
  SC Magazine
Between 2001 and 2004, Gunter contributed to the UK edition of SC Magazine and had a monthly column called "Consultants Corner". The column discussed the security observations he made while conducting penetration testing for some of the world's largest financial institutions.

Listed below are the column pieces he wrote - saved here on this Web site for posterity (and education).

Reaping a rich harvest - An important phase of any security assessment is passive information gathering. Unfortunately the security benefits associated with this phase of an assessment are the least understood by many organizations and are consequently dropped for cost-saving reasons.
The network detectives - Given the nature of my security specialization, I often get approached by clients requiring an immediate response to a critical security concern or ‘compelling event.’ These incidents typically range from threats of targeted business interruption, through to investigation of successful host compromises.
Send in the clones - Did you realise there's a lucrative black market in stolen and "cloned" SIM cards? This is possible because SIMs are not network specific and, though tamper-proof, their security is flawed. In fact, a SIM can be cloned many times and the resulting cards used in numerous phones, each feeding illegally off the same bill.
Preventing Trojan trouble - While antivirus software has matured during this time and is capable of dealing with the majority of previously known or well-studied Trojans, the sheer number of new Trojan development kits and increasing sophistication in 'silver threading' techniques has ensured that they still present an immediate threat to the corporate environment.
Implementing Security - You would think that these organizations, with their highly skilled and sizable security departments, would be able to handle almost any security problem thrown their way. While they certainly have mature and established security policies, and are aware of many of the pitfalls, their problems tend to manifest themselves in the way their security...
Blind penetration testing - A starting point for many of these discussions begins with, “can you do penetration tests, and can you do it ‘blind’?” This is an interesting question, and a clear indicator that the potential client has either watched too many hacking movies or browsed through one of the mainstream how-to-hack books.
Workstation security - The easiest way to compromise the integrity of an organization’s data assets is through its desktops. This is because most organizations use a homogenous environment and most fail to secure this against attack. Yes, they usually deploy specialist perimeter defence systems, including securely configured internet-facing services, but...
System security patching - Patching systems can be incredibly time-consuming and affect the stability of critical hosts. But not patching these systems can leave the critical hosts in a state ripe for compromise. While most organizations develop a strategy for applying security patches, there are often long periods where these critical hosts are not protected against...
Relying on bad firewalls - When protecting networked assets and business critical infrastructure from attack, most organizations’ defensive line begins with their firewall - unfortunately, all too often it ends with it as well. Too many organizations see a firewall as the suit of armor protecting their infrastructure investment. A better analogy would be the breastplate...
Social engineering by proxy - An area of security that regularly raises the hackles of a corporate security department is the threat of social engineering attacks. While most security staff can understand the dangers of this type of attack, it is extremely difficult to guard against, as the defense relies heavily upon staff education procedures that are almost impossible to...
Evolution of perimeter defence - The continual release of new software and hardware technologies, each with ever increasing complexity and broadening integration requirements, has assured that the security arms-war will continue to force ever more sophisticated counter-attack and protection orientated systems into commercial organisations to counter past...
The Trojan Defence - While anti-virus software has matured during this time and is capable of dealing with the majority of previously known or well studied Trojans, the sheer number of new Trojan development kits and increasing sophistication in “silver threading” techniques (the process of inserting Trojan code within any other distributable application so it cannot...
IPS destined to replace legacy routers - Whether the term is evolution or revolution, corporate network managers must have noticed that change is in the air. Just as network design changed with the cost effective implementation of routers replacing legacy network bridging devices, the design rulebook is once again under revision.
Communicating and understanding risk - Before starting a security assessment, a lot of work is often invested in getting legal frameworks and confidentiality agreements in place between all concerned parties. While I ensure that all reports produced by me are clearly marked “strictly confidential” and “client only”, I know for a fact that there is a high probability that a copy...
Custom Flaws for Custom Applications - For a number of years now, I have specialised in the security assessment of custom web applications. It is with a little despair that I note this is the one area of corporate security that has gotten increasingly worse each year – not through any fault of my own I hasten to add. While organisations have finally begun to master the fine art...
