EDITOR’S NOTE
Market 02/2012 (02)
Pentesting market is growing
The second issue of PenTest Market is out. We have for you the next fresh dose of interviews and articles devoted exclusively to the pentesting business. The first issue was very popular, so we decided to make PenTest Market a free magazine. Now access to our content will be easier than ever. Let’s look at what we have prepared for you in this issue.

On the cover you can see Victor Mehai Christiansenn, who is the Director of Sales at SecPoint. Victor told us about the pentesting market which, in his opinion, is going to keep growing in the upcoming years. He has also described SecPoint tools for penetration testers. On the next pages we will „Walk through the penetration testing fundamentals” with Pierluigi Paganini. The author explains why to conduct a penetration test and shows that penetration testing is a widespread need.

We have talked with two experts in the area of IT security auditing. Michael Brozzetti told us what the difference is between an Internal Auditor and an External Auditor. We also asked him about the transition from IT security to IT auditing. Furthermore, Mehmet Cuneyt recommended certifications, trainings and skills for someone who wants to pursue a career in IT security auditing.

Another interesting person we had the pleasure to talk with was Dr. Lukas Ruf. He is a senior security and strategy consultant with Consecom AG. He shared with us his experience from the security consulting business and told us about strict cyber privacy in the EU. Ian Moyse, a leader in Cloud Computing, has prepared for us a combination of pieces focusing on adopting Cloud in a secure manner. He provides exemplary things to check before signing up with a cloud service provider. „Have you M.E.T?” is a really intriguing title. Amarendra in his article writes about what it takes to be a successful pen-tester. You just have to have M.E.T: Mindset, Experience, Tools, techniques, and training.

Our next guests are Joe Hillis and Jay McBain. Joe is leading an initiative to engage the technology community to help small businesses and communities with continuity and recovery of information systems following a disaster. Jay is an accomplished speaker, author and innovator in the IT industry. They both have much experience in IT security and you can learn a lot from them. Our last but not least interview in this issue features Raj Goel. He is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries. Finally we can present the article by our great contributor, Aby Rao. He provides „10 ways to enhance your career in Information Security” based on his personal experience. This article is primarily targeted towards people who are at entry-level positions or are making a switch to IT Security from a different field of work.

We hope you will find this issue of PenTest Market absorbing and uncommon. Thank you all for your great support and invaluable help. Enjoy reading!

Krzysztof Marczyk & Pentest Team
02/2012(2)
Page 3
http://pentestmag.com
CONTENTS

PENTESTING MARKET
06 Interview with Victor Mehai Christiansenn by Aby Rao
The pen test market has grown a lot during the last few years and the good news is that this increase is not going to stop, as there will always be a new vulnerability and the remedy for it is required instantly. So we always try to keep finding new possible loopholes, and the customers and end users do understand the need for pen-testing as it’s a proactive way of finding what might be coming to them in the future, and they do want to stay prepared and prevent it. There is nothing better than pen testing and it is just going to increase more and more in the coming time.

PENTESTING FUNDAMENTALS
08 Walk Through the Penetration Testing Fundamentals by Pierluigi Paganini
The figure of the pen tester is a critical one: he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has happened that companies have wrongly hired hackers who were in time revealed to be cyber criminals. Information is power, is money, and the concept of „trust” is fundamental for this kind of analysis.

IT SECURITY AUDITING
12 Interview with Michael Brozzetti by Aby Rao
IT security professionals can make excellent candidates for IT auditors because it’s like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking “short-cuts.” This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing.
16 Interview with Mehmet Cuneyt Uvey by Jeff Weaver
The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results), but also at the systems and processes that create those numbers.

