Weekly round up of pen test and forensic tools that have come to my attention over the last week, it is not a comprehensive tool list but tools that I found interesting or details of tools I use that have been upgrade.
NMAP 6
http://nmap.org/changelog.html
web-sorrow
http://web-sorrow.googlecode.com/
A perl based tool used for checking a Web server for misconfiguration, version detection, enumeration, and server information file.s It's entirely focused on Enumeration and collecting Info on the target server
Bluelog v-1.0.4
ftp://ftp.digifail.com/downloads/software/bluelog/
Bluelog is a Bluetooth site survey tool, designed to tell you how many discoverable devices there are in an area as quickly as possible.
Monday 25 June 2012
Wednesday 20 June 2012
Talk at Bedford College 28th June
A bit of blatent promoting of a talk I'm doing at Bedford College on the 28th June.
Hollywood Effect on Digital Forensics
The success of forensics-based dramas like CSI, Numb3rs, and NCIS has ensured there is no shortage of applicants to study forensics. Hollywood and its public are enamoured by the apparently supernatural potency of the discipline. This talk looks at Hollywood and the TV interpretation of digital forensics and gives an insight into how it is really done.
If you want to attend please book online at www.bedfordtrainingservices.co.uk/forensics
Hollywood Effect on Digital Forensics
The success of forensics-based dramas like CSI, Numb3rs, and NCIS has ensured there is no shortage of applicants to study forensics. Hollywood and its public are enamoured by the apparently supernatural potency of the discipline. This talk looks at Hollywood and the TV interpretation of digital forensics and gives an insight into how it is really done.
If you want to attend please book online at www.bedfordtrainingservices.co.uk/forensics
Monday 18 June 2012
Tools (June 18th)
Weekly round up of pen test and forensic tools that have come to my attention over the last week, one of my interests is the Raspberry Pi and I was interested to see the following from Pwnie Express. I have to admit I have a Pineapple Mk IV and built my own miniPwner.
Raspberry Pwn Released by Pwnie Express
https://github.com/pwnieexpress/Raspberry-Pwn
Security enthusiasts can now easily turn their Raspberry Pi into a full-featured security penetration testing and auditing platform! This fully open-source release includes the following testing tools:
SET Fasttrack kismet aircrack-ng nmap dsniff netcat nikto xprobe scapy wireshark tcpdump ettercap hping3 medusa macchanger nbtscan john ptunnel p0f ngrep tcpflow openvpn iodine httptunnel cryptcat sipsak yersinia smbclient sslsniff tcptraceroute pbnj netdiscover netmask udptunnel dnstracer sslscan medusa ipcalc dnswalk socat onesixtyone tinyproxy dmitry fcrackzip ssldump fping ike-scan gpsd darkstat swaks arping tcpreplay sipcrack proxychains proxytunnel siege sqlmap wapiti skipfish w3af
Raspberry Pi
http://www.raspberrypi.org/
The Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It’s a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video
Raspberry Pwn Released by Pwnie Express
https://github.com/pwnieexpress/Raspberry-Pwn
Security enthusiasts can now easily turn their Raspberry Pi into a full-featured security penetration testing and auditing platform! This fully open-source release includes the following testing tools:
SET Fasttrack kismet aircrack-ng nmap dsniff netcat nikto xprobe scapy wireshark tcpdump ettercap hping3 medusa macchanger nbtscan john ptunnel p0f ngrep tcpflow openvpn iodine httptunnel cryptcat sipsak yersinia smbclient sslsniff tcptraceroute pbnj netdiscover netmask udptunnel dnstracer sslscan medusa ipcalc dnswalk socat onesixtyone tinyproxy dmitry fcrackzip ssldump fping ike-scan gpsd darkstat swaks arping tcpreplay sipcrack proxychains proxytunnel siege sqlmap wapiti skipfish w3af
Raspberry Pi
http://www.raspberrypi.org/
The Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It’s a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video
Thursday 14 June 2012
Danger of Risk Transfer
One of the ways of mitigating risk is to transfer the risk to another party, insurance is a form of risk transfer however the use of insurance can introduce a need for additional controls.
Most insurance policies require those taking them out to abide by a set of rules, in order to reduce the risk to the insurance company. Failure to keep to the terms and conditions of an insurance policy can make it invalid and it no longer covers the risk, which is reverted back to the orginal owner.
