Page 1

Cyber Security Auditing Software

Improve your Firewall Auditing As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand. he network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail e.g. web service query tools. However this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own companies styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

Dear Readers


Managing Editor: Patrycja Przybyłowicz Betatesters & Proofreaders Jeff Smith, Cleiton Alves, Hani Ragab, Karol Sitec, Dalibor Filipovic, Eric Geissinger, Amit Chugh, Ricardo Puga, Dan Dieterle, Gregory Chrysanthou, Harish Chaudhary, Abhishek Kar, Gareth Watters, Eric De La Cruz Lugo, Barry Grumbine, Wayne Kearns, Steven Wierckx, Jakub Walczak, Artem Shishkin, Donald Iverson, Ewa Duranc, Stefanus Natahusada,Tzvi Spitz, Vaman Kini, Jeff Weaver, Vaman Amarjeet, Larry Karisny, Gavin Inns, Vaman Amarjeet, Abhishek Koserwal, Peter Harmsen, Hussein Rajabali Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic Art Director: Ireneusz Pogroszewski DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631

e would like to present you the third issue of PenTest Open – a free monthly publication, where you can read some of our best articles from last month. This time you will find here a selection of really good tutorials written by our best authors and experienced pentesters. We hope that this read will help you to improve your skills and allow you to broaden your horizons. We start with Gugliemo Scaiola’s tutorial, where he presents how to create an own SQLi test lab. By establishing the virtual environment for your work, you will be able to test your skills in a legal and effective way. Austin Scott’s article is dedicated to data diodes, that are used in applications requiring the highest level of security, such as state secret protection. He explores the inner workings and practical control system applications of the uni-directional gateways and provides a step by step guide showing how to create your own using Open Source Software. Terrance Stachowski will teach you how to prepare a professional and detailed penetration test results report. Take advantage of his experience and knowledge, that he agreed to share with you. Since the work of penetration tester often requires to be mobile, Domagoj Vrataric in his short tutorial will show you how you can achieve it by transforming your tablet into pentest platform. On the other hand, Albert Whale describes the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. From his article you will find out which activities can fit into their Software Development Lifecycle (SDLC) programs to further benefit other organizations as well. The article by Prashant Mishra deals with the problem of internal security matters within any organization and puts the accent on the importance of a well constructed Information Security Policy in the company. We hope that you will find this selection of articles, worth your time and will enjoy the reading.

Whilst every effort has been made to ensure the high quality of

PenTest Team

the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.


The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

OPEN 03/2013






net from anywhere. The security within any organization

From the Beginning: Building a SQLi Test Lab

By Guglielmo Scaiola

Enter virtualization technology where it is possible to create an extensive lab without the risk to be jailed.There are many virtual machine technologies to choose from: Vmware Esxi and Vmware workstation, Microsoft HyperV, Xen, or VirtualBox Your choice may be related to your favorite operating system or your computer hardware. The author in his professional work, uses different virtualization products. However in this article, he describes Vmware Workstation 8, but you can transform the examples with a few modifications to another virtual environment.

ing document defining what is allowed and what is not.

TEST RESULTS REPORTING Head Penetration Test 32Running Results Reporting By Terrance Stachowski

Upon completion of a penetration test, all of the information collected must be neatly entered into the afteractions, results report. Since this document is the only tangible, deliverable element supplied to the customer, it should appear professional, well organized, and clearly detail and explain what was uncovered during the penetration test.


Your Tablet into 38Transforming Pentest Platform



starts with building a Security Policy, a centralized, evolv-

Defending Industrial Control Systems with Data Diodes

By Domagoj Vrataric

By Austin Scott

As a penetration tester you always appreciate to work at

Originally designed by government organizations to pro-

any place. That’s a nice thing when you are working in IT

tect top secret information, data diodes are most com-

industry. With your laptop you can be mobile when work-

monly used in ap-plications requiring the highest level of

ing on penetration testing. However, as probably many of

security such as state secret protection, banking or bat-

you, the author of this article wanted more...

tlefield up-links. In recent years we could observe an increasing demand for data diodes in the world of industrial control and automation to protect critical in-frastructure due to the simple and virtually impenetrable nature of these devices. In this article the author explores the inner workings and practical control system applications of these uni-directional gateways and provide a step by step guide to creat-ing your own using open source software.


Security – Reducing the 42Homeland Thread from Attacks By Albert Whale

The author describes the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. From this article you will also find out which activities can fit into their Software Development Lifecycle (SDLC) pro-

22Information Security Policy (ISMS)

grams to further benefit other organizations as well. This

By Prashant Mishra

These days about 90% of the business depends on Information Security as it can be accessible through Inter-

OPEN 03/2013



read is not presenting an offensive approach to Cyber Security, but an improved defensive approach.



From the Beginning Building a SQLI Test Lab‌

I remember when I was trying to learn hacking. It was a lot of time ago when pterodactyls were still flying in the sky. Those years it was very difficult to create hacking labs. The only way to do that was physical machines, but today it is much simpler. Enter virtualization technology where it is possible to create an extensive lab without the risk to be jailed.


here are many virtual machine technologies to choose from: Vmware Esxi and Vmware workstation, Microsoft HyperV, Xen, or VirtualBox Your choice may be related to your favorite operating system or your computer hardware. In my professional work, I use different virtualization products, but in this article, I will use Vmware Workstation 8, but you can transform the examples without with a few modifications to another virtual environment. I will assume that the virtualization system is already properly installed. After this, the first step is the preparation of the attacking machine. I think that nowadays the choice is obvious: Backtrack, (, after which you can install it in a new virtual machine. If you want to maintain a good working lab and follow these exercises, I do not recommend to using the live version, since the exercises will go better if you persistently update your installations with the latest version. The second step, after you have properly conFigured the network adapter, is the upgrade of the attacking machine. You can do this with these simple instructions: root@bt:~# apt-get update root@bt:~# apt-get upgrade. (See Figure 1). Now we can setup the IP address, in my case is It is also better to stop the DHCP client started by default, to avoid losing your IP address. (See Figure 2). OPEN 03/2013

Now we can install the target machine. For this lab I will install a Windows 2K8 R2 machine. If you do not have a regular license you can download the 180 days trial version at en-us/download/details.aspx?id=11093, but if you think you will be creating a lot of labs with the Windows system, the best ways is to subscribe a Micro-

Figure 1. My Vmware test lab

Figure 2. Recap network configuration

Page 6

soft Technet subscription. With this subscription you can download all Microsoft Operating System for testing purpose without expiration. You can use the default installation and after configuring the network card (in my lab the IP address is, you can install all of the Windows updates. The purpose of this lab is to attack the web page and the back-end database. After that you need to download Xampp, which is a simple wamp (Windows, Apache, MySQL and PHP) package (http:// The installation of this package is very windows-like: next...… I downloaded and installed the portable lite version and I shorten the path to c:\xampp. After the completion of Xampp installation you have a complete Apache environment, powered by PHP and MySQL, and for administering Xampp, there is a friendly console, xampp-control in the xampp directory. (See Figure 3). Depending on your needs it is possible to remove HTTPS, using the “config” button, “Apache (httpd-ssl.conf)”. (See Figure 4).

And you put a # for comment the row “listen 443”. (See Figure 5). Now you can start Apache without any problems. If you have the default configuration in Windows 2K8 server, you need another little step to make it work correctly. You must enable Apache on Windows Firewall. The fastest way to do this in our lab is to enable “Notify me when Windows firewall blocks a new program”. Go to the control panel – system and security – windows firewall – change notification settings and here you can set new notification status. (See Figure 6). After set “Notify me when Windows firewall blocks a new program”, if you start Apache from the Xampp console, a pop-up warning will appear asking to allow you to access, your Apache daemon work properly. (See Figure 7). The last step to build your complete lab is to download the vulnerable web application. For this test I have chosen Damn Vulnerable Web App (http:// This web application is built with a lot of vulnerabilities and in this article we will look

Figure 3. Xampp Control Panel

Figure 6. Windows firewall configuration

Figure 4. Removing httpsd

Figure 5. Remove port 443 in httpd-ssl.conf OPEN 03/2013

Figure 7. Ops… Page 7

BUILDING SQLI TEST LAB at just one of them, but if you want to know more of DVWA, a lot of very interesting materials can be found at: To work with this app you need only to unzip in c:\xampp\htdocs (see Figure 8). For the first time you must connect to DVWA website with the server’s browser and finish the database setup. (See Figure 9). In this screen, you can create a database by pressing the button “create/reset database”. (See Figure 10). After that the DVWA website is up and running, it can be browsed outside the server. What? You are trying to access from your backtrack distro? You are receiving a forbidden error? Then you can try to edit .htaccess in the DVWA

folder and change the line “allow from” in “allow from all” to fix the problem. (See Figure 11). If all works you must connect from the attacker machine to the URL

Figure 11. :(

Figure 8. Take a look of htdocs folder

Figure 9. It works…

Figure 12. Enter credentials

Figure 10. Create Dvwa DB

Figure 13. The home page… a lot of duty…

OPEN 03/2013

Page 8

login .php and this page need authentication.(See Figure 12). The username is “admin” and password is “password”. (See Figure 13). Now, we are ready to try the lab exercises. If you need a little video for reviewing the DVWA installation, you can find it at com/watch?v=GzIj07jt8rM.

Sharpen the Ax – Prepare your Tools

After setting up the lab, we need to know all the tools that we will use in the exercise. The first one is sqlmap ( and is my preferred for sql injection application. In my opinion, it has a very good balance between power, simplicity and flexibility, sqlmap support a lot of

databases engines, various injection techniques, six types for the nerds, is capable to dump databases tables, download and upload files, execute commands and it has a bunch of other nice features. (See Figure 14). In this exercise we will see some basic, but interesting, features of this tool, and we need also to keep in mind that the website needs authentication, and this authentication is performed between cookies. Sqlmap is able to manage the cookies, but how do we capture them? Which tool is able to do that? For the demo, capturing cookies, I try two techniques: The first is the use of a Firefox plug-in, and The second one is a very powerful tool called burp suite. (http:// (See Figure 15). Burp suite is an integrated platform for testing web apps. It is possible to buy the more powerful, professional suite, with more functions like Burp Intruder or Burp Scanner, but for testing purpose it is sufficient to use the free edition. With Burp proxy, after configuring the web browser for this, it is possible to pause an HTTP sessions and manipulate the GET and POST traffic. If you need only a part of these features, you can use Firefox plugin called tamper data. With tamper data you can pause the session in the same manner as the burp proxy and intercept cookies. In backtrack, all these tools are installed by default. (See Figure 16).