SECURITY CONSULTING BUSINESS
20 Interview with Lukas Ruf by Aby Rao
As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

CLOUD COMPUTING
24 Securing Clouds by Ian Moyse
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

SUCCESSFUL PENTESTER
28 Have you M.E.T? by Amarendra
Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the „ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

DISASTER RECOVERY
30 Interview with Joe Hillis by Aby Rao
Disaster Recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The “best” method is generally driven by a business’s operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; others may require continuous access to systems and data, regardless of the event.

SOCIAL MEDIA
34 Interview with Jay McBain
Building a personal brand is key in today’s „flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

IT SECURITY
40 Interview with Raj Goel by Aby Rao
At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security doesn’t really matter to them – I’ve met very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – that’s the only regulation that captured their attention and budgets.

KNOW-HOW
44 10 Ways to Enhance Your Career in Information Security by Aby Rao
At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences. This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn’t have a problem running through the list fairly quickly.

TEAM
Editor: Krzysztof Marczyk krzysztof.marczyk@software.com.pl
Associate Editor: Aby Rao
Betatesters / Proofreaders: Massimo Buso, Daniel Distler, Davide Quarta, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
PENTESTING MARKET
Interview with
Victor Mehai Christiansenn
Victor Christiansenn is the Director of Sales at SecPoint. He established the SecPoint security firm in 1998, at the tender age of 16, in the basement of his parents’ house. Since then, the young entrepreneur has been working in the IT security industry full-time for more than 11 years. His passions are Wifi Security, Vulnerability Scanning and UTM Appliances. He is interested in Freemasonry.
SecPoint is a world-renowned IT company. What is the key to success of your company?
Victor Christiansenn: Innovation and Continuous Development. Doing things differently than everybody else and opening up new markets, like with the Portable Penetrator. Also to quickly adapt to new requirements in the market.
You have been on the market since 1998. What was the most challenging at the beginning of your career?
VC: Every day is a challenge! Once you love your job you do not see it as a challenge.
How has the pentesting market changed during these several years? Do you consider anything as a turning point for the market?
VC: It has changed a lot. We have seen sales of the Penetrator and Portable Penetrator increase, especially in the last three years. There has been a turning point where customers have realized the need for pentesting. Plus, every other day a new vulnerability is found, and as an IT Security company we always strive to find the solution to the vulnerability.
How do you see this market in the future?
VC: Growing big time. The pen test market has grown a lot during the last few years and the good news is that this increase is not going to slow down: there will always be new vulnerabilities, and the remedy for them is required as fast as possible. So, we always try to keep finding new potential loopholes, and the customers and end users do understand the need for pen-testing as a proactive way of finding what might be coming to them in the future, and they do want to stay prepared. There is nothing better than pen testing and it is just going to increase more and more in the coming time.
What would you advise to people who want to start their own company in the IT field?
VC: Go for it! The whole Internet is waiting for you. As I said, the threats are something that will never go away. You will always find some news about the new threats discovered. It requires a lot of manpower and skills to be able to be the one who finds it before anyone else. Then comes the part to find the solution and integrating it into the Pen-Testing Product, so that the scanner can scan for it and find if that vulnerability is indeed present on the network.
Please, tell us more about your products (SecPoint Protector, SecPoint Penetrator, SecPoint Portable Penetrator).
VC: Protector is an advanced UTM (Unified Threat Management), which ensures Real-Time all round protection for users connected on your Wired Network.
PENTESTING FUNDAMENTALS
Walk through the penetration testing fundamentals
Talking about penetration testing fundamentals and their introduction in the private and military sectors. The growing demand for experienced IT professionals demonstrates awareness of the matter; it is an expression of the need to analyze in depth every aspect of technology solutions.
The level of security and confidence requested by the market requires a meticulous approach in the testing phase of architectures, and the methods introduced in recent years have become an integral part of the production cycle of each solution.
Why conduct a penetration test?