An example of this happening was reported in the New York Times when Golden State Bridge, was robbed of more than $125,000 when cybercriminals hacked into its bank account. The bank didn't cover the claims as the found the office manager had violated policy by visiting a social networking site, which it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect. This was sufficient to prevent the bank policy paying out.
When assessing risk, the risk mitigation process can introduce new vulnerabilities or increase the level of a vulnerability or the impact of a control mechanism which needs to be taken into account before final aaproval is given.
Most insurance policies require those taking them out to abide by a set of rules, in order to reduce the risk to the insurance company. Failure to keep to the terms and conditions of an insurance policy can make it invalid and it no longer covers the risk, which is reverted back to the orginal owner.
An example of this happening was reported in the New York Times when Golden State Bridge, was robbed of more than $125,000 when cybercriminals hacked into its bank account. The bank didn't cover the claims as the found the office manager had violated policy by visiting a social networking site, which it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect. This was sufficient to prevent the bank policy paying out.
When assessing risk, the risk mitigation process can introduce new vulnerabilities or increase the level of a vulnerability or the impact of a control mechanism which needs to be taken into account before final aaproval is given.
Keeping Childen Safe
A topic that has been discussed a lot and one that my friends and ex colleagues at the National Centre for CyberStalking Research at the University of Bedfordshire. It is also something that concerns me as I have a daughter who is coming up to the age where she will be more active online and my partner has a son who who is already interacting with online social sites but having a mild form of Asperger's syndrome can making him vulnerable to online interactions.
The news that Government are changing the regulatory framework in the UK to make it easier to trace cyber bullies and cyber trolls is good news, but further work is required to ensure prosecution of those involved succeeds quickly.
What is disturbing are article such as the ones about Habbo Hotel http://www.bbc.co.uk/news/technology-18433471 used by children to interact with each other being used by sexual predators despite as the company behind it state the use of 200 moderators.
However the range of forums for children is growing, many not well know by authorities or by parents. A lot of books now have an online connection, take the "Chronicles of Ancient Darkness" a series of books for children that has an online site http://jointheclan.com/ for children to share and take part in the world of the clans. The site has an FAQ and a section on being safe online http://www.jointheclan.com/forum/faq.php?faq=clanrules#faq_clan_rules_inner but how many children read it, how many parents know their children are using the site. This site is reasonable good there are moderators and links to alert the administrators, but how many other fan sites are responsible.
The sad thing is children start in such forums and then progress onto using the video and online gaming sites where the abuse continues http://www.bbc.co.uk/news/magazine-18280000 at the moment as the BBC article puts it
"If you set up a website and allow third parties to publish things or to interact with each other you have to acknowledge that, absent any authentication of their true identities, some people will shelter behind the apparent anonymity of cyberspace and behave badly, even criminally. "
The question is how do you prevent people hiding their identities on the Internet? how can you authenticate true identities? people have being faking ID since the beginning of time probable. Under 18's use fake ID to get into pubs, clubs and over 18 films at the cinema, young children under the age of 13 have facebook accounts, most children know more about online usage and IT then their parents.
At the moment governments rely on self regulation by the owners of the sites, but are strong regulations required, they may not be enforceable due to the nature of the website but will set a baseline for the management of sites and could make prosecutions easier of those individuals who are the source of the abuse and those sites that don't act to try and reduce the activities of such individuals or fail to work with authorities in trying to trace and prosecute them.
The news that Government are changing the regulatory framework in the UK to make it easier to trace cyber bullies and cyber trolls is good news, but further work is required to ensure prosecution of those involved succeeds quickly.
What is disturbing are article such as the ones about Habbo Hotel http://www.bbc.co.uk/news/technology-18433471 used by children to interact with each other being used by sexual predators despite as the company behind it state the use of 200 moderators.
However the range of forums for children is growing, many not well know by authorities or by parents. A lot of books now have an online connection, take the "Chronicles of Ancient Darkness" a series of books for children that has an online site http://jointheclan.com/ for children to share and take part in the world of the clans. The site has an FAQ and a section on being safe online http://www.jointheclan.com/forum/faq.php?faq=clanrules#faq_clan_rules_inner but how many children read it, how many parents know their children are using the site. This site is reasonable good there are moderators and links to alert the administrators, but how many other fan sites are responsible.