Figure 14. We meet with… sqlmap Figure 16. The “little” friend… tamper data

Figure 15. Another friend…burp OPEN 03/2013

Figure 17. Start tampering with tamper data and Firefox Page 9

BUILDING SQLI TEST LAB Cut the Trunk – Owning the Webserver

Now we are ready to change our state of mind to the attacker mode The first step of the attack phase is to log in to the server to get the session cookie. For this task, I first try the simplest way using tamper data. I start firefox, I type the URL and I open “tools” – “tamper data”, now I can “start tamper”. I must type username “admin” and password “password” on login page, when I will click on “login” button. (See Figure 17). I choose “tamper” and I can copy the session cookie. (See Figure 18). I confirm with “OK” and “submit” in the next pop up, and now I can stop tamper. This operation can be done in the same manner with burp proxy, so let me show you how. I start burpsuite from bash java -jar /pentest/ web/burpsuite/burpsuite_free_v1.5.jar, I set up

the proxy configuration in firefox “edit” – “preference” – “advanced” – “network” – “settings”, I set “manual proxy configuration” with http proxy address and port 8080 and I save the configuration. (See Figure 19). Now I get the login page of my vulnerable web app, every time a page is transmitted or received burp will prompt you with a flashing icon, where you can choose to go forward with the button “forward” button. Again, you must login using username and password when prompted from application, and now you can intercept the phpsessid in burp. (See Figure 20). After this you can close burp and delete proxy configuration on Firefox. In the real world we can intercept this session id with sniffing or with other stealing techniques. In the image you can see intercepting cookie with sniffing the wire with Wireshark. (See Figure 21). Now the first step is finished. I have the session cookie and I can use it to inject the application with sqlmap. Backtrack sqlmap is located in /pentest/database/sqlmap/, but before the injection I take a look of the vulnerable web page. The page is and you can connect at this page with the button “sql injection” on the left of the login page. I tried some input to the page. I tried inserting “1” on “user id” tab, now I can copy the URL

Figure 18. Get the session cookie

Figure 20. The session cookie again

Figure 19. ConFigure proxies in Firefox OPEN 03/2013

Figure 21. Another way to get session cookie Page 10

and I can use as the injection URL for sqlmap. (See Figure 22). For testing my injection I need some parameters, the first is the session cookie, which I already have, the second is the vulnerable URL, I have that also (In the real word, I might not know where the vulnerable one is located and I need to try ALL possible vulnerable URLs, but for testing purpose I submit directly the vulnerable URL).

Pause for Reflection

One manner to try sql injection is the insertion of single quote on input, if we are using low security level in dvwa we can see an error page. (See Figure 23). But, if we use the dvwa security level set on high we do not see anything and, naturally, I want to use high security. In dvwa, for learning purpose, the cookie can manage the security level “security=high”, but in real life this is not that easy. (See Figure 24). Next, I open a shell and change directory with cd / pentest/database/sqlmap/ and I try my first automated

injection: ./ --cookie=’security=high; PH

PSESSID=gl9kses7umi8rvmo34l184ka22’ -u ‘http:// sqli/?id=1&Submit=Submit#’ --string=’surname’ --dbs.

This string, if the security level is set to high, does not work, as you can see in the next image. (See Figure 25). Now I try to inject my second string: ./sqlmap.

py --cookie=’security=medium; PHPSESSID=gl9k ses7umi8rvmo34l184ka22’ -u ‘http://192.168. 254.202/dvwa/vulnerabilities/sqli/?id=1 &Submit=Submit#’ --string=’surname’ --dbs.

If you use the security level set to low, the injection is simple, but with security level to medium, the PHP function mysql_real_escape_string is used to pre-pend backslashes to the following characters: \x00, \n, \r, \, ‘, “ and \x1a. This means that the (SQL server will interpret single, or double quotes as text. At this point it is necessary to enter any text requiring quotes as their ASCII hex-en-

Figure 25. First injection with sqlmap

Figure 22. Normal operation of the web page

Figure 23. Trying sqli...

Figure 24. dvwa security OPEN 03/2013

Figure 26. Second injection with sqlmap Page 11

BUILDING SQLI TEST LAB coded equivalent. In this case, this syntax table_ name=’users’ become table_name=0x7573657273 (see Figure 26 and 27). Sqlmap has extract the available databases, at this point the webapp is yours. Just a couple of steps for extracting all data and, if needed, for password cracking. In real world, I do not know the name of app databases, but normally, is pretty simple to guess it. In my lab the installed databases are: [*] [*] [*] [*] [*] [*] [*] [*]

cdcol dvwa information_schema mysql performance_schema phpmyadmin test webauth

It is not too difficult to suppose that the database name is “dvwa” and I give these info in sqlmap injection as a parameters. Now, with this additional info the injection string for extracting database

tables becomes: ./ --cookie=’security =medium;PHPSESSID=gl9kses7umi8rvmo34l184ka22’ -u ‘ sqli/?id=1&Submit=Submit#’ --string=’Surname’ -D dvwa --tables (see Figure 28). And the result is shown on Figure 29. Now, we dump the table… I think that the “users” table is more interesting…look inside with this injection, so I try: ./ --cookie=’security=medium;

PHPSESSID=gl9kses7umi8rvmo34l184ka22’ -u ‘ sqli/?id=1&Submit=Submit#’ --string=’Surname’ -D dvwa -T users –dump (see Figure 30).

Ok, now I have the username and the password hash (if in your application the passwords are in plaintext, the task is already ended at this step), and if I suppose that these hashes are encoded with MD5 algorithm, I can try to crack them in different manners. Today I try to crack with querying a website: (see Figure 31). But, it is possible to crack the MD5 hash with rainbow tables, or with the Evergreen “john the ripper”.

Figure 30. Get password hash

Figure 27. Second injection with sqlmap: the results

Figure 28. Go deeper with sqlmap

Figure 29. Go deeper with sqlmap: the results OPEN 03/2013

Figure 31. Sorry john the ripper, tonight I don’t want to work hard… Page 12

Just for ending the article, if you set the security level to high, you will use these two functions: stripslashes and is_numeric. The specific piece of code is: // Retrieve data $id = $_GET[‘id’]; $id = stripslashes($id); $id = mysql_real_escape_string($id); if (is_numeric($id)){ $getid=”SELECT first_name, last_nameFROM users WHERE user_id = ‘$id’”; $result=mysql_query($getid) or die(‘<pre>’ . mysql_error() . ‘</pre>’ );

This code is pretty secure, in my knowledge, the idea of the DVWA developers, was to learn how to write secure code to other developer. At this URL you can find some additional information about the code. It is also interesting to analyze the use of the deprecated function magic_quote in an attempt to increase security: hardening-php-magicquotesgpc-false.html. I hope this article served you to begin to take the first steps into the world of web application security …, especially without going to jail. DVWA offers a lot of other examples in various issues, and you can find other vulnerable apps, on-line or with installation on local web servers for testing and improving your skills without risk. Hack to live, live to hack!

Guglielmo Scaiola

Guglielmo Scaiola has worked as an I.T. Pro, since 1987. He is a freelance consultant, pentester and trainer, and works especially in the banking environment. Over the years he has achieved several certifications, including: MCT, MCSA, MCSE, Security +, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA. In 2011 he was awarded the “Ec-Council Instructor – Circle of Excellence.” He can be contacted at s0ftwar@ OPEN 03/2013


Defending Industrial Control Systems with Data Diodes

Originally designed by government organizations to protect top secret information, data diodes are most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links.


n recent years I have seen an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure due to the simple and virtually impenetrable nature of these devices. In this article we will explore the inner workings and practical control system applications of these unidirectional gateways and provide a step by step guide to creating your own using open source software.

What are Data Diodes?

sure the safety of sensitive information within a network. I prefer to call them “Data Diodes” when speaking about Industrial Control and Automation System (Aka ICAS / ICS / SCADA / DCS systems) security because anyone with an electrical background almost instantly recognizes their function. By creating a physical barrier that only allows data transfers in one direction (hence the “uni” in unidirectional) we can enhance security in one of two ways:

Sometimes known as a unidirectional network or unidirectional security gateway, data diodes en-

• Making a network segment write only (see Figure 1).

Figure 1. Write Only Control System Data Diode

Figure 2. Read Only Control System Data Diode

OPEN 03/2013

Page 14

• Making a network segment read only (the more common configuration for control systems), see Figure 2.

Strength in Simplicity

The strength of a Data Diode is its simplicity. At the core of all data diodes is a simple duplex fiber optic connection (fiber optic connections often have a dedicated send / receive fiber strand) with either the send or receive fiber disconnected. Severing one of the physical fiber connections makes it impossible to send data in one direction. (See Figure 3).

What are the Typical Applications of a Data Diode?

Figure 3. Fiber Optic Patch Cable link at the Heart of a Data Diode

Data diodes were originally developed for use in the defense industry in order to protect top secret information from getting into the wrong hands. If you read the marketing materials put out by the data diode vendors you will see they are sprinkled with military terms like “tactical deployment” and “warfighter operations” which is a clear indication of the audience they are targeting. Most data di-

Figure 4. Typical Advanced Persistent Threat OPEN 03/2013

Page 15

SCADA STEP BY STEP odes on the market today have an impressive array of top level security certificates from countries around the world. Data diodes have been blessed by NERC (North American Electric Reliability Corporation) as a compliant solution for protecting critical infrastructure like power plants. Their ability to securely manage high-traffic systems make them ideal for use in a control system environment. A data diode is an effective defense against data exfiltration (a military term for the covert retrieval of sensitive data) which many Advanced Persistent Threats (APTs) like Flame and the Night Dragon attacks are designed to perform. If the corporate network is unable to send data into the control network, the control network will still be secured if the corporate network is compromised. Also if an industrial control system is compromised by a deep penetrating worm, the hacker will be unable to send commands or updates because of the one way network traffic gateway. (See Figure 4).

