Ethical Hacking Quarterly Newsletter Issue 2
The BT Assure Ethical Hacking Center of Excellence is pleased to introduce the second in a series of quarterly newsletters.
Published by: BT Let's Talk on Sep 19, 2012
Copyright:Attribution Non-commercial
SECURITY BEST PRACTICES

Security policy management

It goes without saying that one of the cornerstones of a successful security program is to have a strong security policy which is well maintained, operationalized, and understood by the entire organization. Some information security officers, caught up in the day-to-day implementation of policies and procedures, lose sight of the need to maintain the policy itself. Whatever form security policies take, whether a unified framework or a mesh of policies, it is important to plan updates and awareness training.

- Set a schedule for reviewing security policy with a periodicity of no more than one year. With fast-changing threat sources, more frequent reviews are recommended. Use records from any incidents to ensure that controls which proved inadequate in the previous period are updated. Ensure consideration is given to changes in technology, such as the adoption of mobile in the infrastructure.
- Be sure the organization is aware of security policy and of the consequences for operating outside security guidelines. New hires, contractors, and others joining (even on a temporary basis) should be given training and demonstrate understanding of security policy prior to being given access to information resources. Refreshing the awareness of existing employees, and ensuring understanding of any updates, is also highly recommended through annual awareness campaigns or training.

Executive commitment to security

IT security managers and practitioners know the difficulties of making security part of organizational culture: everyone knows it is important, but security is often pushed to the back burner in favor of projects and operations. When business units or operational areas push back on security, a statement of commitment to information security can often be the key to gaining priority. Obtaining management commitment can seem so obvious that it is overlooked as a given. To ensure that security has the backing it needs:

- Identify the right level of management to approach regarding a statement of commitment. Typically an upper-executive level is needed to ensure cross-cutting authority over the many areas which security affects.
- Ensure that management understands security in terms of protecting the business and mission, the realistic impacts facing the organization, and the need for a culture of security commitment. As executive management does not always have a security background, take steps to describe risks in terms of business impact and address only very credible threat sources.
- Ask that statements of commitment have the widest distribution throughout the organization to help facilitate cultural change across all areas, and avoid singling out any units which may have been resistant to security implementation.
- Request that statements of commitment be updated on an annual basis.
Ethical Hacking Quarterly, Ethical Hacking Center of Excellence, Issue 2: September 2012

WHITE HAT SPOTLIGHT

Tony Danna, Principal Consultant

Tony Danna is a Principal Consultant with the Ethical Hacking team and has specialized in information security for 15 years. Tony is a veteran of hundreds of international security assessments and authored the team's network assessment methodologies. He previously served as the lead security engineer at a Fortune 500 company and created and instructed an Information Security curriculum at a local college. We spoke with Tony about some of the critical issues facing application owners and the technology industry.

1. This year has revealed a number of sophisticated cyber weapons such as Flame, Gauss, and Madi actively used for espionage or sabotage of major operations in Middle Eastern states. Do you believe such weapons will be adapted for use against international corporations in the next few years?

This is really just an evolutionary stage that we are in. Malware is growing like mobile apps, with an iPhone in everyone's hand. Seeing as how they appear linked and, while mostly focusing on banks abroad, there have been infections against systems here in the US at large well-known companies. And really these are gaining such a foothold because their cousins have historically been successful within existing corporations. I see this being more of a wake-up call for corporations, both domestically and internationally, since they are the playground and test-bed for things to come. The bigger issue remains: this shows the evolution of what conflict and diplomacy on a geopolitical stage can and will become. So in the next few years, it will be hard to tell, but I think [the threat will grow in] leaps and bounds even in the next year and not just for corporations.

2. Mobile malware has exploded across a variety of devices in the last few years while professionals are demanding to 'bring your own device'. Do you believe the risk can be balanced with the desire for flexibility?

I don't think it is really about flexibility but rather the risk around the whole BYOD trend that everyone likes to talk about. It really isn't addressing the real issue with mobile apps or those devices everyone likes to 'bring'. The root issue is that mobile application security is no different from a web application's security and the way they should be developed and secured. Mobile apps are built around the fact that the device owner is in possession and the assumption that physical access is a given. But if mobile apps were addressed and developed in the same way as web applications, with the assumption that the client is in full control of the attacker, then the risks to these devices by just installing an app would not be so high.

3. In your experience testing web applications, you encounter hundreds of unique threats and vulnerabilities. Do any stand out in your mind as 'high risk but easy to fix' that organizations should remedy right away?

This is a trick question, right? I'd go with input validation for $200, Alex. Why input validation? Because something as simple as a Web Application Firewall (WAF) can be very effective at validating input and blocking all viable exploits in the interim until the longer-term fix is implemented. Using something like mod_security that sees all requests, you can set parameter-based white-lists and do a really good job of sanitizing input reaching the application and backend databases; obviously the closer to the application code, the better. I won't go as far as to say secure code isn't the best solution, but if malicious input can't reach the application or the backend database, then there are no exploitation vectors, given that the server-side code isn't in scope. Not the ideal SDLC answer for input validation, but if the result is the validated input and it is needed quickly, then there is nothing wrong with the right tool for the right job.

4. Many IT managers and resource sponsors see security as a cost of doing business, much like insurance. How do you view information security from a financial perspective?

Great analogy, insurance. It's a gamble for both parties. Except if a breach or data loss occurs, you can't really say it wasn't fiscally feasible when you're in business with data to protect and are responsible to many parties regarding that protected data. Financially, it is just that, a cost of doing business. You need servers, electricity for them, HVAC so they don't melt together. Nothing should be different about the data they hold or transactions they process.

5. What do you think is the most serious or common misconception about Information Security today?

The reliance on vendors for patches to serious issues. Vendors are becoming more and more reluctant to confirm vulnerabilities when proper disclosure is made, much less address it in a timely fashion. If a vendor doesn't release a patch, the road ends.

A close second would be that security is reactive and putting out fires just when the auditor is in, akin to teaching kids only what they need to know to pass a certain test; it doesn't give a complete view of a field of knowledge and stifles the intended experience.
INDUSTRY METRICS

Ethical hacking tests conducted across a wide variety of leaders in the financial industry yielded interesting statistics regarding the frequency and type of vulnerabilities commonly faced. For instance, this quarter the most common vulnerability across the industry remains the marking of session ID cookies. Other very common risks include disclosure of sensitive information on screens and in error messages, such as showing full account numbers in a client browser session or technical information about a web server in HTTP error pages.

Cross Site Scripting, or XSS, remained the leader in high risks detected this quarter, though it was nearly matched by a rise in high risk information disclosure through the use of the HTTP 'GET' method.

Many of the high risk items prevalent this quarter were missteps embedded in code or software engineering thanks to insufficient or improperly applied secure coding practices. Loss of data due to HTTP 'GET', for example, is completely avoidable if guidelines properly require the use of 'POST' for sensitive transactions. Correcting code errors can be a costly and difficult undertaking, especially compared to the cost of avoiding the problem.

Insufficient development policy was also responsible for the majority of medium security risks this quarter, with many applications missing critical features. Development policy should ensure that all applications feature security functions such as:

- Logout function on all user pages
- Password change capabilities
- Account locks for failed password attempts
- Session time-outs
- Password aging and expiration

The Ethical Hacking team offers gap analysis services for coding guidelines and policy to help ensure development guidelines are comprehensive and well integrated into the Software Development Life Cycle.

On average, applications tested across the industry this quarter were found to have approximately one high risk, two medium, and four low risks. This represents about a 20 per cent aggregate improvement over the previous quarter and indicates successes in identifying and eliminating vulnerabilities with support from the BT Ethical Hacking team. On average, systems which performed a test and utilized the findings to make corrections remediated 22 per cent of all findings; systems which re-tested a second time typically doubled the number of risks closed.

While the majority of security risks tracked down by the Ethical Hacking team deal with custom developed applications, infrastructure items such as software patching are also assessed. Across the industry, diligent patching practices were noticed across the board with one notable exception: the ubiquitous Apache and Tomcat web servers, which represented over 90 per cent of outdated software. While the Apache Foundation is also diligent about squashing bugs and releasing updates, implementing the newest release is sometimes complicated when the server is bundled with a vendor application such as Tivoli. In such instances, critical remediation patches can be delayed until a vendor solution is available. In such cases, it is recommended to analyze the Apache Foundation change logs from the version in place to the current one, and to assess the applicability of each corrected vulnerability for risk and for possible countermeasures which can serve as a stop-gap until a vendor solution is available.
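As an added example (not from the newsletter or the BT team), two of the findings discussed in this section, session ID cookies set without protective attributes and sensitive transactions carried in a GET query string, can be checked mechanically from response headers and access logs. The cookie names, the list of sensitive endpoints, and the sample Set-Cookie values and log lines are all assumptions constructed for the demonstration.

```python
"""Audit for two findings from the metrics above: session ID cookies set without
protective attributes, and sensitive transactions carried in a GET query string."""
import re

# Assumed session cookie names (constructed); extend with the application's own.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}
# Assumed endpoints that policy designates as sensitive, hence POST only.
SENSITIVE_PATHS = {"/account/transfer", "/account/update", "/login"}

def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value;
    non-session cookies and fully attributed session cookies return []."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip().lower()
    if name not in SESSION_COOKIE_NAMES:
        return []
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in present]

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def audit_access_log(lines):
    """Yield (path, query) for sensitive endpoints reached by GET with a query
    string: that data lands in browser history, proxy logs and Referer headers."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if m.group("method") == "GET" and path in SENSITIVE_PATHS and query:
            yield (path, query)

# Constructed samples: a weak session cookie, a hardened one, a non-session cookie.
SAMPLE_COOKIES = [
    "JSESSIONID=3F2A9C; Path=/",
    "JSESSIONID=3F2A9C; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
]
# Constructed log lines: a sensitive GET, the same transaction via POST, a benign GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2012:10:01:02 +0000] "GET /account/transfer?to=12345678&amount=500 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Sep/2012:10:01:09 +0000] "POST /account/transfer HTTP/1.1" 302 0',
    '10.0.0.7 - - [19/Sep/2012:10:02:00 +0000] "GET /help?topic=fees HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for c in SAMPLE_COOKIES:
        print(c.split(";")[0], "-> missing:", audit_set_cookie(c) or "nothing")
    for hit in audit_access_log(SAMPLE_LOG):
        print("sensitive data in GET query string:", hit)
```

Running it reports the first cookie as missing Secure, HttpOnly and SameSite and flags the account transfer carried in a GET query string, while the POST and the help page pass.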