The sad thing is children start in such forums and then progress onto using the video and online gaming sites where the abuse continues http://www.bbc.co.uk/news/magazine-18280000 at the moment as the BBC article puts it
"If you set up a website and allow third parties to publish things or to interact with each other you have to acknowledge that, absent any authentication of their true identities, some people will shelter behind the apparent anonymity of cyberspace and behave badly, even criminally. "
The question is how do you prevent people hiding their identities on the Internet? how can you authenticate true identities? people have being faking ID since the beginning of time probable. Under 18's use fake ID to get into pubs, clubs and over 18 films at the cinema, young children under the age of 13 have facebook accounts, most children know more about online usage and IT then their parents.
At the moment governments rely on self regulation by the owners of the sites, but are strong regulations required, they may not be enforceable due to the nature of the website but will set a baseline for the management of sites and could make prosecutions easier of those individuals who are the source of the abuse and those sites that don't act to try and reduce the activities of such individuals or fail to work with authorities in trying to trace and prosecute them.
Wednesday 13 June 2012
current challenges
Asked for views on
- The current challenges in information assurance - what are the latest threats and exploits
- Current trends of COST of breaches and examples of information assurance breaches
- Assessing risk and valuing information
Whilst not a comprehensive answer, I thought the following where suitable points
The current challenge is the BYOD (bring/buy your own device) this along with cloud and mobile working is stripping away the number of levels that controls and countermeasures can be deployed.
Defense in depth is becoming harder to achieve when the endpoint is someones personal tablet or smartphone, the number of exploits for Android is increasing and other smartphone tablet OS's
Interestingly although Android is a bit of a paradox, it is easier to exploit as it is less controlled than iOS from Apple however it has been selected by the USA Government as the basis of a secure phone as it is less locked down and they can add and implement secure features more easily than on the iOS
The main threat agents are :-
- Hactivists groups such as Anonymous
- Criminal gangs
- Industrial espionage, both state sponsored and private
- Cyber terrorism/warfare, applies to Governments and Critical Infrastructure
Cyber terrorism/warfare is much hyped, however it can be a possibility, from a risk management point of view it is a low likelihood, high impact risk. Normally you would consider risk transfer via insurance for this type of risk of low likelihood and high impact, but in this case it is not appropriate, migrating the risks through controls and countermeasures is costly but the impact can be very high.
My view is the danger that the Cyber warfare tools such as Stuxnet, Duqu & Flame once released into the wild can escape from the target environment, Stuxnet did this. The other problem is that the other threat agents can reverse engineer the code and produce new variants to do their bidding.
The main attack vectors are
- Infrastructure
- Application
- Social Engineering
A lot of the recent successful attacks have been via attacking the application (Sony) or through social engineering (RSA), infrastructure countermeasures are a mature technology (except SCADA) and attacks based on the network infrastructure are becoming less of a percentage of the overall attacks.
I see infrastructure attacks continuing to occur, new attacks will be developed to attack the mobile/cloud infrastructure, implementing man-in-the-middle attacks, redirect attacks, spoofing attacks on the remote cloud apps and storage will become more prevalent.
There is a lot of focus on Advanced Persistent Attacks (APT), however there are still problems in the basics of security countermeasures, security needs to be part of the fundamental design requirements during project initialization stages rather than being added during the project, at the end of the project, or afterward the project has been completed for any system development. Whilst looking at the new attacks we should not forget the old attacks and foget the security basics. This applies in particular to web applications, injection and cross site attacks have been know for years but applications are still vulnerable.
Legislation is slowly moving to compulsorily breach notification, higher penalties for information disclosure; this is driving the need for proper security programs and data classification being conducted by Information Security professionals rather than the IT department.
Within organisations there is a growth in the position of the Chief Information Security Officer (CISO) and the Information Security Manager (ISM) and all related acronyms. Certifications such as CISSP, CISM and CISA will become more prevalent in the qualifications for such positions along with others. Companies will be looking at standards and becoming certified and accredited to standards such as CoBIT, ISO/IEC 27000 series and ITIL as accreditation will help prove due diligence and show the company is working to the prudent man rule. A number of high profile companies that have been attacked recently didn't have a specialist information security person before the attack and now have filled that position (LinkedIn and Sony).