Figure 5. Database Replication through a Data Diode OPEN 03/2013

ICSSec (Industrial Control System and Automation System Security) in the Real World

If you believe in the so called control system “Air Gap” then I have a unicorn farm run by leprechauns I would love to sell you. I will not dispute the fact that it is a terrible idea to directly connect any piece of industrial equipment or SCADA system to the Internet. However, in my experience most control systems are indirectly connected to the Internet. Why would anyone be foolish enough to indirectly connect a SCADA / DCS system to the Internet? The answer is simple, people need the data. The data generated by an industrial control system is pure gold; far too valuable to not be connected to the corporate network. Data taken directly from the SCADA / DCS is used by most business units in an organization, for example: • Accounting • How many widgets did we produce? • How much oil did we pump? • How much process downtime did we have? • Regulatory Compliance • How much greenhouse gas did our process produce? • Did the formula change for the drug we are manufacturing? • Health and Safety • For the past 15 years has the toxic gas our workers have been exposed to been within a safe limit? • Preventative Maintenance • How many running hours until we need to rebuild that motor? • Process Optimization • What are the most common alarms? • How long does it take the operator to intervene in the SCADA system when the process enters an abnormal situation? • What was the energy usage in DCS A compared to DCS B? • Quality Control • Was there a problem with the process while we were making the product with serial #192813? Keep in mind that many control systems are in remote locations, far from the corporate headquarters that pay their bills. Most people are not willing to jump on a plane to collect some data they need for a report and reading values over

Page 16

Figure 6. TCPIP SYN ACK Two Way Communication

Figure 7. Data Diode Reverse Proxy Servers OPEN 03/2013

Page 17

SCADA STEP BY STEP the phone is very error prone. The Internet is the most cost effective way to transmitting data over long distances. Often the bridge between the corporate network and the industrial control network is a gateway computer, a firewall or a series of firewalls. Firewalls rely on many layers of software to segment a network. Due to the nature of software a small oversight in the realtime OS, rule engine, configuration or installation could allow an attacker to bypass the Firewall completely. ICSsec (Industrial Control System and Automation System Security) guidelines suggest that firewalls from multiple vendors should be used in case one vendors firewall is compromised (NIST 800-82, IEC 62443 formerly ANSI/ISA99). Firewalls certainly play an important role in any control systemâ&#x20AC;&#x2122;s Defense in Depth (DiD) strategy, but it is important to remember that history has shown us that they are not impenetrable. If you are only interested in accessing the valuable information that a control

system is producing, than a data diode is a more secure choice. You are providing read access to the data in the ICS without allowing anyone to write data to the ICS. A typical example is transferring data from one SQL server in your ICS to another SQL server in your corporate network. If the corporate network is compromised there is no physical way data can be sent to the control network. (See Figure 5).

Figure 8. Two Bare Bone Mini-PCs for our homemade data diode

Figure 9. Two PCI Express Fiber Optic ST Cards for the Fiber Optic Link in our do-it-yourself Data Diode

OPEN 03/2013

The Problem with One Way Data

If you are familiar with TCP/IP (Transmission Control Protocol), you are probably questioning the practicality of such a solution as TCP/IP requires two way communication to work. TCP/IP requires a two way handshake (SYN / ACK) in order to establish a connection and terminate a connection. In fact there is a very common misconception that it is impossible to use TCP/IP connections through a data diode. (See Figure 6). There are two ways around this problem:

Page 18

• UDP (User Datagram Protocol) variants of protocols should be used when available. UDP is a lightweight protocol typically used for speed as it does not waste network bandwidth by handshaking or data integrity checksums. • TCP/IP client-server reverse proxies on either end of the data diode can be setup to respond to the hand shaking requests automatically without the need to actually send any data back to the insecure network. A reverse proxy server retrieves data from another computer and serves it up as if it were the original source. Reverse proxies are most frequently used to speed up the delivery of web content and reduce the load on the content main server. The client-server proxies solution should work in most cases however, thorough testing should be completed in a lab environment before deploying a data diode solution into an ICS. (See Figure 7).

How to Roll Your Own Data Diode

If you were to crack open a typical data diode you will see it is simply made up of two mini-pcs with a fiber-optic link running between them. There are dozens of patents around variants of data diodes and data diode software. For example there is a patent for a data diode that only uses a single computer to handle both ends of the connection (which seems less secure to me). A fiber link between two computers is far too simple a concept to patent, so you won’t end up in court creating a data diode in this configuration. Now let’s step through the process of creating our own data diode.

Step 1. Purchase two computers

It is important to find a small form factor computer which supports a PCI-Express card for our two fiber optic PCI-Express cards (reverse) proxy servers. For most industrial applications I would purchase a couple of fan-less industrial PCs with solid state hard drives that can be stored in a locked computer panel box or server room. For the purposes of our proof of concept I will purchase two low cost PCs: • Slim Bare bones PC with a PCI-Express card slot • Solid State Hard Disk drive • 2 Gigs memory • i5 Processor These PCs should come with an integrated Ethernet card which we will plug our network connection through. 2 x – Barebones PC with PCI-Express card slot – $600.00 each (see Figure 8).

Step 2. Purchase two fiber optic PCI-Express cards

Figure 10. The heart of our handcrafted unidirectional gateway is the ST Fiber Optic Patch cable OPEN 03/2013

If you don’t have experience with fiber optic networks you need to be aware of the many standards and modes that are available. It is critical that you select fiber optic cards and a patch cable that are all compatible. I have selected multi-mode “Fiber-to-the-desk” PCI-Express card with ST connectors which make it very easy to disconnect one of the fiber l inks. 2 x – Gigabit Ethernet Multi-Mode ST Fiber Card 1000Mbps PCI-Express – $200.00 each (see Figure 9). Page 19

SCADA STEP BY STEP Step 3. Purchase a fiber optic patch cable

I have found a suitable multi-mode fiber patch cord with male connectors on each end: 3m Multi-Mode 62.5/125 Duplex Fiber Patch Cable ST – ST – $12.00 (see Figure 10).

Step 4. Install a Secure Operating System on the PCs

I prefer to use OpenBSD because it is free, open source, Ultra-secure out of the box and I have friends here in Calgary who are OpenBSD gurus.

Step 5. Configure your Reverse Proxy

Depending on the data you want to replicate you can either configure an open source reverse proxy like nginx (engine x) and use your database’s web services to replicate the data.

Step 6. Disconnect one of the fiber optic ST connectors

Once you have your two proxy servers configured and communicating to each other you can simply

disconnect one of the two fiber ST connectors. You will likely need to spend time properly configuring your reverse proxy servers to relay the information correctly and you will need to write some scripts in your database to perform the continuous data replication. (See Figure 11). For a total cost of $1612 and some tender loving coding, you too can have your own home-brew Data Diode!


Data Diodes represent a simple yet virtually impenetrable way of segmenting a network. They have been used for years to secure classified information by government organizations and are an excellent complement to firewalls in a typical control system’s defense in depth strategy. Adding a data diode to your network doesn’t have to cost tens of thousands of dollars either. You can reap the benefits of a unidirectional data diode for a few thousand dollars and some technical elbow grease.

Austin Scott

Figure 11. Our completed home brew data diode configuration OPEN 03/2013

Austin Scott is CEO of Synergist SCADA Inc and heads up a talented team that offers a consummate blend of controls expertise, industry know-how, and advanced software development skills. “Synergist SCADA Inc. is focused on maximizing the effectiveness of our customers’ SCADA investment. We provide control systems design, upgrade strategies, HMI / SCADA / PLC programming, security audits, and field services.” Austin Scott is currently authoring a book on pragmatic ICS Security practices that is due out this summer. Page 20

BOSTON • May 28-31, 2013 The Westin Boston Waterfront

Get the best real-world Android developer training anywhere! • Choose from more than 75 classes and tutorials • Network with speakers and other Android developers • Check out more than 40 exhibiting companies “AnDevCon is one of the best networking and information hubs available to Android developers.” —Nate Vogt, Android Developer, Willow Tree Apps

Register NOW at A BZ Media Event

Follow us:

AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google’s Android Robot is used under terms of the Creative Commons 3.0 Attribution License.


Information Security Policy (ISMS) These days about 90% of the business depends on Information Security as it can be accessible through internet from anywhere. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not. For the security of the confidential information, people introduced information security policies(BS7799, ISO17799, ISO 27000, ISO 27001, ISO 27002). These all depends on three key aspects i.e. Confidentiality, Integrity and Availability.


he Security policy is a plan, outlining what the companies critical assets are, and how they must be protected. Company should conduct a vulnerability assessment prior to creating their security policy. The vulnerability assessment is performed by reviewing the network, application and system architecture and auditing the equipment and software within the same. The Assessment produces a document that defines and prioritizes the potential risks along with costs to address potential vulnerabilities.

Scope • How sensitive information must be handled • How to properly maintain your ID(s) and password(s), as well as any other accounting data. • How to respond to a potential security incident, intrusion attempt, etc. • How to use workstations and Internet connectivity in a secure manner. • How to properly use the corporate e-mail system.


Information is an asset that the organization has a duty and responsibility to protect. The availability of complete and accurate information is essential OPEN 03/2013

to the organization functioning in an efficient manner and to providing products and services to customers. The organization holds and processes confidential and personal information on private individuals, employees, partners and suppliers and information relating to its own operations. In processing information the organization has a responsibility to safeguard information and prevent its misuse. The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organization’s information assets: • to protect the organization’s information from all threats, whether internal or external, deliberate or accidental, • to enable secure information sharing, • to encourage consistent and professional use of information, • to ensure that everyone is clear about their roles in using and protecting information, • to ensure business continuity and minimize business damage, • to protect the organization from legal liability and the inappropriate use of information. The Information Security Policy is a high level document, and adopts a number of controls to

Page 22

protect information. The controls are delivered by policies, standards, processes, procedures, supported by training and tools.

systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

Why have a Information Security Policy?

• • • •

To ensure that the company continually operates in accordance with the specified policies or procedures and external requirements in meeting company goals and objectives in relation to information security. To ensure that improvements to the ISMS (Information Security Management System) are identified, implemented and suitable to achieve objectives.

What is a Information Security Policy?

Information Security works mainly on three aspects: • Confidentiality. • Integrity. • Availability.


Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or

OPEN 03/2013

Information classification Secure document storage Application of general security policies Education of information custodians and end users.


Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.


Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition maybe either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

Page 23

SOCIAL ENGINEERING Privacy Policy for customers

It is a part of our company’s core values that we will properly value and protect any information entrusted to us about our customers. This policy describes how we will safeguard personal and company information, to ensure peace of mind when dealing with our company. It is our policy that: • Our company will collect only that information about customers which is needed and relevant. • Our company will not disclose information to other parties unless customers have been properly notified of such a disclosure. • Our company will strive to make certain that information about customers is kept accurate and up-to-date. Our company will use appropriate controls to ensure that this information is kept secure, and is only viewed or used by the proper personnel. Our company will comply with applicable laws, regulations, and industry standards when protecting employee information. We hold our employees, vendors, contractors, suppliers, and trading partners to meet this same set of policies.