Penetration testing is a fundamental method for evaluating the security level of a computer architecture or network; it consists in simulating an attack on the resources of the system under analysis. Of course the investigation can be conducted by experts auditing the security level of the target, but also by cyber criminals who want to exploit the system. The penetration testing process is conducted over the target searching for any kind of vulnerability that could be exploited: software bugs, improper configurations, hardware flaws. The expertise provided by professional penetration testers is an irreplaceable component in evaluating the security of systems deployed in the private and military sectors, and in many sectors these kinds of tests are required for the validation of any system or component. The testing approach has radically changed over the years: similar tests were originally conducted mainly on systems already in production or operation, in order to demonstrate their vulnerabilities, whereas today’s test sessions are planned as part of the design phase and assigned to internal or external staff depending on the type of checks to be conducted.
A first classification of penetration tests is based on the knowledge of the technical details of the final target, distinguishing black box testing from white box testing. Black box testing assumes no prior knowledge of the system to test: the attacker has to first locate the target and identify its surface before starting the analysis. With the term white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.
The figure of the pen tester is a critical one: he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has happened that companies have wrongly hired hackers who were in time revealed to be cyber criminals. Information is power, is money, and the concept of “trust” is fundamental for this kind of analysis. Over the years awareness of the risks attributable to exploitable vulnerabilities in systems, and of their economic impact, has fortunately increased; this aspect is not negligible because it has enabled a more robust commitment from company management, which has requested penetration testing activities more and more often.
IT SECURITY AUDITING
Interview with
Michael Brozzetti
Michael Brozzetti (CIA, CISA, CGEIT) is President of Boundless LLC, an expert internal auditing and governance firm, and is Chairman of the Business Integrity Alliance™, a joint venture between zEthics, Inc. and Boundless LLC with the mission to advocate and advance the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael has a passion for helping organizations strategically manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation.
It’s not very common for us to interview professionals with extensive audit experience. Please tell us about your background and professional experience.
Michael Brozzetti: I started my auditing career with PricewaterhouseCoopers LLP (PwC) as an intern, where I gained a lot of experience in the IT Auditing, IT Governance, and Business Process Reengineering domains. In 2002, I moved into working full-time as an IT Auditor at Charming Shoppes, which is a publicly traded specialty retail company. At that time, the company was going through a transition and had decided to bolster its Internal Audit department by hiring lots of fresh talent, so I had an excellent opportunity to work with a lot of great people to help build a new Internal Audit department from the ground up. It was a unique and valuable experience to help such a large company design and implement internal audit processes and systems to support all of the auditing and consulting engagements performed by the department. In 2005, I decided to take that “leap of faith” and focused my energy into Boundless LLC, which later became recognized as a Philadelphia 100 “Fastest Growing Company” in 2010.
Can you tell us a little bit about your company Boundless LLC and the services you offer?
MB: Boundless LLC helps safeguard reputation and fiduciary integrity by helping organizations manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. We accomplish this by helping organizations integrate and improve their organizational ARCs – Audit, Risk, and Compliance – through our training, speaking, and consulting service offerings. “One size” does not fit all anymore, so Boundless remains flexible in supporting our clients’ needs, and when we are engaged in a consulting capacity we work on a retainer basis, pledging to uphold the Institute of Internal Auditors (IIA) Code of Ethics principles for
IT SECURITY AUDITING
Interview with
Mehmet Cuneyt Uvey
Mehmet Cuneyt Uvey was born in Istanbul, Turkey, in 1967. He graduated from Middle East Technical University, Public Administration Department. He then completed his MBA degree at Bloomsburg University of Pennsylvania, USA. He has 25 years of experience in Internal Audit, IT Audit, IT Risk Management, IT Governance, Information Security and Project Management. He has performed audits, managed many projects and rendered consultancy services to public and private institutions. Mehmet holds CGEIT, CISM, CISA, BS7799/ISO27001 Lead Auditor and PMP certificates and has worked as one of ISACA’s CobiT Trainers in the past. Currently, he works as an Internal Auditor for Turkish Tractor and Agricultural Machines Company (a CNH – Koc Group partnership). He gives lectures to graduate-level classes about the above-mentioned subjects at various universities. He speaks Turkish, English and German.