Tuesday 12 June 2012
Tools (June 12th)
Weekly round up of pen test and forensic tools that have come to my attention over the last week, it is not a comprehensive tool list but tools that I found interesting or details of tools I use that have been upgrade.
web-sorrow V-1.3.9 -
http://code.google.com/p/web-sorrow/downloads/list
a remote web scanner for misconfig, version detection, and server enumeration tool writen in perl.
Joomla Folder Scanner v-1.0b4
http://sourceforge.net/projects/joomscanner/files/jfs/1.0b4/jfs_1.0b4_win.zip/download
Scan Joomla-Based Websites and detects components, modules, languages, templates and plugins (based on a list), in both, the public and the admin part of the website.
Penetration Testing Framework version 0.59 has been released
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html#
FOCA
http://www.informatica64.com/foca.aspx
FOCA 3.1 Free is a fingerprint and information gathering tool for pentesters. It searches for servers, domains, URLS and public documents and print out discovered information in a network tree. It also search for data leaks such as meta data, directory listing, insecure HTTP methods, .listing or .DS_Store files, activated cache in DNS Serves, etc
web-sorrow V-1.3.9 -
http://code.google.com/p/web-sorrow/downloads/list
a remote web scanner for misconfig, version detection, and server enumeration tool writen in perl.
Joomla Folder Scanner v-1.0b4
http://sourceforge.net/projects/joomscanner/files/jfs/1.0b4/jfs_1.0b4_win.zip/download
Scan Joomla-Based Websites and detects components, modules, languages, templates and plugins (based on a list), in both, the public and the admin part of the website.
Penetration Testing Framework version 0.59 has been released
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html#
FOCA
http://www.informatica64.com/foca.aspx
FOCA 3.1 Free is a fingerprint and information gathering tool for pentesters. It searches for servers, domains, URLS and public documents and print out discovered information in a network tree. It also search for data leaks such as meta data, directory listing, insecure HTTP methods, .listing or .DS_Store files, activated cache in DNS Serves, etc
Facebook & Trolls (3)
Probably the final post for now on this subject, this morning on the BBC http://www.bbc.co.uk/news/technology-18404621 an article about a UK Government proposal to make it easier to get information from ISP and service providers. Justice Secretary Ken Clarke is proposing new powers, to be added to the Defamation Bill to make it less costly and quicker for private individuals to get the information, whilst giving the providers a better defence against sued in the event of a defamation claim. Which if implemented should help in the battle against defamation, however it still leaves it in the hands of the individual to bring cases, but at least it is a move in the right direction. This Bill is expected to have its second reading debate on 12 June 2012 http://services.parliament.uk/bills/2012-13/defamation.html
Monday 11 June 2012
Facebook & Trolls (2)
After my posting on Saturday I continued to monitor the story about Facebook and Trolls and on today's Register http://www.theregister.co.uk/2012/06/11/woman_wins_landmark_trolling_case_against_facebook/ the was an interesting article about the case with a link to Bains Cohen LLP article http://www.bainscohen.com/bains-cohen-takes-on-first-ever-private-prosecution-of-internet-trolls which is interesting, it makes the point that the local police didn't know how to deal with the case and that there are sufficient laws in the UK for them to take action under the Protection From Harassment Act 1997, Communications Act 2003 and the Malicious Communications Act 1988.
Additionally they make the point "The bottle neck is clearly at the point where identities need to be revealed so the only long term solution is for the government to establish a body with some judicial powers to make it easier and cheaper for individuals or the police, to have the identity of their abusers revealed to them" which matches my view on the need for the government to make it easier for private individuals to pursure actions quickly and with the support of the authorities.
Additionally they make the point "The bottle neck is clearly at the point where identities need to be revealed so the only long term solution is for the government to establish a body with some judicial powers to make it easier and cheaper for individuals or the police, to have the identity of their abusers revealed to them" which matches my view on the need for the government to make it easier for private individuals to pursure actions quickly and with the support of the authorities.
