against the infrastructure such that they would not normally be identified as anything beyond typical network traffic. |
| ![NewsPaper](images/Newspaper.png) | Exploiting Vulnerabilities - One of the most common questions my clients ask me is what tools I will use to carry out the security assessment of their particular system or application. In some cases this question may be driven by a fear that, owing to the fact that my parent organisation is well known for producing vulnerability scanning products, I would restrict my investigation... |
| ![NewsPaper](images/Newspaper.png) | Understanding the threat from within - I regularly work with an assortment of international organisations whose primary business interests are in the Americas or Asia, but which have satellite offices based in Europe. Although many of these satellite offices could be considered large by regional standards, they are obviously secondary or ... |
| ![NewsPaper](images/Newspaper.png) | An intrusive third-party - Some clients will refer to ‘passive’ and ‘active’ phases of testing, while others will refer to ‘non-intrusive’ versus ‘intrusive’. Although it is easy to make one-to-one comparisons between the two nomenclatures, there are a number of nuances that can be a source of misinterpretation. Failure to clarify the language, and consequently the purpose ... |
| ![NewsPaper](images/Newspaper.png) | Pentest Shocks - Although I believe that a professionally delivered security assessment knocks the socks off a classic penetration test (pentest) for value and cost effectiveness, there are times when a pentest is more than adequate for the client's immediate needs. This is commonly the case when they require a quick “attacker's” evaluation of a semi-independent website... |
| ![NewsPaper](images/Newspaper.png) | This intrusion is no test - When assessing the internal security of one of my clients, there is one area of their infrastructure and operational processes that continues to undermine the best perimeter defence solutions – their test environments. Almost all IT and Security departments underestimate the security significance of their test systems. Whether the environment... |
| ![NewsPaper](images/Newspaper.png) | Third-party or third-rate? - The majority of the security engagements I participate in are technical assessments and penetration tests against the infrastructure or applications directly owned by the client. Every so often, maybe one in twenty, there is a requirement to assess the security of a third-party system that the client maintains a partial interest in – but has no... |
| ![NewsPaper](images/Newspaper.png) | Orientation from the start - When assessing the security of any complex environment, the first few hours are typically the most important. Depending upon the client organisation and their general security awareness, these first stages of the security assessment are likely to throw up many of the vulnerabilities or security issues that will dominate and direct the next few days... |
| ![NewsPaper](images/Newspaper.png) | Adding Application Security - Having been focused upon the (in)security of web-based applications for over 6 years and working closely with my clients on securing them, it is refreshing to see that a second wave of businesses are finally turning their attention and allocating resources to deal with perhaps their largest external security threat. |
| ![NewsPaper](images/Newspaper.png) | Hooked by Phishing - A pressing concern for many of my financial clients at the moment relates to how they should be responding to phishing attacks. While many of the largest retail banks have already identified a number of phishing scams targeted at their own customer base, some of the smaller or more specialist financial companies who have not yet been targeted ... |
| ![NewsPaper](images/Newspaper.png) | “Rooting the box” - One of the most interesting phases of any penetration test (or pentest) is the actual exploitation of the discovered vulnerabilities. Exploitation not only categorically verifies that the vulnerability exists (and is thus not a false positive), but also serves as a stepping stone to gaining visibility of, and potentially access to, hosts or data not initially... |
| ![NewsPaper](images/Newspaper.png) | Hacking boxes too early to be beneficial - As businesses attempt to improve their development processes by accelerating their release schedules, there is often a detrimental knock-on effect on the security of the application. Whether the application is web-based or compiled, internal or external, this pruning of the development cycle to rush out the latest software solution makes... |
| ![NewsPaper](images/Newspaper.png) | Shattering client-side applications - Over the last few months I have had a number of discussions with clients and participants at open forums relating to software vulnerabilities, and what can be done for long-term protection or risk management. A point often made by participants is that “our biggest concern is that Microsoft’s software is full of security holes”,... |
| ![NewsPaper](images/Newspaper.png) | BlackBerry Security - One of the most interesting things about providing penetration testing services relates to the technologies that you come up against and how they gradually change over time. Each new technology requires a new set of knowledge to be absorbed by a consultant and can often provide stimulating security research potential. |
| ![NewsPaper](images/Newspaper.png) | The 0-day Blues - As with any technical consultancy, there is no escape from technical presales activities – no matter what your position may be. Consequently, after a prospective client has waded through the reams of online service offerings and navigated their way around the salesman, I often find myself involved in the technical presales phases of scoping the... |