What motivated you to get into the IT Security field?
Mehmet Cuneyt Uvey: I am of internal audit and finance origin. Back in the 80’s and early 90’s, the bank I worked for was in a huge transition into automation. The bank had 600 branches, and the systems developed first were aimed at branch automation. The use of mainframe and manual procedures was consolidated into batch processing, which was the first precedent. Later on, a high volume of investment into ATMs, the credit card business and POS machines were new additions to the network. Self-service banking channels and Internet banking all became integrated. During this transition, I thought of auditing the systems and IT processes instead of the financial transactions. I had the chance to establish the IT Audit in the bank I worked for and understood that information security is one of the most important parts of IT audit. That’s how I got into IT Security.
How did you get your start in IT Security?
MCU: After establishing the IT Audit department and performing process & systems audits, we recognized that there was an information security standard published by BSI (British Standards Institute) named BS-7799 (now ISO27001). We had the chance to get the standard and we thought of using the standard for our audits for information security. This was the first time.
As an internal auditor what are some of your day to day tasks?
MCU: I work in one of the largest tractor companies/ factories in the world. The Internal Audit Department
SECURITY CONSULTING BUSINESS
Interview with
Lukas Ruf
Dr. Lukas Ruf is a senior security and strategy consultant with Consecom AG, a Swiss-based consultancy specialized in ICT Security and Strategy Consulting. He is one of Switzerland’s experts in application, system and network security. He specializes in network and system security, risk management, identity and access management, computer network architectures, operating systems, and computer architectures. He is an expert in strategic network/ICT consulting and security audits, and a designer of security architectures for distributed platforms. Dr. Lukas Ruf has been gaining experience in Security and Strategy Consulting since early 2000. Since 1988 he has been active in ICT application development as an architect, lead engineer, apprentice coach, consultant, educator and trainer. His proficiency builds on this long-term experience.
Dr. Ruf, you are a very distinguished professional with experience in academia and industry. Please tell us more about yourself, leading to how you got into the security consulting business.
Lukas Ruf: Back in 1988, I started my first part-time job besides high school as a computer supporter for one of the (then) larger PC resellers. Before enrolling for studies at ETH Zurich (ETHZ), I began working as a software engineer for a ten-person consultancy. In 1996, I was asked by my boss to present my reflections on web security to one of our major customers. This led to my first web penetration testing in 1998. Business evolved and I started my first one-man security consulting in 2000. That’s it, basically.
While you were studying at ETH Zurich, what did you study and what was your research focus?
LR: At ETH, I enrolled for electrical engineering. For personal interest, I concentrated on microelectronics and anything that was possible to study in the field of computer and network engineering. My master’s then focused on computer and network architectures. For one of my term theses, I designed and implemented the first port of Topsy v1 to the ia32 PC platform. To continue research in system and network design and engineering, I started my Ph.D. thesis in the field of Active Networking. Active Networking explored the possibilities of breaking the strict boundaries of network layers already within the network stack – and allowed for dynamic re-configuration and update of the functionality provided therein. This research allowed me to gain an in-depth understanding of networking as well as system security and stability, insights from which I benefit every day in my job as a security consultant.
CLOUD COMPUTING
Securing Clouds
The most common objections for holding back SaaS (Software as a Service) adoption, as reported by end customers, are ‘security’ and ‘reliability’. This is interesting when you consider that SaaS security is consistently reported as the fastest growth area of SaaS.