Risk Analysis (Identifying The Assets)

As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality – an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it. In order to be able to conduct a successful Risk Analysis, you need to get well acquainted with the ways a company operates; if applicable, the ways of working and certain business procedures, which information resources are more important than others (prioritizing), and identifying the devices / procedures that could lead to a possible security problem. List everything that is essential for the proper functionality of the business processes; like key applications and systems, application servers, web servers, database servers, various business plans, projects in development, etc. OPEN 03/2013

A basic approach would be: • Identify what you’re trying to protect • Look at whom you’re trying to protect it from • Define what the potential risks are to any of your Information Assets • Consider monitoring the process continually in order to be up to date with the latest security weaknesses. A possible list of categories to look at would be: • Hardware: All servers, workstations, personal computers, laptops, removable media (CD’s, floppies, tapes, etc.), communication lines, etc. • Software: Identify the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc. • Personnel: Those who have access to confidential information, sensitive data, those who “own”, administer or in any way modify existing databases.

Risk Management

Physical/Desktop & Password Security Policy. • No third party or any other employee can enter on the floor without access card. • Employee with company ID card are allowed on the floor. • System can be accessible unique ID and Password. • No personal data can be stored on the system. • No data can be transferred through Bluetooth or wifi. • No third party tool can be installed on the system. • Unofficial site should be blocked. • Only licensed version software should be used. • Floopy, CD, Harddrive not allowed in the office. • No company assets can be login remotely. • Critical infrastructure should be placed in a secure location (preferably a locked room) to prevent unauthorized access. Ensure that portals to critical infrastructure are closed and locked. • Do not let unauthorized laptops or memory sticks into a secure location. If laptops or memory sticks are required, set up processes to ensure that all portable media are scanned for malware with up to date scanning software before allowing contact with a network host.

Page 24

ID Management • Each user should have a unique user name and password. Usernames and passwords should not be shared to enable easier tracking of system events. • Solutions must enable the creation, editing, and deletion of users while the system is active. • System must not provide a ―back door‖ allowing bypass of authentication procedures. • Critical data like user names and passwords must be stored in a secure data repository using encryption technology. Access rights to the repository require authentication and should be made available only to trusted personnel. • Implement password aging. • Passwords should be more than 8 characters, alphanumeric, special character, and a mix of upper and lower case characters. • Users should change the password after first login with the default password. • Authorized should change the default password on equipment. • Use switch port-based MAC address management to deny access to non-authorized users. • Remote authentication should use encryption technology to transfer user name and password through the system. • Limit software installation and execution privileges to specific employees. When risk is high, implement two and three factor authentication (password, physical device – smart key, and biometrics) or real-time confirmation by a second person. • Restrict user access to data archives. • Authentication should be required to modify product firmware.

Server and OS management

Securing the server Operating System. After the installation and deployment of the OS, the following basic steps are necessary to secure the OS: • Patch and update the OS • Harden and configure the OS to address security adequately.

Install and Configure additional Security Controls If Needed

Test the security of the OS to ensure that the previous steps adequately address all security issues.

The combined result of these steps should be a reasonable level of protection for the server’s OS.

Patch and upgrade OS • Create, document, and implement a patching process. • Identify vulnerabilities and applicable patches.15 • Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed).

Install Permanent fixes(Patches, upgrades etc) • Hardening and securely configuring OS. Administrators should perform the following steps to harden and securely configure a server OS: • Remove unnecessary application, services and network protocols. • Configure OS authentication. • Configure resource controls appropriately. Removing or disabling unnecessary services enhances the security of a server in several ways: • Other services cannot be compromised and used to attack the host or impair the services of the server. Each service added to a host increases the risk of compromise for that host because each service is another possible avenue of access for an attacker. Less is more secure in this case. • Other services may have defects or may be incompatible with the server itself. By removing or disabling them, they should not affect the server and should potentially improve its availability. The Host can be configured to better suit the requirements of the particular services. Different services might require different hardware and software configurations, which could lead to unnecessary vulnerabilities or negatively affect performance. By reducing services, the number of logs and log entries is reduced; therefore, detecting unexpected behavior becomes easier.

Configure OS User Authentication

Remove or Disable Unneeded Default Accounts – The default configuration of the OS often includes

SOCIAL ENGINEERING guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known in the attacker community. Disable Non-Interactive Accounts – Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell or provide a login shell with NULL functionality (e.g., /bin/ false). Create the User Groups – Assign users to the appropriate groups. Then assign rights to the groups, as documented in the deployment plan. This approach is preferable to assigning rights to individual users, which becomes unwieldy with large numbers of users. Create the User Accounts – The deployment plan identifies who will be authorized to use each computer and its services. Create only the necessary accounts. Permit the use of shared accounts only when no viable alternatives exist. Have ordinary user accounts for server administrators that are also users of the server. Configure Automated Time Synchronization – Some authentication protocols, such as Kerberos, will not function if the time differential between the client host and the authenticating server is significant, so servers using such protocols should be configured to automatically synchronize system time with a reliable time server. Typically the time server is internal to the organization and uses the Network Time Protocol (NTP) for synchronization; publicly available NTP servers are also available on the Internet. Check the Organization’s Password Policy – Set account passwords appropriately. Elements that may be addressed in a password policy include the following:

• Complexity – the mix of characters required. An example is requiring passwords to contain uppercase letters, lowercase letters, and nonalphabetic characters, and to not contain – dictionary words. • Aging – how long a password may remain unchanged. Many policies require users and administrators to change their passwords periodically. In such cases, the frequency should be determined by the enforced length and complexity of the password, the sensitivity of the information protected, and the exposure level of passwords. If aging is required, consideration should be given to enforcing a minimum aging duration to prevent users from rapidly cycling through password changes to clear out their password history and bypass reuse restrictions. • Reuse – whether a password may be reused. Some users try to defeat a password aging requirement by changing the password to one they have used previously. If reuse is prohibited by policy, it is beneficial, if possible, to ensure that users cannot change their passwords by merely appending characters to the beginning or end of their original passwords (e.g., original password was ―mysecret‖ and is changed to –1mysecret‖ or ―mysecret1‖). • Authority – who is allowed to change or reset passwords and what sort of proof is required before initiating any changes. • Password Security – how passwords should be secured, such as not storing passwords unencrypted on the server, and requiring administrators to use different passwords for their server administration accounts than their other administration accounts.

• Length – a minimum length for passwords i.e 8 characters.

• Don’t use passwords which reveals your personal information or words found in dictionary.

OPEN 03/2013

Some common tips for password Security: • Always use at least 8 character password with combination of alphabets, numbers and special characters (>, %, @, #, $, ^) • Use passwords that can be easily remembered by you • Change password regularly as per policy • Use password that is significantly different from earlier passwords. Some common tips which we should not follow are:

Page 26

• Don’t write down or Store passwords. • Don’t share passwords over phone or Email. • Don’t use passwords which do not match above complexity criteria.

Install and Configure Additional Security Controls

OSs often do not include all of the security controls necessary to secure the OS, services, and applications adequately. In such cases, administrators need to select, install, configure, and maintain additional software to provide the missing controls. Commonly needed controls include the following: • Anti-malware software, such as antivirus software, anti-spyware software, and rootkit detectors, to protect the local OS from malware and to detect and eradicate any infections that occur. 20 Examples of when anti-malware software would be helpful include a system administrator bringing infected media to the server and a network service worm contacting the server and infecting it. • Host-based intrusion detection and prevention software (IDPS), to detect attacks performed against the server, including DoS attacks. For example, one form of host-based IDPS, file integrity checking software, can identify changes to critical system files. • Host-based firewalls, to protect the server from unauthorized access. • Patch management or vulnerability management software to ensure that vulnerabilities are addressed promptly. Patch management and vulnerability management software can be used only to apply patches or also to identify new vulnerabilities in the server’s OSs, services, and applications.

Security Testing the Operating System

Periodic security testing of the OS is a vital way to identify vulnerabilities and to ensure that the existing security precautions are effective and that security controls are configured properly (for example, the required cryptographic algorithms are in use to protect network communications). Common methods for testing OSs include vulnerability scanning and penetration testing. Vulnerability scanning usually entails using an automated vulnerability scanner to scan a host or group of hosts on a network for application, network, and OS vulnerabilities. Penetration testing is a testing process OPEN 03/2013

designed to compromise a network using the tools and methodologies of an attacker. It involves iteratively identifying and exploiting the weakest areas of the network to gain access to the remainder of the network, eventually compromising the overall security of the network. Vulnerability scanning should be conducted periodically, at least weekly to monthly, and penetration testing should be conducted at least annually. Because both of these testing techniques are also applicable to testing the server application. Factors to be considered when deciding whether to test the production server or a similarly configured non-production server include the following: The possible impact to the production server. If a certain test technique likely to cause a denial of service, then that technique should probably be used against the non-production server. The presence of sensitivity personally identifiable information (PII), If testing could expose sensitive PII, such as Social Security Numbers (SSN) or credit card information, to people without authorization to see it, then organizations should consider performing the testing on a non-production server that holds a false version of the PII (e.g., test data instead of actual sensitive PII). How similar is the production and non-production servers can be configured. In practice, there are usually inconsistencies between the test and production environments, which can result in missed vulnerabilities if the non-production servers are used.


Logging is a cornerstone of a sound security posture. Capturing the correct data in the logs and then monitoring those logs closely is vital. Network and system logs are important, especially system logs in the case of encrypted communications, where network monitoring is less effective. Server software can provide additional log data relevant to server-specific events. Reviewing logs is mundane and reactive, and many server administrators devote their time to performing duties that they consider more important or urgent. However, log files are often the only record of suspicious behavior. Enabling the mechanisms to log information allows the logs to be used to detect failed and successful intrusion attempts and to initiate alert mechanisms when further investigation is needed. Procedures and tools need to be in place to process and analyze the log files and to review alert notifications.

Page 27


Alerts to suspicious activities that require further investigation. • • • • •

Tracking of an attackers activity. Assistance in the recovery of the server. Assistance in the post recovery of the server. Required information for the local proceedings. The selection and implementation of specific server software determines which actions the server administrator should perform to establish logging configurations.