Doing it passively - An important phase of any security assessment is passive information gathering. During this phase, information is gleaned from a variety of external (non-client) sources and through data gathering techniques directed against the infrastructure such that they would not normally be identified as anything beyond typical network traffic.
Exploiting Vulnerabilities - One of the most common questions my clients ask me is what tools will I use to carry out the security assessment of their particular system or application. In some cases this question may be driven by a fear that, owing to the fact that my parent organisation is well known for producing vulnerability scanning products, I would restrict my investigation...
Understanding the threat from within - I regularly work with an assortment of international organisations whose primary business interests are in the Americas or Asia, but have satellite offices based in Europe. Although many of these satellite offices could be considered large by regional standards, they are obviously secondary or ...
An intrusive third-party - Some clients will refer to ‘passive’ and ‘active’ phases of testing, while others will refer to ‘non-intrusive’ versus ‘intrusive’. Although it is easy to make one-to-one comparisons between the two nomenclatures, there are a number of nuances that can be a source of misinterpretation. Failure to clarify the language, and consequently the purpose ...
Pentest Shocks - Although I believe that a professionally delivered security assessment knocks the socks off a classic penetration test (pentest) for value and cost effectiveness, there are times when a pentest is more than adequate for the client's immediate needs. This is commonly the case when they require a quick “attackers” evaluation of a semi-independent website...
This intrusion is no test - When assessing the internal security of one of my clients, there is one area of their infrastructure and operational processes that continues to undermine the best perimeter defence solutions – their test environments. Almost all IT and Security departments underestimate the security significance of their test systems. Whether the environment...
Third-party or third-rate? - The majority of the security engagements I participate in are technical assessments and penetration tests against the infrastructure or applications directly owned by the client. Every so often, maybe one in twenty, there is a requirement to assess the security of a third-party system that the client maintains partial interest in – but have no...
Orientation from the start - When assessing the security of any complex environment, the first few hours are typically the most important. Depending upon the client organisation and their general security awareness, these first stages of the security assessment are likely to throw up many of the vulnerabilities or security issues that will dominate and direct the next few days...
Adding Application Security - Having been focused upon the (in)security of web-based applications for over 6 years and working closely with my clients on securing them, it is refreshing to see that a second wave of businesses are finally turning their attention and allocating resources to deal with perhaps their largest external security threat.
Hooked by Phishing - A pressing concern for many of my financial clients at the moment relates to how they should be responding to phishing attacks. While many of the largest retail banks have already identified a number of phishing scams targeted at their own customer base, some of the smaller or more specialist financial companies who have not yet been targeted ...
“rooting the box” - One of the most interesting phases of any penetration test (or pentest) is the actual exploitation of the discovered vulnerabilities. Exploitation is used to not only categorically verify that the vulnerability exists (and is thus not a false-positive), but is also used as a stepping stone to gaining visibility and potentially access to hosts or data not initially...
Hacking boxes too early to be beneficial - As businesses attempt to improve their development processes by accelerating their release schedules, there is often a detrimental knock-on effect to the security of the application. Whether the application is web-based or compiled, internal or external, this pruning of the development cycle to rush out the latest software solution makes...
Shattering client-side applications - Over the last few months I have had a number of discussions with clients and participants at open forums relating to software vulnerabilities, and what can be done for long-term protection or risk management. A point often made by participants is that “our biggest concern is that Microsoft’s software is full of security holes”,...
BlackBerry Security - One of the most interesting things about providing penetration testing services relates to the technologies that you come up against and how they gradually change over time. Each new technology requires a new set of knowledge to be absorbed by a consultant and can often provide stimulating security research potential.
The 0-day Blues - As with any technical consultancy, there is no escape from technical presales activities – no matter what your position may be. Consequently, after a prospective client has waded through the reams of online service offerings and navigated their way around the salesman, I often find myself involved in the technical presales phases of scoping the...
   



 
     
Copyright 2001-2007 © Gunter Ollmann