Saturday 9 June 2012
Facebook & Trolls
Story on The Guardian http://www.guardian.co.uk/technology/2012/jun/08/facebook-revealing-identities-cyberbullies saying Facebook forced into giving up cyberbullies identities. Further down the story and from a couple of other articles come the real reason for the court case, which by the way facebook didn't contend. Facebook as a company tries to protect itself by only giving out information that could be Personal Identifiable Information when it receives a court order, which seems reasonable otherwise they could be a lot of false challenges to Facebook and other companies including ISP's in order to gain information which the challenger could then use for malicious purposes. The good thing in this case was the lady in question managed to get the court order, now I'm not an expert on the legal workings in the UK, but she it was stated that she took action as her local police had other commitments, which I think that is the political correct way of stating the situation that they did not pursue the case for her, and the only option for her was going down the route of a private court case which probable cost her unless the law firm representing her did the case for free. Hopefully the information that has been requested, and Facebook have said they will comply with the court order and provide the information, will be enough to identify the abuser without further court actions required against ISPs and the abuser will be prosecuted.
The downside and the point I want to make is this is where there needs to be some action from the Government if the resources can't be made available to the police to deal with the problem of online abuse, is how can it be made easier and less costly for individuals to get court orders to enable ISP and Internet companies to release information in cases where they are being abused, and for this to be done quickly. As it is unlikely the police will be given sufficient resources, a possible solution would be for the creation of new body with sufficient powers that would verify an abuse claim, and then be able to get a fast track court order via judge that would sufficient for online providers and ISPs to hand over the requested information and then be able to work with the Police and the CPS to bring prosecutions. Ideally the body would be self funding, other than setting up costs, by imposing a order for costs against the abuser.
The downside and the point I want to make is this is where there needs to be some action from the Government if the resources can't be made available to the police to deal with the problem of online abuse, is how can it be made easier and less costly for individuals to get court orders to enable ISP and Internet companies to release information in cases where they are being abused, and for this to be done quickly. As it is unlikely the police will be given sufficient resources, a possible solution would be for the creation of new body with sufficient powers that would verify an abuse claim, and then be able to get a fast track court order via judge that would sufficient for online providers and ISPs to hand over the requested information and then be able to work with the Police and the CPS to bring prosecutions. Ideally the body would be self funding, other than setting up costs, by imposing a order for costs against the abuser.
Thursday 7 June 2012
Password Reuse
The reports in the last 24 hours about the stolen passwords from Linkedin, Harmony and Last.fm show that criminals are targeting users credentials, a point made by Imperva was that the password list from Linkedin that was published on a bulletin board appeared to have no repeats of the hashed values which leads to conclude that the number of compromised accounts is likely to be higher than the original figure.
The reason for this is that passwords are not unique, the UserID is unique but they is nothing to stop different users having the same password, a password encrypted using the same algorithm would give the same hash value, if the password hashing process had included a salt (random) value in the hashing process then the same password should produce a different hash value. An article on the Register website http://www.theregister.co.uk/2012/06/07/linkedin_admits_data_breach/ indicates that LinkedIn did not use a salt in the original hashing procedure.
If the hackers can crack the encryption then the users account would be vulnerable, however after notification of the hacker users are going to change their passwords. This will lead to a rise in scams using phishing techniques to get users to click on a link to change their password but end up being redirect to various malicious websites or having additional credentials and information harvested from them.
Even through the hack has been well publicised and users will be changing passwords, the list of passwords will still be of value as users often use the same password on a number of accounts, in which case users who have done this should change passwords immediately on all affected accounts.
Recommend actions
Change the password on the hacked account
Be wary of emails about LinkedIn, Harmony and Last.fm
Use different passwords on different accounts
The reason for this is that passwords are not unique, the UserID is unique but they is nothing to stop different users having the same password, a password encrypted using the same algorithm would give the same hash value, if the password hashing process had included a salt (random) value in the hashing process then the same password should produce a different hash value. An article on the Register website http://www.theregister.co.uk/2012/06/07/linkedin_admits_data_breach/ indicates that LinkedIn did not use a salt in the original hashing procedure.
If the hackers can crack the encryption then the users account would be vulnerable, however after notification of the hacker users are going to change their passwords. This will lead to a rise in scams using phishing techniques to get users to click on a link to change their password but end up being redirect to various malicious websites or having additional credentials and information harvested from them.