Server Data Backup Policies

All organizations need to create a server data backup policy. • • • • • • • • • • • •

Purpose of the policy Parties affected by the policy Servers covered by the policy Definitions of key terms, especially legal and technical Detailed requirements from the legal, business, and organization’s perspective Required frequency of backups Procedures for ensuring data is properly retained and protected Procedures for ensuring data is properly destroyed or archived when no longer required Procedures for preserving information for Freedom of Information Act (FOIA) requests, legal investigations, and other such requests Responsibilities of those involved in data retention, protection, and destruction activities Retention period for each type of information logged Specific duties of a central/organizational data backup team, if one exists.

Server Backup Types

Three primary types of backups exist: full, incremental, and differential. Full backups include the OS, applications, and data stored on the server (i.e., an image of every piece of data stored on the server hard drives). The advantage of a full backup is that it is easy to restore the entire server to the state (e.g., configuration, patch level, data) it was in when the backup was performed. The disadvantage of full backups is that they take considerable time and resources to perform. Incremental backups reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental). OPEN 03/2013

Differential backups reduce the number of backup sets that must be accessed to restore a configuration by backing up all changed data since the last full backup. However, each differential backup increases as time lapses from the last full backup, requiring more processing time and storage than would an incremental backup. Generally, full backups are performed less frequently (weekly to monthly or when a significant change occurs), and incremental or differential backups are performed more frequently (daily to weekly). The frequency of backups will be determined by several factors: • Volatility of information on the site • Static content (less frequent backups) • Dynamic content (more frequent) • E-commerce/e-government (very frequent backups) • Volatility of configuring the server • Type of data to be backed up (e.g., system, application, log, or user data) • Amount of data to be backed up • Backup device and media available • Time available for dumping backup data • Criticality of data • Threat level faced by the server • Effort required for data reconstruction without data backup • Other data backup or redundancy features of the server (e.g., Redundant Array of Inexpensive Disks [RAID]).

Recovering From a Security Compromise

Most organizations eventually face a successful compromise of one or more hosts on their network. Organizations should create and document the required policies and procedures for responding to successful intrusions. The response procedures should outline the actions that are required to respond to a successful compromise of the server and the appropriate sequence of these actions (sequence can be critical). Most organizations already have a dedicated incident response team in place, which should be contacted immediately when there is suspicion or confirmation of a compromise. In addition, the organization may wish to ensure that some of its staff are knowledgeable in the fields of computer and network forensics. A server administrator should follow the organization’s policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed

Page 28

security compromise. Examples of steps commonly performed after discovering a successful compromise are as follows:

install the OS of a compromised server or restore it from a backup. Factors that are often considered include the following:

• Report the incident to the organization’s computer incident response capability. • Isolate the compromised systems or take other steps to contain the attack so that additional information can be collected. • Consult expeditiously, as appropriate, with management, legal counsel, and law enforcement. • Investigate similar 43 hosts to determine if the attacker also has compromised other systems. • Analyze the intrusion, including: • The current state of the server, starting with the most ephemeral data (e.g., current network connections, memory dump, files time stamps, logged in users) • Modifications made to the server’s software and configuration • Modifications made to the data • Tools or data left behind by the attacker • System, intrusion detection, and firewall log files. • Restore the server before redeploying it. • Either install a clean version of the OS, applications, necessary patches, and server content; or restore the server from backups (this option can be more risky because the backups may have been made after the compromise, and restoring from a compromised backup may still allow the attacker access to the server). • Disable unnecessary services. • Apply all patches. • Change all passwords (including on uncompromised hosts, if their passwords are believed to have been seen by the compromised server, or if the same passwords are used on other hosts). • Reconfigure network security elements (e.g., firewall, router, IDPS) to provide additional protection and notification. • Test the server to ensure security. • Reconnect the server to the network. • Monitor the server and network for signs that the attacker is attempting to access the server or network again. • Document lessons learned.

• Level of access that the attacker gained (e.g., root, user, guest, system) • Type of attacker (internal or external) • Purpose of compromise (e.g., Web page defacement, illegal software repository, platform for other attacks, data exfiltration) • Method used for the server compromise • Actions of the attacker during and after the compromise (e.g., log files, intrusion detection reports) • Duration of the compromise • Extent of the compromise on the network (e.g., the number of hosts compromised) • Results of consultation with management and legal counsel.

Based on the organization’s policy and procedures, system administrators should decide whether to reOPEN 03/2013

The lower the level of access gained by the intruder and the more the server administrator understands about the attacker’s actions, the less risk there is in restoring from a backup and patching the vulnerability. For incidents in which there is less known about the attacker’s actions and/or in which the attacker gains high-level access, it is recommended that the OS, server software, and other applications be reinstalled from the manufacturer’s original distribution media and that the server data be restored only from a known good backup.

Management Summary

This section has been created mainly with the idea of answering the most common questions a manager could ask as far as Information Security is concerned. Its purpose is to explain in a brief, yet effective way why from a management point of view one would want to invest in securing the core Information Assets of the company, and the potential risks attached to cutting the Information Security budget. A lot of businesses (still) tend to ask the question why they should invest in information security, as sensitive data is backed up every day and in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored and brought back up in a matter of minutes. Whereas theoretically there is nothing wrong with this mode of thinking and the procedures that are in place do provide a certain degree of security, practice has shown time and time over again

Page 29

SOCIAL ENGINEERING that the “classic” security methods such as virus scanner/backup/restore may not be enough to ‘hold the fort’. People still fail to realize that their Internet connectivity represents a big threat to the whole world if it is not properly secured; that there are hybrid code out there that will not only take out your network(s) and trash your data, but will also steal documents, passwords, etc; and that there are people out there that will try to enter your systems for whatever reason and damage your systems. A successful intrusion with the idea of purposefully causing damage to business could damage the image of the company and the brand name to no end. It may take minutes to recover your corrupted files, but it may take years to clear a name, or image. A simple defacement of the company web site will show the world how insecure it (and, subsequently your in-house systems) is/was, that proper security measures were not in place, and if it concerns an online shop, most of your clients will be afraid to use it anymore. Or imagine your company networks contributing to a worldwide, full-scale Distributed Denial Of Service (DDoS) attack, which will definitely get you in trouble and/or damage your reputation a lot. Just imagine being in a situation where your company systems are unknowingly attacking other businesses online, or successful penetrations in other companies are performed, using your networks! Another common management mistake is plain and simple, smugness. How many times have you heard phrases like: “we have recently purchased a well known firewall product to protect our company network”, “we have server level content blocking software as well”, “our administrator is a certified security professional”, or “we think we are pretty dam secure, so why should we invest in further security measures?”. Security is a never ending process that requires constant monitoring, updates, investment, research and implementation of new technologies; not forgetting the most important point: education of staff. Because no matter the amount of money you are prepared to spend, and no matter the technologies involved, the secret lies within the individual who configures your security system(s). Internet can be a very beneficial resource to your business, however it brings certain risks with it. For the best possible results you will probably need to employ full-time specialists taking care of your (IT) security, thus ensuring you are capitalizing the OPEN 03/2013

benefits of the Internet, while having your critical data reasonably secured. It is to hope that by now any company manager has enough background information to be able to ask the right questions to their security products vendor, or the security consulting company building and developing their security solutions. I cannot stress enough, on the other hand, the importance of getting your company executives familiarized with all the risks posed by their Internet connectivity and other (IT) security issues; the clearer top company executives and decision makers are on the whole situation from a security point of view, the sooner and quicker an effective IT security policy/strategy will be in place!


The aim of this paper is to explore the process of building and implementing an successful Information Security Policy in detail, as well as giving various recommendations for the development of a Security Awareness Course. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not. Along with what I hope to be large amounts of useful information, I have provided you with some ready-made “Best Practices” sections on various security threats, as well as a sample Security Newsletter in order to save you valuable time and resources. The implementation process requires constant monitoring of Internet Threats, along with the measurement of staff knowledge and awareness levels to ensure that there is a continuous improvement in their level of knowledge and security awareness.

Prashant Mishra

Information Security Officer at Syniverse Technologies Managing Security with Regulatory bodies(Telecom Regulatory Authority of India), DoT (Department of Telecommunications) & TEC (Telecommunications Engineering Center) Intelligence Bureau, Department Of Police, Involved in information Security, vulnerability assessment and Penetration Testing. Certified Ethical Hacker.(CEH), EC-Council Certified Security Analyst (ECSA).Applied for LPT (Licensed Penetration Tester), Done Training in Computer Hacking Forensic Investigator (CHFI) .

Page 30

What do all these have in common?

They all use Nipper Studio to audit their firewalls, switches & routers Nipper Studio is an award winning configuration auditing tool which analyses vulnerabilities and security weaknesses. You can use our point and click interface or automate using scripts. Reports show: 1) Severity of the Threat & Ease of Resolution 2) Configuration Change Tracking & Analysis 3) Potential Solutions including Command Line Fixes to resolve the Issue Nipper Studio doesn’t produce any network traffic, doesn’t need to interact directly with devices and can be used in secure environments. T: +44 (0) 1905 888785

SME pricing from

£650 scaling to enterprise level

evaluate for free at


Running Head Penetration Test Results Reporting Upon completion of a penetration test, all of the information collected must be neatly entered into the after-actions, results report. Since this document is the only tangible, deliverable element supplied to the customer, it should appear professional, well organized, and clearly detail and explain what was uncovered during the penetration test. This article will examine methods and best practices of the reporting stage of a penetration test. The target audience of this paper is penetration testers who wish to improve their report writing skills.


t the conclusion of a penetration test, all of the data collected must be massaged into useful data, upon which the customer can act. The purpose behind a penetration test may differ, but one constant of penetration testing is the requirement for meticulous documentation, recording each step, collecting information as you go, entering said data into a report, and delivering it to the customer. This phase of the penetration test is sometimes seen as an afterthought, but this is the hands-on product you deliver to the customer, it is vitally important that scrupulous attention to detail be given to constructing and delivery of, a well-polished final product. Writing the results report may not be as glamorous or exciting as actually performing the technical portion of the test, but in many respects, it is the most critical task a penetration tester performs because it allows the customer to see what you have actually done. The results report is essentially your way of showing the customer what you have done. They have no way of knowing that you spent long nights plugging away at their systems if you have no way of demonstrating it – it is your evidence that a penetration test has been conducted. You owe it to the people who are paying you to deliver a professional final product. The final reOPEN 03/2013

port demonstrates your competence, illustrates the amount of work you put into the test, and gives the customer a way forward, after all the test is supposed to highlight issues with their security. A professional, well-written report can impress your customer and win repeat business, and lead to word-of-mouth advertising – a poorly written report could cost you future business with that customer and word could travel that you’re services are not quite up to scratch.

