www.chmag.in
Fighting the Advanced Threats
Knowing how to manage incidents is a critical element of every security environment.
The incident analysis begins with the forensics and terminates with the report given to the Incident Manager. The task involves digital forensic investigators, malware analysts and network operators.
Only through the evaluation of the network streams and the identification of the way the attacker has infected the systems, has spread in the network or has exfiltrated information is it possible to understand what the cybercriminals were up to.
Some organizations (Mandiant, for example) have written and developed a set of indicators that could help in deriving the basic information of every compromise in order to locate malicious artifacts throughout the organization.
What to do?
Stefano Korolev Maccaglia
stefano.maccaglia@gmail.com
Stefano is a security expert with a long streak of successful international projects behind him, spanning from infrastructural security to DWDM optical networking. He has been leading the Black Sun crew since its foundation and is constantly involved, as Chief Research Officer, in cyberwarfare, malware analysis and incident response.
Anatomy of Control Environment
Background
Information security leaders today are under intense pressure, charged with protecting their organization's information assets: information, customer data, intellectual property, etc. Most Chief Information Security Officers (CISOs) are now getting more attention from senior executives than two years ago. With amendments to the IT Act in 2008 and the formation of rules by the Ministry of IT in 2011, security has now become a compliance requirement too. In addition, a series of high-profile hacking incidents and data breaches has helped convince industry leaders of the key role that information security has to play.
Rather than just reactively responding to security incidents, the CISO's role is shifting to more proactively addressing security based on holistic risk assessment. Although the positive signs are encouraging, there are still a few concerns and issues that are being ignored. For example:
1. Information security is still considered the CISO's accountability, whereas it needs to be that of senior management, with the CISO as facilitator.
2. Many organizations still consider it IT security rather than information security.
3. Most efforts are directed toward compliance and certification. This puts pressure on the CISO/CIO to implement the ISO 27001 standard (since the rules under the IT (Amendment) Act 2008 insist that a security standard like ISO 27001 be implemented and certified). Although this approach helps in getting security certification, generally all efforts are directed towards maintaining the certification rather than maturing information security processes.
4. Security is treated as an afterthought, and hence for many projects required by the business, security is patched on after completion rather than embedded into the design.
5. Security governance is limited to reviewing root causes for incident and problem management.
Current trends
The changing scenario of threats and opportunities impacts the information security processes, and CISOs have to face the challenges. Gartner has identified various technology trends, mainly in four areas: CAMS (Cloud, Analytics and Big Data, Mobile computing and Social Media). These trends are inevitable for business to adopt. The new era of crime that rides the technology revolution has created the need to build security around it without compromising the benefits; doing so in order to derive value for the business is a challenge for the security and assurance professionals.
On the external threat front the trends are well past traditional viruses and script kiddies, who used to be happy disturbing a Sunday afternoon siesta by ringing the doorbell and running away. It is now a professional world where targeted attacks and advanced persistent threats (APT) are here to stay. Attackers (I do not see the point in calling them hackers anymore) use multifaceted tools like hacking, social engineering and zero-day attacks to gain access, and once inside remain inside without being detected. The objective is to gather information for various uses like terrorism, killing competition, damaging reputation, etc.
CISOs' Dichotomy
On one hand, in order to provide assurance to the management on the security of information, CISOs strive to implement the latest technologies like SIEM, IPC, content filters, DLP, DRM and DAM, but they also need skilled human resources to effectively manage these technologies.
On the other hand, management does wish to protect but wants to know the value derived from the investment. Stakeholders are more interested in cost-benefit analysis while investing in security resources. The primary job for CISOs, therefore, is selecting appropriate controls that will satisfy the cost-benefit requirements.
Selection of Controls
A real technical CISO will not be very happy with constraints related to cost, whereas a management-trained person might see the value of the constraint. The challenge is how to do it. The answer is to conduct a Risk Assessment (in simple words, use common sense).
Risk assessment is done in various ways, and there are multiple standards and frameworks available. The idea is to evaluate the likelihood of a threat materializing and, if it materializes, how much damage it can do. For example, a zero-day virus attack might affect the operations. The likelihood is high (i.e. anytime or once every day); impact I also
May 2013 | Page - 14
Summary
The changing technology and threat trends are forcing organizations to concentrate on new methods to ensure that information is secure, rather than just combating the external threats. It might require integrating information security within business and thence IT operational processes using an enterprise-wide risk management framework. Stakeholders, internal as well as external, are interested not only in the well-being but also in ensuring the security of the organizations.
Sunil Bakshi
bakshies@gmail.com
OWASP SKANDA
SSRF Exploitation Framework
Is your server protected against port scanning? The general answer will be "Yes, I have a firewall which restricts access to internal servers from outside."
What if I tell you I can still scan the ports on your server and your firewall wouldn't know about it!
People usually think that it is not possible to do a complete port scan on the web server and other servers behind the firewall. This article will make you think otherwise.
If the web application running on a server has an SSRF (Server Side Request Forgery) vulnerability then it is possible to do port scans on the devices behind the firewall. Once you find an SSRF-vulnerable server, SKANDA can do an automated scan for you and provide you the status of the ports present on that vulnerable server.
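The defensive counterpart of what the article describes is a server that refuses to fetch user-supplied URLs pointing at anything other than public web endpoints. The following validator is an added example, not code from the article or from the SKANDA project. It assumes a hypothetical policy (only http/https, only ports 80 and 443, only public addresses) and uses a constructed resolver table so it runs offline; hostnames are resolved before the check so that names mapping to loopback or private ranges are rejected just like literal internal addresses, and IPv4-mapped IPv6 literals are unwrapped before classification.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical outbound-fetch policy (an assumption, not from the article):
# only web schemes, only the standard web ports, only public addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed resolver table so the example runs offline. A real deployment
# resolves through DNS (default_resolver) and should connect to the address it
# validated, not re-resolve, to avoid a rebinding race between check and use.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    "localhost": {"127.0.0.1", "::1"},
    "intranet.example": {"10.1.2.3"},
}


def default_resolver(host):
    """Resolve host to all of its addresses with the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fake_resolver(host):
    """Offline stand-in for default_resolver backed by the constructed table."""
    return FAKE_DNS.get(host.lower(), set())


def is_public_address(text):
    """True only for addresses outside the loopback, private, link-local,
    multicast, reserved and unspecified ranges; IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason). Every address the host maps to must pass."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        ipaddress.ip_address(host)
        addresses = {host}  # literal address
    except ValueError:
        # Not a literal: resolve it so that names pointing at internal ranges
        # are rejected exactly like literal internal addresses.
        try:
            addresses = set(resolver(host))
        except OSError:
            return False, f"could not resolve {host!r}"
        if not addresses:
            return False, f"no addresses for {host!r}"
    for address in addresses:
        if not is_public_address(address):
            return False, f"non-public address {address} for {host!r}"
    return True, f"allowed: {host}:{port}"


if __name__ == "__main__":
    for candidate in ("http://www.example.com/", "http://127.0.0.1:22/",
                      "https://localhost/", "http://[::ffff:10.0.0.1]/"):
        print(candidate, check_outbound_url(candidate, resolver=fake_resolver))
```

The port allowlist is what removes the port-scanning use of the flaw: even if an attacker controls the host part, the server will only ever open connections on the two web ports, so the response no longer tells them anything about other services.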
So what are we going to talk about in this article?
In this article, the agenda is mainly Cross Site Port Attack. Cross Site Port Attack is a type of SSRF vulnerability (@ONsec_lab, http://lab.onsec.ru). Using this attack, Riyaz Walikar (@riyazwalikar) was able to do a port scan on the internal servers present in
It does a detailed analysis of how the responses (error/time delay) received are different from each other for different payloads. Accordingly it makes an informed decision on whether the port is Closed, Open or Open (Blind XSPA).
Initially SKANDA scans for the predefined list of important ports which are more probable to be used by the servers, to increase the chances of discovering an open port quickly.
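The same observation the tool relies on, that a sweep consists of many requests whose URL parameter differs only in the target port and whose responses differ (errors for closed ports, normal responses for open ones), gives a defender something to look for in the web server's access log. The following detector is an added example, not part of the article or of SKANDA. The log lines are constructed; the endpoint `/fetch`, the parameter name `url` and the threshold of three distinct ports per target host are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Common Log Format (not real traffic). The
# application endpoint /fetch takes a user-supplied "url" parameter (assumed).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2013:10:00:01 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A22%2F HTTP/1.1" 500 312
203.0.113.5 - - [12/May/2013:10:00:02 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A80%2F HTTP/1.1" 200 1833
203.0.113.5 - - [12/May/2013:10:00:03 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A443%2F HTTP/1.1" 500 312
203.0.113.5 - - [12/May/2013:10:00:04 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A3306%2F HTTP/1.1" 500 312
203.0.113.5 - - [12/May/2013:10:00:05 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 97
203.0.113.7 - - [12/May/2013:10:01:00 +0000] "GET /fetch?url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 2048
203.0.113.7 - - [12/May/2013:10:01:01 +0000] "GET /fetch?url=https%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 2048
198.51.100.9 - - [12/May/2013:10:05:00 +0000] "GET /fetch?url=http%3A%2F%2Fwww.example.com%2F HTTP/1.1" 200 5120
198.51.100.9 - - [12/May/2013:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line, param="url"):
    """Parse one CLF line; return (client, status, [fetched URLs]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["path"]).query
    targets = parse_qs(query).get(param, [])  # parse_qs percent-decodes values
    return m["client"], int(m["status"]), targets


def target_endpoint(target):
    """Return (host, port) for a fetched URL, defaulting the port by scheme."""
    parts = urlsplit(target)
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    return parts.hostname, port


def find_port_sweeps(log_text, threshold=3):
    """Group fetches by (client, target host) and flag pairs where one client
    made the server contact at least `threshold` distinct ports. The set of
    response statuses is kept because a sweep shows the error/success mix the
    article describes (errors on closed ports, normal responses on open ones)."""
    ports = defaultdict(set)
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, status, targets = rec
        for target in targets:
            endpoint = target_endpoint(target)
            if endpoint is None:
                continue
            host, port = endpoint
            ports[(client, host)].add(port)
            statuses[(client, host)].add(status)
    return {
        key: {"ports": sorted(p), "statuses": sorted(statuses[key])}
        for key, p in ports.items() if len(p) >= threshold
    }


if __name__ == "__main__":
    for (client, host), info in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{client} swept {host}: ports {info['ports']}, statuses {info['statuses']}")
```

On the constructed log only the first client is flagged: it drove the server at five different ports on 127.0.0.1 and collected both 500 and 200 responses, which is the signature the text describes. A time-based variant of the same signal (the response delay per target port) needs the request duration field that some servers can be configured to log.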
Customized Scan (Remember the option 2!):
Jayesh Chauhan
jayesh.sngh@gmail.com
Jayesh is a Certified Ethical Hacker with about 1.9 years of experience in application security and testing. He is an author of open source tools: CSRF PoC Generator and SKANDA. Jayesh is very enthusiastic about making automated tools in order to make a Pen Tester's life easier.
Pierluigi Paganini
Pierluigi Paganini is a security researcher for the InfoSec Institute, a security training company that specializes in CEH training courses.