Even through the hack has been well publicised and users will be changing passwords, the list of passwords will still be of value as users often use the same password on a number of accounts, in which case users who have done this should change passwords immediately on all affected accounts.
Recommend actions
Change the password on the hacked account
Be wary of emails about LinkedIn, Harmony and Last.fm
Use different passwords on different accounts
Wednesday 6 June 2012
Information Security Program
This is part of a series of articles about the subject matter common to the CISA, CISM and CISSP certifications
Definitions (source Deloitte)
Information Security Program - An information security program is the comprehensive, organized collection of documented artefacts and processes that are used to continuously deliver information security across the enterprise
Information Security Program Framework - The information security program framework is the superset of the information security framework, the information security drivers and the information security services that describe and control all of the elements of information security for the enterprise
Information Security Strategy - An information security strategy is a documented specification that links all necessary organizational, technical and administrative information security controls to a strategic combination of business drivers, legal requirements, threat scenarios and design to ensure information security is operationally integrated with the overall IT architecture, business processes and business culture
Information Security Program
Achieving acceptable levels of information security whilst retaining value for money depends on good planning, an effective information security strategy and capable management. An information security program serves to protect:-
The information security program is the process used by an organisation to implement and make operational the Information Security Strategy, it consists of process that achieve the objectives of the strategy, it ensures the security systems are designed, engineered, built, deployed, changed, managed and maintained as well as decommissioning.
For it to be effective it must have well defined goals that are specific, objective and measurable, the metrics must be appropriate and capable of being used to determine if the goal has been achieved, and give indication if the goals where missed of how far out they where, and how performance can be improved. This allows gap analysis to be used in auditing the program.
Implementing
The use of standard frameworks such as COBIT or ISO/IEC 27001 in conjunction with a capability maturity model (CMM) scale can allow the information security manager to determine current position and set specific goals and determine a strategy to meet them. Senior Management/Board must approve the objectives and there has to be a top-down (from the Senior Management) buy into the Information security strategy and program. By senior management approving and buying into information security it should ensure that the strategy and program are aligned with business objectives.
Steps in developing a Information Security Program
Management of an information security program
The management of the information security program lends itself to the concepts and methodologies of a Total Quality Management (TQM) system. A TQM is based on the Deming cycle of Plan – Do – Check – Act (PDCA) an iterative four-step management method used in business for the control and continuous improvement of processes and products.
Definitions (source Deloitte)
Information Security Program - An information security program is the comprehensive, organized collection of documented artefacts and processes that are used to continuously deliver information security across the enterprise
Information Security Program Framework - The information security program framework is the superset of the information security framework, the information security drivers and the information security services that describe and control all of the elements of information security for the enterprise
Information Security Strategy - An information security strategy is a documented specification that links all necessary organizational, technical and administrative information security controls to a strategic combination of business drivers, legal requirements, threat scenarios and design to ensure information security is operationally integrated with the overall IT architecture, business processes and business culture
Information Security Program
Achieving acceptable levels of information security whilst retaining value for money depends on good planning, an effective information security strategy and capable management. An information security program serves to protect:-
- Information Assets
- Satisfy regulatory obligations
- Minimise potential legal and liability exposures
The information security program is the process used by an organisation to implement and make operational the Information Security Strategy, it consists of process that achieve the objectives of the strategy, it ensures the security systems are designed, engineered, built, deployed, changed, managed and maintained as well as decommissioning.
For it to be effective it must have well defined goals that are specific, objective and measurable, the metrics must be appropriate and capable of being used to determine if the goal has been achieved, and give indication if the goals where missed of how far out they where, and how performance can be improved. This allows gap analysis to be used in auditing the program.
Implementing
The use of standard frameworks such as COBIT or ISO/IEC 27001 in conjunction with a capability maturity model (CMM) scale can allow the information security manager to determine current position and set specific goals and determine a strategy to meet them. Senior Management/Board must approve the objectives and there has to be a top-down (from the Senior Management) buy into the Information security strategy and program. By senior management approving and buying into information security it should ensure that the strategy and program are aligned with business objectives.