Existing Guidance on Penetration Test Reporting

There is an absolute plethora of materials written about the subject of penetration testing. Many of us have bowed bookshelves containing volumes on the subject and a massive ‘Favorites’ folder dedicated to subject. There seems to be an unending well of excellent resources to draw technical tricks of the trade from, but there is very little written about one of the most important, time-consuming, and frustrating sections of the test – the results report. It is understandable that sitting down to write the final report can be very dull when compared to the other aspects of the test, but considering its importance, it is vital that the report is written well. Penetration testing is a scientific process, and the

Page 32

Figure 1. PTEST-Reporting, Eric Smith (2011). Retrieved from: new2.png OPEN 03/2013

Page 33

TEST RESULTS REPORTING findings in the report have to be repeatable. If a customer disagrees with the findings of the test, they have every right – and likely will – consult a second opinion. If you do not fully articulate in your report how you came to your conclusion, it may be difficult for someone else to repeat your process, and that person may actually derive different results, which may put the reputation of your business into question. In addition, the audience of the report has to be taken into consideration. Likely, there will be at very least two types of people reviewing the report, senior management, and technical staff. What those viewing the report will look to take out of it will vary greatly. Senior management is likely to care less, or even understand the lingo utilized to explain how you got root on their web server, what they care about is the big-picture: “What does our security posture look like?” The technical staff will likely be the ones required to patch the holes uncovered during the test, so they will want to know what system was affected, the severity of the vulnerability, and if possible, how to go about fixing it. There are a number of fine resources available for learning about writing penetration test reports. Some sites to consider checking out are:

part: the raw report, which includes everything, to include screenshots, dumps, scan results, etc. It is up to you if you include the raw data, but it should not hurt anything to add this as an appendix or separate document. Take for example the report structure in Figure 1. (PTEST-Reporting, Smith, 2011.), this is a pretty detailed tree of what could be expected in the executive summary and the technical report.

Example Report

The following is a sample of recommendations that should be included in the penetration test report, feel free to use what fits your needs: • Cover Page (Figure 2) The cover page should contain the following elements: • The name of the report • Date • Target organization’s name • Revision number • Control number • Classification • Author of report

• Offensive Security – Penetration Test Report – • CORE Impact Professional – • The Penetration Testing Execution Standard (PTES) – • The Information Systems Security Assessment Framework (ISSAF) – • The Open Source Security Testing Methodology Manual (OSSTMM) – http://www.isecom. org/research/osstmm.html • The Open Web Application Security Project (OWASP) – Main_Page Unfortunately, there is not a hard/fast industry standard for writing penetration test reports; but this may largely be due to the varying needs of each customer. One thing many experts seem to agree upon is that the report should be broken up into at least two parts: the executive summary and the technical report. Some suggest a third OPEN 03/2013

Figure 2. PenTest Cover Page, T. Stachowski (2013).

Page 34

• Company performing the penetration test • A disclaimer

• Information Page – The information page will contain much of the information found on the cover sheet, but will also include a history of revisions, name of document reviewer, name of document editor, penetration test team member names, contact information, and a legal notice. • Table of Contents – The table of contents lists the parts of the report in the order which they appear. • Executive Summary – The executive summary should be brief, and non-technical. The target audience of the executive summary is seniormanagement and other non-technical staff. Illustrations such as pie charts and graphs may be helpful. The following should be included in the executive summary section: • Scope of Work / Test – The scope of work/ test section should detail what the penetration test was limited to, i.e. network only, website only, etc. It should also detail what was off-limits, such as hardware, tape libraries, etc. Finally, the scope should detail

constraints, and problems encountered during the test, for example, if they were they asked to leave the building at certain hours. Type of test – Spell out the type of test that was conducted, i.e. White-box, Black-box, Grey-box, and give a brief description of the test. Test Objectives – The test objectives should detail why the test was conducted in the first place, such as the deployment of new hardware/software, annual inspection, etc. Timetable – The timetable should detail start and stop times/dates, amount of manhours invested in the test, when phases of the test were conducted, etc. Summary of Findings – In the summary of findings section, you want to give a quick snapshot of what is going on, to paint the picture of the organization’s security posture. Consider using images (such as those in figures 3 and 4) to illustrate findings. Remember, this section is non-technical, senior-management does not care about the details, they want to know if their network is secure or not (Figure 3 and Figure 4).

Figure 3. Summary of Security Risk Pie

Figure 4. Summary of Security Risk Graph

OPEN 03/2013

Figure 5. Findings Page 35

TEST RESULTS REPORTING • Summary of Recommendations – Like the summary of findings section, this is a brief description of what needs to be done to remediate the uncovered issues. Do not get into the technical weeds in this section, but give a quick lower-level explanation of what needs to be done to correct vulnerabilities. • Technical Report – The technical report is where you supply detailed reporting. In this section you want to be very descriptive in explaining how issues were discovered so that they are repeatable, and can be used after the administrators or local security team has patched the holes, to ensure that their fix actions have eliminated the vulnerability. • Findings – For each specific finding, you want to be very thorough, giving as much information as possible. Explain the methodology used to uncover each vulnerability – provide repeatable, systematic instructions. Also, give remediation advice (Figure 5). Additionally, when reporting your findings, you will also want to identify what was not found, for example, a scanner might detect a vulnerability that turns out to be a false positive. It is important to identify these findings to the customer so that they are not concerning themselves with chasing a red herring. You want to be 100% sure that if reporting a false positive that it is in fact just that and not a true security risk. • Out Of Scope Findings – You want to list all findings that fall within the scope of the penetration test, but if you come across vulnerabilities that fall outside of the scope, you want to ensure that you inform the customer that there is a risk that should be examined further. • Conclusion – The conclusion should recap why the penetration test was performed, the

goals of the test, the impact that the current security posture has on the organization’s network. • Recommendations – Provide recommendations that go beyond the individual findings, such as general best-practice security tips, i.e. patch management program, current audits and antivirus updates, proper account privileges, etc. • Risk Rating – Provide an overall risk rating appraisal for the scope of systems tested. Use clear language such as: High, Medium, Low, i.e. „The overall security risk posed to Acme, Inc. systems is HIGH. A hacker has the potential to cause serious financial and operational damages to Acme, Inc.” • Appendix A: Glossary of Terminology – Provide a glossary of terminology used throughout the report. • Appendix B: Network Diagram – Provide a network diagram of the network scanned, such as one gathered from nmap. • Appendix C: Tools / Exploits Used – Provide a list of tools and exploits utilized, as well as a quick description of what the tool does. • Raw Report – The raw report is going to be a full data-dump of everything you’ve captured – the more information the better.

Other Considerations

Some vulnerabilities, if posing an immediate threat to the network, should be reported to the organization, and mitigated immediately. A penetration test is really designed to identify issues, not fix them on the spot, but there should be a point of contact within the organization to contact and report immediate findings to. If the issue is mitigated during the penetration test, it should still be documented in the report, if nothing else it will help to demonstrate to the customer the value to be gained from having a penetration test performed on their network.


• CORE Impact Professional. Retrieved from: • The Information Systems Security Assessment Framework (ISSAF). Retrieved from: • The Open Source Security Testing Methodology Manual (OSSTMM). Retrieved from: • The Open Web Application Security Project (OWASP). Retrieved from: • The Penetration Testing Execution Standard (PTES). Retrieved from: Main_Page • Offensive Security – Penetration Test Report. Retrieved from:

OPEN 03/2013

Page 36

Coordinate with the customer to determine if they want sensitive or personally identifiable information (PII) sanitized from the final report. Also, ensure that the document is classified using the customerâ&#x20AC;&#x2122;s classification standards, so there is no confusion to the sensitivity of the document. Both hard and soft copies of the report should be carefully guarded and tracked. Hard copies should be signed for, and soft copies should be encrypted.


There is nothing sexy about writing the penetration test report, but it is arguably the most critical component of the entire process. Taking the time to assemble a high-quality and comprehensive final product is a way to demonstrate to the customer that you are a professional and that the greatest of care has been taken in testing their network. Essentially the report is what the customer is paying you for, so ensure that you are providing them with a document they can act upon when the testing is over. Taking the time to ensure this stage of the test is done well can win repeat business and grow the reputation of your company.

Terrance Stachowski

Terrance Stachowski is a defense contractor supporting the United States Air Force. He has fifteen years of IT experience, a M.S. in Cybersecurity from Bellevue University, and currently holds nineteen IT certifications, including the CISSP and L|PT. He specializes in IT Security, Penetration Testing, and Solaris Systems Engineering. He can be reached at OPEN 03/2013


Transforming Your Tablet into Pentest Platform As a penetration tester I always appreciate to work at any place. That’s a nice thing when you are working in IT industry. With my laptop I can be mobile when working on penetration testing. However, as probably many of you, I wanted more. So, I’ve decided to transform my Nexus 7 into penetration testing platform. For base OS of my tablet, I picked Cyanogenmod 10 ROM and tools for various attacks, like MiTM, network discovery and port/ vulnerability scanning, packet capture, Web attacks, and many more.


can bet you’ve at least once wanted to be extra mobile and be able to do penetration testing out of office. Good news! Today’s technology provides high-quality, cheap and fast solution to perform those tasks with Android tablets. In my case, I have 7” Asus Nexus 7 3G with 32GB of storage and four CPU cores, you must admit that’s a quite nice device for penetration testing tasks. Nexus 7 is stocked with vanilla Android 4.2.1., but I wanted to have more customized tablet, so I’ve installed CyanogenMod 10 ROM. Also, I have unlocked tablets bootloader, flashed current with custom recovery image and rooted it to have full permissions on device. I must warn you that with rooting device, you’re going to be exposed to more security vulnerabilities, but you’ll have more control of your device, and be able to use penetration testing tools that require rooted device. Remember that with unlocking and rooting tablet, you’re loosing device warranty, which only can be restored by reverting and installing original stock ROM. Android applications mentioned in this article can be downloaded from URL’s at end of the article (Figure 1).