This ‘security’ objection usually stems from the customers’ perspective; they are concerned about the security of their data held outside their perimeter by the cloud provider. Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months. Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. As with many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate. While still evolving and changing, cloud computing is here to stay. It promises a transformation: a move from capital-intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and cost-efficient form factor. As an end-user organisation, whatever your size, you need to consider where and when cloud may offer benefit and a positive edge to your business.
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption. Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level; cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike. Wide-scale adoption and the full potential of cloud will come by giving users confidence and by demonstrating the solid information security that it promises to deliver.
Computing is experiencing a powerful transformation across the world. Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost-effective manner. Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles: huge IT burdens like system or software updates are now delivered automatically with cloud computing, and both small and large organisations can now afford to get access to cutting-edge innovative solutions. Cloud computing also brings green benefits
SUCCESSFUL PENTESTER
Have you M.E.T?
What it takes to be a successful pen-tester
“You see, but you do not observe. The distinction is clear.” Sherlock Holmes uttered the above sentence to Dr. Watson in A Scandal In Bohemia. This phrase fits penetration testers perfectly: it is necessary to build the skill of “observing” things, rather than merely “seeing” them.
Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the “ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.
Security tools are a primary focus of a penetration tester, and rightly so: they reduce a lot of work, automate things that would otherwise have been very tedious to do manually, and provide instant results (who does not like “instant results”?). However, a security tool has limitations: false positives, false negatives (the bigger problem), as well as incomplete coverage. What then, in addition to the knowledge of tools, makes a successful penetration tester? Enter M.E.T.:
• Mindset
• Experience
• Tools, techniques, and training
If you have M.E.T., you can be a successful and knowledgeable penetration tester, and probably no longer dependent on various security certifications to prove your ability.
Mindset
An attacker follows no rules. This is very important to understand: it essentially means an attacker will find a path to break into your software system in a way you never imagined. This frame of mind allows you to think beyond the obvious: think of ways to compromise a system and, more importantly, think of ways to defend the system. Remember, an attacker has to find one weak link to capture the castle (the software system), while the defender has to defend every possible weak spot. Unless you have built (or participated in building) large and complex software systems, you may not completely understand the defense and the offense. Understanding both the attack and defense patterns is very important in the role of a penetration tester. In order to build this mindset, one must be inherently curious about how things work. This curiosity allows you to look under the hood of large and complex systems: know their inner workings, understand the interaction of their sub-components, know how things fail, and know how things can be made better. As an example, if you find an XSS, these are the questions a curious mind will think of:
• What is the root cause of this XSS?
• Are similar vulnerabilities lurking in other places in the application as well, assuming developers make the same mistakes and copy-paste code?
DISASTER RECOVERY
Interview with
Joe Hillis
Joe is the co-founder and Operations Director of the Information Technology Disaster Resource Center, a 501(c)(3) public charity. Hillis is leading an initiative to engage the technology community to help small businesses and communities with continuity and recovery of information systems following a disaster.
Mr. Hillis, you come from a paramedical background. We are curious to know how you ended up in Information Technology.
Joe Hillis: As a career FireFighter/Paramedic, I worked a 24 hour shift at a local Fire Department every 3rd day. My employer had an IBM System 36 for incident reporting, and I began developing custom reports in an RPG based report writer in my downtime. I began taking programming courses at a local community college and developed several applications to simplify repetitive administrative tasks. My schedule was such that my full time job was only 120 days a year, which left 4-5 days a week to devote to my new passion. I was eventually appointed as the Information Specialist for the city, and began consulting for other municipalities and small businesses. After retiring from municipal government in 2004, I entered the private technology sector full time.
You are the co-founder and Operations Director of the Information Technology Disaster Resource Center, which is a nonprofit organization. Please tell us about your organization and what services you offer.
