PenTest Open 03/2013

Cyber Security Auditing Software

www.titania.com

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.


Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

Why not see for yourself, evaluate for free at titania.com

Page 4 http://pentestmag.com OPEN 03/2013

Managing Editor: Patrycja Przybył [email protected]

Betatesters & Proofreaders: Jeff Smith, Cleiton Alves, Hani Ragab, Karol Sitec, Dalibor Filipovic, Eric Geissinger, Amit Chugh, Ricardo Puga, Dan Dieterle, Gregory Chrysanthou, Harish Chaudhary, Abhishek Kar, Gareth Watters, Eric De La Cruz Lugo, Barry Grumbine, Wayne Kearns, Steven Wierckx, Jakub Walczak, Artem Shishkin, Donald Iverson, Ewa Duranc, Stefanus Natahusada, Tzvi Spitz, Vaman Kini, Jeff Weaver, Vaman Amarjeet, Larry Karisny, Gavin Inns, Vaman Amarjeet, Abhishek Koserwal, Peter Harmsen, Hussein Rajabali

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa Dudzic [email protected]

Art Director: Ireneusz Pogroszewski [email protected]

Production Director: Andrzej Kuca [email protected]

Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers

We would like to present you the third issue of PenTest Open – a free monthly publication, where you can read some of our best articles from last month. This time you will find here a selection of really good tutorials written by our best authors and experienced pentesters. We hope that this read will help you to improve your skills and allow you to broaden your horizons.

We start with Guglielmo Scaiola's tutorial, where he presents how to create your own SQLi test lab. By establishing a virtual environment for your work, you will be able to test your skills in a legal and effective way.

Austin Scott's article is dedicated to data diodes, which are used in applications requiring the highest level of security, such as state secret protection. He explores the inner workings and practical control system applications of the uni-directional gateways and provides a step by step guide showing how to create your own using Open Source Software.

Terrance Stachowski will teach you how to prepare a professional and detailed penetration test results report. Take advantage of his experience and knowledge, which he agreed to share with you.

Since the work of a penetration tester often requires being mobile, Domagoj Vrataric in his short tutorial will show you how you can achieve it by transforming your tablet into a pentest platform.

On the other hand, Albert Whale describes the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. From his article you will find out which activities can fit into their Software Development Lifecycle (SDLC) programs to further benefit other organizations as well.

The article by Prashant Mishra deals with the problem of internal security matters within any organization and puts the accent on the importance of a well constructed Information Security Policy in the company.

We hope that you will find this selection of articles worth your time and will enjoy the reading.

PenTest Team


CONTENTS

BUILDING SQLI TEST LAB
06 From the Beginning: Building a SQLi Test Lab
By Guglielmo Scaiola
Enter virtualization technology, where it is possible to create an extensive lab without the risk of being jailed. There are many virtual machine technologies to choose from: Vmware Esxi and Vmware Workstation, Microsoft HyperV, Xen, or VirtualBox. Your choice may be related to your favorite operating system or your computer hardware. The author, in his professional work, uses different virtualization products. However, in this article he describes Vmware Workstation 8, but you can transform the examples with a few modifications to another virtual environment.

SCADA STEP BY STEP
14 Defending Industrial Control Systems with Data Diodes
By Austin Scott
Originally designed by government organizations to protect top secret information, data diodes are most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links. In recent years we could observe an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure due to the simple and virtually impenetrable nature of these devices. In this article the author explores the inner workings and practical control system applications of these uni-directional gateways and provides a step by step guide to creating your own using open source software.

SOCIAL ENGINEERING
22 Information Security Policy (ISMS)
By Prashant Mishra
These days about 90% of the business depends on Information Security as it can be accessible through the Internet from anywhere. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not.

TEST RESULTS REPORTING
32 Running Head Penetration Test Results Reporting
By Terrance Stachowski
Upon completion of a penetration test, all of the information collected must be neatly entered into the after-actions results report. Since this document is the only tangible, deliverable element supplied to the customer, it should appear professional, well organized, and clearly detail and explain what was uncovered during the penetration test.

TIPS & TRICKS
38 Transforming Your Tablet into Pentest Platform
By Domagoj Vrataric
As a penetration tester you always appreciate being able to work at any place. That's a nice thing when you are working in the IT industry. With your laptop you can be mobile when working on penetration testing. However, as probably many of you, the author of this article wanted more...

LET'S TALK ABOUT SECURITY
42 Homeland Security – Reducing the Threat from Attacks
By Albert Whale
The author describes the changes being made in the Homeland Security activities for new software in development, and how they are improving our overall security. From this article you will also find out which activities can fit into their Software Development Lifecycle (SDLC) programs to further benefit other organizations as well. This read is not presenting an offensive approach to Cyber Security, but an improved defensive approach.

BUILDING SQLI TEST LAB

From the Beginning: Building a SQLI Test Lab…

I remember when I was trying to learn hacking. It was a long time ago, when pterodactyls were still flying in the sky. In those years it was very difficult to create hacking labs. The only way to do that was with physical machines, but today it is much simpler. Enter virtualization technology, where it is possible to create an extensive lab without the risk of being jailed.

There are many virtual machine technologies to choose from: Vmware Esxi and Vmware Workstation, Microsoft HyperV, Xen, or VirtualBox. Your choice may be related to your favorite operating system or your computer hardware. In my professional work I use different virtualization products, but in this article I will use Vmware Workstation 8; you can transform the examples with a few modifications to another virtual environment.

I will assume that the virtualization system is already properly installed. After this, the first step is the preparation of the attacking machine. I think that nowadays the choice is obvious: Backtrack (http://www.backtrack-linux.org/downloads/), which you can install in a new virtual machine. If you want to maintain a good working lab and follow these exercises, I do not recommend using the live version, since the exercises will go better if you persistently update your installation with the latest version. The second step, after you have properly configured the network adapter, is the upgrade of the attacking machine. You can do this with these simple instructions (see Figure 1):

    root@bt:~# apt-get update
    root@bt:~# apt-get upgrade

Now we can set up the IP address, in my case 192.18.254.1/24. It is also better to stop the DHCP client started by default, to avoid losing your IP address. (See Figure 2).

Now we can install the target machine. For this lab I will install a Windows 2K8 R2 machine. If you do not have a regular license you can download the 180-day trial version at http://www.microsoft.com/en-us/download/details.aspx?id=11093, but if you think you will be creating a lot of labs with the Windows system, the best way is to subscribe to a Microsoft Technet subscription. With this subscription you can download all Microsoft operating systems for testing purposes without expiration. You can use the default installation and, after configuring the network card (in my lab the IP address is 192.168.254.202), you can install all of the Windows updates.

Figure 1. My Vmware test lab

Figure 2. Recap network configuration

The purpose of this lab is to attack the web page and the back-end database. For that you need to download Xampp, which is a simple wamp (Windows, Apache, MySQL and PHP) package (http://www.apachefriends.org/it/xampp.html). The installation of this package is very Windows-like: next... next... next… I downloaded and installed the portable lite version and I shortened the path to c:\xampp.

After the Xampp installation completes you have a complete Apache environment, powered by PHP and MySQL, and for administering Xampp there is a friendly console, xampp-control, in the xampp directory. (See Figure 3).

Depending on your needs it is possible to remove HTTPS: use the "config" button and choose "Apache (httpd-ssl.conf)" (see Figure 4), then comment out the line "listen 443" by putting a # in front of it. (See Figure 5).

Now you can start Apache without any problems. If you have the default configuration in Windows 2K8 server, you need another little step to make it work correctly: you must allow Apache through the Windows Firewall. The fastest way to do this in our lab is to enable "Notify me when Windows firewall blocks a new program". Go to Control Panel – System and Security – Windows Firewall – Change notification settings, and there you can set the new notification status. (See Figure 6).

After setting "Notify me when Windows firewall blocks a new program", when you start Apache from the Xampp console a pop-up warning appears asking you to allow access; once you allow it, your Apache daemon works properly. (See Figure 7).

The last step to build your complete lab is to download the vulnerable web application. For this test I have chosen Damn Vulnerable Web App (http://www.dvwa.co.uk/). This web application is built with a lot of vulnerabilities, and in this article we will look at just one of them, but if you want to know more about DVWA, a lot of very interesting material can be found at http://code.google.com/p/dvwa/wiki/README. To work with this app you only need to unzip it into c:\xampp\htdocs (see Figure 8).

Figure 3. Xampp Control Panel

Figure 4. Removing HTTPS

Figure 5. Remove port 443 in httpd-ssl.conf

Figure 6. Windows firewall configuration

Figure 7. Oops…

The first time, you must connect to the DVWA website with the server's browser and finish the database setup. (See Figure 9).

On this screen you can create the database by pressing the button "create/reset database". (See Figure 10).

After that the DVWA website is up and running, and it can be browsed from outside the server.

What? You are trying to access it from your backtrack distro and you are receiving a forbidden error? Then you can edit .htaccess in the DVWA folder and change the line "allow from 127.0.0.1" to "allow from all" to fix the problem. (See Figure 11).

If all works, you can connect from the attacker machine to the URL http://192.168.254.202/dvwa/login.php, and this page needs authentication. (See Figure 12). The username is "admin" and the password is "password". (See Figure 13).

Now we are ready to try the lab exercises. If you need a little video for reviewing the DVWA installation, you can find it at http://www.youtube.com/watch?v=GzIj07jt8rM.

Figure 8. Take a look at the htdocs folder

Figure 9. It works…

Figure 10. Create Dvwa DB

Figure 11. :(

Figure 12. Enter credentials

Figure 13. The home page… a lot of duty…

Sharpen the Ax – Prepare your Tools

After setting up the lab, we need to know all the tools that we will use in the exercise.

The first one is sqlmap (http://sqlmap.org/), my preferred SQL injection application. In my opinion it has a very good balance between power, simplicity and flexibility: sqlmap supports a lot of database engines and various injection techniques (six types, for the nerds), is capable of dumping database tables, downloading and uploading files and executing commands, and it has a bunch of other nice features. (See Figure 14).

In this exercise we will see some basic, but interesting, features of this tool. We also need to keep in mind that the website needs authentication, and this authentication is maintained with cookies. Sqlmap is able to manage the cookies, but how do we capture them? Which tool is able to do that?

For the demo I try two techniques for capturing cookies: the first is a Firefox plug-in, and the second is a very powerful tool called Burp Suite (http://www.portswigger.net/burp/). (See Figure 15).

Burp Suite is an integrated platform for testing web apps. It is possible to buy the more powerful professional suite, with more functions like Burp Intruder or Burp Scanner, but for testing purposes it is sufficient to use the free edition. With Burp Proxy, after configuring the web browser to use it, it is possible to pause HTTP sessions and manipulate the GET and POST traffic. If you need only part of these features, you can use the Firefox plug-in called Tamper Data. With Tamper Data you can pause the session in the same manner as Burp Proxy and intercept cookies. In Backtrack, all these tools are installed by default. (See Figure 16).

Figure 14. We meet with… sqlmap

Figure 15. Another friend… burp

Figure 16. The "little" friend… tamper data

Figure 17. Start tampering with tamper data and Firefox

Cut the Trunk – Owning the Webserver

Now we are ready to change our state of mind to attacker mode. The first step of the attack phase is to log in to the server to get the session cookie. For this task I first try the simplest way, using Tamper Data. I start Firefox, type the URL http://192.168.254.202/dvwa/login.php and open "Tools" – "Tamper Data"; now I can "Start Tamper". I type the username "admin" and the password "password" on the login page and click the "Login" button. (See Figure 17).

I choose "Tamper" and I can copy the session cookie. (See Figure 18). I confirm with "OK" and "Submit" in the next pop-up, and now I can stop tampering.

This operation can be done in the same manner with Burp Proxy, so let me show you how.

I start Burp Suite from bash with:

    java -jar /pentest/web/burpsuite/burpsuite_free_v1.5.jar

Then I set up the proxy configuration in Firefox: "Edit" – "Preferences" – "Advanced" – "Network" – "Settings", choose "Manual proxy configuration" with HTTP proxy address 127.0.0.1 and port 8080, and save the configuration. (See Figure 19).

Now I load the login page of my vulnerable web app. Every time a page is transmitted or received, Burp will prompt you with a flashing icon, and you can choose to continue with the "Forward" button. Again, you must log in with the username and password when prompted by the application, and now you can intercept the PHPSESSID in Burp. (See Figure 20).

After this you can close Burp and delete the proxy configuration in Firefox.

In the real world we could intercept this session id by sniffing or with other stealing techniques. The image shows the cookie being intercepted by sniffing the wire with Wireshark. (See Figure 21).

Now the first step is finished. I have the session cookie and I can use it to inject the application with sqlmap. In Backtrack, sqlmap is located in /pentest/database/sqlmap/, but before the injection I take a look at the vulnerable web page. The page is http://192.168.254.202/dvwa/vulnerabilities/sqli and you can reach it with the button "SQL Injection" on the left of the login page. I tried some input on the page: I tried entering "1" in the "User ID" field, and now I can copy the URL and use it as the injection URL for sqlmap. (See Figure 22).

Figure 18. Get the session cookie

Figure 19. Configure proxies in Firefox

Figure 20. The session cookie again

Figure 21. Another way to get the session cookie

For testing my injection I need some parameters: the first is the session cookie, which I already have; the second is the vulnerable URL, which I also have. (In the real world I might not know where the vulnerable one is located and I would need to try ALL possibly vulnerable URLs, but for testing purposes I submit the vulnerable URL directly.)

Pause for Reflection

One way to try SQL injection is to insert a single quote into the input; if we are using the low security level in DVWA we can see an error page. (See Figure 23).

But if we set the DVWA security level to high we do not see anything, and naturally I want to use high security.

In DVWA, for learning purposes, the security level is controlled by the cookie "security=high", but in real life this is not that easy. (See Figure 24).

Next, I open a shell, change directory with cd /pentest/database/sqlmap/ and try my first automated injection:

    ./sqlmap.py --cookie='security=high; PHPSESSID=gl9kses7umi8rvmo34l184ka22' -u 'http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --string='surname' --dbs

This command, with the security level set to high, does not work, as you can see in the next image. (See Figure 25).

Now I try to inject my second string:

    ./sqlmap.py --cookie='security=medium; PHPSESSID=gl9kses7umi8rvmo34l184ka22' -u 'http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --string='surname' --dbs

If you use the security level set to low, the injection is simple, but with the security level set to medium the PHP function mysql_real_escape_string is used to prepend backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. This means that the SQL server will interpret single or double quotes as text. At this point it is necessary to enter any text requiring quotes as its ASCII hex-encoded equivalent. In this case, the syntax table_name='users' becomes table_name=0x7573657273 (see Figures 26 and 27).

Figure 22. Normal operation of the web page

Figure 23. Trying sqli...

Figure 24. dvwa security

Figure 25. First injection with sqlmap

Figure 26. Second injection with sqlmap

Sqlmap has extracted the available databases; at this point the web app is yours. Just a couple of steps remain for extracting all the data and, if needed, for password cracking.

In the real world I do not know the names of the application databases, but normally they are pretty simple to guess. In my lab the installed databases are:

[*] cdcol
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

It is not too difficult to suppose that the database name is "dvwa", and I pass this information to the sqlmap injection as a parameter. With this additional info, the injection string for extracting the database tables becomes:

    ./sqlmap.py --cookie='security=medium;PHPSESSID=gl9kses7umi8rvmo34l184ka22' -u 'http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --string='Surname' -D dvwa --tables

(see Figure 28). And the result is shown in Figure 29.

Now we dump the table… I think that the "users" table is more interesting, so let me look inside with this injection:

    ./sqlmap.py --cookie='security=medium; PHPSESSID=gl9kses7umi8rvmo34l184ka22' -u 'http://192.168.254.202/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --string='Surname' -D dvwa -T users --dump

(see Figure 30).

Ok, now I have the username and the password hash (if in your application the passwords are in plaintext, the task is already ended at this step), and if I suppose that these hashes are MD5, I can try to crack them in different ways. Today I try cracking them by querying a website: http://www.md5decrypter.co.uk/ (see Figure 31).

But it is also possible to crack the MD5 hash with rainbow tables, or with the evergreen "John the Ripper".

Figure 27. Second injection with sqlmap: the results

Figure 28. Go deeper with sqlmap

Figure 29. Go deeper with sqlmap: the results

Figure 30. Get password hash

Figure 31. Sorry john the ripper, tonight I don't want to work hard…

Just to end the article: if you set the security level to high, you will use these two functions: stripslashes and is_numeric. The specific piece of code is:

    // Retrieve data
    $id = $_GET['id'];
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);
    // Only a value that passes the numeric check reaches the query
    if (is_numeric($id)) {
        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
    }

To my knowledge this code is pretty secure; the idea of the DVWA developers was to teach other developers how to write secure code. At this URL http://0xzoidberg.wordpress.com/2010/06/13/sql-injection-dvwa-continued/ you can find some additional information about the code.

It is also interesting to analyze the use of the deprecated magic_quotes function in an attempt to increase security: http://blog.kotowicz.net/2009/10/hardening-php-magicquotesgpc-false.html.
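To make the difference between the medium and high levels concrete, here is an added example in Python (not DVWA's code and not the article's). It models the escaping the article attributes to mysql_real_escape_string, the is_numeric gate from the high-level code above, the hex-literal form the article shows for string constants, and, as the hardened alternative, a parameterized query against a constructed in-memory SQLite table. The function names, the sample rows and the assumption that the medium level interpolates the escaped value without surrounding quotes are this example's own; the article does not show the medium-level code.

```python
import re
import sqlite3

# Characters the article says mysql_real_escape_string() prefixes with a
# backslash: NUL, \n, \r, backslash, single quote, double quote and \x1a.
_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

QUERY = "SELECT first_name, last_name FROM users WHERE user_id = "


def escape_like_mysql(value):
    """Model of mysql_real_escape_string(): only backslash-prefixes the listed characters."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_numeric(value):
    """Approximation of PHP is_numeric(): optional sign, digits, optional fraction and exponent."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", value) is not None


def to_hex_literal(text):
    """MySQL hex string literal, as in the article: 'users' -> 0x7573657273."""
    return "0x" + text.encode("ascii").hex()


def build_query(user_id, level):
    """SQL text a DVWA-style page would build for ``id`` at each level; None when rejected.

    'low' and 'high' follow the article. 'medium' is an assumption of this example:
    the escaped value is interpolated without surrounding quotes.
    """
    if level == "low":
        return QUERY + f"'{user_id}'"
    if level == "medium":
        return QUERY + escape_like_mysql(user_id)
    if level == "high":
        escaped = escape_like_mysql(user_id)
        if not is_numeric(escaped):
            return None          # the is_numeric gate: anything non-numeric never reaches SQL
        return QUERY + f"'{escaped}'"
    raise ValueError(f"unknown security level {level!r}")


def demo_db():
    """Constructed in-memory stand-in for DVWA's users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn


def lookup_concatenated(conn, user_id, level):
    """Runs whatever build_query produced; None stands for DVWA's `or die(...)` path."""
    sql = build_query(user_id, level)
    if sql is None:
        return []
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter and never becomes SQL text."""
    return conn.execute(QUERY + "?", (user_id,)).fetchall()
```

Feeding the same input to build_query at each level shows the point of the article's high-level code: a value containing no quote characters passes through the escaping untouched, so at the medium level it is the unquoted numeric context, not the escaping, that decides what the database sees; at the high level is_numeric rejects it before any SQL is built, and with a bound parameter the question does not arise at all.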

I hope this article helped you take your first steps into the world of web application security…, especially without going to jail. DVWA offers a lot of other examples of various issues, and you can find other vulnerable apps, on-line or for installation on local web servers, for testing and improving your skills without risk. Hack to live, live to hack!

Guglielmo Scaiola

Guglielmo Scaiola has worked as an I.T. Pro since 1987. He is a freelance consultant, pentester and trainer, and works especially in the banking environment. Over the years he has achieved several certifications, including: MCT, MCSA, MCSE, Security+, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA. In 2011 he was awarded the "Ec-Council Instructor – Circle of Excellence." He can be contacted at [email protected].

SCADA STEP BY STEP

Defending Industrial Control Systems with Data Diodes

Originally designed by government organizations to protect top secret information, data diodes are most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links.

In recent years I have seen an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure, due to the simple and virtually impenetrable nature of these devices. In this article we will explore the inner workings and practical control system applications of these unidirectional gateways and provide a step by step guide to creating your own using open source software.

What are Data Diodes?

Sometimes known as a unidirectional network or unidirectional security gateway, data diodes ensure the safety of sensitive information within a network. I prefer to call them "Data Diodes" when speaking about Industrial Control and Automation System (aka ICAS / ICS / SCADA / DCS systems) security because anyone with an electrical background almost instantly recognizes their function. By creating a physical barrier that only allows data transfers in one direction (hence the "uni" in unidirectional) we can enhance security in one of two ways:

• Making a network segment write only (see Figure 1).
• Making a network segment read only (the more common configuration for control systems), see Figure 2.

Figure 1. Write Only Control System Data Diode

Figure 2. Read Only Control System Data Diode

Strength in Simplicity

The strength of a Data Diode is its simplicity. At the core of all data diodes is a simple duplex fiber optic connection (fiber optic connections often have a dedicated send / receive fiber strand) with either the send or the receive fiber disconnected. Severing one of the physical fiber connections makes it impossible to send data in one direction. (See Figure 3).

What are the Typical Applications of a Data Diode?

Data diodes were originally developed for use in the defense industry in order to protect top secret information from getting into the wrong hands. If you read the marketing materials put out by the data diode vendors you will see they are sprinkled with military terms like "tactical deployment" and "warfighter operations", which is a clear indication of the audience they are targeting. Most data diodes on the market today have an impressive array of top level security certificates from countries around the world. Data diodes have been blessed by NERC (North American Electric Reliability Corporation) as a compliant solution for protecting critical infrastructure like power plants. Their ability to securely manage high-traffic systems makes them ideal for use in a control system environment. A data diode is an effective defense against data exfiltration (a military term for the covert retrieval of sensitive data), which many Advanced Persistent Threats (APTs) like Flame and the Night Dragon attacks are designed to perform. If the corporate network is unable to send data into the control network, the control network will still be secure if the corporate network is compromised. Also, if an industrial control system is compromised by a deep penetrating worm, the hacker will be unable to send commands or updates because of the one way network traffic gateway. (See Figure 4).

Figure 3. Fiber Optic Patch Cable link at the Heart of a Data Diode

Figure 4. Typical Advanced Persistent Threat

ICSSec (Industrial Control System and Automation System Security) in the Real World

If you believe in the so called control system "Air Gap" then I have a unicorn farm run by leprechauns I would love to sell you. I will not dispute the fact that it is a terrible idea to directly connect any piece of industrial equipment or SCADA system to the Internet. However, in my experience most control systems are indirectly connected to the Internet. Why would anyone be foolish enough to indirectly connect a SCADA / DCS system to the Internet? The answer is simple: people need the data. The data generated by an industrial control system is pure gold; far too valuable not to be connected to the corporate network. Data taken directly from the SCADA / DCS is used by most business units in an organization, for example:

• Accounting
  • How many widgets did we produce?
  • How much oil did we pump?
  • How much process downtime did we have?
• Regulatory Compliance
  • How much greenhouse gas did our process produce?
  • Did the formula change for the drug we are manufacturing?
• Health and Safety
  • For the past 15 years has the toxic gas our workers have been exposed to been within a safe limit?
• Preventative Maintenance
  • How many running hours until we need to rebuild that motor?
• Process Optimization
  • What are the most common alarms?
  • How long does it take the operator to intervene in the SCADA system when the process enters an abnormal situation?
  • What was the energy usage in DCS A compared to DCS B?
• Quality Control
  • Was there a problem with the process while we were making the product with serial #192813?

Keep in mind that many control systems are in remote locations, far from the corporate headquarters that pay their bills. Most people are not willing to jump on a plane to collect some data they need for a report, and reading values over the phone is very error prone. The Internet is the most cost effective way of transmitting data over long distances. Often the bridge between the corporate network and the industrial control network is a gateway computer, a firewall or a series of firewalls. Firewalls rely on many layers of software to segment a network. Due to the nature of software, a small oversight in the real-time OS, rule engine, configuration or installation could allow an attacker to bypass the firewall completely. ICSsec (Industrial Control System and Automation System Security) guidelines suggest that firewalls from multiple vendors should be used in case one vendor’s firewall is compromised (NIST 800-82, IEC 62443 formerly ANSI/ISA99). Firewalls certainly play an important role in any control system’s Defense in Depth (DiD) strategy, but it is important to remember that history has shown us that they are not impenetrable. If you are only interested in accessing the valuable information that a control system is producing, then a data diode is a more secure choice. You are providing read access to the data in the ICS without allowing anyone to write data to the ICS. A typical example is transferring data from one SQL server in your ICS to another SQL server in your corporate network. If the corporate network is compromised there is no physical way data can be sent to the control network. (See Figure 5).

Figure 5. Database Replication through a Data Diode

Figure 6. TCPIP SYN ACK Two Way Communication

Figure 7. Data Diode Reverse Proxy Servers

The Problem with One Way Data

If you are familiar with TCP/IP (Transmission Control Protocol), you are probably questioning the practicality of such a solution, as TCP/IP requires two way communication to work. TCP/IP requires a two way handshake (SYN / ACK) in order to establish a connection and terminate a connection. In fact there is a very common misconception that it is impossible to use TCP/IP connections through a data diode. (See Figure 6).

There are two ways around this problem:

• UDP (User Datagram Protocol) variants of protocols should be used when available. UDP is a lightweight protocol typically used for speed as it does not waste network bandwidth by handshaking or data integrity checksums.

• TCP/IP client-server reverse proxies on either end of the data diode can be set up to respond to the handshaking requests automatically without the need to actually send any data back to the insecure network. A reverse proxy server retrieves data from another computer and serves it up as if it were the original source. Reverse proxies are most frequently used to speed up the delivery of web content and reduce the load on the content main server. The client-server proxies solution should work in most cases; however, thorough testing should be completed in a lab environment before deploying a data diode solution into an ICS. (See Figure 7).

Figure 8. Two Bare Bone Mini-PCs for our homemade data diode

Figure 9. Two PCI Express Fiber Optic ST Cards for the Fiber Optic Link in our do-it-yourself Data Diode
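As an added illustration of the reverse-proxy approach just described (not code from the article or from any product), the following Python sketch shows what the two proxies have to do: the sender side completes the TCP handshake locally and frames the payload into UDP-sized datagrams for the one-way link, and the receiver side rebuilds the stream without ever being able to ask for a retransmission. The frame layout, the function names and the repeat-every-frame strategy are my own assumptions.

```python
"""Added example: framing a TCP payload for a one-way (data diode) link.
The sender-side proxy slices the stream into self-describing datagrams and,
because no ACK can ever come back, simply sends each one twice; the
receiver-side proxy drops corrupt frames, ignores duplicates, reports gaps
and rebuilds the stream for the local consumer. Frame layout is assumed."""
import struct
import zlib

MAGIC = b"DIOD"
HEADER = struct.Struct("!4sIII")   # magic, stream id, seq, total frames
CRC = struct.Struct("!I")          # CRC32 over header + body


def frame_stream(payload: bytes, stream_id: int, chunk: int = 8, repeat: int = 2) -> list:
    """Split one payload into frames, each emitted `repeat` times.
    Repetition is the only 'retransmission' available on a one-way link."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = []
    for seq, body in enumerate(chunks):
        head = HEADER.pack(MAGIC, stream_id, seq, len(chunks))
        frame = head + body + CRC.pack(zlib.crc32(head + body))
        frames.extend([frame] * repeat)
    return frames


def parse_frame(frame: bytes):
    """Return (stream_id, seq, total, body), or None if the frame is corrupt."""
    if len(frame) < HEADER.size + CRC.size:
        return None
    head, body, crc = frame[:HEADER.size], frame[HEADER.size:-CRC.size], frame[-CRC.size:]
    magic, stream_id, seq, total = HEADER.unpack(head)
    if magic != MAGIC or CRC.unpack(crc)[0] != zlib.crc32(head + body):
        return None
    return stream_id, seq, total, body


class Receiver:
    """Receiver-side proxy state: collects frames per stream, ignores duplicates."""

    def __init__(self):
        self.streams = {}  # stream_id -> {"total": n, "parts": {seq: body}}

    def feed(self, frame: bytes) -> bool:
        parsed = parse_frame(frame)
        if parsed is None:
            return False  # corrupt: drop it, nothing can be requested back
        stream_id, seq, total, body = parsed
        st = self.streams.setdefault(stream_id, {"total": total, "parts": {}})
        st["parts"].setdefault(seq, body)  # repeated copies are ignored
        return True

    def missing(self, stream_id: int) -> list:
        """Sequence numbers not yet seen; the only loss signal the receiver has."""
        st = self.streams.get(stream_id)
        if st is None:
            return []
        return [s for s in range(st["total"]) if s not in st["parts"]]

    def assemble(self, stream_id: int):
        """Return the rebuilt payload, or None while frames are still missing."""
        if stream_id not in self.streams or self.missing(stream_id):
            return None
        st = self.streams[stream_id]
        return b"".join(st["parts"][s] for s in range(st["total"]))


def one_way_link(frames: list, drop: set = frozenset()) -> list:
    """Constructed model of the fiber: delivers frames in order, loses the
    frame positions listed in `drop`, and never carries anything back."""
    return [f for i, f in enumerate(frames) if i not in drop]


if __name__ == "__main__":
    # Constructed sample: a small replication statement crossing the diode.
    msg = b"INSERT INTO tags VALUES ('pump1_flow', 42.5);"
    rx = Receiver()
    # Lose one of the two copies of frame 0 and one of the two copies of frame 1.
    for f in one_way_link(frame_stream(msg, 7), drop={0, 3}):
        rx.feed(f)
    print(rx.assemble(7), rx.missing(7))
```

The point to test in the lab before deployment is the failure mode: when both copies of a frame are lost, `missing()` reports the gap but nothing upstream will ever learn of it.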

How to Roll Your Own Data Diode

If you were to crack open a typical data diode you will see it is simply made up of two mini-PCs with a fiber-optic link running between them. There are dozens of patents around variants of data diodes and data diode software. For example there is a patent for a data diode that only uses a single computer to handle both ends of the connection (which seems less secure to me). A fiber link between two computers is far too simple a concept to patent, so you won’t end up in court creating a data diode in this configuration. Now let’s step through the process of creating our own data diode.

Step 1. Purchase two computers

It is important to find a small form factor computer which supports a PCI-Express card, since each of our two (reverse) proxy servers needs a fiber optic PCI-Express card. For most industrial applications I would purchase a couple of fan-less industrial PCs with solid state hard drives that can be stored in a locked computer panel box or server room.

For the purposes of our proof of concept I will purchase two low cost PCs:

• Slim bare bones PC with a PCI-Express card slot
• Solid State Hard Disk drive
• 2 Gigs memory
• i5 Processor

These PCs should come with an integrated Ethernet card which we will plug our network connection through.

2 x – Barebones PC with PCI-Express card slot – $600.00 each (see Figure 8).

Step 2. Purchase two fiber optic PCI-express cards

If you don’t have experience with fiber optic networks you need to be aware of the many standards and modes that are available. It is critical that you select fiber optic cards and a patch cable that are all compatible. I have selected multi-mode “Fiber-to-the-desk” PCI-Express cards with ST connectors, which make it very easy to disconnect one of the fiber links.

2 x – Gigabit Ethernet Multi-Mode ST Fiber Card 1000Mbps PCI-Express – $200.00 each (see Figure 9).

Step 3. Purchase a fiber optic patch cable

I have found a suitable multi-mode fiber patch cord with male connectors on each end:

3m Multi-Mode 62.5/125 Duplex Fiber Patch Cable ST – ST – $12.00 (see Figure 10).

Figure 10. The heart of our handcrafted unidirectional gateway is the ST Fiber Optic Patch cable

Step 4. Install a Secure Operating System on the PCs

I prefer to use OpenBSD because it is free, open source, ultra-secure out of the box and I have friends here in Calgary who are OpenBSD gurus.

Step 5. Configure your Reverse Proxy

Depending on the data you want to replicate you can, for example, configure an open source reverse proxy like nginx (engine x) and use your database’s web services to replicate the data.

Step 6. Disconnect one of the fiber optic ST connectors

Once you have your two proxy servers configured and communicating with each other you can simply disconnect one of the two fiber ST connectors. You will likely need to spend time properly configuring your reverse proxy servers to relay the information correctly and you will need to write some scripts in your database to perform the continuous data replication. (See Figure 11).

Figure 11. Our completed home brew data diode configuration

For a total cost of $1612 and some tender loving coding, you too can have your own home-brew Data Diode!

Conclusion

Data Diodes represent a simple yet virtually impenetrable way of segmenting a network. They have been used for years to secure classified information by government organizations and are an excellent complement to firewalls in a typical control system’s defense in depth strategy. Adding a data diode to your network doesn’t have to cost tens of thousands of dollars either. You can reap the benefits of a unidirectional data diode for a few thousand dollars and some technical elbow grease.

AUSTIN SCOTT

Austin Scott is CEO of Synergist SCADA Inc and heads up a talented team that offers a consummate blend of controls expertise, industry know-how, and advanced software development skills. “Synergist SCADA Inc. is focused on maximizing the effectiveness of our customers’ SCADA investment. We provide control systems design, upgrade strategies, HMI / SCADA / PLC programming, security audits, and field services.” Austin Scott is currently authoring a book on pragmatic ICS Security practices that is due out this summer.


SOCIAL ENGINEERING

Information Security Policy (ISMS)

These days about 90% of business depends on information security, as information can be accessed through the Internet from anywhere. The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not. For the security of confidential information, information security policy standards were introduced (BS7799, ISO17799, ISO 27000, ISO 27001, ISO 27002). These all depend on three key aspects, i.e. Confidentiality, Integrity and Availability.

The Security Policy is a plan, outlining what the company’s critical assets are, and how they must be protected. A company should conduct a vulnerability assessment prior to creating its security policy. The vulnerability assessment is performed by reviewing the network, application and system architecture and auditing the equipment and software within the same. The assessment produces a document that defines and prioritizes the potential risks along with costs to address potential vulnerabilities.

Scope

• How sensitive information must be handled
• How to properly maintain your ID(s) and password(s), as well as any other accounting data.
• How to respond to a potential security incident, intrusion attempt, etc.
• How to use workstations and Internet connectivity in a secure manner.
• How to properly use the corporate e-mail system.

Introduction

Information is an asset that the organization has a duty and responsibility to protect. The availability of complete and accurate information is essential to the organization functioning in an efficient manner and to providing products and services to customers.

The organization holds and processes confidential and personal information on private individuals, employees, partners and suppliers and information relating to its own operations. In processing information the organization has a responsibility to safeguard information and prevent its misuse.

The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organization’s information assets:

• to protect the organization’s information from all threats, whether internal or external, deliberate or accidental,
• to enable secure information sharing,
• to encourage consistent and professional use of information,
• to ensure that everyone is clear about their roles in using and protecting information,
• to ensure business continuity and minimize business damage,
• to protect the organization from legal liability and the inappropriate use of information.

The Information Security Policy is a high level document, and adopts a number of controls to protect information. The controls are delivered by policies, standards, processes, procedures, supported by training and tools.

Why have an Information Security Policy?

To ensure that the company continually operates in accordance with the specified policies or procedures and external requirements in meeting company goals and objectives in relation to information security.

To ensure that improvements to the ISMS (Information Security Management System) are identified, implemented and suitable to achieve objectives.

What is an Information Security Policy?

Information Security works mainly on three aspects:

• Confidentiality.
• Integrity.
• Availability.

Confidentiality

Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users.

Integrity

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Availability

Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.


Privacy Policy for customers

It is a part of our company’s core values that we will properly value and protect any information entrusted to us about our customers. This policy describes how we will safeguard personal and company information, to ensure peace of mind when dealing with our company.

It is our policy that:

• Our company will collect only that information about customers which is needed and relevant.

• Our company will not disclose information to other parties unless customers have been properly notified of such a disclosure.

• Our company will strive to make certain that information about customers is kept accurate and up-to-date.

Our company will use appropriate controls to en-sure that this information is kept secure, and is only viewed or used by the proper personnel.

Our company will comply with applicable laws, regulations, and industry standards when protect-ing employee information.

We hold our employees, vendors, contractors, suppliers, and trading partners to meet this same set of policies.

Risk Analysis (Identifying The Assets)

As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality – an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it.

In order to be able to conduct a successful Risk Analysis, you need to get well acquainted with the ways a company operates; if applicable, the ways of working and certain business procedures, which information resources are more important than others (prioritizing), and identifying the devices / procedures that could lead to a possible security problem.

List everything that is essential for the proper functionality of the business processes; like key applications and systems, application servers, web servers, database servers, various business plans, projects in development, etc.

A basic approach would be:

• Identify what you’re trying to protect
• Look at whom you’re trying to protect it from
• Define what the potential risks are to any of your Information Assets
• Consider monitoring the process continually in order to be up to date with the latest security weaknesses.

A possible list of categories to look at would be:

• Hardware: All servers, workstations, personal computers, laptops, removable media (CDs, floppies, tapes, etc.), communication lines, etc.
• Software: Identify the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc.
• Personnel: Those who have access to confidential information, sensitive data, those who “own”, administer or in any way modify existing databases.

Risk management

Physical/Desktop & Password Security Policy.

• No third party or any other employee can enter the floor without an access card.
• Employees with a company ID card are allowed on the floor.
• Systems can be accessed only with a unique ID and password.
• No personal data can be stored on the system.
• No data can be transferred through Bluetooth or wifi.
• No third party tool can be installed on the system.
• Unofficial sites should be blocked.
• Only licensed software should be used.
• Floppy disks, CDs and hard drives are not allowed in the office.
• No company assets can be logged into remotely.
• Critical infrastructure should be placed in a secure location (preferably a locked room) to prevent unauthorized access. Ensure that portals to critical infrastructure are closed and locked.
• Do not let unauthorized laptops or memory sticks into a secure location. If laptops or memory sticks are required, set up processes to ensure that all portable media are scanned for malware with up to date scanning software before allowing contact with a network host.

ID management

• Each user should have a unique user name and password. Usernames and passwords should not be shared, to enable easier tracking of system events.
• Solutions must enable the creation, editing, and deletion of users while the system is active.
• The system must not provide a “back door” allowing bypass of authentication procedures.
• Critical data like user names and passwords must be stored in a secure data repository using encryption technology. Access rights to the repository require authentication and should be made available only to trusted personnel.
• Implement password aging.
• Passwords should be more than 8 characters, alphanumeric, with special characters, and a mix of upper and lower case characters.
• Users should change the password after first login with the default password.
• Authorized users should change the default password on equipment.
• Use switch port-based MAC address management to deny access to non-authorized users.
• Remote authentication should use encryption technology to transfer user name and password through the system.
• Limit software installation and execution privileges to specific employees. When risk is high, implement two and three factor authentication (password, physical device – smart key, and biometrics) or real-time confirmation by a second person.
• Restrict user access to data archives.
• Authentication should be required to modify product firmware.

Server and OS management

Securing the server Operating System.

After the installation and deployment of the OS, the following basic steps are necessary to secure the OS:

• Patch and update the OS.
• Harden and configure the OS to address security adequately.
• Install and configure additional security controls, if needed.
• Test the security of the OS to ensure that the previous steps adequately address all security issues.

The combined result of these steps should be a reasonable level of protection for the server’s OS.

Patch and upgrade OS

• Create, document, and implement a patching process.
• Identify vulnerabilities and applicable patches.
• Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed).
• Install permanent fixes (patches, upgrades, etc.).

Hardening and securely configuring the OS

Administrators should perform the following steps to harden and securely configure a server OS:

• Remove unnecessary applications, services and network protocols.
• Configure OS authentication.
• Configure resource controls appropriately.

Removing or disabling unnecessary services enhances the security of a server in several ways:

• Other services cannot be compromised and used to attack the host or impair the services of the server. Each service added to a host increases the risk of compromise for that host because each service is another possible avenue of access for an attacker. Less is more secure in this case.
• Other services may have defects or may be incompatible with the server itself. By removing or disabling them, they should not affect the server and should potentially improve its availability.
• The host can be configured to better suit the requirements of the particular services. Different services might require different hardware and software configurations, which could lead to unnecessary vulnerabilities or negatively affect performance.
• By reducing services, the number of logs and log entries is reduced; therefore, detecting unexpected behavior becomes easier.

Configure OS user Authentication

Remove or Disable Unneeded Default Accounts – The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known in the attacker community.

Disable Non-Interactive Accounts – Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell or provide a login shell with NULL functionality (e.g., /bin/false).

Create the User Groups – Assign users to the appropriate groups. Then assign rights to the groups, as documented in the deployment plan. This approach is preferable to assigning rights to individual users, which becomes unwieldy with large numbers of users.

Create the User Accounts – The deployment plan identifies who will be authorized to use each computer and its services. Create only the necessary accounts. Permit the use of shared accounts only when no viable alternatives exist. Have ordinary user accounts for server administrators that are also users of the server.

Configure Automated Time Synchronization – Some authentication protocols, such as Kerberos, will not function if the time differential between the client host and the authenticating server is significant, so servers using such protocols should be configured to automatically synchronize system time with a reliable time server. Typically the time server is internal to the organization and uses the Network Time Protocol (NTP) for synchronization; publicly available NTP servers are also available on the Internet.

Check the Organization’s Password Policy – Set account passwords appropriately. Elements that may be addressed in a password policy include the following:

• Length – a minimum length for passwords, i.e. 8 characters.
• Complexity – the mix of characters required. An example is requiring passwords to contain uppercase letters, lowercase letters, and non-alphabetic characters, and to not contain dictionary words.
• Aging – how long a password may remain unchanged. Many policies require users and administrators to change their passwords periodically. In such cases, the frequency should be determined by the enforced length and complexity of the password, the sensitivity of the information protected, and the exposure level of passwords. If aging is required, consideration should be given to enforcing a minimum aging duration to prevent users from rapidly cycling through password changes to clear out their password history and bypass reuse restrictions.
• Reuse – whether a password may be reused. Some users try to defeat a password aging requirement by changing the password to one they have used previously. If reuse is prohibited by policy, it is beneficial, if possible, to ensure that users cannot change their passwords by merely appending characters to the beginning or end of their original passwords (e.g., the original password was “mysecret” and is changed to “1mysecret” or “mysecret1”).
• Authority – who is allowed to change or reset passwords and what sort of proof is required before initiating any changes.
• Password Security – how passwords should be secured, such as not storing passwords unencrypted on the server, and requiring administrators to use different passwords for their server administration accounts than their other administration accounts.

Some common tips for password security:

• Always use at least an 8 character password with a combination of letters, numbers and special characters (>, %, @, #, $, ^)
• Use passwords that can be easily remembered by you
• Change password regularly as per policy
• Use a password that is significantly different from earlier passwords.

Some common things we should not do are:

• Don’t use passwords which reveal your personal information or words found in the dictionary.
• Don’t write down or store passwords.
• Don’t share passwords over phone or email.
• Don’t use passwords which do not match the above complexity criteria.
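The password rules above, as an added example that is not part of the original article: a Python checker for the length, complexity, dictionary and reuse elements listed, including the rule that an old password with characters merely added at the front or back is rejected. The word list, the rule names, the hashing choice and the sample passwords are constructed assumptions for illustration.

```python
"""Added example: enforce the password policy elements described above.
The dictionary and the rule names are assumptions; a real deployment would
load a proper word list and keep only salted hashes of previous passwords."""
import hashlib
import re

MIN_LENGTH = 8
SPECIALS = set(">%@#$^!&*()-_=+")
# Constructed stand-in for a dictionary file.
DICTIONARY = {"secret", "password", "welcome", "company", "summer"}


def password_hash(password: str) -> str:
    """Hash used for the reuse history (unsalted SHA-256 only to keep the example short)."""
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_failures(password: str) -> list:
    """Return the names of the policy rules the password violates (empty = compliant)."""
    fails = []
    if len(password) < MIN_LENGTH:
        fails.append("length")
    if not re.search(r"[A-Z]", password):
        fails.append("uppercase")
    if not re.search(r"[a-z]", password):
        fails.append("lowercase")
    if not re.search(r"[0-9]", password):
        fails.append("digit")
    if not any(c in SPECIALS for c in password):
        fails.append("special")
    low = password.lower()
    if any(word in low for word in DICTIONARY):
        fails.append("dictionary")
    return fails


def is_trivial_variant(new: str, old: str) -> bool:
    """True if `new` is `old` with characters only added at the front or back,
    the 'mysecret' -> '1mysecret' / 'mysecret1' trick the policy text describes."""
    if not old or len(new) < len(old):
        return False
    new_l, old_l = new.lower(), old.lower()
    return new_l.startswith(old_l) or new_l.endswith(old_l)


def check_password(new: str, history: list, old_plain: str = None) -> list:
    """Full check: complexity, reuse against the hashed history, and the
    trivial-variant rule. `old_plain` is the current password, which the user
    supplies at change time; older passwords are compared by hash only."""
    fails = complexity_failures(new)
    if password_hash(new) in history:
        fails.append("reused")
    if old_plain is not None and is_trivial_variant(new, old_plain):
        fails.append("variant_of_previous")
    return fails


if __name__ == "__main__":
    history = [password_hash("mysecret")]          # constructed history
    for candidate in ("mysecret1", "1mysecret", "Tr0ub@dorX9"):
        print(candidate, check_password(candidate, history, old_plain="mysecret"))
```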

Install and Configure Additional Security Controls

OSs often do not include all of the security controls necessary to secure the OS, services, and applications adequately. In such cases, administrators need to select, install, configure, and maintain additional software to provide the missing controls. Commonly needed controls include the following:

• Anti-malware software, such as antivirus software, anti-spyware software, and rootkit detectors, to protect the local OS from malware and to detect and eradicate any infections that occur. Examples of when anti-malware software would be helpful include a system administrator bringing infected media to the server and a network service worm contacting the server and infecting it.
• Host-based intrusion detection and prevention software (IDPS), to detect attacks performed against the server, including DoS attacks. For example, one form of host-based IDPS, file integrity checking software, can identify changes to critical system files.
• Host-based firewalls, to protect the server from unauthorized access.
• Patch management or vulnerability management software to ensure that vulnerabilities are addressed promptly. Patch management and vulnerability management software can be used only to apply patches or also to identify new vulnerabilities in the server’s OSs, services, and applications.

Security Testing the Operating System

Periodic security testing of the OS is a vital way to identify vulnerabilities and to ensure that the existing security precautions are effective and that security controls are configured properly (for example, the required cryptographic algorithms are in use to protect network communications). Common methods for testing OSs include vulnerability scanning and penetration testing. Vulnerability scanning usually entails using an automated vulnerability scanner to scan a host or group of hosts on a network for application, network, and OS vulnerabilities. Penetration testing is a testing process designed to compromise a network using the tools and methodologies of an attacker. It involves iteratively identifying and exploiting the weakest areas of the network to gain access to the remainder of the network, eventually compromising the overall security of the network. Vulnerability scanning should be conducted periodically, at least weekly to monthly, and penetration testing should be conducted at least annually. Both of these testing techniques are also applicable to testing the server application.

Factors to be considered when deciding whether to test the production server or a similarly configured non-production server include the following:

• The possible impact to the production server. If a certain test technique is likely to cause a denial of service, then that technique should probably be used against the non-production server.
• The presence of sensitive personally identifiable information (PII). If testing could expose sensitive PII, such as Social Security Numbers (SSN) or credit card information, to people without authorization to see it, then organizations should consider performing the testing on a non-production server that holds a false version of the PII (e.g., test data instead of actual sensitive PII).
• How similarly the production and non-production servers can be configured. In practice, there are usually inconsistencies between the test and production environments, which can result in missed vulnerabilities if the non-production servers are used.

Logging

Logging is a cornerstone of a sound security posture. Capturing the correct data in the logs and then monitoring those logs closely is vital. Network and system logs are important, especially system logs in the case of encrypted communications, where network monitoring is less effective. Server software can provide additional log data relevant to server-specific events.

Reviewing logs is mundane and reactive, and many server administrators devote their time to performing duties that they consider more important or urgent. However, log files are often the only record of suspicious behavior. Enabling the mechanisms to log information allows the logs to be used to detect failed and successful intrusion attempts and to initiate alert mechanisms when further investigation is needed. Procedures and tools need to be in place to process and analyze the log files and to review alert notifications.

Server Logs ProvideAlerts to suspicious activities that require further investigation.

• Tracking of an attackers activity.• Assistance in the recovery of the server.• Assistance in the post recovery of the server.• Required information for the local proceedings.• The selection and implementation of specific

server software determines which actions the server administrator should perform to estab-lish logging configurations.

Server Data Backup PoliciesAll organizations need to create a server data backup policy.

• Purpose of the policy • Parties affected by the policy • Servers covered by the policy • Definitions of key terms, especially legal and

technical • Detailed requirements from the legal, business,

and organization’s perspective • Required frequency of backups • Procedures for ensuring data is properly re-

tained and protected • Procedures for ensuring data is properly de-

stroyed or archived when no longer required • Procedures for preserving information for Free-

dom of Information Act (FOIA) requests, legal investigations, and other such requests

• Responsibilities of those involved in data reten-tion, protection, and destruction activities

• Retention period for each type of information logged

• Specific duties of a central/organizational data backup team, if one exists.

Server Backup TypesThree primary types of backups exist: full, incre-mental, and differential. Full backups include the OS, applications, and data stored on the server (i.e., an image of every piece of data stored on the server hard drives). The advantage of a full back-up is that it is easy to restore the entire server to the state (e.g., configuration, patch level, data) it was in when the backup was performed. The dis-advantage of full backups is that they take consid-erable time and resources to perform. Incremental backups reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental).

Differential backups reduce the number of back-up sets that must be accessed to restore a con-figuration by backing up all changed data since the last full backup. However, each differential backup increases as time lapses from the last full back-up, requiring more processing time and storage than would an incremental backup. Generally, full backups are performed less frequently (weekly to monthly or when a significant change occurs), and incremental or differential backups are performed more frequently (daily to weekly). The frequency of backups will be determined by several factors:

• Volatility of information on the site
  • Static content (less frequent backups)
  • Dynamic content (more frequent backups)
  • E-commerce/e-government (very frequent backups)
• Volatility of the server configuration
• Type of data to be backed up (e.g., system, application, log, or user data)
• Amount of data to be backed up
• Backup device and media available
• Time available for dumping backup data
• Criticality of data
• Threat level faced by the server
• Effort required for data reconstruction without a data backup
• Other data backup or redundancy features of the server (e.g., Redundant Array of Inexpensive Disks [RAID]).

Recovering From a Security Compromise

Most organizations eventually face a successful compromise of one or more hosts on their network. Organizations should create and document the required policies and procedures for responding to successful intrusions. The response procedures should outline the actions that are required to respond to a successful compromise of the server and the appropriate sequence of these actions (sequence can be critical). Most organizations already have a dedicated incident response team in place, which should be contacted immediately when there is suspicion or confirmation of a compromise. In addition, the organization may wish to ensure that some of its staff are knowledgeable in the fields of computer and network forensics.

(PenTest OPEN 03/2013, page 29, http://pentestmag.com)

A server administrator should follow the organization’s policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise. Examples of steps commonly performed after discovering a successful compromise are as follows:

• Report the incident to the organization’s computer incident response capability.
• Isolate the compromised systems or take other steps to contain the attack so that additional information can be collected.
• Consult expeditiously, as appropriate, with management, legal counsel, and law enforcement.
• Investigate similar hosts to determine if the attacker has also compromised other systems.
• Analyze the intrusion, including:
  • The current state of the server, starting with the most ephemeral data (e.g., current network connections, memory dump, file time stamps, logged-in users)
  • Modifications made to the server’s software and configuration
  • Modifications made to the data
  • Tools or data left behind by the attacker
  • System, intrusion detection, and firewall log files.
• Restore the server before redeploying it.
  • Either install a clean version of the OS, applications, necessary patches, and server content; or restore the server from backups (this option can be more risky because the backups may have been made after the compromise, and restoring from a compromised backup may still allow the attacker access to the server).
  • Disable unnecessary services.
  • Apply all patches.
  • Change all passwords (including on uncompromised hosts, if their passwords are believed to have been seen by the compromised server, or if the same passwords are used on other hosts).
  • Reconfigure network security elements (e.g., firewall, router, IDPS) to provide additional protection and notification.
• Test the server to ensure security.
• Reconnect the server to the network.
• Monitor the server and network for signs that the attacker is attempting to access the server or network again.
• Document lessons learned.

Based on the organization’s policy and procedures, system administrators should decide whether to reinstall the OS of a compromised server or restore it from a backup. Factors that are often considered include the following:

• Level of access that the attacker gained (e.g., root, user, guest, system)
• Type of attacker (internal or external)
• Purpose of compromise (e.g., Web page defacement, illegal software repository, platform for other attacks, data exfiltration)
• Method used for the server compromise
• Actions of the attacker during and after the compromise (e.g., log files, intrusion detection reports)
• Duration of the compromise
• Extent of the compromise on the network (e.g., the number of hosts compromised)
• Results of consultation with management and legal counsel.

The lower the level of access gained by the intruder and the more the server administrator understands about the attacker’s actions, the less risk there is in restoring from a backup and patching the vulnerability. For incidents in which less is known about the attacker’s actions and/or in which the attacker gained high-level access, it is recommended that the OS, server software, and other applications be reinstalled from the manufacturer’s original distribution media and that the server data be restored only from a known good backup.
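The trade-off between incremental and differential sets described in the backup section, together with the "known good backup" question raised in the recovery steps above, as an added, runnable illustration. This code is not part of the original article; the weekly schedule, the per-day change sizes in megabytes and the time at which evidence of compromise is first found are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupSet:
    taken_at: datetime
    kind: str       # "full", "incremental" or "differential"
    size_mb: int    # constructed figure, for illustration only


def restore_chain(sets: List[BackupSet], target: BackupSet) -> List[BackupSet]:
    """Sets that must be read, oldest first, to bring the server to 'target'.

    full          -> just the full
    differential  -> the last full before it, plus the differential
    incremental   -> the last full before it, plus every incremental up to it
    """
    ordered = sorted(sets, key=lambda s: s.taken_at)
    idx = ordered.index(target)
    if target.kind == "full":
        return [target]
    base = max(i for i in range(idx) if ordered[i].kind == "full")
    if target.kind == "differential":
        return [ordered[base], target]
    if target.kind == "incremental":
        between = ordered[base + 1:idx + 1]
        # a schedule pairs one full with either incrementals or differentials
        assert all(s.kind == "incremental" for s in between)
        return [ordered[base]] + between
    raise ValueError(f"unknown backup kind: {target.kind}")


def storage_used(sets: List[BackupSet]) -> int:
    """Total media consumed by a schedule."""
    return sum(s.size_mb for s in sets)


def latest_known_good(sets: List[BackupSet],
                      earliest_compromise_evidence: datetime) -> Optional[BackupSet]:
    """Newest set taken strictly before the earliest evidence of compromise.

    Every set in a restore chain is older than the target itself, so if the
    target predates the compromise the whole chain does too.  Returns None
    when no backup predates the compromise, i.e. rebuild from clean media.
    """
    candidates = [s for s in sets if s.taken_at < earliest_compromise_evidence]
    return max(candidates, key=lambda s: s.taken_at, default=None)


# Constructed schedule: a full on Sunday 3 March 2013, then one set per day.
FULL = BackupSet(datetime(2013, 3, 3), "full", 50_000)
DAILY_CHANGE_MB = [800, 600, 900, 700, 1200, 500]     # Mon .. Sat, constructed
# Constructed: first sign of compromise found in Thursday afternoon logs.
COMPROMISE_EVIDENCE_AT = datetime(2013, 3, 7, 14, 30)


def build_schedule(kind: str) -> List[BackupSet]:
    """Same week of changes, stored either as incrementals or as differentials."""
    sets = [FULL]
    cumulative = 0
    for day, changed in enumerate(DAILY_CHANGE_MB, start=1):
        cumulative += changed
        # an incremental holds one day's changes; a differential holds
        # everything changed since the full, so it grows day by day
        size = changed if kind == "incremental" else cumulative
        sets.append(BackupSet(FULL.taken_at + timedelta(days=day), kind, size))
    return sets


def compare_strategies(earliest_compromise_evidence: datetime) -> Dict[str, Dict]:
    result = {}
    for kind in ("incremental", "differential"):
        sched = build_schedule(kind)
        good = latest_known_good(sched, earliest_compromise_evidence)
        result[kind] = {
            "storage_mb": storage_used(sched),
            "sets_to_restore_newest": len(restore_chain(sched, sched[-1])),
            "known_good_taken_at": good.taken_at if good else None,
            "sets_to_restore_known_good": len(restore_chain(sched, good)) if good else None,
        }
    return result


if __name__ == "__main__":
    for kind, stats in compare_strategies(COMPROMISE_EVIDENCE_AT).items():
        print(kind, stats)
```

With the constructed week, the incremental schedule uses 54,700 MB of media but needs seven sets to restore Saturday's state, while the differential schedule uses 66,400 MB and needs only two; in both cases the last backup that can be trusted is Thursday's 00:00 set, because every later set was taken after the first evidence of compromise.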

Management Summary

This section has been created mainly with the idea of answering the most common questions a manager could ask as far as Information Security is concerned. Its purpose is to explain briefly, yet effectively, why from a management point of view one would want to invest in securing the core Information Assets of the company, and the potential risks attached to cutting the Information Security budget.

A lot of businesses (still) tend to ask why they should invest in information security, as sensitive data is backed up every day and, in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored and brought back up in a matter of minutes.

Whereas theoretically there is nothing wrong with this mode of thinking, and the procedures that are in place do provide a certain degree of security, practice has shown time and time again that the “classic” security methods such as virus scanner/backup/restore may not be enough to ‘hold the fort’. People still fail to realize that their Internet connectivity represents a big threat to the whole world if it is not properly secured; that there is hybrid code out there that will not only take out your network(s) and trash your data, but will also steal documents, passwords, etc.; and that there are people out there who will try to enter your systems for whatever reason and damage them.

A successful intrusion with the aim of purposefully causing damage to the business could damage the image of the company and the brand name to no end. It may take minutes to recover your corrupted files, but it may take years to clear a name or image.

A simple defacement of the company web site will show the world how insecure it (and, subsequently, your in-house systems) is or was, and that proper security measures were not in place; if it concerns an online shop, most of your clients will be afraid to use it anymore. Or imagine your company networks contributing to a worldwide, full-scale Distributed Denial of Service (DDoS) attack, which will definitely get you in trouble and/or damage your reputation a lot. Just imagine being in a situation where your company systems are unknowingly attacking other businesses online, or successful penetrations of other companies are performed using your networks!

Another common management mistake is plain and simple smugness. How many times have you heard phrases like: “we have recently purchased a well known firewall product to protect our company network”, “we have server level content blocking software as well”, “our administrator is a certified security professional”, or “we think we are pretty damn secure, so why should we invest in further security measures?”

Security is a never ending process that requires constant monitoring, updates, investment, research and implementation of new technologies, not forgetting the most important point: education of staff. No matter the amount of money you are prepared to spend, and no matter the technologies involved, the secret lies with the individual who configures your security system(s).

The Internet can be a very beneficial resource to your business; however, it brings certain risks with it. For the best possible results you will probably need to employ full-time specialists to take care of your (IT) security, thus ensuring you are capitalizing on the benefits of the Internet while having your critical data reasonably secured.

It is to be hoped that by now any company manager has enough background information to be able to ask the right questions of their security products vendor, or of the security consulting company building and developing their security solutions. I cannot stress enough, on the other hand, the importance of getting your company executives familiarized with all the risks posed by their Internet connectivity and other (IT) security issues; the clearer top company executives and decision makers are on the whole situation from a security point of view, the sooner an effective IT security policy/strategy will be in place!

Conclusion

The aim of this paper is to explore the process of building and implementing a successful Information Security Policy in detail, as well as giving various recommendations for the development of a Security Awareness Course.

The security within any organization starts with building a Security Policy, a centralized, evolving document defining what is allowed and what is not. Along with what I hope to be large amounts of useful information, I have provided you with some ready-made “Best Practices” sections on various security threats, as well as a sample Security Newsletter, in order to save you valuable time and resources. The implementation process requires constant monitoring of Internet threats, along with the measurement of staff knowledge and awareness levels, to ensure that there is a continuous improvement in their level of knowledge and security awareness.

Prashant Mishra

Information Security Officer at Syniverse Technologies. Manages security with regulatory bodies (Telecom Regulatory Authority of India), DoT (Department of Telecommunications) and TEC (Telecommunications Engineering Center), the Intelligence Bureau and the Department of Police. Involved in information security, vulnerability assessment and penetration testing. Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA). Applied for LPT (Licensed Penetration Tester); trained in Computer Hacking Forensic Investigator (CHFI).

www.titania.com, T: +44 (0) 1905 888785

Evaluate for free at www.titania.com

What do all these have in common? They all use Nipper Studio to audit their firewalls, switches & routers.

SME pricing from £650, scaling to enterprise level.

Nipper Studio is an award winning configuration auditing tool which analyses vulnerabilities and security weaknesses. You can use our point and click interface or automate using scripts. Reports show:

1) Severity of the Threat & Ease of Resolution
2) Configuration Change Tracking & Analysis
3) Potential Solutions including Command Line Fixes to resolve the Issue

Nipper Studio doesn’t produce any network traffic, doesn’t need to interact directly with devices and can be used in secure environments.


TEST RESULTS REPORTING

At the conclusion of a penetration test, all of the data collected must be massaged into useful information upon which the customer can act. The purpose behind a penetration test may differ, but one constant of penetration testing is the requirement for meticulous documentation: recording each step, collecting information as you go, entering said data into a report, and delivering it to the customer.

This phase of the penetration test is sometimes seen as an afterthought, but this is the hands-on product you deliver to the customer; it is vitally important that scrupulous attention to detail be given to constructing and delivering a well-polished final product. Writing the results report may not be as glamorous or exciting as actually performing the technical portion of the test, but in many respects it is the most critical task a penetration tester performs, because it allows the customer to see what you have actually done.

The results report is essentially your way of showing the customer what you have done. They have no way of knowing that you spent long nights plugging away at their systems if you have no way of demonstrating it – it is your evidence that a penetration test has been conducted.

You owe it to the people who are paying you to deliver a professional final product. The final report demonstrates your competence, illustrates the amount of work you put into the test, and gives the customer a way forward; after all, the test is supposed to highlight issues with their security. A professional, well-written report can impress your customer, win repeat business, and lead to word-of-mouth advertising – a poorly written report could cost you future business with that customer, and word could travel that your services are not quite up to scratch.

Existing Guidance on Penetration Test Reporting

There is an absolute plethora of material written about the subject of penetration testing. Many of us have bowed bookshelves containing volumes on the subject and a massive ‘Favorites’ folder dedicated to it. There seems to be an unending well of excellent resources to draw technical tricks of the trade from, but there is very little written about one of the most important, time-consuming, and frustrating sections of the test – the results report.

Penetration Test Results Reporting

Upon completion of a penetration test, all of the information collected must be neatly entered into the after-action results report. Since this document is the only tangible, deliverable element supplied to the customer, it should appear professional and well organized, and clearly detail and explain what was uncovered during the penetration test. This article will examine methods and best practices of the reporting stage of a penetration test. The target audience of this paper is penetration testers who wish to improve their report writing skills.

Figure 1. PTEST-Reporting, Eric Smith (2011). Retrieved from: http://www.pentest-standard.org/index.php/File:Ptes-reporting_new2.png

It is understandable that sitting down to write the final report can be very dull when compared to the other aspects of the test, but considering its importance, it is vital that the report is written well. Penetration testing is a scientific process, and the findings in the report have to be repeatable. If a customer disagrees with the findings of the test, they have every right – and likely will – to consult a second opinion. If you do not fully articulate in your report how you came to your conclusion, it may be difficult for someone else to repeat your process, and that person may actually derive different results, which may put the reputation of your business into question.

In addition, the audience of the report has to be taken into consideration. Most likely there will be at the very least two types of people reviewing the report: senior management and technical staff. What each will look to take out of it will vary greatly.

Senior management is likely to care less about, or even not understand, the lingo used to explain how you got root on their web server; what they care about is the big picture: “What does our security posture look like?”

The technical staff will likely be the ones required to patch the holes uncovered during the test, so they will want to know what system was affected, the severity of the vulnerability, and, if possible, how to go about fixing it.

There are a number of fine resources available for learning about writing penetration test reports. Some sites to consider checking out are:

• Offensive Security – Penetration Test Report – http://www.offensive-security.com/penetration-testing-sample-report.pdf
• CORE Impact Professional – http://www.coresecurity.com/core-impact-pro
• The Penetration Testing Execution Standard (PTES) – http://www.pentest-standard.org/index.php/Main_Page
• The Information Systems Security Assessment Framework (ISSAF) – http://www.oissg.org/issaf
• The Open Source Security Testing Methodology Manual (OSSTMM) – http://www.isecom.org/research/osstmm.html
• The Open Web Application Security Project (OWASP) – https://www.owasp.org/index.php/Main_Page

Unfortunately, there is no hard and fast industry standard for writing penetration test reports, but this may largely be due to the varying needs of each customer. One thing many experts seem to agree upon is that the report should be broken up into at least two parts: the executive summary and the technical report. Some suggest a third part: the raw report, which includes everything, to include screenshots, dumps, scan results, etc. It is up to you whether you include the raw data, but it should not hurt anything to add this as an appendix or separate document.

Take for example the report structure in Figure 1 (PTEST-Reporting, Smith, 2011); this is a pretty detailed tree of what could be expected in the executive summary and the technical report.

Example Report

The following is a sample of recommendations for what should be included in the penetration test report; feel free to use what fits your needs:

• Cover Page (Figure 2) – The cover page should contain the following elements:
  • The name of the report
  • Date
  • Target organization’s name
  • Revision number
  • Control number
  • Classification
  • Author of report
  • Company performing the penetration test
  • A disclaimer

Figure 2. PenTest Cover Page, T. Stachowski (2013).

• Information Page – The information page will contain much of the information found on the cover sheet, but will also include a history of revisions, name of document reviewer, name of document editor, penetration test team member names, contact information, and a legal notice.
• Table of Contents – The table of contents lists the parts of the report in the order in which they appear.
• Executive Summary – The executive summary should be brief and non-technical. The target audience of the executive summary is senior management and other non-technical staff. Illustrations such as pie charts and graphs may be helpful. The following should be included in the executive summary section:
  • Scope of Work / Test – The scope of work/test section should detail what the penetration test was limited to, i.e. network only, website only, etc. It should also detail what was off-limits, such as hardware, tape libraries, etc. Finally, the scope should detail constraints and problems encountered during the test, for example, if the testers were asked to leave the building at certain hours.
  • Type of Test – Spell out the type of test that was conducted, i.e. White-box, Black-box, Grey-box, and give a brief description of the test.
  • Test Objectives – The test objectives should detail why the test was conducted in the first place, such as the deployment of new hardware/software, annual inspection, etc.
  • Timetable – The timetable should detail start and stop times/dates, amount of man-hours invested in the test, when phases of the test were conducted, etc.
  • Summary of Findings – In the summary of findings section, you want to give a quick snapshot of what is going on, to paint the picture of the organization’s security posture. Consider using images (such as those in Figures 3 and 4) to illustrate findings. Remember, this section is non-technical; senior management does not care about the details, they want to know if their network is secure or not (Figure 3 and Figure 4).

Figure 3. Summary of Security Risk Pie

Figure 4. Summary of Security Risk Graph

Figure 5. Findings

  • Summary of Recommendations – Like the summary of findings section, this is a brief description of what needs to be done to remediate the uncovered issues. Do not get into the technical weeds in this section, but give a quick explanation, at a lower level of detail, of what needs to be done to correct vulnerabilities.
• Technical Report – The technical report is where you supply detailed reporting. In this section you want to be very descriptive in explaining how issues were discovered, so that they are repeatable and can be used after the administrators or local security team has patched the holes, to ensure that their fix actions have eliminated the vulnerability.
  • Findings – For each specific finding, you want to be very thorough, giving as much information as possible. Explain the methodology used to uncover each vulnerability – provide repeatable, systematic instructions. Also, give remediation advice (Figure 5).
    Additionally, when reporting your findings, you will also want to identify what was not found; for example, a scanner might detect a vulnerability that turns out to be a false positive. It is important to identify these findings to the customer so that they are not chasing a red herring. You want to be 100% sure, if reporting a false positive, that it is in fact just that and not a true security risk.
  • Out of Scope Findings – You want to list all findings that fall within the scope of the penetration test, but if you come across vulnerabilities that fall outside of the scope, you want to ensure that you inform the customer that there is a risk that should be examined further.
  • Conclusion – The conclusion should recap why the penetration test was performed, the goals of the test, and the impact that the current security posture has on the organization’s network.
  • Recommendations – Provide recommendations that go beyond the individual findings, such as general best-practice security tips, i.e. patch management program, current audits and antivirus updates, proper account privileges, etc.
  • Risk Rating – Provide an overall risk rating appraisal for the scope of systems tested. Use clear language such as High, Medium, Low, i.e. “The overall security risk posed to Acme, Inc. systems is HIGH. A hacker has the potential to cause serious financial and operational damages to Acme, Inc.”
• Appendix A: Glossary of Terminology – Provide a glossary of terminology used throughout the report.
• Appendix B: Network Diagram – Provide a network diagram of the network scanned, such as one gathered from nmap.
• Appendix C: Tools / Exploits Used – Provide a list of tools and exploits utilized, as well as a quick description of what each tool does.
• Raw Report – The raw report is going to be a full data dump of everything you’ve captured – the more information the better.
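An added illustration of the report structure just described (this is not the article's own code, nor a template from any of the standards it cites): each finding is recorded with repeatable steps and remediation advice, false positives and out-of-scope items are kept apart from confirmed findings, and the executive summary's severity counts and overall HIGH/MEDIUM/LOW rating are derived only from the confirmed, in-scope findings. The sample findings, hostnames and the "Acme, Inc." organization are constructed; the review checks are the ones a report reviewer would apply before the document ships.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Rating scale used for per-finding severity and the overall appraisal.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass
class Finding:
    title: str
    host: str
    severity: str
    in_scope: bool = True
    false_positive: bool = False
    reproduction: List[str] = field(default_factory=list)  # repeatable steps
    remediation: str = ""


def review_problems(f: Finding) -> List[str]:
    """What a report reviewer would bounce back before the report ships."""
    problems = []
    if f.severity not in SEVERITY_RANK:
        problems.append("unknown severity")
    if not f.false_positive and not f.reproduction:
        problems.append("no repeatable steps")
    if not f.false_positive and not f.remediation:
        problems.append("no remediation advice")
    return problems


def partition(findings: List[Finding]) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Confirmed in-scope findings, verified false positives, out-of-scope findings."""
    confirmed = [f for f in findings if f.in_scope and not f.false_positive]
    false_positives = [f for f in findings if f.false_positive]
    out_of_scope = [f for f in findings if not f.in_scope and not f.false_positive]
    return confirmed, false_positives, out_of_scope


def severity_counts(confirmed: List[Finding]) -> Dict[str, int]:
    """Counts for the summary-of-findings chart, every severity present even if zero."""
    counts = Counter(f.severity for f in confirmed)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def overall_rating(confirmed: List[Finding]) -> str:
    """HIGH / MEDIUM / LOW, driven by the worst confirmed in-scope finding."""
    if not confirmed:
        return "LOW"
    worst = max(SEVERITY_RANK[f.severity] for f in confirmed)
    if worst >= SEVERITY_RANK["High"]:
        return "HIGH"
    if worst == SEVERITY_RANK["Medium"]:
        return "MEDIUM"
    return "LOW"


def executive_summary(org: str, findings: List[Finding]) -> str:
    """Non-technical summary text in the form the article suggests."""
    confirmed, fps, oos = partition(findings)
    counts = severity_counts(confirmed)
    lines = [
        f"The overall security risk posed to {org} systems is {overall_rating(confirmed)}.",
        "Confirmed findings by severity: "
        + ", ".join(f"{sev} {n}" for sev, n in counts.items() if n) + ".",
        f"Scanner results verified as false positives: {len(fps)}.",
        f"Risks observed outside the agreed scope (for follow-up): {len(oos)}.",
    ]
    return "\n".join(lines)


# Constructed sample findings; hosts and organization are fictitious.
SAMPLE_FINDINGS = [
    Finding("Vendor default credentials accepted on management interface", "mgmt-01", "High",
            reproduction=["Authenticate to the management interface with the account "
                          "documented in the vendor manual; it is accepted unchanged"],
            remediation="Set a unique strong password and restrict the interface to the admin VLAN"),
    Finding("TLS service offers deprecated protocol versions", "web-01", "Medium",
            reproduction=["Enumerate supported protocol versions with the agreed scanner"],
            remediation="Disable the deprecated versions in the server configuration"),
    Finding("Verbose server banner discloses exact version", "web-01", "Low",
            reproduction=["Request any page and read the Server response header"],
            remediation="Suppress version details in the banner"),
    Finding("Scanner-reported SQL injection", "web-02", "High", false_positive=True,
            remediation="None required; manual verification showed a parameterised query"),
    Finding("Writable file share on host outside agreed scope", "files-09", "High", in_scope=False,
            reproduction=["Observed while enumerating the adjacent subnet"],
            remediation="Recommend a follow-up assessment of the file server"),
]

if __name__ == "__main__":
    print(executive_summary("Acme, Inc.", SAMPLE_FINDINGS))
```

Keeping the out-of-scope share out of the overall rating is deliberate: the rating describes the systems the customer agreed to have tested, while the share is still reported so the risk is not lost.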

Other Considerations

Some vulnerabilities, if posing an immediate threat to the network, should be reported to the organization and mitigated immediately. A penetration test is really designed to identify issues, not fix them on the spot, but there should be a point of contact within the organization to whom immediate findings can be reported. If the issue is mitigated during the penetration test, it should still be documented in the report; if nothing else, it will help to demonstrate to the customer the value to be gained from having a penetration test performed on their network.

References

• CORE Impact Professional. Retrieved from: http://www.coresecurity.com/core-impact-pro
• The Information Systems Security Assessment Framework (ISSAF). Retrieved from: http://www.oissg.org/issaf
• The Open Source Security Testing Methodology Manual (OSSTMM). Retrieved from: http://www.isecom.org/research/osstmm.html
• The Open Web Application Security Project (OWASP). Retrieved from: https://www.owasp.org/index.php/Main_Page
• The Penetration Testing Execution Standard (PTES). Retrieved from: http://www.pentest-standard.org/index.php/Main_Page
• Offensive Security – Penetration Test Report. Retrieved from: http://www.offensive-security.com/penetration-testing-sample-report.pdf


Coordinate with the customer to determine whether they want sensitive or personally identifiable information (PII) sanitized from the final report. Also, ensure that the document is classified using the customer’s classification standards, so there is no confusion about the sensitivity of the document.

Both hard and soft copies of the report should be carefully guarded and tracked. Hard copies should be signed for, and soft copies should be encrypted.

Conclusion

There is nothing sexy about writing the penetration test report, but it is arguably the most critical component of the entire process. Taking the time to assemble a high-quality and comprehensive final product is a way to demonstrate to the customer that you are a professional and that the greatest of care has been taken in testing their network. Essentially the report is what the customer is paying you for, so ensure that you are providing them with a document they can act upon when the testing is over. Taking the time to ensure this stage of the test is done well can win repeat business and grow the reputation of your company.

Terrance Stachowski

Terrance Stachowski is a defense contractor supporting the United States Air Force. He has fifteen years of IT experience, an M.S. in Cybersecurity from Bellevue University, and currently holds nineteen IT certifications, including the CISSP and L|PT. He specializes in IT Security, Penetration Testing, and Solaris Systems Engineering. He can be reached at [email protected].


TIPS & TRICKS

I can bet you’ve at least once wanted to be extra mobile and be able to do penetration testing out of the office. Good news! Today’s technology provides a high-quality, cheap and fast solution to perform those tasks with Android tablets. In my case, I have a 7” Asus Nexus 7 3G with 32GB of storage and four CPU cores; you must admit that’s quite a nice device for penetration testing tasks. The Nexus 7 is stocked with vanilla Android 4.2.1, but I wanted to have a more customized tablet, so I’ve installed the CyanogenMod 10 ROM. Also, I have unlocked the tablet’s bootloader, flashed it with a custom recovery image and rooted it to have full permissions on the device. I must warn you that by rooting the device you’re going to be exposed to more security vulnerabilities, but you’ll have more control of your device and be able to use penetration testing tools that require a rooted device. Remember that by unlocking and rooting the tablet you’re losing the device warranty, which can only be restored by reverting and installing the original stock ROM. Android applications mentioned in this article can be downloaded from the URLs at the end of the article (Figure 1).

Transforming Your Tablet into a Pentest Platform

As a penetration tester I always appreciate being able to work at any place. That’s a nice thing when you are working in the IT industry. With my laptop I can be mobile when working on penetration testing. However, like probably many of you, I wanted more. So, I’ve decided to transform my Nexus 7 into a penetration testing platform. For the base OS of my tablet, I picked the CyanogenMod 10 ROM, and tools for various attacks, like MiTM, network discovery and port/vulnerability scanning, packet capture, Web attacks, and many more.

Figure 1. ClockworkMod Recovery

Hack your Tablet

Your stock Android ROM is quite a nice OS for mobile devices, but you can get a more powerful device by installing custom ROMs such as CyanogenMod or AOKP. In my case, I prefer the first one. Connect the tablet to your laptop or PC with a USB cable, and enable the USB debugging option in Android settings. The device must be in bootloader mode; on most tablets you can enter the bootloader by switching off the tablet and powering on while pressing power and volume up (or down) simultaneously. Download CyanogenMod 10 from their official Web page. After that, download the Android SDK package. Extract the archive, and in the folder platform-tools you will find the tools needed for flashing the tablet (adb and fastboot). The first thing we need to do is unlock the bootloader, if it’s locked. Open your console and run fastboot with the command ./fastboot oem unlock, wait a few seconds and confirm the unlock of the bootloader. Have in mind that some devices don’t have a locked bootloader. After that, reboot your tablet and enter bootloader mode again. Now, for installing CyanogenMod we must have a device with a custom recovery. In my case, I used the most popular one, ClockworkMod Recovery. Choose and download the recovery for your device and install the recovery image with the command ./fastboot flash recovery nameofrecovery.img. After installing, don’t forget to choose the option to “disable recovery flash”, reboot the device into recovery, and now you have a custom recovery with extra options. Next, root your device. The easiest way to root the tablet is the SuperSU application: download it and transfer it to the root folder of the device storage. Again, enter recovery mode, and install the application by choosing the option “choose zip from sdcard”; after that, you will find the SuperSU zip file, install it by pressing the power button. Okay, you have a rooted device, let’s profit from that. CyanogenMod will be installed in the same way: transfer it to internal memory, and reboot into recovery mode. Now, choose the next options in the following order: Wipe cache, Wipe dalvik cache, Factory reset. After that, choose the CyanogenMod zip and install it. You will need Google apps (they aren’t included in CyanogenMod), so pick the right version for your ROM and download them. Transfer the file to the device and install it as a zip file. When you’re done installing Google apps, reboot to recovery, fix permissions and reboot the tablet again. If you have a slower tablet, on the XDA forum you can find topics with mods about performance improvements.

Building a Penetration Testing Platform

Now we have a multi-user device with enough processing power and mobile software to be a perfect solution for a mobile penetration testing platform. For easier connectivity to the Internet, I recommend buying a tablet with a 3G module and a bigger GSM data plan, at least 2 GB monthly. All applications used in this article are free. We’re starting with applications for discovery and penetration testing of wireless networks. One of them is WiFinspect, a great tool with the ability to test Access Points and internal/external networks. Also, it has features to sniff networks, analyze captured .pcap files, discover hosts and a few more. With Apscan you can scan wireless networks around you, and it has the ability to save the AP list and sort and filter BSSIDs. The WiFiKill application can disconnect clients from a wireless network using iptables, if you want to perform social engineering. Once you’re connected to a wireless network, you can capture traffic and analyze it with Shark and SharkReader; sniffed traffic can later be analyzed using Wireshark. When we talk about MiTM attacks, one of the classic applications for capturing sessions with cookies from other users on wireless networks is DroidSheep. Also, it has features to manipulate and save cookies. Android has its own version of the tool for attacking the SSL protocol as well – SSLStrip, which requires a rooted device. LanDroid is a must-have application with features such as Ping, Whois, Dig, NSlookup, IPLookup, Traceroute, PortScan, MAC lookup, WakeOnLan, and many more. dSploit is, according to its author, a “network analysis and penetration suite”, ready for various MiTM attacks; it comes with Port Scanner, Inspector, Vulnerability Finder, Login Cracker and other features for performing penetration testing. I must also mention Fing, an application for network discovery with a great interface and abilities, one of my favorites. Every penetration tester must have the Android version of Nmap and Nikto Scanner. A good thing about Web vulnerability scanners is the fact that most of them have a Web interface to control them, for example, Metasploit. One of the most popular Web vulnerability scanners, Nessus, has an official application to control your Nessus server. There’s also a proxy application for Android, SandroProxy; it can “Capture, intercept, analyze, modify, replay http requests” and it’s based on WebScarab. ProxyDroid is a similar application, which can use, for example, an existing Burp Suite server on your laptop and proxy all device traffic (Figure 2 and Figure 3).

Productivity

It is impossible to complete penetration tests without tools for everyday tasks. To be more productive while typing on a tablet you need a full QWERTY layout, so I recommend Hacker's Keyboard. We will assume that every penetration tester needs a terminal, and Android Terminal Emulator is, as the name says, a terminal emulator (Figure 4). It is not rare to work on a penetration test inside a VPN, and on Android it is no problem to use VPN, VNC, SSH, RDP or Tor (ConnectBot, for example, is a capable SSH client). When it comes to working with documents, OfficeSuite Viewer 7 is, in the authors' words, "OfficeSuite is a universal document viewer for Android enabling you to open, view, print and share native DOC, DOCX, DOCM, RTF, TXT, LOG, XLS, XLSX, XLSM, CSV, PPT, PPTX, PPS, PPSX, PPTM, PPSM, EML, PDF and ZIP files and attachments". Working on penetration tests means you handle extra-sensitive business information, so it is better to have an encryption solution like Cryptonite, with local and Dropbox encryption. ASTRO File Manager is a very handy application for managing files on your tablet; it can work with cloud services such as Box, Dropbox, Google Drive and SkyDrive, and it can scan your local network for SMB shares. After you install your favorite ROM and applications for penetration testing, it is a good idea to back up everything, so the next time you change ROM you have the core penetration testing applications ready to be restored on any Android device with the backup application of your choice.

Figure 2. Fing

40 http://pentestmag.comPageOPEN 03/2013

TIPS & TRICKS

QR Codes

WiFinspect: https://play.google.com/store/apps/details?id=uk.co.opticiancms.wifiprobe

Figure 3. Nessus

Figure 4. Android Terminal Emulator and Hacker's Keyboard

On the Web
• http://forum.xda-developers.com/showthread.php?t=1282900 – WiFiKill
• http://www.1mobile.com/nikto-droid-306934.html – Nikto Droid
• https://secwiki.org/w/Nmap/Android – Nmap
• http://www.dsploit.net/ – dSploit
• http://dl.google.com/android/android-sdk_r21.1-linux.tgz – Android SDK
• http://get.cm – CyanogenMod
• http://www.clockworkmod.com/rommanager – ClockworkMod
• http://goo.im/gapps – Google Apps
• http://forum.xda-developers.com/showthread.php?p=38643545 – XDA thread about "Performance boosting"
• http://forum.xda-developers.com/showthread.php?t=1933837 – XDA thread about "Performance tweaking"

I think it is easier to scan a QR code and install applications directly from Google Play than to copy and paste a link into the browser, so below you will find QR codes for the applications used in this article.

Summary

Now you have a fast, extra-mobile and productive platform to work on. I mentioned very few applications for penetration testing; there are many more, mostly paid, but these free applications cover almost the complete basic penetration test methodology. It is very important to secure your tablet against loss: one of the best practices is to use a PIN or password on the screen lock in combination with anti-theft tools (remote wiping of storage on a stolen device) and, since a screen lock alone does not protect data at rest, to enable the device encryption Android offers. With the Android applications described above you can do a huge part of a penetration test, from testing wireless networks and MiTM attacks to local networks and web application testing, with features to proxy HTTP requests.

Domagoj Vrataric
Domagoj Vrataric is IT Security Manager at Aduro Ideja, a company from Croatia that offers software solutions for the telecom industry, high-volume data processing, real-time systems and penetration testing services. He has experience with penetration testing (OWASP methodology), mostly in the telecommunications industry, eCommerce (osCommerce, ZenCart, OpenCart) and the media industry, 10 years of experience with Linux, 8 with IT security, and knowledge of hacker culture and ways of thinking. He is currently involved in penetration testing and is project manager on a few security projects. Additionally he is in charge of security in his company, from monitoring the IT infrastructure and administering Debian servers to security policies on computers and mobile phones.


APScan: https://play.google.com/store/apps/details?id=jerzy.cow.code.APscan

Shark: https://play.google.com/store/apps/details?id=lv.n3o.shark

Shark Reader: https://play.google.com/store/apps/details?id=lv.n3o.sharkreader

SSLStrip: https://play.google.com/store/apps/details?id=com.crazyricky.androidsslstrip

LanDroid: https://play.google.com/store/apps/details?id=net.fidanov.landroid

Nessus: https://play.google.com/store/apps/details?id=com.tenable

SandroProxy: https://play.google.com/store/apps/details?id=org.sandroproxy

ProxyDroid: https://play.google.com/store/apps/details?id=org.proxydroid

Fing: https://play.google.com/store/apps/details?id=com.overlook.android.fing

Hacker's Keyboard: https://play.google.com/store/apps/details?id=org.pocketworkstation.pckeyboard

ConnectBot: https://play.google.com/store/apps/details?id=org.connectbot

OfficeSuite Viewer: https://play.google.com/store/apps/details?id=com.mobisystems.office

Cryptonite: https://play.google.com/store/apps/details?id=csh.cryptonite

ASTRO File Manager: https://play.google.com/store/apps/details?id=com.metago.astro


LET'S TALK ABOUT SECURITY

Homeland Security: Reducing the Threat from Attacks

This article describes the changes being made to Homeland Security activities for new software in development, and how they are improving our overall security. The reader may also find activities that fit into their own Software Development Lifecycle (SDLC) programs, to the benefit of other organizations as well. This is not an offensive approach to cyber security, but an improved defensive one.

Every day the United States Government is subject to cyber-attacks which threaten the lives of citizens and agency missions.

Threat agents include other countries, citizens of the United States and organized crime (to name a few). The US Department of Homeland Security has the responsibility of protecting Federal systems and supporting other agencies of the US Government in protecting information and reporting cyber incidents.

The actual source of the attacks is usually unpredictable (it would certainly be easier if attackers announced their intentions in advance), though most have similar objectives: to get the information that organizations are trying to protect. Attacks on information systems can easily be spoofed, making the source IP address an unreliable indicator of where a connection really came from. Open source projects such as the Tor network, as well as botnets and other infected resources, make investigations more challenging [1]. At present, most Federal agencies approach securing the homeland through defensive measures which are largely reactionary. The lack of proactive measures places these agencies in a losing battle.

Attempting to identify the source of an attack is not trivial, as attacks are generally carried out by systems that have themselves been compromised. Ultimately, the source of the problem is insecure software. As such, agencies can better protect their systems by building security into their software [2]. Although a wealth of information exists to support building better software (see Microsoft's SDL or Cigital's Software Security Touchpoints), most organizations encounter problems when trying to transition from theory to practice.

Regulation and Compliance to the Rescue?

Congress passed the E-Government Act of 2002 to address the lack of security within Federal information systems. Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), was designed to promote responsibility for security through mandate. FISMA mandates that organizations report their security posture as measured by standards published by the National Institute of Standards and Technology (NIST). The security standards identify a minimum set of security requirements for information and information systems.

The result is a process drawing on security requirements that falls short in terms of defining how organizations can implement these standards, as well as how each organization can measure the effectiveness of its program.


FISMA is grounded in following processes and demonstrating compliance with checklists. Unfortunately, FISMA fails to offer organizations the value of improving the overall security of their systems, because it focuses the government on processes and reporting, which compete for security funding, usually to the detriment of actual security operations.

FISMA categorizes federal systems as Low, Moderate or High impact vis-à-vis FIPS publication 199 [3]. FIPS 199 defines the standards for Security Categorization of Federal Information and Information Systems. Depending on the identified categorization of a system, FISMA relies on NIST Special Publication 800-53 [4], which prescribes an increasingly restrictive set of security controls as the categorization of the federal system rises. The intent of this publication is to allow the security practitioner to tailor controls to the system and its security categorization. Using the NIST 800-53 controls, the organization is better able to classify the security issues and the activities needed to obtain accreditation for use.

Unfortunately, one of the major drawbacks of NIST 800-53 is the failure to bridge information se-curity theory with information security practice.

Is Pentesting Enough?

Pen testing the environment is often used as the primary means of determining the security of systems. A drawback of using penetration testing as the sole mechanism for securing systems lies in the late stage of the SDLC at which testing occurs. Because penetration testing occurs once a system is production-ready, the earlier stages of the SDLC are often overlooked (for example, some time after the code is running, a decision is generally made to run a "Pen Test"; exactly what is being tested is not necessarily clear).

Another issue with pen testing relates to the level of system coverage. At Cigital, we have found that the pen test exercise covers only a small fraction of the actual codebase. For this reason, Cigital refers to pen tests as a "badness-ometer" (Figure 1). For example, when a pen test is performed on a system and several findings are discovered, the system is clearly insecure. However, if a pen test is performed and no findings are discovered, does this mean that the system is secure? Most likely the answer is "no". Just because a security practitioner did not discover a vulnerability, the system may still have vulnerabilities which have not been discovered (remember, the pen test only covers a small percentage of the codebase). For this reason, we can state that pen testing is not enough. The rule of thumb is that a pen test will only tell you how bad your code is, not how good. As a result, the pen test is really a badness-ometer.

A New Approach for Securing Systems?

The traditional approach to cyber security has been reactive, mired in an improper interpretation of "Defense in Depth". Systems and networks are hardened at the perimeter of the network and include a multitude of tools which operate as filters throughout the cyber infrastructure. We like to call this the M&M defense (hard on the outside, soft in the center). The underlying assumption is that adding more and more security products and services will inevitably reduce the attack surface and eradicate risk.

One of the problems with "securing the perimeter" lies in the faulty assumption that networks have boundaries which can be defined. With the rise of cloud and mobile computing, the security team is left scratching their heads as to where the boundaries are and how to define them. When you boil the challenge down, the common denominator is the assurance of the software and software applications. Simply put, if you can establish an assurance level for deployed software, you will better understand where your weaknesses lie.

This message has resonated within organizations, and it is the number one reason that Cigital was called upon by DHS to assist in the deployment of static analysis tools and the development of the Build Security In initiative.

Figure 1. Pentests are only a small measure of “Badness”


Where do you Fix the Bugs?

When considering the total cost of ownership of a software application, the benefits of implementing software security are considerable. Consider the diagram shown in Figure 2.

Figure 2 shows that the cost of remediating vulnerabilities at later stages of the development life cycle is far greater than the cost of remediating them at earlier stages. In fact, the diagram shows that while the average cost of fixing a single vulnerability during the early stages of development is $977, the cost of remediating a vulnerability at a later stage is $14,102 (more than 14 times higher!). Maybe you are asking: but how can I fix the bugs if I am testing the software with Pen Tests? Let's approach this matter one step at a time.

Figure 2. The cost of remediating vulnerabilities

Figure 3. Cigital’s Software Development Life Cycle (SDLC) with Security Related activities


Bugs Should Be Fixed in Development

The higher expense is usually incurred by detecting vulnerabilities late in the development process. Consider Figure 3. This figure presents the SDLC as indicated by the boxes and provides security Touchpoints showing how security can be introduced at the various stages of the SDLC. As you can see, we have inserted security activities in each of the SDLC phases (you can read about these exercises and the security touchpoints in Software Security by Gary McGraw) [5].

Many times the overall size of the architecture and the complexity of the environment can only be evaluated after the initial development or deployment has already been made. While employing the security controls for an application has been known to be done after the design is completed, continuing to scrutinize the security of an environment after the implementation of the system is completed is akin to trying to bolt security on top of the environment (as opposed to building it inside the application) (McGraw).

This is not to say that we should stop using FISMA or halt the use of Pen Testing activities at all, because these activities are essential to determining the correct implementation of secu-rity in the enterprise. However, changing or aug-menting the traditional testing during the SDLC has been shown to improve the security of the application, as well as help to fix the security posture of the application before it reaches pro-duction.

Cigital has taken a different approach to software security: we recommend building security directly into the software. This approach makes the developers an active part of the security team. The chart in Figure 3 looks at the development of new software and how security-related activities are always part of the Software Development Life Cycle (SDLC).

As we can see from Figure 3, the actual introduc-tion of Pen Testing is far to the right of the SDLC, very near the production phase. This is very late in the SDLC process and also complicates the up-dates for the software to implement better security into the software.

Figure 4. Security activities for new development


By enabling the developers to implement bet-ter security directly into the software while it is on their desktop, we minimize the delays to improve the overall security of the software. This is an es-sential component to implementing better security controls.

Code Review

Here are some of the code review functions which Cigital is providing to its clients, as well as to the Department of Homeland Security (and other government agencies within it). They also explain why fixing bugs is so costly once the Testing phase is reached (Figure 2).

Figure 4 outlines three different activities which Homeland Security has undertaken as part of its new understanding of secure development, plus a fourth that is not shown in the diagram [6]:

• SecureAssist Secure Coding Guidance (training the developers)
• Static Analysis
• Dynamic Analysis
• Binary Analysis [6]

We can easily see that the cost of fixing vulnerabilities is significantly lower the further left we are in the development process. This is what we mean when we say that we want to enable the developers to become more proactive about fixing security issues. Since the developers already have the software on their desktops, they are best placed to make the changes, before the bugs ever reach the shared code base.

SecureAssist Secure Coding Guidance is a plugin for the developer's Integrated Development Environment (IDE). SecureAssist changes the security stance from reactive remediation to proactive security. Instead of focusing on new ways to find bugs already in the code base, organizations should provide developers with the guidance they need to build expertise and to prevent bugs from entering the code base in the first place.

One of the best things about the SecureAssist plugin is that it does not require running code, or even code that compiles completely. It supports the developer working on whatever file(s) the developer has access to, and works in real time, unlike the other testing activities. The tool can examine one or more files or the complete project.

Static analysis code review is usually performed after the project has succeeded in producing code that compiles completely, because software which compiles with errors can produce false findings (both false positives and false negatives). Static analysis tools are therefore usually integrated into the build cycle of the SDLC. The results then need to be examined and distributed back to the development team in order to fix the vulnerabilities.

Static analysis reviews have always seemed to provide more results on the code base than dynamic analysis [7]. While static analysis requires that the source code be available for a full review, the complexity of the tools requires that security analysts (or developers) run the tools and then follow up on every finding presented.
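To make the preceding two paragraphs concrete, here is an added example, written for this edit rather than taken from the article, Cigital or any of the tools it names. It shows the simplest kind of static analysis, the lexical scan for risky library calls that early tools such as ITS4 performed: it does not need code that compiles (the property the SecureAssist discussion values), but it also sees no types or data flow, which is why its output must be triaged before it is handed back to developers. The rule table, the severities and advice, and the C sample are constructed assumptions for the demonstration, not the rule set of any real tool.

```python
import re
from dataclasses import dataclass
from typing import List

# Rule table in the spirit of ITS4-style lexical scanners.  The functions,
# severities and advice are assumptions for this demonstration, not the
# rule set of ITS4, Fortify or any other real product.
RULES = {
    "gets":    ("high",   "unbounded read into a buffer; use fgets with an explicit size"),
    "strcpy":  ("high",   "unbounded copy; bound the copy with the destination size"),
    "strcat":  ("high",   "unbounded append; check the remaining space first"),
    "sprintf": ("medium", "unbounded formatted write; use snprintf"),
    "system":  ("medium", "spawns a shell; avoid, or strictly validate the command"),
    "strncpy": ("low",    "may leave the destination unterminated; terminate it explicitly"),
}

# Comments and string/char literals.  Alternatives are tried leftmost-first,
# so a "//" inside a string literal is consumed as part of the string.
_NOISE = re.compile(
    r"//[^\n]*"                   # line comment
    r"|/\*.*?\*/"                 # block comment (may span lines)
    r'|"(?:\\.|[^"\\\n])*"'       # string literal
    r"|'(?:\\.|[^'\\\n])*'",      # character literal
    re.DOTALL,
)

# A call to one of the risky functions: word boundary, name, optional
# whitespace, "(".  The boundary keeps fgets() from matching the gets rule.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    advice: str


def blank_noise(src: str) -> str:
    """Replace comments and literals with spaces, keeping every newline so
    that line numbers in the findings still refer to the original file."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_c_source(src: str) -> List[Finding]:
    """Lexically scan C source text and report calls to risky functions."""
    findings = []
    for lineno, line in enumerate(blank_noise(src).splitlines(), start=1):
        for m in _CALL.finditer(line):
            severity, advice = RULES[m.group(1)]
            findings.append(Finding(lineno, m.group(1), severity, advice))
    return findings


def report(findings: List[Finding], path: str = "<input>") -> str:
    """Format findings the way a build step would hand them back to developers."""
    return "\n".join(
        f"{path}:{f.line}: [{f.severity}] {f.func}(): {f.advice}" for f in findings
    )


# Constructed sample.  It need not compile for a lexical scan; note that the
# mentions of strcpy() in the comment and in the string literal are noise
# that a naive grep would report as false positives.
SAMPLE_C = """#include <stdio.h>
#include <string.h>

/* strcpy(a, b) mentioned in a comment must not be reported */
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}

void read_line(char *buf) {
    gets(buf);
    puts("strcpy() inside a string literal must not be reported either");
    fgets(buf, 80, stdin);
}
"""

if __name__ == "__main__":
    print(report(scan_c_source(SAMPLE_C), "sample.c"))
```

Run stand-alone it reports the strcpy() call on line 6 and the gets() call on line 11 of the sample and nothing else. What it cannot tell you is whether the destination buffer on line 6 is actually large enough; that judgement needs either a human reviewer or a data-flow analyzer working on code it can fully parse and build, which is the trade-off the paragraphs above describe.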

Dynamic analysis is the testing of web-based applications which are reachable over the network [8] or through a SOAP interface. Dynamic analysis [9] is a great testing tool to further validate the effectiveness of the security updates to the environment throughout the SDLC.

The difference with dynamic analysis is that the testing must be performed on a live application. Most testing is performed on applications within the pre-production environment, as dynamic analysis aggressively tests the application, making modifications (as an attacker is able to do) which will change the website. A full backup of the environment should therefore be taken before this type of testing is performed.

The first three testing types have well-defined activities for evaluating the security of a new application. The last type, Binary Analysis, depends on the ability to test the actual binaries used in the application. This type of analysis is performed on software that is normally bought from another source or is developed outside of the controls that the organization has put in place.

Figure 5. BSIMM review of 51 organizations

Binary Analysis is useful in examining resources which cannot be reviewed with static or dynamic analysis.

Because Homeland Security activities depend on the security of the organization against hackers, the largest areas of attack activity are seen coming from network-connected (internet/intranet) resources. These systems are hosted on private enterprise solutions, ensuring that 50% of the security issues are related to the architecture and 50% to the software within.

As we can see, there are detailed activities and controls which have been developed to support the security of the network and architecture over-all. That leaves us with 50% of the environment to work on, the software to improve its security.

BSIMM

As mentioned earlier [2], the BSIMM model is currently helping organizations to describe the activities they are employing, which begins to outline the holes that remain in order to improve the overall security of the environment (Figure 5).

BSIMM is a descriptive model used to determine an organization's current commitment to its security program. The example above indicates the overall posture of 51 organizations that are committed to improving the overall security within their organizations. While this outline is a review of the security of private corporations, it can just as easily be used to determine the posture of different departments within Homeland Security.

Cigital Federal is currently the provider of Software Security Consulting and Training for the Dept. of Homeland Security (DHS) as well as other Government agencies. Using Cigital's 20+ years of software security experience, Cigital Federal is delivering consulting, instruction, products, analysis and processes to ensure that better software security is achieved wherever it is needed.

Whether your needs are securing Homeland Se-curity, a bank, a utility or another organization Cigi-tal has the processes and resources to improve your organizational security.

Albert Whale
Albert Whale is a Security Consultant with Cigital Federal in Sterling, VA. Albert resides in Pittsburgh, PA with his wife and three children (three others have escaped already). He has 28 years of professional experience, having worked in Application Development, Systems Engineering, Network Security and Application Security. Albert is the past President and Co-Founder of the Pittsburgh FBI InfraGard, and has been active in the security field since 9/11. Email: [email protected], LinkedIn: http://www.linkedin.com/in/aewhale, Skype: aewhale

References
[1] Some solutions exist to block entire countries; however, this does not stop attacks from compromised hosts within your own country.
[2] http://www.cigital.com/products/the-building-security-in-maturity-model-bsimm/
[3] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[4] NIST is currently requesting comments on revision 4 of the 800-53 control set. You can comment on the security and privacy controls update at http://www.nist.gov/itl/csd/sp800-020613.cfm
[5] While our figure is more representative of a waterfall approach, the iterative SDLC process can adopt it easily.
[6] While Binary Analysis is not part of the diagram, it can be a useful component of testing.
[7] Cigital has a unique presence in the static analysis environment with the creation of the first static analysis tool, ITS4. After Cigital sold the license of ITS4 to an investment group, the tool was later acquired by HP and is now known as HP Fortify.
[8] Usually available via a web server.
[9] You can use a tool, or manual examination, to perform a Pen Test.

Works Cited
• BSIMM. (n.d.). http://bsimm.com/
• DHS. (n.d.). http://www.dhs.gov/
• FISMA. (n.d.). http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
• McGraw, G. (n.d.). Software Security – Building Security In. Addison-Wesley Software Security Series
• NIST. (n.d.). NIST 800-53 revision 3 controls. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