AOKP. In my case, I prefer first one. Connect tablet to your laptop or PC with USB cable, and enable USB debugging option in Android settings. Device must be in the bootloader mode, and in most tablets, you can enter in bootloader by switching off tablet, and power on by pressing power and volume up (or down). Simultaneously download CyanogenMod 10 from their official Web page. After that, download Android SDK package. Extract archive and in folder platform-tools you will find tools needed for flashing tablet (adb and fastboot). First thing we need to do is unlock bootloader, if it’s locked. Open your console and run fastboot with command ./fastboot oem unlock, wait few seconds and confirm unlock of bootloader. Have in mind that some devices don’t

Hack your Tablet

Your stock Android ROM is quite nice OS for mobile devices, but you can get more powerful device by installing custom ROM’s such as CyanogenMod or OPEN 03/2013

Figure 1. ClockworkMod Recovery

Page 38

have locked bootloader. After that, reboot your tablet and enter bootloader mode again. Now, for installing CyanogenMod we must have device with custom recovery. In my case, I used most popular ClockworkMod Recovery. Choose and download recovery for your device and install recovery image with command ./fastboot flash recovery nameofrecovery.img. After installing, don’t forget to choose option to “disable recovery flash”, reboot device into recovery, and now you have custom recovery with extra options. Next thing, root your device. The easiest way to root tablet is SuperSU application, download it and transfer to root folder of device storage. Again, enter recovery mode, and install application by choosing option “choose zip from sdcard”, after that, you will find SuperSU zip file, install it by pressing power button. Okay, you have rooted device, let’s profit from that. CyanogenMod will be installed in same way, transfer it to internal memory, and reboot into recovery mode. Now, choose next options by following order : Wipe cache, Wipe dalvik cache, Factory reset. After that, choose CyanogenMod zip and install it. You will need Google apps (they aren’t included in CyanogenMod), so pick right version for your ROM and download them. Transfer file to the device and install it as zip file. When you’re done with installing Google apps, reboot to recovery and fix permissions and again reboot tablet. If you have slower tablet, on XDA forum you can find topics with mods about performance improvements.

can be later analyzed using Wireshark. When we talk about MiTM attacks, one of the classic applications for capturing sessions with cookies from other users on wireless networks is DroidSheep. Also, it has features to manipulate and save cookies. Android have it’s version for attacking SSL protocol as well – SSLStrip, which requires rooted device. LanDroid is must have application with features such as Ping, Whois, Dig, NSlookup, IPLookup, Traceroute, PortScan, MAC lookup, WakeOnLan, and many more. dSploit is by the author “network analysis and penetration suite”, ready for various MiTM attacks, it comes with Port Scanner, Inspector, Vulnerability Finder, Login Cracker and other features for performing penetration testing. I must also mention Fing, application for network discovery with great interface and abilities, one of my favorite. Every penetration tester must have Android version of Nmap and Nikto Scanner. Good thing with Web vulnerability scanners is the fact that most of them have Web interface to control them, for example, Metasploit. One of most popular Web vulnerability scanners, Nessus have official application to control your Nessus server. There’s also proxy application for Android, SandroProxy, it can “Capture, intercept, analyze, modify, replay http requests” and it’s based on WebScarab. ProxyDroid is similar application, which can use for example existing Burp Suite server on your laptop and proxy all device traffic (Figure 2 and Figure 3).

Building Penetration Testing Platform

It’s impossible to complete penetration tests without tools for everyday tasks. To be more productive while typing on tablet, you must have full qwerty layout, so I recommend Hacker’s Keyboard. We’ll assume that every penetration tester must have terminal, and Android Terminal Emulator is as the name said – terminal emulator. It’s not rare to work-

Now we have multi-user device with enough processing power and mobile software to be perfect solution for mobile penetration testing platform. For easier connectivity to the Internet, I recommend buying a tablet with a 3G module and bigger GSM data plan, at least 2 GB monthly. All applications used in this article are free. We’re starting with applications for discovery and penetration testing of wireless networks, one of them is WiFinspect, great tool with abilities to test Access Points and internal/external networks. Also, it has feature to sniff networks, analyze captured .pcap file, host discovery and few more. With Apscan you can scan wireless networks around you, and it has ability to save AP list and sort and filter BSSID’s. WiFiKill application can disconnect clients from wireless network using Iptables, if you want to perform social engineering. Once you’re connected to wireless network, you can capture traffic, and analyze it with Shark and SharkReader, sniffed traffic OPEN 03/2013


Figure 2. Fing

Page 39

TIPS & TRICKS ing penetration testing inside VPN network, and on Android it isn’t problem to connect use VPN, VNC, SSH, RDP, TOR or to be local SSH server (ConnectBot application). When it comes to working with documents, OfficeSuite Viewer 7 is by the authors “OfficeSuite is a universal document viewer for Android enabling you to open, view, print and share native DOC, DOCX, DOCM, RTF, TXT, LOG, XLS, XLSX, XLSM, CSV, PPT, PPTX, PPS, PPSX, PPTM, PPSM, EML, PDF and ZIP files and attachments”. Working penetration testing means you’re working with extra sensitive business information, so it’s better to have encrypt solution like Cryptonite, with local and Dropbox encryption solutions. ASTRO File Manager is very handy application for managing files on your tablet, and it has the ability to work with cloud services such as Box, Dropbox, Google Drive and SkyDrive, plus it can scan your local network and search for SMB shares. After you install your favorite ROM and applications for penetration testing, it is a good idea to make backup of everything, so next time you choose to change current ROM you will have core penetration testing applications as backup solution, ready to be restored on any Android device with backup application of your choice.

• WiFinspect ?t=1282900 – WifiKill• s? – Nikto Droid • – Nmap • – dSploit • – Android SDK • – CyanogenMod • – Clock Work Mod • – Google Apps • =38643545 – XDA thread about “Performance boosting” • ?t=1933837 – XDA thread about “Performance tweaking”

I think it’s easier to scan QR code and install applications directly from Google Play than copy/paste link in browser, so bellow you’ll find QR codes of applications used in the article.


Now you have fast, extra mobile and productive platform to work on. I mentioned very few applications for penetration testing, there are many more applications, mostly paid, but this free applications cover almost complete basic penetration test methodology. It’s very important to secure your tablet from loosing it, and one of best practices is to use PIN or password method on screen lock in combination with anti-theft tools (remote storage wiping on stolen device). With above described Android applications you can make huge part of penetration testing, from testing wireless networks, MiTM attacks, local networks, Web applications testing with features to proxy HTTP requests.

Domagoj Vrataric

Figure 3. Nessus

Figure 4. Android Terminal Emulator and Hackers Keyboard OPEN 03/2013

QR Codes On the Web

Domagoj Vrataric is IT Security Manager at Aduro Ideja, a company from Croatia who offer software solutions for telecom industry, high volume data processing, real-time systems and penetration testing services. He has experience with penetration testing (OWASP methodology), mostly in telecommunication industry, eCommerce (osCommerce, ZenCart, OpenCart) and media industry. 10 years experience with Linux, 8 with IT security, knowledge about hackers culture and way of thinking. He is currently involved in penetration testing and project manager on few security projects. Additionally in charge of security in our company, from monitoring IT infrastructure, administration of Debian servers, security policies on computers and mobile phones.

Page 40




Hackers Keyboard

Shark reader



OfficeSuite Viewer




ASTRO File Manager



OPEN 03/2013

Page 41


Homeland Security Reducing the Threat from Attacks

This article is written to describe the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. The reader may also find which activities can fit into their Software Development Lifecycle (SDLC) programs to further benefit other organizations as well. This is not an offensive approach to Cyber Security, but an improved defensive approach.


very day the United States Government is subject to cyber-attacks which threaten the lives of citizens and agency missions. Threat agents include other countries, citizens of the United States, and organized crime (to name a few). The US Department of Homeland Security has the responsibility of protecting Federal systems and supporting other agencies of the US Government with protecting information and reporting cyber incidents. The actual source of the attacks is usually unpredictable (it would certainly make it easier if they would announce their intentions in advance), though most have similar objectives, to get the information that organizations are trying to protect. Attacks on information systems can be easily spoofed, thereby making the source IP address a non-reliable source of the connection. Open source projects such as the TOR network, bot nets, and other infected resources make investigations more challenging [1]. At present, most Federal agencies approach securing the homeland through defensive measures which are largely reactionary. The lack of proactive measures places these agencies in a losing battle. Attempting to identify the source of an attack is not trivial, as attacks are generally carried out by systems that have been compromised. UltimateOPEN 03/2013

ly, the source of the problem is insecure software. As such, agencies can better protect their systems by building security into their software [2]. Although a wealth of information exists to support building better software (see Microsoftâ&#x20AC;&#x2122;s SDL or Cigitalâ&#x20AC;&#x2122;s Software Security Touchpoints), most organizations encounter problems when trying to transition from theory to practice.

Regulation and Compliance to the Rescue?

Congress passed the E-Government Act of 2002 to address the lack of security within Federal information systems. Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), was designed to promote responsibility for security through mandate. FISMA mandates that organizations report their security posture as measured by standards published by the National Institute of Standards and Technology (NIST). The security standards identify a minimum set of security requirements for information and information systems. The result is the development of a process drawing on security requirements that falls short in terms of defining how organizations can implement these standards, as well as how each organization can measure the effectiveness of their programs.

Page 42

FISMA is grounded in following processes and demonstrating compliance with checklists. Unfortunately, FISMA fails to offer the organizations the value of improving the overall security of their systems as FISMA focuses the government on processes and reporting which competes for security funding, usually to the detriment of actual security operations. FISMA identifies the classification of federal systems as Low, Moderate, or High vis a vis FIPS publication 199 [3]. FIPS 199 defines the standards for Security Categorization of Federal Information and Information Systems. Depending on the identified classification of systems, FISMA relies on NIST special publication 800-53 [4] which proscribes an increasingly restrictive set of security controls depending on the classification of federal systems. The intent of this publication is to allow the security practitioner to customize controls which are related to the system and the security classification. Using the NIST 800-53 controls, the organization is able to better classify the security issues, and activities needed to obtain accreditation for use. Unfortunately, one of the major drawbacks of NIST 800-53 is the failure to bridge information security theory with information security practice.

Is Pentesting Enough?

