Ethical Hacking Quarterly Newsletter

Published by: BT Let's Talk on Jun 25, 2012
Copyright: Attribution Non-commercial


 
 
The BT Assure Ethical Hacking Center of Excellence is pleased to introduce the first in a series of quarterly newsletters.

In this first issue of the newsletter, you'll be able to read about the following:
- Best practices for making the most of audit data and protecting private information in unsuspecting places
- Ethical Hacking consultant, Stephen Jensen discussing the rapid evolution of the threat in a world full of powerful mobile devices, motivated adversaries, and explosive growth in malware.
- The most common vulnerabilities found in real world environments and some simple policies which can help combat them
- A review of top security news topics in the first quarter of 2012 including some of the most incredible malware ever discovered.

Who are we?
Part of the BT Assure suite of managed security services, the Ethical Hacking Center of Excellence is a specialist team of Ethical Hacking professionals who provide comprehensive network analysis, application testing, code analysis, ISO 27002, HIPAA, PCI, and HITECH compliance audits, wireless, mobile device, and web penetration testing and advisory services to leading global companies including members of the Fortune 500.

The quarterly newsletter was created to provide decision makers with a quick and concise source for the latest trends and news direct from the practitioners 'in the trenches' of vulnerability discovery and management.

We hope that you find the newsletter enjoyable and informative.
 
Ethical Hacking Quarterly
BT Ethical Hacking Center of Excellence, Issue 1
 
 
SECURITY BEST PRACTICES
Managing Audit Data
Getting a firm grip on audit trails is an enormous challenge. With so many systems generating so much information, it can seem impossible to manage. Once generated, using that trove of information to detect and react to security issues can be equally challenging. Here are some guidelines to help make the most of audit data resources:

- Consider what information is valuable to log, and set policies for what is logged. Audit systems can log only the minimum or absolutely everything. Find the middle ground that ensures important events are captured. Suggested events include logon/logoffs, file activities (renames, overwrites, copies, deletions), privileged command use, application faults, and any other events deemed important based on a system's role.
- Implement a log collection capability that enables administrators to gather audit data from all systems to point(s) of aggregation. Collecting information in a centralized way makes it much easier to assure proper backups and reviews are performed.
- Back up log data often, and keep it secure. Some attacks can go unnoticed for years, and it's important for both detecting and repairing intrusions to be able to review the attacker's footprints. It can also help prevent future attacks and provide valuable evidence for legal proceedings. Backups of audit data should be made separately from general backups and stored for at least a year, preferably at an off-site location.
- Establish policy for review of audit data and provide resources to enforce it. Professional intrusion analysts, armed with the right tools for sifting through audit data, are critical to situational awareness and adaptive network defense. Today's sophisticated attacks may bypass detection by automated means like Intrusion Prevention Systems and Antivirus; a trained analyst's review of audit data may be the only way to detect these attacks.

Source Code Information Leaks
Application developers often use comment lines in source code to jot down notes for other programmers (or themselves) to ensure that the code is re-usable. These notes and even the code itself may contain sensitive information including names, private server addresses, or account numbers. Without proper policy, source code can be a source of information leaks which can benefit hackers or disclose private data. To protect private information in source code:

- Control access to source code using repositories which have access control capabilities. Ensure that only users with legitimate access to source code can check out data from the repository.
- Ensure access control lists are up to date. Source code access lists should be re-evaluated every three months or whenever anyone with access has a change of employment status.
- Set policy for kinds of information which may not be included in source code or comments. This list may be similar to the list of prohibited content in a content publishing guide or other existing policy, but should always include account numbers or private operations information.
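
A policy on prohibited content in source code is easier to enforce with an automated check at commit or review time. The following is an added example, not part of the original newsletter: it flags private server addresses and account-number-like digit runs and reports whether each sits in a comment or in code. The patterns, the 9-to-19-digit account rule and the sample input are assumptions made for illustration.

```python
import ipaddress
import re

# Naive comment detection (assumption): the first '#', '//' or '/*' on a line
# starts a comment; string literals and multi-line blocks are not parsed.
COMMENT_START = re.compile(r"#|//|/\*")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed policy: 9 to 19 digits, optionally split by single spaces or dashes,
# count as a possible account number and go to a human for review.
ACCOUNT_RE = re.compile(r"\b\d(?:[ -]?\d){8,18}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
// Deploy note: staging DB is 10.20.30.40, ask Dana for access
int retries = 3;  /* refunds go to account 4000-1234-5678 */
const char *db = "192.168.5.9";  // mirror 198.51.100.7, build 300.1.1.1
# TODO tidy up
'''


def is_private_address(candidate):
    """True if the dotted quad is a valid IPv4 address in an RFC 1918 range."""
    try:
        address = ipaddress.ip_address(candidate)
    except ValueError:  # e.g. 300.1.1.1
        return False
    return any(address in network for network in RFC1918)


def scan_source(text):
    """Return (line, kind, where, value) for each hit; where is comment/code."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        marker = COMMENT_START.search(line)
        comment_at = marker.start() if marker else len(line)
        hits = [("private-address", m) for m in IPV4_RE.finditer(line)
                if is_private_address(m.group())]
        # Blank out dotted quads so their digits are not re-read as accounts.
        blanked = IPV4_RE.sub(lambda m: " " * len(m.group()), line)
        hits += [("account-number", m) for m in ACCOUNT_RE.finditer(blanked)]
        for kind, m in hits:
            where = "comment" if m.start() >= comment_at else "code"
            findings.append((number, kind, where, m.group()))
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Hits are candidates for human review rather than confirmed leaks: phone numbers and other long identifiers will also match the account pattern.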
 
 
Stephen Jensen, Principal Consultant 
 
Stephen is a principal consultant at BT and has specialized in cyber security for over ten years. Stephen got started in the security field after witnessing a catastrophic hack at a software company. In the aftermath of the hacking incident, that firm was ultimately driven out of business by its own customers. Stephen went on to study security principles and hacker culture, eventually becoming a senior application tester with BT, leading up test events to help identify application risks so that their owners can prioritize and remediate them before they are found by hackers. We spoke with Stephen about some of the critical issues facing those application owners and the technology industry.

1. What is the most interesting thing in your opinion that the 'bad guys' are doing tactically in the last year and how has it changed the threat?

Mobile malware has increased exponentially in the past year. Malware targeting the Android platform alone has increased 3,325 percent. The bad guys are constantly changing up their tactics and looking at new vulnerabilities in these platforms and the applications that run on them. Anyone with a smartphone is now a potential target for attack.

2. What do you think is the most serious or common misconception about Information Security today?

I think one of the biggest misconceptions is that you're not a target. We tend to think that only the big companies get attacked. Truth is, everyone is a target, whether you're a bank, an insurance company or a social media site. If you store data that suits the agenda of the attacker, you're a target.

3. What is the biggest security misstep (or steps) that you notice when analyzing an organization?

The false sense of security that comes with never having been a victim of an attack. Security is like insurance. You spend money on it, but don't truly appreciate its value until something bad happens. Companies aren't always willing to spend the money on security related expenditures, because the ROI isn't always clear. Until you become a target, you never really appreciate the time and money invested into securing your assets.

4. What technology or process do you think is being most overlooked right now for security threat?

I think there are several areas that could be looked at, including mobile application development, Near Field Communication (such as MasterCard Pay Pass and RFID hacking), and cloud computing. Anything that is computer-based or engages in remote communication with another entity, ranging from cars to phones, is a potential target for an attacker. We live in an automated and computerized world; no technology is out of bounds for an attack.
 
WHITE HAT SPOTLIGHT
 
“I saw first hand the 'worst case scenario' of a hacking attack. How simple programming mistakes could leave a company vulnerable, its clients' reputations publicly damaged, and its employees left without jobs. It showed me how devastating these attacks could be and how many real people's lives are directly affected by them.”
 