JH: The ITDRC is a 501(c)(3) non-profit public charity comprised of volunteer Information Technology Professionals who assist communities, non-profit organizations, and small businesses with technology continuity and recovery from disaster. Volunteer Subject Matter Experts (SMEs) provide Systems, Network, and Infrastructure “best practice” guidance in advance of a disaster, to help facilitate business continuity and rapid recovery following a catastrophic event. During the early phase of a disaster response, the ITDRC provides connectivity, communications, technology assets, and mobile workspace to first responders and emergency management officials. As the incident progresses, we assist disaster relief organizations by establishing call centers and database applications to manage commodities, volunteers, and requests for service. Once an incident stabilizes and long-term recovery begins, ITDRC volunteers work with affected small businesses and non-profits by providing technical recovery assistance and temporary equipment to ensure they can continue operations.
02/2012(2)
How did this organization come into being?
JH: Following the 9/11 events, Senator Ron Wyden (D-OR) proposed the creation of a National Emergency Technology Guard of volunteers (NETGuard) to assist with public infrastructure recovery. The initiative received overwhelming support from Congress, but never materialized after a pilot program in 2008. After carefully monitoring the NETGuard initiative for several years, a group of service-oriented professionals from the Technology, Emergency Management, and Small Business sectors formally established the ITDRC in January 2009. The 5-member Board co-managed the operation until mid-2011, when an Operations Director was appointed.
SOCIAL MEDIA
Interview with
Jay McBain
Jay McBain managed the SMB Channel for IBM and Lenovo. He is an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor.
Please tell us about yourself.
Jay McBain: I am an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor. I am often sought out for keynotes, industry guidance, as well as business development opportunities. I currently serve as Co-Chair of the CompTIA Vendor Advisory Council and Vice Chair of MSP Partners Community. I am also a board member of the Channel Vanguard Council, Ziff Davis Leadership Council, CRN Channel Intelligence Council and STEP – Sustainable Technology Environments Program with InfoComm. I spent this 18-year career in various Executive sales, marketing and strategy roles within IBM, Lenovo and Autotask. I am currently the co-founder of a new software company called ChannelEyes. It is the first free and secure social network for Suppliers and their Channel Partners to use every day. As a futurist, and long-standing member of the World Future Society, I am an expert in Pervasive Computing, which is the study of future computing models and the resulting impact on society, as well as Managed Services, Healthcare IT, Voice over IP and Cloud Computing. I have lived in Calgary, Winnipeg, Toronto, Raleigh, and now in Albany, New York. I actively give back to the community and have been on the board of the United Way, Models for Charity and Junior Achievement.
You own a company called ChannelEyes. Tell us more about your company.
JM: ChannelEyes is the first free and secure social network for Vendors and their Channel Partners to use every day. It’s kind of like Facebook, but instead of friends it’s a filtered group of Vendor feeds on a Social Wall. Channel Partners will have a single place to see a snapshot of new channel information every day. You’ll cut through the noise and clutter because you control who you follow, filter the relevant information and build social conversations around it. Vendors, manufacturers and distributors of all types will have a single place to engage with your entire channel, targeting the right person with the right information at the right time. The net result is better engagement, sell-through, and access to potential new partners. ChannelEyes is a ridiculously simple way to organize your business partnerships, saving time and allowing you to take advantage of timely information.
IT SECURITY
Interview with
Raj Goel
Raj Goel, CISSP, is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries. He is a well-known authority on regulations and compliance issues. Raj has presented at information security conferences across the USA and Canada. He is a regular speaker on PCI-DSS, HIPAA, Sarbanes-Oxley, and other technology and business issues, and he has addressed a diverse audience of technologists, policymakers, front-line workers, and corporate executives. Raj works with Small-to-Medium Businesses (SMBs, 10-200 employees) to grow their revenues and profitability. He also works with hospitals and regional medical centers across the Northeast (NY, Vermont, New Hampshire, Maine, Pennsylvania) in helping them meet HIPAA compliance requirements and utilizing Health Information Systems (HIS) effectively. You can contact him at raj@brainlink.com.
You have more than 20 years of experience in IT; please tell us about your professional background in IT Security.