Pen Testing the environment is often used as the primary means of determining the security of systems. A drawback of using penetration testing as a sole mechanism for securing systems lies in the late stage of SDLC where testing occurs. Because penetration testing occurs once a system is production ready, the earlier stages of the SDLC are often overlooked (for example sometime after code is running, a decision is generally made to run a ‘Pen Test’; exactly what is being tested is not necessarily clear.) Another issue with pen testing relates to the level of systems coverage. At Cigital, we have found that the Pen Test exercise covers only a small fraction of the actual codebase. For this reason, Cigital refers to Pen Tests as being a “Badness-ometer”. For example, when a pen test is performed on a system and several findings are discovered, the system is clearly insecure. However, if a pen test is performed and no findings are discovered, does this mean that the system is secure? Most likely the answer is “no”. Just because a security practitioner did not discover a vulnerability, the system may still have vulnerabilities which have not been OPEN 03/2013

discovered (remember, the pen test only covers a small percentage of the codebase). For this reason, we can state that pen testing is not enough. The rule of thumb is that a pen test will only tell you how bad your code is, not how good. As a result, the pen test is really a badness-ometer.

A New Approach for Securing Systems?

The traditional approach to cyber security has been reactive. The traditional approach is mired in an improper interpretation of “Defense in Depth”. Systems and networks are hardened at the perimeter of the network and include a multitude of tools which operate as filters throughout the cyber infrastructure. We like to call this the M&M defense (hard on the outside, and soft in the center). The underlying assumption is that adding more and more security products and services will inevitably reduce the attack surface and eradicate risk. One of the problems with “securing the perimeter” lies in the faulty assumption that networks have boundaries which can be defined. With the rise of cloud and mobile computing, the security team is left scratching their heads with respect to where the boundaries are and how to define them. When you boil down the challenge, the least common denominator falls on the assurance of the software and software applications. Simply put, if you can establish an assurance level for deployed software, you will better understand where your weaknesses lie. This has been a resounding within organizations and the number one reason that Cigital was called upon by DHS to assist in the deployment of Static Analysis tools and the development of the Build Security In initiative.

Figure 1. Pentests are only a small measure of “Badness”

Page 43

LET'S TALK ABOUT SECURITY Where do you Fix the Bugs?

When considering the total cost of ownership for a software application, the benefits of implementing software security are considerable. Consider the diagram shown on Figure 2. Figure 2 identifies that the cost of remediating vulnerabilities at later stages of the development life cycle is far greater than the cost of remediating vulner-

abilities at earlier stages of the life cycle. In fact, the diagram shows that while the average cost of fixing a single vulnerability during the early stages of development is $977, the cost of remediating vulnerability at a later stage is $14,102 (that’s a factor of 14 times higher!). Maybe you’re asking, but how can I fix the bugs, if I am testing the software with Pen Tests? Let’s approach this matter one step at a time.

Figure 2. The cost of remediating vulnerabilities

Figure 3. Cigital’s Software Development Life Cycle (SDLC) with Security Related activities OPEN 03/2013

Page 44

Bugs Should Be Fixed in Development

The higher expense is usually incurred by detecting vulnerabilities late in the development process. Consider the Figure 3. This figure presents the SDLC as indicated by the boxes and provides security Touchpoints for how security can be introduced at various stages of the SDLC. As you can see, we have inserted Security activities in each of the SDLC phases (you can read about these exercises and the security touch points in Software Security by Gary McGraw) (While our figure is more representative of a waterfall approach, the iterative SDLC process can adopt it easily) [5]. Many times the overall size of the architecture and complexity of the environment can only be evaluated after the initial development or deployment has already been made. While employing the security controls for an application has been known to be accomplished after the design is completed, continuing to scrutinize the security of an environment after the implementation of the system is completed is a kin to trying to bolt security on top of the environment (as opposed to creating it inside the application). (McGraw)

This is not to say that we should stop using FISMA or halt the use of Pen Testing activities at all, because these activities are essential to determining the correct implementation of security in the enterprise. However, changing or augmenting the traditional testing during the SDLC has been shown to improve the security of the application, as well as help to fix the security posture of the application before it reaches production. Cigital has taken a different approach to Software Security; we recommend the implementation of security directly into the software. This approach enables the developers to be an active part of the active security team. The chart in Figure 3 looks at the development of new software and how security related activities are always a part of the Software Development Life Cycle (SDLC). As we can see from Figure 3, the actual introduction of Pen Testing is far to the right of the SDLC, very near the production phase. This is very late in the SDLC process and also complicates the updates for the software to implement better security into the software.

Figure 4. Security activities for new development OPEN 03/2013

Page 45

LET'S TALK ABOUT SECURITY By enabling the developers to implement better security directly into the software while it is on their desktop, we minimize the delays to improve the overall security of the software. This is an essential component to implementing better security controls.

Code Review

Here are some of the code review functions which Cigital is providing to its clients, as well as to the Department of Homeland Security (and other government agencies within it as well). This explains why the cost of fixing bugs is so costly in the Testing phase, Figure 2. Figure 4 outlines three different activities which Homeland Security has undertaken as part of their new understanding of security development. The three activities listed above include: • SecureAssist Secure Coding Guidance (training the developers) • Static Analysis • Dynamic Analysis • Binary Analysis [6] We can easily see that the cost of fixing vulnerabilities is significantly lower the further left we are in the development process. This is what we are discussing when we say that we want to enable the developers to become more proactive for fixing security issues. Since the developers already have the software on their desktop, they are the best choice to make the changes, before bugs are introduced into the software. SecureAssist Secure Coding Guidance is a plugin that is provided to the developers Integrated Development Environment (IDE). SecureAssist changes the security stance from reactive remediation to proactive security. Instead of focusing on new ways to find bugs already in the code base – organizations should provide developers with the guidance they need to build expertise and to PREVENT bugs from entering the code base. One of the best things about the SecureAssist plugin is that it does not require access to running code or code that compiles completely. It actually supports the developer working on the file(s) that the developer has access to, and works in realtime, compared to other testing activities. This tool examines one or more files or the complete project as well. Static Analysis code review is usually performed after the project has succeeded in producing code OPEN 03/2013

that compiles completely. Software which compiles with errors can introduce false findings (either positive or negative), and are usually integrated into the Build Cycle of the SDLC. Static Analysis results then need to be examined and distributed back to the development team in order to fix the vulnerabilities. Static analysis reviews have always seemed to provide more results on the code base than Dynamic Analysis [7]. While Static Analysis requires that the source code be available for a full review, the complexity of the tools require that Security Analysts (or Developers) run the tools, and then follow-up on all of the findings presented. Dynamic Analysis is the testing of web based applications which are connectable via the network (Usually available via a web server) [8] or are connectable from a SOAP interface. Dynamic Analysis (You can use a Tool, or Manual examination to perform a Pen Test) [9] is a great testing tool to further validate the effectiveness the security updates to the environment throughout the SDLC. The difference with Dynamic Analysis is that the testing must be performed on a live application. Most testing is performed on applications within the pre-production environment as dynamic analysis will aggressively test the application, making modifications (like a hacker is able to do) which will change the website. This type of testing should also be performed after implementing a full backup of the environment as well. The first three testing types have well defined activities for evaluating the security of the new application. The last type of testing is Binary Analysis depends on the ability to test the actual binaries used in the application. This type of analysis is performed on software that is normally bought from

Figure 5. BSIMM review of 51 organizations

Page 46


[1] Some solutions exist to block entire countries; however this does not stop attacks from compromised hosts within your own country. [2] [3] [4] NIST is currently requesting updates on revision 4 for the 880-53 control set. You can add comment to the security and privacy controls update at [5] While our figure is more representative of a waterfall approach, the iterative SDLC process can adopt it easily. [6] While Binary Analysis is not part of the diagram, it can be a useful component of testing. [7] Cigital has a unique presence in the Static Analysis environment with the creation of the first Static Analysis tool ITS4. After Cigital sold the license of the ITS4 to an investment group, the tool was later acquired by HP and is now known as HP Fortify. [8] Usually available via a web server. [9] You can use a Tool, or Manual examination to perform a Pen Test.

Works Cited • • • • •

BSIMM. (n.d.). DHS. (n.d.). FISMA. (n.d.). FISMA McGraw, G. (n.d.). Software Security – Building Security In. Addison-Wesley Software Security Series NIST. (n.d.). NIST 800-53 revision 3 controls.

another resource or is developed outside of the controls that the organization has put into place. Binary Analysis is useful in examining resources which cannot be reviewed with static or dynamic analysis. Because Homeland Security activities are dependent on the security of the organization from hackers, the largest areas of activity for attacks are seen coming from network (internet/intranet) connected resources. These systems are hosted by Private Enterprise solutions, insuring that 50% of the Security issues are related to the Architecture, and 50% are related to the software within. As we can see, there are detailed activities and controls which have been developed to support the security of the network and architecture overall. That leaves us with 50% of the environment to work on, the software to improve its security.


As I mentioned earlier, the BSIMM model is currently helping organizations to describe the activities that they are currently employing, which begins to outline the holes that remain in order to improve the overall security of the environment (Figure 5). BSIMM is a descriptive process used to determine the current commitment of the organization for the security program. The example above indicates the overall posture of 51 organizations that are committed to improving the overall security within their organizations. While this outline is a reOPEN 03/2013

view of the security for private corporations, it can also be easily engaged to determine the posture of different departments within Homeland Security. Cigital Federal is currently the provider of Software Security Consulting and Training for the Dept. of Homeland Security (DHS) as well as other Government agencies. Using Cigital’s 20+ Years of Software Security experience, Cigital Federal is delivering Consulting, Instruction, Products, Analysis and Processes to insure that better Software Security is achieved wherever it is needed. Whether your needs are securing Homeland Security, a bank, a utility or another organization Cigital has the processes and resources to improve your organizational security.

Albert Whale

Albert Whale is a Security Consultant with Cigital Federal in Sterling, VA. Albert resides in Pittsburgh, PA with his wife and three children (three others have escaped already). He has 28 years of Professional experience having worked in Application Development, Systems Engineering, Network Security and Application Security. Albert is the past President and Co-Founder of the Pittsburgh FBI InfraGard, and has been active in the Security field since 9/11. Email:, LinkedIn:, Skype: aewhale

Page 47

q: how much does Serenity cost?

a: it’s Priceless. Not stillness, not tranquility� but the serenity to do business online, as one should � unmolested. The site is built and launched, it has started making noise on the marketplace. Web servers are gently humming to the tune of orders ringing in, customers chirping, and purposefulness ful�lled. Life is good, not a cloud in the sky � just the daily, most welcome laborious bustle for earned reward, recognition and ever-growing customer satisfaction leading to loyalty and repeat orders. Word of mouth is you�re getting to be one of the best! GO ON, READ THE REST OF THE STORY...

PenTest Magazine  

Pentesting Tutorials

PenTest Magazine  

Pentesting Tutorials