Steps in developing a Information Security Program
- Determine desired outcomes for information security
- Define the desired state (objectives) for information security
- Determine the current state of information security
- Performa gap analysis between the current and desired states
- Develop a strategy to close the gaps identified
- Create a road map for the delivery of the strategy
- Develop a program to implement the strategy
- Manage the program to ensure objectives and desired outcomes are achieved
Management of an information security program
The management of the information security program lends itself to the concepts and methodologies of a Total Quality Management (TQM) system. A TQM is based on the Deming cycle of Plan – Do – Check – Act (PDCA) an iterative four-step management method used in business for the control and continuous improvement of processes and products.
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance
Monday 4 June 2012
May ADSL Log Analysis
Analysis of the logs files from my ADSL router for May, there was a large peak of UDP scans which emanated from China.
Peak number of events was on the 30th May when 545 events were logged, other dates that above average number of events were detected were the 14th and 21st of May. With a slightly elevated rate of events on the 24th May.
The detected events broke down country wise as follows
The events on the 24th were TCP probes all on port 23 from IP addresses registered in Turkey.
The events on the 30th were UDP probes on port 58299, the 21st were UDP probes on port 38029, and the 14th were UDP probes on port 58281
The top three IP addresses for the origination of the probes where
288 events - 59.66.241.nnn (Zijing Campus 2nd Phase, Tsinghua University)
128 events - 218.109.70.nnn (WASU-BB)
122 events - 113.117.150.nnn (CHINANET Guangdong province network)
 |
| Daily Frequency of scans |
Peak number of events was on the 30th May when 545 events were logged, other dates that above average number of events were detected were the 14th and 21st of May. With a slightly elevated rate of events on the 24th May.
The detected events broke down country wise as follows
| Country | Number of events | Number of unique IP |
|---|---|---|
| China | 783 | 44 |
| Turkey | 19 | 19 |
| India | 1 | 1 |
| Pakistan | 1 | 1 |
The events on the 24th were TCP probes all on port 23 from IP addresses registered in Turkey.
The events on the 30th were UDP probes on port 58299, the 21st were UDP probes on port 38029, and the 14th were UDP probes on port 58281
The top three IP addresses for the origination of the probes where
288 events - 59.66.241.nnn (Zijing Campus 2nd Phase, Tsinghua University)
128 events - 218.109.70.nnn (WASU-BB)
122 events - 113.117.150.nnn (CHINANET Guangdong province network)
Tools (4th June)
Weekly round up of pen test and forensic tools that have come to my attention over the last week, it is not a comprehensive tool list but tools that I found interesting or details of tools I use that have been upgrade.
Webapp-Exploit-Payloads v1.0 Released
http://www.toolswatch.org/2012/05/webapp-exploit-payloads-v1-0-released/
Webapp-Exploit-Payloads is a collection of payloads for common webapps. For example Joomla and WordPress.
PwnPi v1.0 – Pen Testing Raspberry Pi
http://www.toolswatch.org/2012/05/pwnpi-v1-0-pen-testing-raspberry-pi/
A Pen Test Drop Box distro for the Raspberry Pi
pweb suite perl based web app penetration testing-tools
http://pentestlab.org/pweb-suite-perl-based-web-app-penetration-testing-tools/
pWeb Suite (formerly known as pCrack Suite) is a set of Perl based penetration testing tools for web application vulnerability testing.
Gui For SqlMap v-300512 released
http://www.seclist.us/2012/05/gui-for-sqlmap-v-300512-released.html
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Webapp-Exploit-Payloads v1.0 Released
http://www.toolswatch.org/2012/05/webapp-exploit-payloads-v1-0-released/
Webapp-Exploit-Payloads is a collection of payloads for common webapps. For example Joomla and WordPress.
PwnPi v1.0 – Pen Testing Raspberry Pi
http://www.toolswatch.org/2012/05/pwnpi-v1-0-pen-testing-raspberry-pi/
A Pen Test Drop Box distro for the Raspberry Pi
pweb suite perl based web app penetration testing-tools
http://pentestlab.org/pweb-suite-perl-based-web-app-penetration-testing-tools/
pWeb Suite (formerly known as pCrack Suite) is a set of Perl based penetration testing tools for web application vulnerability testing.
Gui For SqlMap v-300512 released
http://www.seclist.us/2012/05/gui-for-sqlmap-v-300512-released.html
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Subscribe to:
Posts (Atom)