Raj Goel: I had my first IT consulting client at age 13, first business card at 16, and have been consulting ever since. In 1997, a large Health Insurance company in the US asked me to help them understand something called HIPAA. We had no idea what HIPAA was, nor did they – however, the client’s management knew that this proposed law needed to be understood if the health portal project we were working on was going to succeed. I learned what I could about the proposed legislation, and delved into the HIPAA Security standards. That led me to becoming a CISSP, and to gaining a real understanding of how ISO27001, HIPAA, PCI-DSS, and other data security and privacy standards are related.
My first presentation on HIPAA compliance was in October 2001 – a month after 9/11. Since then, I have led or conducted over 150 seminars, webinars and full-day conferences. I have also been published in INFOSECURITY Magazine, quoted in CSO Online, and appeared on TV on the Geraldo Show and PBS TV. To date, I have delivered CLEs to over 3000 attorneys, approximately 1500 accountants/CPAs and thousands of CISSPs world-wide. In short, I have been in IT for over 25 years, and IT security for 15+ years.
Please tell us about your company, services you offer and organizational growth in the past few years.
RG: I co-founded Brainlink International, Inc., with my wife, in 1994. We offer three sets of services:
Now Hiring
Teamwork, Innovation, Quality, Integrity, Passion
Sense of Security
Compliance, Protection and
Sense of Security is an Australian-based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry-leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.
info@senseofsecurity.com.au www.senseofsecurity.com.au
KNOW-HOW
10 ways to enhance your career in Information Security
At first glance, this may look like one of those self-help articles promising that your life will turn around 180 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences.
This article is primarily targeted at people who are in entry-level positions, or who are switching to IT Security from a different field of work. Experienced professionals shouldn’t have a problem running through the list fairly quickly.
Hands-on skills are invaluable. It doesn’t matter if it’s paid or pro-bono work
As you might have heard a million times before from various pros in the industry – there is no alternative to gaining hands-on industry experience. Even a few hours spent on a real project will hold more value than unlimited lab experiments. Project-based work can take you a long way and add credibility to your resume. People who transition to security from closely associated fields, like system or network administration, physical security, disaster recovery planning, and programming, often get a chance to be intimately involved in security. Grab any such opportunity and make the most of it. For example, a software programmer might consider ways to embed a robust security framework in their software development life cycle. For those individuals who are completely new to the industry, you can prove yourself by taking on some small-scale projects, even if it means you have to work for free. One place to gain valuable experience is to connect with local non-profit organizations and see if you can help them harden their machines, or assist with their anti-virus or firewall configuration. If you are a rockstar, you might just end up creating a part-time or consulting gig at the organization.
Get a certification or two
I have noticed a perpetual “hoopla” on the topic of industry-recognized certifications, such as CISSP, CISM, CEH etc. A few pros have even criticized the purpose of these certifications. I understand their sentiment and point of view, but if you look at any security job opening, you will see these certifications listed more often than not. If you are someone who doesn’t believe that a 4-6 hour multiple-choice exam can judge your skills, then try something different, such as the OSCP (a 24-hour hands-on exam) or any of the open-book SANS exams. While you are studying for any exam, I would recommend that you build a home “lab” and experiment with what you learn, as well as attend seminars, network with other professionals, read white papers, and participate in mailing lists and forums. All of these activities done together will help you become a well-rounded and confident professional.
Volunteer whenever you get a chance
There are hundreds of security conferences organized all over the world. In addition, you can volunteer at local events organized by ISSA, OWASP, ISACA, ASIS, HTCIA, IAPP etc. Although you will require membership
In the next issue of
Available to download on May 15th
Soon in PenTest Market!
• Qatar CIRT team talk about IT Security
• Interview with Tal Argoni
• IT Security and a specialist recruiter’s point of view
• Interview with Alexandro Fernandez
• Pentesting business startup
• and more...
If you would like to contact the PenTest team, just send an email to krzysztof.marczyk@software.com.pl or maciej.kozuszek@software.com.pl. We will reply a.s.a.p.