Cloud Pentesting_PenTest Regular 05/2012


05/2012 (13) May



EDITOR’S NOTE

Dear Readers!

TEAM
Managing Editor: Malgorzata Skora malgorzata.skora@software.com.pl
Associate Editor: Shane MacDougall shane@tacticalintelligence.org
2nd Associate Editor: Aby Rao abyrao@gmail.com
Betatesters / Proofreaders: Jeff Weaver, Johan Snyman, Dennis Distler, Massimo Buso, Juan Bidini, Edward Werzyn, Eric Stalter, Marek Janáč
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

Cloud pentesting enjoys great popularity these days and there is still much to be explained and discovered about it. PenTest cannot lag behind. We have prepared for you insightful articles for advanced specialists but also for those who are taking their first steps in the field. But that certainly is not all. Apart from the regular sections, PenTest decided to portray those who, although in the minority, are not minor characters in the business. But first things first. Let’s see the full offer of PenTest Regular. The section Link this time features Simon Wepfer with his article Behaviour-Driven Security Testing. You can learn about the details of BDD and the fruitful cooperation of security testers and social engineers. The author also prepared a tutorial explaining how to create a simple security test using cucumber. Our main section Cloud Pentesting is composed of three articles. Jon Ringler presents cloud pentesting as a challenge, but he provides a methodology for turning simple clouds into thunderclouds. In the next article Chris Brenton “demystifies” the cloud and provides tricks and tips for navigating the tricky waters of cloud pentesting. The author discusses solutions such as IaaS, PaaS and SaaS. Last but not least, the article in this section by Ayan Kumar Pan and Susmita Mandal provides a brief description of the types of cloud service providers and the various risks that can strike these service providers. In the new section Conference we would like to provide pieces of information on various interesting conferences around the world. This time you can learn more about RSA Conference from Hugh Thompson, RSA Conference Program Committee Chairman. Our special section She and IT is devoted to women in the IT Security field, their careers, opinions and plans. We invited Natalya Kaspersky, Debbie Christofferson and Val Rahmani. Natalya presents her way up in the business and she may surprise you with her views on women in IT.

Debbie Christofferson outlines the stories, including her own, of three women who are successful and active IT specialists. Their pieces of advice and experiences can be a good lesson and motivation equally for men and women. Finally, Val Rahmani shares with us details of her creative professional life, full of achievements, her views on female specialists and her predictions for the future. The May edition of PenTest Regular ends with the regular sections Read and PainPill. John B. Ottman presents the third chapter of his book Save the Database, Save the World. Dean Bushmiller in his article titled Setting Expectations in a Fantasy Movie World claims that IT specialists are seen as those who come and with one click save humanity. Dean describes what shaped this opinion and proposes how peers, the press and public opinion can be brought back to a more realistic perspective. I hope that you will find this issue worthwhile. If you have any suggestions about topics or problems you want to read about, or people you would like to know better thanks to PenTest, please feel free to contact us at en@pentestmag.com. Thank you all for your great support and invaluable help. Enjoy reading!

Malgorzata Skora & PenTest Team

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.



CONTENTS

LINK

06 Behaviour-Driven Security Testing
by Simon Wepfer
Many penetration tests are poorly documented. Even if we are following standards and checklists, reports often do not state exactly what has been tested. The following technique from software integration testing helps out.

CLOUD PENTESTING

12 Turning a Cloud into a Thundercloud
by Jon Ringler
With many companies adapting their products for Cloud Computing and customers asking for Cloud Computing capabilities, the world of Information Technology has begun a paradigm shift from traditional data center centric models to what has become known as, “The Cloud”.

18 Pentesting in the Cloud
by Chris Brenton
With the phenomenal growth of cloud computing, many of us are engaging clients where one or more aspects of their cloud deployment is considered in scope. Penetration testing a cloud deployment can make for tricky waters to navigate, due to its shared responsibility model. In this article we’ll demystify the cloud, as well as provide tricks and tips for navigating those waters.

24 Risks in Cloud Computing
by Ayan Kumar Pan and Susmita Mandal
Everything in the cloud is safe and secure until it rains; and when it rains, it pours. It’s impossible to stop the rain, but an umbrella can serve to keep you from getting wet. This composition sheds a light on cloud computing and its evolution, including its history, current scenario and future aspects.

CONFERENCE

32 “Intelligent Defenders on One Side and Intelligent Attackers on the Other” – Hugh Thompson, RSA Conference Program Committee Chairman On RSA Conference and the IT Security Market
by PenTest Team
Dr. Herbert H. Thompson is Program Committee Chair for RSA Conference, the world’s leading information security gathering. In addition, he’s also Chief Security Strategist at People Security and an Adjunct Professor in the Computer Science Department at Columbia University in New York. He is a world-renowned expert in application security and has co-authored four books on the topic including, How to Break Software Security: Effective Techniques for Security Testing ...

SHE AND IT

34 Do what you know well, believe in success and be stubborn – Natalya Kaspersky, InfoWatch Group of Companies CEO, Kaspersky Lab cofounder
by Aby Rao
Natalya Kaspersky is a co-founder of Kaspersky Lab, one of the world’s largest antivirus companies, and CEO of InfoWatch Group of Companies, specializing in developing software solutions for IT security. Natalya’s global business and IT-marketing expertise helped make InfoWatch the market leader in the Russian DLP market and continually expand its global operations.

38 Women in Security
by Debra Christofferson
Three stories of women in security follow, each sharing diverse backgrounds and views: Marni Money as a network security engineer with an audit background, Pamela Fusco as a principal consultant with a CISO background, and Debra Christofferson as an information security consultant with a manager background.

44 I like building big ponds from small ones! IT, Women and Planes – Val Rahmani, CEO of Damballa Inc.
by Aby Rao and PenTest Team
Val Rahmani is the CEO of Damballa, a company that brings a new approach to the fight against modern cyber-threats. Ms. Rahmani brings more than 25 years of customer-driven business and technical leadership to the role. Prior to Damballa, she served as general manager of IBM’s Internet Security Systems (ISS) division, after she made IBM’s $1.3 billion acquisition of the company.

READ

48 Save the Database, Save the World – Chapter 3
by John B. Ottman
It may take a skilled hacker only minutes to crack into a database and exit undetected with hordes of valuable, sensitive data. What’s more, these intruders are not amateurs out for a weekend conquest or a reason to brag on clandestine message boards.

PAINPILL

54 Setting Expectations in a Fantasy Movie World
by Dean Bushmiller
When people ask my mom what I do, she says things like, “Well you know the television show where the police get the bad guy’s computer and pull all the evidence off?


LINK

Behaviour-Driven Security Testing

Many penetration tests are poorly documented. Even if we are following standards and checklists, reports often do not state exactly what has been tested. The following technique from software integration testing helps out.

Most of the security testers I know do not have a strong background in software development. Yes, they may know how to hack Java, reverse-engineer binaries and bypass protection. These skills are often acquired in self-study and I think that is the reason why the security testing process itself often suffers.

Testing like developers

The solution is to test like a developer would. A developer uses integration tests to check whether everything within the application glues together at the higher level. He spends initial effort on specifying and writing tests, but the actual testing is then run automatically and is available for the rest of the application’s lifecycle. By contrast, most penetration testers smash their automated tools against the application first, and then look manually for additional vulnerabilities using experience and gut feeling. If lucky, the client gets a table of findings and a vague list of tested points. This approach is not really satisfying – neither for the client nor for the tester in the long run. Would it not be nice to ‘order’ a penetration test once and be able to re-run it every time something is changed on the application or infrastructure?

Behaviour-Driven Security Testing

Behaviour-driven development (BDD) is used in agile development. It creates applications defined by their behaviour (what an application should be able to do) instead of low-level unit tests. BDD uses a business language to specify requirements. The standard here is Gherkin, which is easy to read and therefore a great interface between technology and business. Here is a simple scenario in Gherkin for testing a web application’s logout feature:

    Given I am logged in
    When I logout
    Then I should see “Successfully logged out”

If the web application does not show “Successfully logged out”, the test fails. As security guys we would probably change the scenario to determine if the session is really terminated from the user’s perspective:

    Given I am logged in
    When I logout
    And I visit “/settings”
    Then I should see “Please login”

Gherkin groups multiple scenarios into features. Each feature has its own text file with a header. Most web applications probably have somewhere a feature definition similar to:

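To show how the session-termination scenario above turns into an executable check, here is an added example that is not part of Simon Wepfer’s article and does not use the cucumber gem: a minimal Gherkin runner in plain Ruby, step definitions in the style of cucumber, and a constructed stand-in web application (FakeWebApp, with its strict flag) whose logout either does or does not invalidate the server-side session. The feature file text, the login/logout/get methods and the user name alice are all assumptions made for the example.

```ruby
# Added example, not from the article: a minimal Gherkin runner with a fake
# web app, showing how the logout scenario becomes an executable security test.
# Real projects would use the cucumber gem; this stand-in has no dependencies.

# Constructed stand-in for the application under test. It keeps a server-side
# session table; `strict` controls whether logout really invalidates the
# session on the server, which is exactly the property the scenario checks.
class FakeWebApp
  def initialize(strict:)
    @strict   = strict
    @sessions = {}      # session id => username
    @next_id  = 0
  end

  def login(user)
    @next_id += 1
    sid = "sid-#{@next_id}"
    @sessions[sid] = user
    sid
  end

  # Correct logout deletes the server-side session. The lax variant only says
  # "logged out" in the response and leaves the old session id usable.
  def logout(sid)
    @sessions.delete(sid) if @strict
    "Successfully logged out"
  end

  def get(path, sid)
    return "Please login" unless @sessions.key?(sid)
    "Settings page for #{@sessions[sid]} (#{path})"
  end
end

# Step definitions: a regex and a block, mirroring cucumber's Given/When/Then.
# The block receives the scenario context plus any captured groups.
STEPS = []
def step(pattern, &block)
  STEPS << [pattern, block]
end

step(/^I am logged in$/)         { |ctx| ctx[:sid] = ctx[:app].login("alice") }
step(/^I logout$/)               { |ctx| ctx[:page] = ctx[:app].logout(ctx[:sid]) }
step(/^I visit "([^"]+)"$/)      { |ctx, path| ctx[:page] = ctx[:app].get(path, ctx[:sid]) }
step(/^I should see "([^"]+)"$/) do |ctx, text|
  unless ctx[:page].include?(text)
    raise "expected page to contain #{text.inspect}, got #{ctx[:page].inspect}"
  end
end

# Runs every scenario in a feature file against `app`. Lines before the first
# "Scenario:" are the feature header and are not steps. Returns [passed, message].
def run_feature(gherkin, app)
  ctx = nil
  gherkin.each_line.map(&:strip).reject(&:empty?).each do |line|
    if line.start_with?("Scenario:")
      ctx = { app: app }          # fresh context per scenario
      next
    end
    next if ctx.nil?              # still inside the feature header
    text = line.sub(/^(Given|When|Then|And|But)\s+/, "")
    pattern, block = STEPS.find { |pat, _| pat.match?(text) }
    raise "undefined step: #{line}" unless pattern
    block.call(ctx, *text.match(pattern).captures)
  end
  [true, nil]
rescue => e
  [false, e.message]
end

# Feature file text of the kind the article describes, constructed here.
LOGOUT_FEATURE = <<~GHERKIN
  Feature: Session termination
    In order to keep my account safe
    As a user of the web application
    I want logout to end my session on the server

    Scenario: Logout really terminates the session
      Given I am logged in
      When I logout
      And I visit "/settings"
      Then I should see "Please login"
GHERKIN

if __FILE__ == $0
  p run_feature(LOGOUT_FEATURE, FakeWebApp.new(strict: true))   # => [true, nil]
  p run_feature(LOGOUT_FEATURE, FakeWebApp.new(strict: false))  # => [false, "expected page to contain ..."]
end
```

The point of the second run is what the article’s modified scenario is for: an application whose logout only renders the “logged out” page, but keeps the session valid on the server, passes the naive scenario and fails this one, because the follow-up request to /settings is still served. The feature file can be re-run unchanged every time the application changes, which is the reproducibility the article argues penetration tests lack.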



CLOUD PENTESTING

Turning a Cloud into a Thundercloud

With many companies adapting their products for Cloud Computing and customers asking for Cloud Computing capabilities, the world of Information Technology has begun a paradigm shift from traditional data center centric models to what has become known as, “The Cloud”.

The Cloud does have its distinct advantages and disadvantages, and like it or not, security professionals have to adapt along with the trends or get left behind. Securing The Cloud is a challenge unto itself, and this article deals with penetration testing The Cloud – turning simple clouds into thunderclouds! Moving to The Cloud is attractive for both service providers and customers. Service providers can off-load some of the day-to-day administration associated with their service offering to the customer. Customers can have the control of operating their systems the way they would like to without the overhead of maintaining the systems associated with the offering. It’s a win-win, right? The low hanging fruit within The Cloud is the data. Service providers are taking less accountability and fewer safeguards in The Cloud to be able to offer a profitable multi-tenant solution. Customers are getting a lower cost model of a hosted solution with the same expectations around data security. Something has to give.

Figure 1. Traditional Data Center Architecture

Traditional Data Center Architecture and Cloud Multi-tenancy Architecture

The first step when performing a penetration test is to assess what the client’s application does that is valuable to their customers and what is of real value to a malicious attacker. The answer is almost always data (whether it be social security numbers, government documents or intellectual property, it’s all data). Figure 1 and Figure 2 show example traditional and cloud based data center models. Security by obscurity plays a role in the Traditional Data Center Architecture, since all the environments are physically separated. However, for The Cloud Architecture to be profitable, the use of shared computing resources introduces several key components for a penetration tester to set their sights on: the ability to hop from one POD to the next, the ability for clients to co-mingle data, and, the utopia for a malicious individual, the prospect of escaping from the virtual resources into the hypervisor level, where they could copy all the guest systems on the physical host and take them home for unlimited attempts at exploitation. In Figure 3, I added the extra avenues of attack introduced by Cloud Computing; they are illustrated by the bad guys in the figure. There you see how the surface area for attack increases in The Cloud. The once siloed architectures are now shared environments. Just imagine the chaos a malicious attacker could cause if they could go from host to host within a customer’s resources, go from zone to zone, go from customer to customer, escape a compromised POD and access the physical host, go from the POD to the shared Network Layer, go from the physical host to the Network Layer, and finally (the crown jewels) go from one customer’s data store to the next with minimal effort. Once you add in the lack of accountability for customers and service providers, the perfect storm for data breach and compromise has been put to market.

Applying Penetration Testing Methodology to the Cloud

We are all familiar with the basic steps surrounding typical penetration testing methodologies. As a refresher, they are:

• Planning and Preparation
• Information Gathering
• Network Mapping
• Vulnerability Identification
• Penetration
• Gaining Access and Privilege Escalation
• Maintaining Access
• Covering Your Tracks

Next we will apply the above phases of a penetration test to The Cloud and adapt the methodology to exploit the benefits of going to a Cloud Computing Model (for both consumer and provider use).

Figure 2. Cloud Multi-tenancy Architecture



Planning and Preparation

The planning and preparation phase of a penetration test is when the key objectives and deliverables of the engagement are determined. The rules of engagement will also be defined during this phase. This will set the tone for what tools you will need, how aggressive you can be with the tools, and how engaged you can be with employees of the supplier and/or the customer of the Cloud Service. By the end of Planning and Preparation, you will have your rules of engagement, objectives, targets, and penetration tool kit all accounted for, and the fun is ready to begin. It is VERY important that both The Cloud Provider and the Cloud Customer agree to the rules of engagement, so as not to cause legal issues if access to unauthorized systems or data is gained via the penetration test. I cannot state this enough: it is VERY important to get the “Get Out of Jail Free” card.

Information Gathering

Information gathering consists of several important tasks which are often overlooked by companies around the globe. Information gathering is essentially using both technical (DNS/WHOIS) and non-technical (search engines, news groups, social networking, mailing lists, job postings, etc.) sources to find all the information you can about the target (company and/or person). Social engineering (if in scope of the rules of engagement) can take place during the information gathering phase and can often yield extremely valuable results. Social engineering is where the most data, and the most useful data, will come from. The human element, and the desire of humans to help one another without the proper checks and balances in place, opens the door for further phases. Internet searches can often turn up which cloud provider is used by which company and who the key contacts are for their relationship. Further discovery can lead to information about The Cloud implementations and backend technologies. Valuable information is often readily available due to undocumented or non-existent workflows between the two entities. An example of a social engineering attack that is magnified by The Cloud is calling the technical help desk of the cloud customer posing as a technical representative from the cloud provider and asking for usernames and passwords for testing new functionality or new systems. The introduction of The Cloud more than doubled the attack surface exposed to information gathering. When the customer controls the administrative functionality of the application that runs on resources provided by the Cloud Provider, there is a lot of trust and crosstalk established between those two entities without the proper due diligence being performed on either side.

Network Mapping

This is where the technical skill set and tool set start to come into play. All the information gathered in the information gathering and planning and preparation phases flows into this phase. During this phase, a more technical approach is taken to footprint the network and resources outlined in the planning and preparation phase. The specific information gathered pertaining to the network is taken and expanded upon to produce a picture of what the network topology resembles for the target. Many applications, tools, and custom scripts can be used in this stage to aid the enumeration of technical information about the network and hosts targeted by the penetration testing team. Network mapping should stick to a pre-defined plan. The plan should account for weak spots and/or spots that are considered to be high value assets. Network mapping will help the penetration testing team build on the information gained in the previous phases, allowing them to confirm or deny assumptions regarding the target system. Figure 4 shows the logical flow of network mapping. A unique paradigm for penetration testing a cloud environment is to also see if you can network map outside of the customer’s cloud portal. When attempting to identify critical services, see if you can reach other customers’ resources via open ports or the tools used during this phase. This will provide additional targets for the next phases.

Figure 3. Additional Avenues of Attack

Vulnerability Identification

Once the network mapping phase is complete, the penetration testing team will have an idea of how The Cloud is laid out. During this phase, specific targets will have been identified and the methods used to test them will be selected. The main activity taking place in this phase is the attempt to detect exploitable weak points and/or low hanging fruit. The majority of work in this phase will be, or should be, carried out via automated tools and will begin by identifying vulnerable services using the banners presented by those services. Using a commercial or free vulnerability scanning tool will automate this process and search for known vulnerabilities specific to the software, operating systems, ports, etc. available on the target machine. These tools will generate a lot of data to sift through, and this is where the penetration team earns its worth by performing false positive and false negative verification, correlating vulnerabilities with each other and with information gained from the previous phases of the penetration test. After meaningful results are established and positive vulnerability results remain, the penetration testing team needs to classify those findings and identify any possible attack paths and scenarios for possible exploitation.

Penetration

This phase is where all the fun stuff happens. In this phase, the penetration team attempts to gain unauthorized access by circumventing the security measures in place and tries to gain as many different access levels as possible. In The Cloud, this means (based on the rules of engagement) not only the customer’s cloud footprint, but also other customers of the cloud provider. If the penetration testing team can escalate privileges and get to another customer’s systems and data, then that same security hole can be used to put the customer’s data at risk. The penetration phase of the engagement can be sub-divided into the following steps:

• Exploit Code/Tool: Discovery of publicly available exploit code or the creation of a custom script for exploitation is required. Remember to test the exploit in a lab prior to using it.
• Tool/Script Development: Creation of a custom tool or script is the best way to automate a task to achieve just the expected results.
• Testing: Remember to test all exploits, scripts, tools, etc., in a lab prior to implementation, so you are familiar with the expected outputs.
• Penetration: The actual use of the above method against the target.
• Did it work: This step will verify or disprove the existence of the vulnerability.
• Document the results: Document in detail the explanations of exploitation paths, impact assessments, and proof that the vulnerability does exist.

Figure 4. Network Mapping Flow

Gaining Access and Privilege Escalation

Now that you have a way in, what next? Activities in this phase enable the penetration testing team to enumerate the target further, which includes confirmation and documentation of the intrusion. This allows for a better report to be delivered to the customer outlining the impact assessment relative to the target. To escalate privileges, you first have to obtain access. This is often done by exposing weaknesses in low-privilege accounts and then using other exploits to enhance privileges. The penetration testing team can do this by discovery of username and/or password combinations, using dictionary attacks, brute force attacks, enumerating accounts with blank passwords, finding systems with default accounts unchanged, etc. Once entry-level access is obtained, reaching the end goal or target of the penetration test may require that additional systems are compromised as well. To accomplish this, the penetration testing team will have to bypass the security measures that may be protecting access to the final target. These possible intermediate hops can be routers, firewalls, domain member servers or workstations, etc. Compromising an account with elevated rights on the target system is the final step of the compromise: the ultimate target (whether it is a system, data, etc.) has been breached and is under the control of the penetration testing team. The end goal is to obtain administrative privileges over the system, in the form of administrative accounts such as Administrator, root, SYSTEM, etc. A single hole in The Cloud is sufficient to expose the entire network and all its data, regardless of how secure the perimeter may be. The Cloud is especially susceptible to the saying that “your systems are only as secure as your most insecure system.” Cloud providers often use a management network to manage the systems that manage the cloud. The communications between offices and users and The Cloud may utilize security functions such as authentication and encryption using technologies such as VPN, to ensure that the data in transit over the network cannot be faked or intercepted. However, this does not guarantee that the communication endpoints have not been compromised. Once administrative access is obtained in The Cloud, the penetration testing team should turn their efforts to exploiting the management networks and gaining access into the Cloud Provider’s private networks (once again, if the rules of engagement permit such) and should try to compromise remote users, telecommuters and/or remote sites of The Cloud Provider.

When It Rains, It Pours

The end result of a penetration test performed on a Cloud Provider can yield valuable results and help the provider strengthen their security posture greatly. The Cloud does offer benefit and, like it or not, it is here for the long term. It is up to Security Professionals like us to make sure that the clouds that appear across the Internet sky are secure, secure the customer data, secure the personal data, and can’t easily turn a bright sunny day into a thunderstorm of data loss and leakage.

JON RINGLER
Jon Ringler is the Technology Security Director at FTI Consulting. He is a subject matter expert in the field of intrusion detection, forensics, cloud security, and application security. Jon has a Masters Degree in Information Assurance and holds several certifications such as CISSP, CISA, and CEH. Jon, his wonderful wife Debbie, and two beautiful daughters Avery and Camryn live in Annapolis, Maryland, USA.



CLOUD PENTESTING

Pentesting in the Cloud

With the phenomenal growth of cloud computing, many of us are engaging clients where one or more aspects of their cloud deployment is considered in scope.

Penetration testing a cloud deployment can make for tricky waters to navigate, due to its shared responsibility model. In this article we’ll demystify the cloud, as well as provide tricks and tips for navigating those waters.

Shared Responsibility

Arguably one of the biggest disruptions that cloud computing brings to penetration testing is the concept of shared ownership. In the past, if an organization contracted you for services, they would typically own all of the components on their network. This would open up all layers of the OSI model for potential testing. In a cloud environment, it is entirely possible that the contracting organization controls very few of those layers. This requires additional up-front work to ensure your testing remains in scope and does not negatively impact any third parties. Here are two terms you need to be familiar with:

• Provider – The entity that built the cloud deployment, and is offering metered service to one or more tenants.
• Tenant – The entity that is contracting the metered service from the provider.

One of the first points you need to clarify when determining scope is whether the organization is a cloud provider or tenant. Note in certain cases there may be multiple clouds where the organization acts as a provider for one, and a tenant for others.

Cloud Deployment Models

Depending on the deployment model, the provider and tenant may be part of the same organization, or they could be completely different companies. Obviously this is a point you will want to ensure is clarified before defining the scope of your testing. Potential models include:

• Private – Typically the cloud is deployed on a local LAN. The provider and tenant are part of the same organization, but not necessarily part of the same workgroup or division.
• Public – Typically the provider offers compute, storage, network, etc. as a service that is consumed by the tenant on a pay-for-use basis. In this deployment model the provider and tenant are almost always part of different organizations.
• Community – Possibly a private or public deployment, a community cloud is managed and consumed by multiple entities that share a similar business model. For example a government could choose to set up a community cloud that is then consumed by different government agencies.
• Hybrid – A deployment that combines aspects of two or more of the above deployment models, as


CLOUD PENTESTING

Risks in Cloud Computing

Everything in the cloud is safe and secure until it rains; and when it rains, it pours. It’s impossible to stop the rain, but an umbrella can serve to keep you from getting wet. This composition sheds a light on cloud computing and its evolution, including its history, current scenario and future aspects.

Further, a brief description of the types of cloud service providers is given. Finally, the various risks that can strike these service providers are stated, which form the crux of this composition, mentioning a few attacks, namely man-in-the-middle, back door, replay, social engineering, TCP hijacking and spoofing.

Evolution of the Cloud

Cloud computing is a technology that uses the internet and central remote servers to maintain data and applications [1]. It is a scalable platform which provides an on-demand service and computing resources to consumers and businesses so that they

Figure 1. A toon representation of cloud computing

05/2012 (13) May

can use applications without installation and access their personal files at any computer with internet access. This technology allows for much more efficient computing by centralizing storage, memory, processing and bandwidth (Figure 2). It is referred as ‘cloud’ due to its characteristics of on-demand service; scalability; and the capability to use it only with a personal computer and Internet access. Cloud computing is not a brand new concept as many people think. In fact, it dates back to 1960s pioneered by J.C.R. Licklider and John McCarthy. J.C.R. Licklider, instrumental in the development of ARPANET that led to the Internet, envisioned computation in the form of a global network. John McCarthy, the father of Artificial Intelligence and LISP, suggested in a speech (in 1961) at MIT that computing can be sold like a utility, like electricity or water. The first known academic usage and definition of the term Cloud Computing was provided by Prof. Ramnath K. Chellappa in a talk titled Intermediaries in Cloud-Computing, presented at the INFORMS meeting in Dallas in 1997. Going further along the timeline, Salesforce (1999), Amazon (2002), Google apps and Windows Azure (2009) joined the action. Currently, Amazon Web Services’ (AWSs’) products such as Elastic Beanstalk, CloudFormation, Amazon Cloud Player and Amazon Cloud Drive; Dell’s vStart; IBM’s SmartCloud; Apple’s iCloud; HP’s BladeSystem




CONFERENCE

“Intelligent Defenders on One Side and Intelligent Attackers on the Other” Hugh Thompson, RSA Conference Program Committee Chairman On RSA Conference and the IT Security Market

Dr. Herbert H. Thompson is Program Committee Chair for RSA Conference, the world’s leading information security gathering. In addition, he’s also Chief Security Strategist at People Security and an Adjunct Professor in the Computer Science Department at Columbia University in New York. He is a world-renowned expert in application security and has co-authored four books on the topic, including How to Break Software Security: Effective Techniques for Security Testing (with Dr. James Whittaker, published by Addison-Wesley, 2003) and The Software Vulnerability Guide (with Scott Chase, published by Charles River, 2005). In 2006 he was named one of the “Top 5 Most Influential Thinkers in IT Security” by SC Magazine. Could you introduce our readers to the themes and purposes of RSA Conference?

Hugh Thompson: RSA Conference is the largest gathering of information security professionals in the world. It offers a rich educational program, keynotes from luminaries and world figures, a tradeshow with over 350 exhibitors and a wide variety of events to help security professionals grow and connect with each other.

Who are your speakers at RSA? What do you take into account while choosing speakers and topics?

HT: Every year, the conference receives a large volume of submissions from information security professionals, researchers, analysts and executives. The Program Committee is comprised of some of the leading thinkers in IT security and they select a final group of sessions that will be presented at the conference. It’s an exceptionally competitive process.

Which topics enjoyed the biggest popularity among the participants this year?

HT: The most popular topic this year was mobile security. Advanced threats and embedded security were also popular.



SHE AND IT

“Do what you know well, believe in success and be stubborn”

Natalya Kaspersky,

InfoWatch Group of Companies CEO, Kaspersky Lab co-founder Natalya Kaspersky is a co-founder of Kaspersky Lab, one of the world’s largest antivirus companies, and CEO of InfoWatch Group of Companies, which specializes in developing software solutions for IT security. Natalya’s global business and IT-marketing expertise helped make InfoWatch the leader in the Russian DLP market and continually expand its global operations. Today InfoWatch Group of Companies sells its products in more than 10 countries, including Germany, Switzerland, UAE, India, Saudi Arabia, Bahrain, etc. The Group also includes the „Natalya Kaspersky Innovation Center”, which creates and develops new technologies that are then handed to the Group to commercialize. Natalya Kaspersky is active in Russian and international business community life. She is a member of several IT committees of Russian governmental organizations, a member of the Board of Directors of the German-Russian Chamber of Commerce, and a member of the Russian-British Chamber of Commerce Advisory Councils.

You are an accomplished entrepreneur in the field of IT Security. I am certain our readers would like to know more about your educational and professional background.

Natalya Kaspersky: I was born in Moscow, in 1966. I graduated from Moscow State Institute of Electronic Engineering with a master’s degree in Applied Mathematics. Later on I got a bachelor’s degree in Business Administration from The UK Open University. In 1994 I came to work for what was then a big Russian computer company, KAMI, in the antivirus department, which then had only 3 programmers. My task was to start regular sales of the antivirus product. The total sales revenue at the time I came in was $100 a month. In 2 years we reached revenue of $100,000 a year. It was enough to open our own company, while KAMI at the time had huge problems and had no resources for the antivirus anymore. We named the company Kaspersky Lab and I became its CEO. We were extremely lucky to grow together with the antivirus market, as it was at its initial stage. So, by the time

I left the CEO position in 2007, Kaspersky Lab annual revenue had reached $128 Mln and annual growth was 159%. Now Kaspersky Lab is the #4 vendor in the antivirus world. In 2003 I initiated the set-up of a daughter company, InfoWatch, which focused on developing solutions to protect corporate confidential data. That was a completely new area, where nobody had yet worked at the time. We didn’t know if the idea of internal protection would work or not, so we created it as a separate company. Fortunately for us, IDC in 2005 announced data leakage prevention (DLP) to be a separate segment of the market. In 2007 I bought the majority of InfoWatch from Kaspersky Lab and became its CEO.

You were the co-founder of Kaspersky Lab and the company was built with no venture capital. Please, tell us how the company has grown since 1997.

NK: The company has seen four main waves of growth.



SHE AND IT

Women in Security Three stories of women in security follow, each sharing diverse backgrounds and views: Marni Money as a network security engineer with an audit background, Pamela Fusco as a principal consultant with a CISO background, and Debra Christofferson as an information security consultant with a manager background.

Conclusions and lessons apply to anyone at any point in their security career planning.

Marni Money’s Story

Marni leads the security program for Desert Schools Credit Union in Arizona and is titled as a network security engineer.

Audit and CISA

She fell into security by accident, when she was recruited by Ernst & Young out of college, as an MIS major. She was hired to do auditing. Marni obtained her CISA – Certified Information Systems Auditor – as soon as she met minimum eligibility. This was for her personal career growth, and because it was an expectation of firm auditors. This wasn’t particularly interesting to her, and every project dealt with accountants. But it changed as the security practice began to develop early in her career. She stuck with it, changed firms twice, and was employed by Andersen when it fell along with Enron’s collapse. This netted a return to Ernst & Young, and a shift to security consulting. Marni worked with policy development and strategy for clients, and was on board as Sarbanes-Oxley hit the scene. Audit taught Marni discipline, that you do what you’re told; you plan, prioritize, and meet deadlines and commitments.

100% Travel

When she married, the 100% travel requirement forced her to change jobs and she moved to a new city and new employer – Coca Cola – this time for Internal Audit. Marni’s new husband landed a job with Honeywell and they relocated again to the Seattle area. She moved to AT&T as a project manager, to prepare them for their first SOX audit, working in IT Operations. This is where Marni really hit her stride. Most of all, she gained an insider perspective.

Five-Year Employment Gap

Marni’s biggest change occurred when she took time off to start a family. She was worried about coming back into technology, especially since Marni earned her MBA while she was out. She graduated in May 2010, during a really tough job market. Coming off a five-year break, she submitted sixty-six job applications, which netted her 10 phone interviews, four in-person interviews, and one job offer. She took it. This tepid response, she felt, was due more to her 5-year employment gap than to the job market. Her audit experience was invaluable, and although her CISA, CISSP, MCSE and CCNA certifications had been allowed to expire, they still demonstrated a significant understanding of technology.

Security Compliance Lead

She was hired as an information security compliance lead, for everything related to security compliance for




SHE AND IT

“I like building big ponds from small ones!” IT, Women and Planes –

Val Rahmani,

CEO of Damballa Inc.

Val Rahmani is the CEO of Damballa, a company that brings a new approach to the fight against modern cyber-threats. Ms. Rahmani brings more than 25 years of customer-driven business and technical leadership to the role. Prior to Damballa, she served as general manager of IBM’s Internet Security Systems (ISS) division, after she made IBM’s $1.3 billion acquisition of the company. Before that, Ms. Rahmani held several general management roles within IBM, including multi-billion dollar hardware, software and services businesses. Her IBM experience includes wireless, telco, utilities, media and government markets across the world. She also ran a strategy unit, where she focused on emerging markets, global alliances and services business models.

Ms. Rahmani was born in the United Kingdom and first came to the United States as executive assistant to Lou Gerstner, soon after he became chairman and CEO of IBM. She is an accomplished speaker, keynoting security and general business events. She is a Board Member of the Metro Atlanta Chamber Technology Leadership Council and Chairman of the Workforce Development Subcommittee. She is also a Board Member of Teradici, a PC-over-IP company in Vancouver, Canada. Ms. Rahmani holds an MA and a Doctor of Philosophy from Oxford University in England, and is a member of the British aerobatics team.

Ms. Rahmani, you have a very illustrious career. What motivates you and brings you the greatest satisfaction?

Val Rahmani: I love building. All the jobs I’ve enjoyed most have involved taking something new and building a team and a business around it, or rebuilding something to make it exciting again. There’s huge satisfaction in seeing an idea come to life, and a great team grow around it.

You were born in the UK and you came to the US in 1996 as an executive assistant to CEO Lou Gerstner. Please, tell us about your experience working with Mr. Gerstner.

VR: This was a fascinating time. Lou Gerstner was working to recreate IBM and build it into the strongest, most energetic company. Being fairly junior at the time, it was an amazing experience not only to see first-hand how someone can take on the task of transforming a huge company, but also to be part of this. I remember we were just launching the notion of ‘e-Business’, which we’d now talk about as Internet business, and Lou Gerstner was way out ahead, showing our teams around the world how it would benefit their customers. I was working with people around the world to help them understand.

Could you present your company – Damballa and the services you offer?

VR: Damballa is an Internet security company that protects companies of all sizes from the types of threats and cybercrime that are causing the much-publicised theft of intellectual property and personal information these days. Damballa has created a very different approach to the problem, which allows us to find and block threats that get by all other systems. In particular we can stop attacks on any device – Windows PCs, MACs, Android, iPad – which no other solution can. And because of our approach, we are the only solution that can truly protect against the attacks which cause the most concern to organizations – those known as zero-




READ

Save The Database, Save The World! Chapter 3 A FALSE SENSE OF SECURITY

“84 percent of organizations believe their security is adequate, yet 56 percent of the same organizations have experienced a breach in the last year.”

It may take a skilled hacker only minutes to crack into a database and exit undetected with hordes of valuable, sensitive data. What’s more, these intruders are not amateurs out for a weekend conquest or a reason to brag on clandestine message boards. Many are hard-nosed, professional criminals. Others are highly skilled, well trained, and organized cyber warriors seeking to inflict massive harm. So what are organizations doing about it? The simple answer is this: not enough!

Databases Are Under Attack!

An Enterprise Strategy Group study recently surveyed over two hundred corporate and government organizations, and the results were not as expected:

• Forty-three percent of corporate databases store confidential data.
• Eighty-four percent feel that their database security is adequate.
• Fifty-six percent of those organizations have experienced a breach in the last 12 months.
• Seventy-three percent predict that database attacks will increase.

How in the world can 84 percent of these organizations believe their security is adequate, yet 56 percent of the same organizations have experienced a breach in the last year? Whether these companies have a false sense





PAINPILL

Setting Expectations in a Fantasy Movie World When people ask my mom what I do, she says things like, “Well you know the television show where the police get the bad guy’s computer and pull all the evidence off? My son is that computer guy” or “You know the movie the Matrix? He is Neo.” I cringe. I smile. Oh mom!

I am happy that she is proud of what I do, but she and the rest of the world have this movie or T.V. expectation of what we do as penetration testers. This expectation causes problems in many ways. We need to let the myth propagate so that our customers have some general idea of what we do, because they really do not know. We also need to manage and set expectations on what we can do with the time allotted by our customers. What the public thinks of penetration testing and what we can deliver can be the same thing, but the problem is typically time and results. I am not saying that we cannot do the great job where we find every flaw in the system. I am saying there is always a tradeoff between what we can accomplish and how much time we are given to do the task. There are ???? main group perceptions: Public (non-technical), Technical, Peers and the Press. In each of these groups we encounter bias based upon movies and television. Your job is to give these people some idea of what we do. The best way to manage these expectations is to provide a parallel story or reality. I apologize at the beginning for not knowing your favorite show. To make this easy to understand for your group’s perception, replace my example with the localized myth, language, and movie. Ask your customers what they have seen, what they think. Change their perspective by explaining a few parts of what we do by relating it to what they do or think.

Public non-technical

What has shaped perspective? The movies based upon world-wide gross receipts are: Matrix Reloaded, Transformers, Mission Impossible, Ocean’s Eleven, and every James Bond movie. Television shows that have done the same are CSI, Dr. Who, and The X-files. What do they expect? They expect you to hit a few keys on the keyboard, screens of data will flow by; you will be able to sort and read this data as it scrolls up the screen, and with one stroke you have the answer. How can we bring them back to our reality? They do not care or know about the particulars of our business, but they do understand a little bit about the movie industry. Ask them how long they think it takes to make the movie or show. One basic piece of knowledge that they can understand; for every minute of broadcast quality television, it takes roughly 60 minutes of filming. This doesn’t include all the hours of pre-production or post-production work for all the people that work. So if one person were to string together all the work that goes into 1 minute of the final product, it would be a minimum of 10 hours. That is a ratio of 600 to 1. The public doesn’t calculate the original effort that supports those few keystrokes.



In the Upcoming Issue of

Cyberwarfare, available to download on May 31st

If you would like to contact the PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.

