PenTest Market Magazine

Social media is an addition to the toolkit – not something new and different. Small businesses need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Social media can add to all of these core pieces if used effectively. It may be free (or nearly free), but the opportunity costs must be carefully weighed before investing precious resources into it.


Transcript

  • 2. EDITOR'S NOTE

PenTest Market 02/2012 (02)

The pentesting market is growing

The second issue of PenTest Market is out. We have prepared for you the next fresh dose of interviews and articles devoted exclusively to the pentesting business. The first issue was very popular, so we decided to make PenTest Market a free magazine. Now access to our content will be easier than ever. Let's look at what we have prepared for you in this issue.

On the cover you can see Victor Mehai Christiansenn, the Director of Sales at SecPoint. Victor told us about the pentesting market, which, in his opinion, is going to keep increasing in the upcoming years. He has also described SecPoint's tools for penetration testers.

On the next pages we will „Walk through the penetration testing fundamentals” with Pierluigi Paganini. The author explains why to conduct a penetration test and shows that a penetration test is a widespread need.

We have talked with two experts in the area of IT security auditing. Michael Brozzetti told us what the difference is between an internal auditor and an external auditor. We also asked him about the transition from IT security to IT auditing. Furthermore, Mehmet Cuneyt recommended certifications, trainings and skills for someone who wants to pursue a career in IT security auditing.

Another interesting person we had the pleasure to talk with was Dr. Lukas Ruf. He is a senior security and strategy consultant with Consecom AG. He has shared with us his experience from the security consulting business and told us about strict cyber privacy in the EU.

Ian Moyse, a leader in cloud computing, has prepared for us a combination of pieces focusing on adopting the cloud in a secure manner. He provides exemplary things to check before signing up with a cloud service provider.

„Have you M.E.T?” is a really intriguing title. In his article, Amarendra writes about what it takes to be a successful pen-tester. You just have to have M.E.T: Mindset, Experience, Tools, techniques, and training.

Our next guests are Joe Hillis and Jay McBain. Joe is leading an initiative to engage the technology community to help small businesses and communities with continuity and recovery of information systems following a disaster. Jay is an accomplished speaker, author and innovator in the IT industry. They both have much experience in IT security and you can learn a lot from them.

Our last but not least interview in this issue features Raj Goel. He is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries.

Finally we can present the article by our great contributor, Aby Rao. He provides „10 ways to enhance your career in Information Security” based on his personal experience. This article is primarily targeted towards people who are at entry-level positions or are making a switch to IT security from a different field of work.

We hope you will find this issue of PenTest Market absorbing and uncommon. Thank you all for your great support and invaluable help.

Enjoy reading!
Krzysztof Marczyk & Pentest Team

02/2012(2) Page 3 http://pentestmag.com
  • 3. CONTENTS

PENTESTING MARKET

06 Interview with Victor Mehai Christiansenn, by Aby Rao
   Pen test market has grown a lot during the last few years and the good news is that this increase is not going to stop, as there will always be a new vulnerability and the remedy for it is required instantly. So we always keep finding new possible loopholes, and the customers and end users do understand the need for Pen-Testing as it's a proactive way of finding what might be coming to them in the future, and they do want to stay prepared and prevent it. There is nothing better than Pen Testing and it is just going to increase more and more in the coming time.

PENTESTING FUNDAMENTALS

08 Walk Through the Penetration Testing Fundamentals, by Pierluigi Paganini
   The figure of the pen tester is a critical figure; he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has also happened in history that companies have wrongly hired hackers who in time were revealed to be cyber criminals. Information is power, is money, and the concept of „trust” is fundamental for this kind of analysis.

IT SECURITY AUDITING

12 Interview with Michael Brozzetti, by Aby Rao
   IT security professionals can make excellent candidates for IT auditors because it's like looking through the other end of the lens. IT auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking "short-cuts." This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT auditing.

16 Interview with Mehmet Cuneyt Uvey, by Jeff Weaver
   The profession of auditing is one of the oldest in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, must understand project management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look underneath the numbers (business results) to the systems and processes that create those numbers.

SECURITY CONSULTING BUSINESS

20 Interview with Lukas Ruf, by Aby Rao
   As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others, due to a good level of education and, hence, awareness of threats and daily mitigation measures.

CLOUD COMPUTING

24 Securing Clouds, by Ian Moyse
   Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

SUCCESSFUL PENTESTER

28 Have you M.E.T?, by Amarendra
   Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the „ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

DISASTER RECOVERY

30 Interview with Joe Hillis, by Aby Rao
   Disaster Recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The "best" method is generally driven by a business's operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; others may require continuous access to systems and data, regardless of the event.

SOCIAL MEDIA

34 Interview with Jay McBain, by Aby Rao
   Building a personal brand is key in today's „flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

IT SECURITY

40 Interview with Raj Goel, by Aby Rao
   At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security doesn't really matter to them – I've met very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – that's the only regulation that captured their attention and budgets.

KNOW-HOW

44 10 Ways to Enhance Your Career in Information Security, by Aby Rao
   At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences. This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn't have a problem running through the list fairly quickly.

TEAM

Editor: Krzysztof Marczyk krzysztof.marczyk@software.com.pl
Associate Editor: Aby Rao
Betatesters / Proofreaders: Massimo Buso, Daniel Distler, Davide Quarta, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by. Mathematical formulas created by Design Science MathType™.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
  • 5. PENTESTING MARKET

Interview with Victor Mehai Christiansenn

Victor Christiansenn is the Director of Sales at SecPoint. He established the SecPoint security firm in 1998, at the tender age of 16, in the basement of his parents' house. Since then, the young entrepreneur has been working in the IT security industry full-time for more than 11 years. His passions are Wifi Security, Vulnerability Scanning and UTM Appliances. He is interested in Freemasonry.

SecPoint is a world-renowned IT company. What is the key to the success of your company?
Victor Christiansenn: Innovation and Continuous Development. Doing things differently than everybody else and opening up new markets, like with the Portable Penetrator. Also to quickly adapt to new requirements in the market.

You have been on the market since 1998. What was the most challenging at the beginning of your career?
VC: Every day is a challenge! Once you love your job you do not see it as a challenge.

How has the pentesting market changed during these several years? Do you consider anything as a turning point for the market?
VC: It has changed a lot. We have seen sales of the Penetrator and Portable Penetrator increase, especially in the last three years. There has been a turning point where customers have realized the need for pentesting. Plus, every other day a new vulnerability is found, and as an IT Security company we always strive to find the solution to the vulnerability.

How do you see this market in the future?
VC: Growing big time. The pen test market has grown a lot during the last few years and the good news is that this increase is not going to slow down; there will always be new vulnerabilities and the need to find a remedy for them is required as fast as possible. So, we always try to keep finding new potential loopholes, and the customers and end users do understand the need for Pen-Testing as a proactive way of finding what might be coming to them in the future, and they do want to stay prepared. There is nothing better than Pen Testing and it is just going to increase more and more in the coming time.

What would you advise to people who want to start their own company in the IT field?
VC: Go for it! The whole Internet is waiting for you. As I said, the threats are something that will never go away. You will always find some news about new threats discovered. It requires a lot of manpower and skills to be able to be the one who finds it before anyone else. Then comes the part of finding the solution and integrating it into the Pen-Testing product, so that the scanner can scan for it and find out if that vulnerability is indeed present on the network.

Please, tell us more about your products (SecPoint Protector, SecPoint Penetrator, SecPoint Portable Penetrator).
VC: Protector is an advanced UTM (Unified Threat Management), which ensures real-time all-round protection for users connected on your wired network. Protector comes with advanced IT Security features like Firewall, Real-Time Intrusion Prevention IPS, Anti-Spam, Multiple Anti-Virus suites, Web Filter, Web Proxy, Anti Phishing, Content Filter, Full Mail Archiver, DLP (Data Leak Prevention), Incoming and Outgoing Mail Backup, and more. Protector is available as an Appliance, as well as in VMWare. Protector is easy to install and comes with a fully-customizable, easy to use interface.

Penetrator is a complete Penetration Testing, Vulnerability Scanning Suite. Portable Penetrator can scan any IP over a wired network for vulnerabilities. The system scans and searches for over 50,000 types of vulnerabilities on any IP address. Further, you can launch real exploits in order to check how secure your network is. Penetrator is available as an Appliance as well as a VMWare version.

Cloud Penetrator is an online vulnerability assessment utility that is used to check vulnerabilities on public IP addresses. It has an advanced crawler that crawls through each and every page of the website/websites present on a public IP address and looks for over 50,000 types of vulnerabilities. It is a complete vulnerability assessment tool for a public IP address. For example – SQL Injection, XSS Cross Site Scripting, Command Execution, etc. For more information you can visit the FAQ section on our web site: http://shop.secpoint.com/shop/cms-faq.html.

Are SecPoint Penetrator and SecPoint Portable Penetrator intended for all pentesters regardless of their skill level?
VC: Yes. Penetrator and Portable Penetrator come with an easy to use interface and scanning can be initiated with just three clicks. So, it is quite easy to use. The reports have an Executive Summary and in-depth technical details for the technical team. Customers can also host our products as a Cloud SAAS service. It is a new trend that is quite rewarding and is getting more and more famous every day around the globe.

Which companies would benefit the most from your services? In which part of the world do you have the most business contacts?
VC: Apart from the enterprise level products, we also have entry level products for Small and Medium Businesses. So, we try to serve all sectors. We have the biggest customer base in Europe and the USA. With SecPoint's 'No Hidden Cost Policy,' customers get the convenience of obtaining the solution they need at no extra cost. Products come with many features and upgrades, but they do not need to pay for them separately.

How can you become a SecPoint employee? What traits and skills are highly appreciated? What may discourage you in hiring a potential employee?
VC: We ONLY work with the best. If you have the skills, we have the right place for you. The IT Security industry always welcomes talented people. „Skills” and „Results on time” are highly appreciated everywhere. It is nothing but a game of speed, where you need to be able to find a possible loophole, then find the solution, and then integrate it into the scanner. It is a game of Speed and Skills. The better the skill, the faster and more accurate your output will be.

How will SecPoint surprise us in the future? What are the long-term plans of the company?
VC: Watch out for 2012 and 2013! Many new things are coming. We are working around the clock in order to get more and more features built. By mid-2012 we are planning to add some exciting new features to our products, and the development phase is a never ending process.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
  • 7. PENTESTING FUNDAMENTALS

Walk through the penetration testing fundamentals

Talking about penetration testing fundamentals and their introduction in the private and military sectors. The growing demand for experienced IT professionals demonstrates awareness of the matter; it is an expression of the need to analyze in depth every aspect of technology solutions.

The level of security and confidence demanded by the market requires a meticulous approach to the testing phase of architectures, and the methods introduced in recent years have become an integral part of the production cycle of each solution.

Why conduct a penetration test?

Penetration testing is a fundamental method for evaluating the security level of a computer architecture or network; it consists of simulating an attack on the resources of the system under analysis. Of course the investigation can be conducted by experts to audit the security level of the target, but also by cyber criminals who wish to exploit the system.

The penetration testing process is conducted on the target searching for any kind of vulnerability that could be exploited, such as software bugs, improper configurations and hardware flaws.

The expertise provided by professional penetration testers is an irreplaceable component of the security evaluation of systems deployed in the private and military sectors. In many sectors this kind of test is required for the validation of any system or component.

The testing approach has changed radically over the years. Similar tests were originally conducted mainly on systems already in production or operation in order to demonstrate their vulnerabilities; today's test sessions are planned as part of the design phase and assigned to internal or external staff according to the type of checks to be conducted.

A first classification of penetration tests is based on the knowledge of the technical details of the final target, distinguishing black box testing from white box testing. Black box testing assumes no prior knowledge of the system under test: the attacker first has to locate the target and identify its surface before starting the analysis. With the term white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.

The figure of the pen tester is a critical one: he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, so the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has happened in the past that companies wrongly hired hackers who in time were revealed to be cyber criminals. Information is power and money, and the concept of "trust" is fundamental for this kind of analysis.

Over the years, awareness of the risks attributable to exploitable vulnerabilities in systems, and of their economic impact, has fortunately increased. This aspect is not negligible, because it has enabled a more robust commitment by company management, which has requested penetration testing activities more and more often.

An effective penetration test provides the company with a useful report on the status of its services and its exposure to the main known threats. Don't forget that many incidents registered last year were related to unknown vulnerabilities in the victims' systems and to misconfiguration of appliances of all kinds.

While the main objective of penetration testing is to determine the security level of the company, and in particular of its infrastructures, it can have a number of further objectives, including testing the organization's security incident identification and response capability, testing security policy compliance and testing employee security awareness.

The main benefits of a well-done penetration test are:

• Identification and classification of the vulnerabilities of the systems. Classification is essential to give the right priority to the activities needed to improve security and secure the infrastructure.
• Identification of those critical components in the attack surface of a system that, while not vulnerable, have characteristics that make them susceptible to attacks over time.
• Determining the feasibility of a particular set of attack vectors.
• Helping organizations meet regulatory compliance.
• Identification of the vulnerabilities is the starting point for a deeper analysis made to assess the potential impact on the company's business.
• Providing evidence of the real status of the systems through a detailed report to the management of a company. It is the starting point because, starting from the report, the company must proceed to secure its infrastructures, evaluating corrective actions and their impact on the actual business. Well-documented penetration test results help management to identify the right actions to secure the structures and to size the budget for them.

According to the principal methodologies, the whole process of a penetration test, from initial requirements analysis to report generation, can be applied to the following areas:

• Information security
• Process security
• Internet technology security
• Communications security
• Wireless security
• Physical security

Standards & Regulations

Penetration testing activities are also the object of regulation by several standards. For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual and ongoing penetration testing. PCI DSS Requirement 11.3 (https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf) describes penetration testing as the attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.

Figure 1. How safe is your computer?

The standard also includes network and application layer testing as well as controls and processes around the networks and applications, and testing should occur both from outside the network trying to come in (external testing) and from inside the network.

The most important factor for a successful penetration test is the adopted methodology; that is the reason why the discipline has evolved since its origin in the 1970s. Over the years professionals have proposed and developed efficient frameworks for conducting a complete and accurate penetration test.

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de facto methodology for performing penetration testing and obtaining security metrics. Pete Herzog, the OSSTMM creator, said: "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliance, cyber-terrorism, and hackers."

In my opinion, transparency and an efficient methodology are essential for the study and the assessment of every system.

Just to give a complete view of the standards and methodologies in penetration testing, we can recall the other guidelines recognized worldwide:

• Standards for Information Systems Auditing (ISACA), introduced in 1967. The ISACA organization provides the basic and most important of the audit certifications, useful to demonstrate to the market mastery of the concepts of security, control and audit of information systems.
• OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure Web applications and Web services.
• NSA Infrastructure Evaluation Methodology (IEM).

How effective are our systems, how efficient are our processes? We are never going to know until we run drills and exercises that stress the platforms and perform the analysis. Simulating the possible attacks and measuring the level of response of our architecture is fundamental; we have learned from events how dangerous an unpredicted incident can be. Conducting a pen test is a good opportunity to test the level of security of an environment, but also to evaluate the response of the company to an intrusion or an incident. Using this methodology it is possible to stress and analyze a system or an application, discovering its vulnerabilities and the impact of every possible attack or malfunction on the overall architecture and on related systems. It has happened that a penetration test discovered mutual vulnerabilities between components: for example, the exploitation of a first Web service could cause the blocking of, or worse an exploit in, a related system that uses the services provided.

Figure 2. Chinese Army computer hacking class

Several years ago, during the period in which I conducted penetration testing for a major company, I observed during a test session that some components were intentionally excluded because the administrators of the platforms were already informed about their vulnerabilities. That behavior is really dangerous: excluding weak systems during a penetration test is a common wrong practice that prevents an efficient analysis of the system. In this way we will never be able to measure the impact of the vulnerabilities on the overall security, regardless of how the risks are addressed and recognized by the management of a firm. In a past experience I had the opportunity to audit an ISO 27001 compliant company whose management was perfectly aware of some known vulnerabilities and accepted the related risks. A few months later, an external attack damaged the company through a vulnerability that was not known, correlated to a well-known problem that had not been tested.

Penetration Test, a widespread need

If the practice of carrying out a penetration test is recognized and required by the major standards we examined in a private environment, it becomes crucial in critical environments such as military and government. In these areas information management is extremely sensitive and it is essential for the environments to be tamper-resistant. For this reason, every device, component and infrastructure must be subjected to rigorous testing over time for the purpose of assessing the level of overall security. Particularly critical are all those heterogeneous environments where components are provided by different providers and whose interaction enables the delivery of services. It is this type of environment, together with those characterized by openness to the outside, that is a real thorn in the side of management bodies, as these architectures are more exposed to external threats.

In recent years there has been a dramatic growth of the attacks perpetrated against successful private companies and government agencies, a phenomenon of constant and growing concern. Demonstration projects conducted by hacktivist groups like Anonymous, warfare operations conducted by foreign governments for purposes of offense and cyber espionage, and an unprecedented increase of cyber criminal activities have attracted attention to the security requirements of any IT solution. Verifying the effectiveness of the defensive solutions mentioned has become a significant activity that has led to an increased demand for figures such as the penetration tester, a multidisciplinary and multifaceted professional with the ability to analyze and study a system, identifying its vulnerabilities.

Of course in critical environments, like a military one, governments, due to the secrecy of the solutions analyzed, have preferred to promote internally grown groups of experts trained to execute penetration tests. In this sector nations such as China, Russia and the US are at the forefront.

Taking as an example systems within critical infrastructures, the related vulnerabilities are alarming the world security community. The case of the Stuxnet virus has taught the world how dangerous a cyber weapon capable of exploiting a vulnerability in a system might be. The only possibility we have in facing these cyber threats is to thoroughly test each individual component of the systems we are going to deploy. The method of stressing such infrastructure through penetration tests is essential, a unique opportunity to identify critical vulnerabilities that, if exploited, could affect its security posture.

Penetration tests are a precious opportunity to protect our infrastructures and must be integrated into more articulated testing policies; a good example has been provided by Special Publication 800-42, Guideline on Network Security Testing, published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.

Let me conclude with a phrase that I have read several times on the Web that sums up the purpose of penetration test methodology: "Protecting your enterprise by breaking it".

PIERLUIGI PAGANINI
Pierluigi Paganini has a Bachelor in Computer Science Engineering IT, majoring in Computer Security and Hacking techniques. Security expert with over 20 years of experience in the field. Certified Ethical Hacker at EC Council in London. Currently he is Company Operation Director for Bit4Id, Researcher, Security Evangelist, Security Analyst and Freelance Writer. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog „Security Affairs”.
Security Affairs (http://securityaffairs.co/wordpress)
Email: pierluigi.paganini@securityaffairs.co
IT SECURITY AUDITING

Interview with Michael Brozzetti

Michael Brozzetti (CIA, CISA, CGEIT) is President of Boundless LLC, an expert internal auditing and governance firm, and is Chairman of the Business Integrity Alliance™, a joint venture between zEthics, Inc. and Boundless LLC with the mission of advocating and advancing the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael has a passion for helping organizations strategically manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation.

It’s not very common for us to interview professionals with extensive audit experience. Please tell us about your background and professional experience.

Michael Brozzetti: I started my auditing career with PricewaterhouseCoopers LLP (PwC) as an intern, where I gained a lot of experience in the IT Auditing, IT Governance, and Business Process Reengineering domains. In 2002, I moved into working full-time as an IT Auditor at Charming Shoppes, which is a publicly traded specialty retail company. At that time, the company was going through a transition and had decided to bolster its Internal Audit department by hiring lots of fresh talent, so I had an excellent opportunity to work with a lot of great people to help build a new Internal Audit department from the ground up. It was a unique and valuable experience to help such a large company design and implement internal audit processes and systems to support all of the auditing and consulting engagements performed by the department. In 2005, I decided to take that “leap of faith” and focused my energy into Boundless LLC, which later became recognized as a Philadelphia 100 “Fastest Growing Company” in 2010.

Can you tell us a little bit about your company Boundless LLC and the services you offer?

MB: Boundless LLC helps safeguard reputation and fiduciary integrity by helping organizations manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. We accomplish this by helping organizations integrate and improve their organizational ARCs – Audit, Risk, and Compliance – through our training, speaking, and consulting service offerings. “One size” does not fit all anymore, so Boundless remains flexible in supporting our clients’ needs, and when we are engaged in a consulting capacity we work on a retainer basis, pledging to uphold the Institute of Internal Auditors (IIA) Code of Ethics principles for
integrity, objectivity, competence, and confidentiality. This is what differentiates us from the other consulting firms. Training and speaking is where I like to spend the majority of my time because I find it rewarding to help people improve what they do and how they do it.

You teach at a university, what courses do you teach and how has it helped you as a professional?

MB: I teach a Certified Internal Auditor (CIA) review course in partnership with Villanova University and the Institute of Internal Auditors (IIA). The CIA is the only globally accepted designation for internal auditors. It is the standard by which internal audit professionals demonstrate their knowledge and competence in the areas of governance, risk and control. I think what has helped me most as a professional is the interaction with so many talented Internal Auditors that come to take the course. The course design promotes experiential learning, so when an audit topic is discussed it is often anchored to the real world experiences of the group. This learning style really makes the course topics resonate with participants and it also fosters an excellent 360 degree learning environment for participants, as well as myself.

This may sound quite rudimentary but can you tell us what the difference is between an Internal Auditor and an External auditor?

MB: External auditors are primarily responsible for providing opinions about financial statements within the scope of accounting standards and rules. The external auditor’s approach is historical in nature, usually looking at the previous fiscal year or quarter, and typically puts the greatest focus on financial reporting risk. On the other hand, Internal auditors have a much broader responsibility for assessing operational risk, fraud risk, strategic risk, technology risk, and financial risk beyond just that of financial reporting. Internal Auditors often take a more forward looking approach and ultimately make recommendations to improve the governance, risk, and control processes of their organizations. Reference (http://www.youtube.com/watch?v=4-ko4n-Hyjs).

In the past you have spoken about values, morals and ethics. Why would these terms be important to any organization?

MB: These terms are particularly important to how an organization governs itself and behaves towards its internal and external stakeholders. Professional standards say that internal auditors are responsible for promoting appropriate ethics and values within the organization. I have come to the belief that values do, in fact, motivate while morals and ethics constrain behavior, which was a notion written on by Paul Chippendale. A simple way to discern the difference between morals and ethics is that morals are related to a single person’s belief of what is acceptable and ethics are related to a group belief of what is acceptable. Does a company want to make a profit? YES, of course, but at what cost, and what constrains the company from using overly aggressive captive pricing practices, misleading sales practices, or cheap foreign labor where work safety and employee health is of little concern? I would say ethics in this case should be the constraint, however some would argue as long as it is legal it is okay. I disagree with this mentality and believe that most law and regulation should be viewed as the bare minimum. When making significant business decisions I encourage companies to routinely ask three questions. 1) Is it legal? 2) Is it ethical? 3) Is it sustainable? If you can’t say YES to questions 1 and 2 it is really difficult to say Yes to number 3, which more than likely proves it to be a bad business decision from a long-term governance perspective. Reference (http://www.youtube.com/watch?v=3yt1gzFqe0M).

If an IT security professional notices illegal practices within their organization (inner threats), what approach should they take to report such activities?

MB: First, it is important to get the facts straight and validate that the documentation supports the findings before raising the issue to trusted management or through a trusted ethics/fraud hotline. I am emphasizing the word “trusted” because if the IT security professional does not have sufficient reason to trust management or an ethics/fraud hotline to address the problem
the reporting of these activities can become more challenging. For example, if an IT security professional finds that their company is holding CVV codes for credit card customers and that this information was recently breached, the IT security professional might find it peculiar that they are not getting a positive response from the CISO or CIO. The IT security professional might know that the laws and regulations require the company to notify the customers of the possibility of a breach, but is now concerned the CIO/CISO is downplaying the incident because they recently learned that they were responsible for implementing the security program and developing the data privacy policies. As you can see, it is important that the reporting takes place to a trusted party that is independent enough from the event so that the best decisions can be made for the organization. I know this is easier said than done and often involves lots of moral courage when no one is listening to significant concerns. To prepare for such an incident, I would suggest that the IT security professional establish trusted relationships with other professionals in the organization’s audit, compliance, risk, legal, ethics, and other departments so that they have multiple experts to raise concerns to in the best interest of the organization. I wish I could say reporting was as easy as filing through the hotline or reporting to the senior-most security officer, but the reality is that while this might work in some cases, don’t assume it always will.

Why would someone attain the CIA certification and would you recommend that certification to anyone in the IT Security profession?

MB: IT Security professionals play an important role in assuring their organization maintains strong governance, risk, and control practices. There is nothing wrong with IT security professionals maintaining a career path as a technical security expert, however professionals wanting to get involved in more of the broader business risk issues might want to think about becoming a Certified Internal Auditor. My first certification was as a Certified Information Systems Auditor (CISA), which helped me learn a lot about the technology and security risks that IT security professionals face every day, however my decision to pursue the CIA certification was to gain a broader perspective into the business risk of operating an enterprise. In my experience, when you can frame the technology and security risks within a broader business risk perspective it helps communicate issues to senior-level management to get their attention and take action.

If an IT security professional would like to make a transition to IT Auditing, what path (certification, formal education, work experience etc.) would you recommend and what are some of the challenges they have to be aware of?

MB: IT security professionals can make excellent candidates for IT auditors because it’s like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking “short-cuts.” This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing. In terms of IT audit certifications, I often recommend the CISA because it is considered by many to be the most recognized and referenced by companies looking to hire IT Audit professionals. I know IT Auditors that come from a variety of educational backgrounds including business, accounting, and IT. In my experience, companies love to hire CISAs with “Big 4” experience, so if you have an opportunity to make the transition by getting hired by a Big 4 firm you should certainly consider this even if it is just for the short term. These firms typically offer lots of great hands-on experience and a lot of education which have a lot of value even if you decide not to try and make partner at the firm.

From your consulting experience, can you share with us some of the common IT Governance issues you have noticed?

MB: I would have to say one of the most common IT Governance issues is understanding that IT Governance is not only limited to just IT, it’s a team sport that involves all aspects of the business operations. IT governance comes down to aligning IT with the business strategies, goals, and objectives so that reliable information is at the right place, at the right time, and in the right hands to support sound decision making. While this might seem like a simplistic view it truly is the essence of IT governance. There are many excellent IT governance frameworks that can be used to support the business, however it is a common mistake to try and use the framework to run the business rather than using the frameworks and applying them to support the operations of the business.
How critical are IT Governance frameworks such as COBIT, ISO 17799 in building a strong organizational foundation? What frameworks have you recommended in the past few years?

MB: The speed and reliability of information flow is critical in today’s globalized marketplace and IT Governance frameworks can certainly serve as a strong organizational foundation. There are many frameworks, including COBIT, ISO 27001, 27002, and 38500. While the IT governance space is mature with frameworks, I believe that the practical implementations are harder cases to find due to some of the issues I noted above. ISACA had drawn up a nice paper that aligned COBIT with ITIL (Information Technology Infrastructure Library), which I thought was very helpful in a compliance project I was involved in. I found it very useful to consider frameworks and align them within the process-driven context understood by most IT professionals (ITIL) and the control objective-driven context understood by IT Auditors (COBIT). Again, it comes down to recognizing that everyone has a stake in IT governance, that it really needs to be approached from an enterprise viewpoint, and that the frameworks adopted can satisfy all stakeholders.

You have a very strong profile as a speaker, how did you attain that and how do you continuously hone your speaking skills?

MB: There is certainly an art and science to professional speaking. Storytelling is an excellent way to help people view things in a different light to help them make the best possible choices in their personal and professional endeavors. As professionals we are all, to some degree, speakers, whether it is in an auditorium of hundreds or a conference room of just a few. I grew a real passion for speaking once I started instructing the CIA review course in partnership with the IIA and Villanova University in 2008. One of the course participants that had attended my class thought I would make a good speaker so she invited me into a local chapter as a speaker. From that point, I learned that speaking is an excellent way to help people make a difference, so I joined my local National Speakers Association (NSA) chapter and, at this time, sit on the NSA Philadelphia Chapter Board. I have an opportunity to work and learn from some of the best speakers in the business who all have various disciplines of expertise. The NSA four pillars of professional speaking include ethics, expertise, eloquence, and entrepreneurship, which are also driving principles I use to continually hone my speaking skills.

You are also an entrepreneur, how did you go about building your personal brand?

MB: Far too often, we find people just doing what they’re told to do rather than believing in what must be done. In my view, this is problematic within the auditing industry because you can always pay someone to tell you what you want to hear and unfortunately this happens. While it is important to maintain an open mind, it is equally important to make business judgments based on sound principles. A reputation built on consistent action and sound principles endures, so that is the motto I like to associate with to build my personal brand. Mean what you say, and say what you mean!

What book are you reading currently and any recommendations for our readers?

MB: I love to read and right now I have two books on my plate. “It is Dangerous to be Right when the Government is Wrong” by Judge Andrew P. Napolitano and “The Original Argument: The Federalists’ Case for the Constitution.” I have grown a great deal of interest in how the government and business communities interact with each other, which you can probably tell from my current reading list. Two good books I have read and also recommend are “Tribes” by Seth Godin and “No One Would Listen” by Harry Markopoulos.

ABY RAO
Aby Rao has several years experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
IT SECURITY AUDITING

Interview with Mehmet Cuneyt Uvey

Mehmet Cuneyt Uvey was born in Istanbul, Turkey, in 1967. He graduated from Middle East Technical University, Public Administration Department. He then completed his MBA degree at Bloomsburg University of Pennsylvania, USA. He has 25 years of experience in Internal Audit, IT Audit, IT Risk Management, IT Governance, Information Security and Project Management. He has performed audits, managed many projects and rendered consultancy services to public and private institutions. Mehmet holds CGEIT, CISM, CISA, BS7799/ISO27001 Lead Auditor and PMP certificates and has worked as one of ISACA’s CobiT Trainers in the past. Currently, he works as an Internal Auditor for Turkish Tractor and Agricultural Machines Company (a CNH – Koc Group partnership). He gives lectures to graduate level classes about the above-mentioned subjects at various universities. He speaks Turkish, English and German.

What motivated you to get into the IT Security field?

Mehmet Cuneyt Uvey: I am of internal audit and finance origin. Back in the 80’s and early 90’s, the bank I worked for was in a huge transition into automation. The bank had 600 branches; the systems developed first were aimed at branch automation. Use of mainframe and manual procedures were consolidated into batch processing, which was the first precedent. Later on, a high volume of investment into ATMs, credit card business and POS machines were new additions to the network. Self-service banking channels and Internet banking all became integrated. During this transition, I thought of auditing the systems and IT processes instead of the financial transactions. I had the chance to establish IT Audit in the bank I worked for and understood that information security is one of the most important parts of IT audit. That’s how I got into IT Security.

How did you get your start in IT Security?

MCU: After establishing the IT Audit department and performing process & systems audits, we recognized that there was an information security standard published by BSI (British Standards Institute) named BS-7799 (now ISO27001). We had the chance to get the standard and we thought of using the standard for our audits of information security. This was the first time.

As an internal auditor what are some of your day to day tasks?

MCU: I work in one of the largest tractor companies/factories in the world. The Internal Audit Department
started here eight months ago. My daily tasks are of different dimensions. On one side, I try to perform planned audits for the most critical processes (for example, Supply Chain Management) and relevant systems; on the other side, I try to follow up previous internal and/or external audit findings to ensure compliance. Another additional dimension is the coordination of corporate projects, or becoming involved in compliance related projects (mostly IT related) to ensure auditability and accountability. If needed, one of my tasks is to perform special audits, ad hoc assignments from the top management.

What certifications, training, or skills would you recommend for someone who wants to pursue a career in IT Security Auditing?

MCU: My first security related certification was the BS 7799 Lead Auditor designation. This certification gives you the chance to look at Information Security with a broad perspective and a systematic approach. Moreover, you can become an external auditor with this certificate, to assess companies which want to acquire the ISO27001 Certification. I highly recommend the CISSP certification, especially for professionals with a technical background. CISSP is like a passport valid in all countries. Last, but not least, ISACA’s globally recognized CISM (Certified Information Security Manager) and to some extent CISA (Certified Information Systems Auditor) and CRISC (Certified in Risk and Information Systems Control) certifications are also helpful to get into IT Security and Audit. If you want to go further, the Certified Ethical Hacker (CEH) designation is more towards penetration testing and attacks and represents more of the technical perspective of Information Security.

Are there any skills that you believe the auditors today lack, or should improve on?

MCU: The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results), but also at the systems and processes that create those numbers.

What do you feel are some of the largest risks that companies face today, or ones in which you have seen?

MCU: The world is changing and the way of doing business is very different today. Information systems and
its added value is also changing shape and going up to the cloud. High dependency on Information Technology is an advantage, as well as a disadvantage. At the end of the day, Information Security becomes one of the largest risks for a company’s reputation. There are many legal arrangements regarding intellectual property, protection of information and privacy, but there are also activist groups that defend free access to all information and transparency. There are digital wars between countries; systems are destroyed or compromised with cyber-terror and organized collective attacks. Of course, companies take their share of such attacks too.

What do you feel is one of the biggest mistakes that companies make trying to meet a compliance standard?

MCU: Trying to meet a standard is a very good effort. But companies think getting the standard done and being certified is the end of the road. Definitely it is just the beginning. A standard is defined as a “minimum requirement” to be able to get qualified. It needs to improve, get updated and surely become one of the main components of the daily routine to live and grow.

There are many frameworks for auditors today, which one do you see as being the most well rounded?

MCU: This is a hard question to answer. There are generally applied frameworks such as CobiT, ISO 27001, ITIL, ISO 25999, ISO 38500 and so on. There are also sector specialized frameworks. The framework you want to use should be relevant to the business line and also the size of your company. The PCI-DSS Standard for instance is most important for the Payment Card Industry; HIPAA – Health Insurance Portability and Accountability Act – is essential for the health and insurance sectors; NIST (National Institute of Standards and Technology) standards cover almost all the information security issues technically, and so on. First you need to make sure that you research the frameworks and standards that are most relevant for your business and fit the size of your organization.

What benefits have you seen being a member of an organization such as ISACA?

MCU: I have been a member since 2000. During that time, I had the chance to get myself prepared, go through knowledge and experience, and obtain certifications in IT Audit (CISA), Security (CISM), Governance (CGEIT) and IT Risk (CRISC). Moreover, we had the chance to establish an ISACA Chapter in Ankara, Turkey, together with colleagues and professionals (on the same day as our sister Warsaw Chapter), so that we could promote and share ISACA and its professional know-how and have a good networking place for IT Audit and Security professionals. I am the founding President. Up to now, especially bringing CobiT into the financial sector and implementing it 12 years ago has given me the chance to have a good job and to give consultancy and training to many large firms during my consultancy years. I made a Master’s Degree class out of CobiT and other frameworks and gave my “IT Governance” class in the four best universities in my country. I had the chance to add value to many young colleagues, to help them and/or lecture them for certifications. These all came from the know-how, frameworks, certifications and networking inside and around ISACA.

Beside ISACA are there other organizations that you would recommend being a part of (for Security Auditors), and why?

MCU: For security auditors with a more technical background, I highly recommend (ISC)2 – International Information Systems Security Certification Consortium, Inc., which is another path to follow. (ISC)2 is the main organization behind sound security certifications and designations like SSCP – Systems Security Certified Practitioner; CAP – Certified Authorization Professional; CSSLP – Certified Secure Software Lifecycle Professional; and the most common of all, CISSP – Certified Information Systems Security Professional.

What would you say to someone who is looking to get into IT security and Auditing?

MCU: It will be an uncommon answer to this question but first, after the relevant education, they need to learn the business. What business are they in, what kind of transactions take place, what kind of tools and techniques are used, what systems are involved and what are their interactions and connections (interfaces), and what could be the risks and vulnerabilities of the business process and so on... And among those risks, what could be the information security risks. On one hand, business knowledge is necessary; on the other hand, relevant technical skills and understanding of its risks are essential.

ABY RAO
SECURITY CONSULTING BUSINESS

Interview with Lukas Ruf

Dr. Lukas Ruf is a senior security and strategy consultant with Consecom AG, a Swiss-based consultancy specialized in ICT Security and Strategy Consulting. He is one of Switzerland’s experts in application, system and network security. He is specialized in network and system security, risk management, identity and access management, computer network architectures, operating systems, and computer architectures. He is an expert in strategic network/ICT consulting and security audits, and a designer of security architectures for distributed platforms. Dr. Lukas Ruf has been gaining experience in Security and Strategy Consulting since early 2000. Since 1988 he has been active in ICT application development as an architect, lead engineer, apprentice coach, consultant, educator and trainer. His proficiency builds on this long-term experience.

Dr. Ruf, you are a very distinguished professional with experience in academia and industry. Please tell us more about yourself, leading to how you got into the Security consulting business.

Lukas Ruf: Back in 1988, I started my first part-time job besides high school as a computer supporter for one of the (then) larger PC resellers. Before enrolling for studies at ETH Zurich (ETHZ), I began working as a software engineer for a ten-person consultancy. In 1996, I was asked by my boss to present my reflections on web security to one of our major customers. This led to my first web penetration testing in 1998. Business evolved and I started my first one-man security consultancy in 2000. That’s it, basically.

While you were studying at ETH Zurich what did you study and what was your research focus?

LR: At ETH, I enrolled for electrical engineering. For personal interest, I concentrated on microelectronics and anything that was possible to study in the field of computer and network engineering. My masters was then focusing on computer and network architectures. For one of my term theses, I designed and implemented the first port of Topsy v1 to the ia32 PC platform.

To continue research in system and network design and engineering, I started my Ph.D. thesis in the field of Active Networking. Active Networking explored the possibilities of breaking the strict boundaries of network layers already within the network stack – and allowed for dynamic re-configuration and update of functionality provided therein. This research allowed me to gain an in-depth understanding of networking as well as system security and stability. Insights of which I benefit every day in my job as a security consultant.
Is there enough innovation taking place in the field of Information Security? Are you involved in any innovative projects yourself?

LR: From an academic point of view: there is a lot of room for future research and innovation is taking place heavily. In daily practice, fundamental issues are still obstacles, although you cannot gain any fame in academia with them. As a security consultant serving customers also in the field of their strategic evolution, I am involved in various client-side projects that are cutting edge for industry and academia.

You have a strong engineering background, please tell us how that is helping you in your career.

LR: My strong engineering background helps me every day: first, it allows me to understand the issues engineers face daily and to interpret them towards management. Second, it is the foundation for secure designs and architectures. And, foremost, it supports the conception of processes and organizational structures that fit the needs of business as well as operations. When it comes to reviewing solutions it is /the/ crucial point to deliver the required insights as well as the appropriate assessment to our customers.

Tell us more about your consulting firm, its size and its technical strengths.

LR: We are a strong team of experts that, as a team, covers an extremely wide range of technologies. Based on a group of friends that did their PhDs together at ETH, we have been able to grow to, currently, eight consultants and one administrative support person. Our effective strength consists in the pool of experts that are, first, open to criticism, and second, strong in method. We all benefit from our ETH background that laid the technological foundations on which we built our current offering: we combine organization with technology.

Where does the EU stand in terms of preventing cybercrime compared to the rest of the world?

LR: As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

The EU is known for its strict cyber privacy. What are your thoughts on privacy laws in the EU?
  • 21. SECURITY CONSULTING BUSINESS
LR: Laws are on the right track. From my point of view, the protection of users' rights should be extended to protect also the unknowing, common user: I have great concerns when it comes to the willingness of people to post any private fluffy triviality that, if combined correctly, provides a very detailed profile of the user. People must be protective of their self display – they do not know what they are currently doing. Similarly, all kinds of user tracking by cookies with 'like-it' buttons must be prohibited by law. It must not be possible for any – private or governmental – institution to screen any activity of the people. '1984' is not far from where we are today.

When you are consulting, how do you ensure that your client is educated on various security risks and issues related to their environment?
LR: I tell them. :)

What are some of the security threats companies in the EU are worried about?
LR: Fraud. Based on identity theft, fraud is committed every second. The protection of identities is crucial to ecommerce and egovernment – as well as private life.

Please share with us some of your experiences in Identity and Access Management.
LR: Being very active also in IdM and IAM, I came to the conclusion that all businesses face an endless endeavor if they do not follow a correct and strong method to introduce IAM. Important is that the concept is sound and meets the requirements of business. If IAM is an initiative carried out by operations only, it rarely meets the effective requirements other than administration.

You have some experience in security architecture, what are some of the challenges in security architecture of large scale web applications?
LR: I have had the opportunity to support various customers with developing the security architecture of web-portals based on JSR 168 and JSR 286. There, I had to learn that engineering must not follow basic concepts without reflection of the specific target solution. For large scale web applications, performance is always an issue to deal with the huge amount of data such that today's end-customers do not click away – while guaranteeing the appropriate level of protection for the company as well as for the end-customer.

Cloud computing is gaining tremendous popularity in the US, what is its status in the EU?
LR: Cloud computing is gaining popularity in the EU tremendously as well. A big challenge – for good – is the strict interpretation of laws on privacy when it comes to customer identifying data in health care or similar. The problem there is that users of cloud computing often neglect the laws focusing just on commercial benefit. I hope that EU-wide initiatives strengthen the right of end-users there too.

Consecom AG is involved in SEBPS – The Secure Browsing Platform for Switzerland? Please tell us more about that initiative.
LR: You can download SEBPS from www.sebps.net for free. SEBPS is our contribution to the public to protect their web-activities against fraud while being usable. Our goal has been to provide a drastic increase in web-browsing security for 'my grandmother', i.e. the 99% of users in the world that need not know how to configure a linux kernel such that they can be safe against most of the cyber attacks that affect common users. We have accomplished this goal by providing a VM-based, hardened Firefox on Linux platform that renders the process-persistent installation of malware impossible.

Switzerland is a beautiful country. How do you make the best use of its natural beauty?
LR: I enjoy spending as much time as possible outdoors with friends and family. In Switzerland, I enjoy hiking as well as skiing. When at the sea, I have been enjoying windsurfing for the past thirty years.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.

02/2012(2) Page 22 http://pentestmag.com
  • 22. CLOUD COMPUTING
Securing Clouds

The most common objections for holding back SaaS (Software as a Service) adoption, as reported by end customers, are 'security' and 'reliability'. This is interesting when you consider that SaaS security is consistently reported as the fastest growth area of SaaS.

This 'security' objection usually stems from the customers' perspective; they are concerned about the security of their data held outside their perimeter by the cloud provider.

Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months. Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. Similar to many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate.

While still evolving and changing, cloud computing is here to stay. It promises a transformation – a move from capital intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and cost-efficient form factor. As an end user organisation, whatever your size, you need to consider where and when cloud may offer benefit and a positive edge to your business.

Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level; cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike. Wide-scale adoption and the full potential of cloud will come by giving users the confidence and by demonstrating the solid information security that it promises to deliver.

Computing is experiencing a powerful transformation across the world. Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost effective manner.

Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles; huge IT burdens like system or software updates are now delivered automatically with cloud computing, and both small and large organisations can now afford to get access to cutting-edge innovative solutions. Cloud computing also brings green benefits
  • 23. such as reducing carbon footprint and promoting sustainability by utilising computing power more efficiently.

Cloud computing can refer to several different service types, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is generally regarded as well suited to the delivery of standardised software applications and platforms, like email, CRM, accounting and payroll. The development of the SaaS business model has been rapid and it is now being used to provide high performance, resilient and secure applications across a range of company sizes and industries.

However, as already mentioned, in end user survey after survey the top two issues that surface are security (data being the typical lead in this) and reliability (being availability and accessibility). A good reference point for this is the Cloud Industry Forum's 2011 survey extract in Table 1 below.

Is this so different when you consider the traditional network form factor? Consider the increasing number of recent and well publicised data breaches and reliability issues from the likes of Sony, BlackBerry and TK Maxx. Often these are tarred with the cloud brush; however, these are breaches where the company was hosting its own solution as a provider and yet was hacked from outside. These are sizeable targets with larger IT teams and budgets than the average size business in the market today.

Look at end user surveys on IT challenges in general and managing the complexity of security appears high if not top of those lists, with other contributors around lack of IT expertise or not enough IT staff. Increasingly businesses are concerned about protection of the organisation's information assets both from external as well as internal threats. In a time of financial challenge, protecting against the disgruntled employee is also to be taken seriously.

There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where infinite IT power and information is available to a user on the smallest of devices, on the move and at an affordable price. As devices get more powerful and the Internet faster, the demand and supply of cloud applications will skyrocket and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.

So as you extend your footprint into utilising an increasing number of cloud based services, you need to consider the security aspects from an access control perspective, i.e. who can access what, from where and on what device, and what are the additional risks, if any, of this. For example, can a user store their login details on their personal iPad, and is that device secured enough that if they lost it your cloud systems' access would not be breached?

Cloud or SaaS does not provide one-size-fits-all solutions, and not every application in the cloud will be right for your business. You should consider in what areas it makes sense to utilise the cloud. Where can your organisation gain improvement in areas of business efficiency, resilience and cost reduction? Look to others in your sector and what they have done, and look for simplicity and obvious choices in your first cloud solution adoptions.

Review your shortlisted vendors carefully and compare them across multiple areas, but not just

Table 1. What are your most significant concerns, if any, about the adoption of cloud in your business? (Only asked of respondents who either currently use cloud or will do at some point in the future.) Percentage of respondents, by number of employees.

Concern                                                                  | Total | Fewer than 20 | 20-200 | More than 200
Data security                                                            | 64%   | 62%           | 61%    | 68%
Data privacy                                                             | 62%   | 68%           | 61%    | 60%
Dependency upon internet access                                          | 50%   | 53%           | 58%    | 42%
Confidence in the reliability of the vendors                             | 38%   | 32%           | 38%    | 41%
Contract lock-in                                                         | 35%   | 30%           | 43%    | 30%
Cost of change/migration                                                 | 32%   | 27%           | 35%    | 33%
Contractual liability for services if SLAs are missed                    | 31%   | 16%           | 38%    | 33%
Confidence in knowing who to choose to supply service                    | 28%   | 27%           | 29%    | 28%
Confidence in the vendor's business capability                           | 24%   | 16%           | 25%    | 26%
Confidence in the clarity of charges (i.e. will they be cheap on-prem)   | 22%   | 16%           | 26%    | 21%
Lack of business case to need cloud service                              | 21%   | 11%           | 27%    | 22%
Base (number of respondents)                                             | 323   | 73            | 112    | 95
  • 24. CLOUD COMPUTING
price. With cloud computing you need to ensure that you validate who you are dealing with, what their reputation is and the quality of service you will receive.

Example things to check before signing up with a cloud service provider, that a reputable cloud provider will be happy to answer, include:

• What are the terms and conditions in the service level agreement (SLA)?
• Are there penalties if a supplier fails to deliver?
• What has the provider's success rate been over a certain period?
• Can they provide customer testimonials? Can you speak to the customers directly?
• Who is going to support the services? Will it be their own supporting staff or a third party? Where are the support staff?
• Do they provide out of hours support? If so, what kind of support do you get?
• Where are the supplier's data centres? Which will you be utilising?
• Where is your data stored? Is it in the UK, Europe, or the US?
• Who has access to your data?
• What security certifications does the vendor hold for their data centre operations?
• How often has the vendor updated its service in the past 12 months?
• Will you be getting ongoing value for money from the enhancements?
• Can you see the service roadmap the vendor delivered in the past year?

There is nothing to fear inherently about the cloud. Companies simply have to perform their diligence as they would when buying any other solution, as long as they know the right questions to ask.

In addition to considering the security aspects that may change in utilising cloud solutions, such as mobility, access control and the security of the chosen vendor itself, you should also consider the cloud education inherent in your own IT staff. Whilst the fundamental technology being utilised is not new, the architectures, security methods and mobility aspects do require adoption of new skills and mind-sets, and you will likely also be engaging with vendors you may not have dealt with or even have heard of prior.

Cloud offers opportunities for those that embrace the new form factor and self-educate and certify themselves for the needs of employers today and tomorrow. More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology to its advantage.

CompTIA's Cloud Essentials certification is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and exam condition testing, and differentiate themselves in the competitive job market. John McGlinchey, Vice President, Europe & Middle East, CompTIA commented "We have had a demand from the user market for a training curriculum with testing to support this rapidly growing new form factor. The demand and adoption is outstripping the skill base and it is key that individuals and businesses recognise and address this shortfall, before it becomes a serious issue for all concerned."

More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology option to its advantage, and this need for understanding stretches past simply the border of the IT department. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world.

The IT department in this form factor may not be deploying the hardware and software any longer, but they will play a key role in ensuring the integrity of your systems and the security controls that you have in place for your cloud operations.

Ignoring the cloud or moving everything to it in a race to be 'all cloud' are both perilous positions. Taking educated steps to the cloud will ensure you gain the benefits that it can bring in a secure manner and that you don't end up in a technological storm.

IAN MOYSE
Ian Moyse is Workbooks.com Sales Director, Eurocloud UK Board Member and Cloud Industry Forum Governance Board Member. He has over 25 years of experience in the IT sector, with nine of these specialising in security and over 23 years of channel experience. Starting as a Systems Programmer at IBM in the mainframe environment, he has held senior positions in both large and smaller organisations including Senior Vice President for EMEA at CA and Managing Director of several UK companies. For the last 7 years he has been focused on Security in Cloud Computing and has become a thought leader in this arena.
  • 25. SUCCESSFUL PENTESTER
Have you M.E.T?
What it takes to be a successful pen-tester

"You see, but you do not observe. The distinction is clear." Sherlock Holmes uttered the above sentence to Dr. Watson in A Scandal in Bohemia. This phrase fits penetration testers perfectly: they are required to build the skill of "observing" things, rather than merely "seeing" them.

Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the "ethical" baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

Security tools are a primary focus of a penetration tester, and rightly so – these reduce a lot of work, automate things that otherwise would have been very tedious to do manually, and provide instant results (who does not like "instant results"?). However, a security tool has limitations – false positives, false negatives (the bigger problem), as well as incomplete coverage. What then, in addition to the knowledge of tools, makes a successful penetration tester? Enter M.E.T.:

• Mindset
• Experience
• Tools, techniques, and training

If you have M.E.T., you can be a successful and knowledgeable penetration tester, and probably no longer dependent on various security certifications to prove your ability.

Mindset

An attacker follows no rules. This is very important to understand – it essentially means an attacker will find a path to break into your software system in a way you never imagined. This frame of mind allows you to think beyond the obvious – think of ways to compromise a system, and more importantly, think of ways to defend the system. Remember, an attacker has to find one weak link to capture the castle (software system), while the defender has to defend every possible weak spot. Unless you have built (or participated in building) large and complex software systems, you may not completely understand the defense and the offense. Understanding both the attack and defense patterns is very important in the role of a penetration tester.

In order to build this mindset, one must be inherently curious about how things work. This curiosity allows you to look under the hood of large and complex systems – know their inner workings, understand the interaction of their sub-components, know how things fail, and know how things can be made better.

As an example, if you find an XSS, these are the questions a curious mind will think of:

• What is the root cause of this XSS?
• Are similar vulnerabilities lurking around other places in the application as well, assuming developers make the same mistakes and copy-paste code?
  • 26. Good books for a penetration tester
• The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities – Dowd, McDonald, Schuh
• 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them – Michael Howard
• The Web Application Hacker's Handbook – Stuttard, Pinto http://mdsec.net/wahh/
• Browser Security Handbook – Michal Zalewski http://code.google.com/p/browsersec/wiki/Main
• Secure Coding in C and C++ – Robert Seacord
• Practical Cryptography – Bruce Schneier
• Hunting Security Bugs – Gallagher, Jeffries

Blogs/Groups to follow for up-to-date information on the field of security
• SecurityFocus http://www.securityfocus.com/
• Schneier on Security http://www.schneier.com/
• TaoSecurity http://taosecurity.blogspot.in/

• What type of fix applies in this case?
• Is there any framework control that can provide a more generic solution?
• What can be done to prevent recurrence of similar issues?

Your contract may only specify finding issues, but you can explore deeper to suggest a fix as well. In turn you start building the right mindset of exploring things deeper, and not merely scratching the surface.

Experience

Time is of the essence in penetration testing. Given infinite time and infinite resources, anyone can find all possible security flaws of a system. However, experience teaches you how to optimize the available resources to achieve maximum coverage and output. Typical penetration testing assignments are a few weeks – two to six mostly – and only with experience will you be able to utilize this time efficiently and effectively.

Experience also teaches you to "spot" patterns or "chains" of events in a software system – a possible denial-of-service, followed by an inbound network connection to the transaction service, and a system compromise happen in a lock-step fashion. Effectively disabling an attack requires any one event to be neutralized/controlled, which again comes with experience. The more penetration testing assignments you undertake, the wiser you become.

Experience also teaches you to properly distinguish between the cause of a vulnerability (a buffer overflow in the source code) and the effect (arbitrary code execution, privilege escalation, etc.). Combined with the right mindset and proper training and techniques, it is a very powerful skill to have.

Tools, techniques, and training

Systematic training in the area of software engineering and vulnerability assessment, as well as knowing the causes of vulnerabilities, is important. Learning to threat model a system goes a long way towards becoming a successful penetration tester.

Several good books are available that prepare you to understand the working of a software system, its failure modes, and ways to address failure. Good blogs and security sites keep you up-to-date in the security field.

Wireshark, a popular packet capture tool, is used by pen-testers to find network security issues (e.g., cleartext transfer of credentials). It is more important to study the analysis of Wireshark logs and understand the protocol involved than merely to look for individual issues. If you understand the network protocol, you may find more issues with the client-server communication than a cleartext transfer of credentials.

Summary

Even though security tools play an important role in the life of a penetration tester, mindset and experience are very important to succeed at this job. The author encourages pentesters to look beyond the obvious to find real security issues that plague software systems of today.

AMARENDRA
Amarendra has over a decade of experience working with large and complex software systems, especially their security. He loves to build and break things, and learn in the process. He is always striving to make software systems better, and secure.
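The Wireshark point above (understand the protocol, not just the single cleartext-credential hit) as an added example that is not from the article or its author: a small Python analyser run over a constructed, reassembled HTTP stream. The stream contents, host name, cookie name and the list of sensitive field names are all made up for the example.

```python
import base64
from urllib.parse import parse_qs

# Form/query field names treated as credentials (assumption for the example).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "secret", "token", "otp"}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_http_message(raw):
    """Split one raw HTTP/1.x message into (start line, headers, body).

    Header names are lower-cased and values kept as lists, so repeated
    headers such as Set-Cookie are all retained.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def analyse_stream(messages, tls):
    """Return (severity, description) findings for a reassembled HTTP stream.

    messages: list of (direction, raw_message) in wire order, direction being
    "client" or "server". tls: whether the stream was carried inside TLS. The
    same Basic header is high severity on plaintext HTTP but only informational
    on an encrypted transport; cookie attributes and credentials in URLs are
    server-side problems that matter either way.
    """
    in_transit = "info" if tls else "high"
    findings = []
    for direction, raw in messages:
        start, headers, body = parse_http_message(raw)
        if direction == "client":
            method, _, rest = start.partition(" ")
            target = rest.split(" ")[0]
            # 1. HTTP Basic: base64 is an encoding, not encryption.
            for value in headers.get("authorization", []):
                scheme, _, cred = value.partition(" ")
                if scheme.lower() == "basic":
                    try:
                        user = base64.b64decode(cred).decode().split(":", 1)[0]
                    except (ValueError, UnicodeDecodeError):
                        user = "<undecodable>"
                    findings.append((in_transit, f"Basic auth for user '{user}' on {method} {target}"))
            # 2. Credentials posted as a form body.
            if "application/x-www-form-urlencoded" in headers.get("content-type", [""])[0]:
                for field in parse_qs(body, keep_blank_values=True):
                    if field.lower() in SENSITIVE_FIELDS:
                        findings.append((in_transit, f"Form field '{field}' sent in {method} {target}"))
            # 3. Credentials in the query string leak into server logs, proxies
            #    and Referer headers even when TLS is used.
            if "?" in target:
                for field in parse_qs(target.split("?", 1)[1], keep_blank_values=True):
                    if field.lower() in SENSITIVE_FIELDS:
                        findings.append(("high", f"Credential '{field}' in query string of {target}"))
        else:
            # 4. Cookie attributes chosen by the server.
            for cookie in headers.get("set-cookie", []):
                parts = [p.strip() for p in cookie.split(";")]
                name = parts[0].partition("=")[0]
                attrs = {p.lower().partition("=")[0] for p in parts[1:]}
                for flag, label in COOKIE_FLAGS.items():
                    if flag not in attrs:
                        findings.append(("medium", f"Set-Cookie '{name}' lacks {label} attribute"))
    return findings


# Constructed sample stream (not real traffic), laid out as Wireshark's
# "Follow TCP Stream" would show it. The Basic credential is encoded here so
# the sample stays consistent with what the analyser decodes.
_BASIC = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_STREAM = [
    ("client", "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 27\r\n\r\nuser=alice&password=hunter2"),
    ("server", "HTTP/1.1 302 Found\r\nSet-Cookie: session=c0ffee; Path=/; HttpOnly\r\n"
               "Location: /account\r\n\r\n"),
    ("client", "GET /api/orders?token=abc HTTP/1.1\r\nHost: shop.example\r\n"
               f"Authorization: Basic {_BASIC}\r\nCookie: session=c0ffee\r\n\r\n"),
    ("server", "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"orders\": []}"),
]

if __name__ == "__main__":
    for severity, description in analyse_stream(SAMPLE_STREAM, tls=False):
        print(f"[{severity}] {description}")
```

Run as-is it reports four findings for the plaintext case; with tls=True the two in-transit credential findings drop to informational while the missing Secure attribute and the token in the query string remain, which is the difference between looking for one issue and understanding the protocol.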
  • 27. DISASTER RECOVERY
Interview with Joe Hillis

Joe is the co-founder and Operations Director of the Information Technology Disaster Resource Center, a 501(c)(3) public charity. Hillis is leading an initiative to engage the technology community to help Small Businesses and Communities with continuity and recovery of information systems following a disaster.

Mr. Hillis, you come from a paramedical background. We are curious to know how you ended up in Information Technology.
Joe Hillis: As a career Firefighter/Paramedic, I worked a 24 hour shift at a local Fire Department every 3rd day. My employer had an IBM System 36 for incident reporting, and I began developing custom reports in an RPG based report writer in my downtime. I began taking programming courses at a local community college and developed several applications to simplify repetitive administrative tasks. My schedule was such that my full time job was only 120 days a year, which left 4-5 days a week to devote to my new passion. I was eventually appointed as the Information Specialist for the city, and began consulting for other municipalities and small businesses. After retiring from municipal government in 2004, I entered the private technology sector full time.

You are the co-founder and Operations Director of the Information Technology Disaster Resource Center, which is a non-profit organization. Please tell us about your organization and what services you offer.
JH: The ITDRC is a 501(c)(3) non-profit public charity comprised of volunteer Information Technology Professionals who assist communities, non-profit organizations, and small businesses with technology continuity and recovery from disaster. Volunteer Subject Matter Experts (SMEs) provide Systems, Network, and Infrastructure "best practice" guidance in advance of a disaster, to help facilitate business continuity and rapid recovery following a catastrophic event. During the early phase of a disaster response, the ITDRC provides connectivity, communications, technology assets, and mobile workspace to first responders and emergency management officials. As the incident progresses, we assist disaster relief organizations by establishing call centers and database applications to manage commodities, volunteers, and requests for service. Once an incident stabilizes and long term recovery begins, ITDRC volunteers work with affected small businesses and non-profits by providing technical recovery assistance and temporary equipment to ensure they can continue operations.

How did this organization come into being?
JH: Following the 9/11 events, Senator Ron Wyden (D-OR) proposed the creation of a National Emergency Technology Guard of volunteers (NETGuard) to assist with public infrastructure recovery. The initiative received overwhelming support from Congress, but never materialized after a pilot program in 2008. After carefully monitoring the NETGuard initiative for several years, a group of service oriented professionals from the Technology, Emergency Management, and Small Business sectors formally established the ITDRC in January 2009. The 5 member Board co-managed the operation until mid-2011, when an Operations Director was appointed.
  • 28. Our vision was to become a recognized and trusted technology clearinghouse; providing technology guidance and resources, and distributing in-kind donations to communities affected by disaster. After more than a dozen disaster deployments, our mission remains focused on helping communities and small businesses to prepare for, and continue operations following, a disaster.

Just so our readers understand the criticality of disaster recovery planning, can you provide us some facts and figures on how much IT-related loss is incurred when disaster strikes?
JH: In the past 10 years, several sources including FEMA have published statistics indicating 25-40% of businesses never reopen following a disaster, or fail within 1 year. Unfortunately these studies do not differentiate the percentage of businesses that fail specifically due to an IT related loss. A study of small business disaster recovery preparedness conducted by Carbonite in 2011 indicates 48% of small businesses have experienced a data loss. Additionally, a 2011 study by the Aberdeen Group indicates 5% of small businesses and 9% of medium businesses reported data losses from natural disaster. However, neither report indicates the net impact on the businesses. Another study conducted by the Aberdeen Group in 2010 contrasts the cost of Datacenter downtime for organizations with Best-in-class, Average, and Poor or No disaster recovery plans. Although the business interruption results were somewhat predictable, the financial loss to an unprepared business is a staggering 40 times higher than for a Best-in-Class prepared organization.

It is highly commendable to run an organization like ITDRC to help small businesses and communities. Can you share with us some of your stories from recent disasters in the US?
JH: Following a string of deadly tornadoes in Kentucky last month, the ITDRC was called to provide technology support for a small community of 2,000 residents. Our Mobile Command Center initially provided workspace, computers, and connectivity for the Logistics branch of the Incident Management Team. Technology volunteers were also requested to establish temporary voice and data communications in a makeshift Emergency Operations Center at the County Courthouse. Virtual Operations Support personnel assisted field teams by establishing a web portal to track service requests and public offers of assistance, as well as virtual telephone numbers for volunteer and donation inquiries. The virtual phone numbers were routed to ATA devices connected to a PBX and phone bank on the Command Bus, which was manned by local volunteers. One week prior, ITDRC volunteers were deployed in Branson, MO following a destructive tornado that destroyed dozens of structures including a strip shopping center containing several small businesses. The owner of a resale shop found their point of sale server under the collapsed roof of the building (with no backup). Members of the Disaster Technology Team dried out the system overnight, replaced damaged hardware components, and verified the data integrity before returning the recovered system back to the owner. These are just a few examples of tasks our "Technology Heroes" performed within the last month, and are common on each deployment.

Can our readers volunteer at your organization, and what kind of skills are you looking for?
JH: The ITDRC welcomes volunteers from all technology disciplines. Individuals with Systems, Network, and Infrastructure skill sets are always in demand during disaster deployments. Those with Technical Support, Programming, Project Management, and Analyst skills are extremely helpful in continuity planning and recovery, and can typically participate virtually around their work schedules.

Can you please share with us some of the industry best practices related to disaster recovery?
JH: Disaster Recovery is a subjective area; typically viewed differently by technology professionals and business leaders. The "best" method is generally driven by a business's operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; while others may require continuous access to systems and data, regardless of the event. In its simplest form, business critical data must be backed up and stored in a safe place so that it can be retrieved and recovered in the event of a system loss or failure. Systems should be backed up in a manner and frequency acceptable to the business to meet recovery needs. As a best practice, data files should be backed up to a secure, preferably offsite, location one or more times daily. This can be accomplished through manual methods such as a nightly backup to tape or disk, and placing the media in a vault; or automated to replicate block by block changes in real time to a recovery server across the country. Current backup technologies are capable of meeting either of these needs, and can
enable rapid recovery in a virtual environment, or on replacement hardware if necessary.

The most important component of disaster recovery is the usability or recoverability of data from a backup. Testing should be conducted frequently to verify the integrity of the data, and to ensure data will really be accessible when needed.

For organizations with no IT disaster recovery plan, what fundamental steps would you recommend?

JH: At the very least, organizations of all sizes need to backup critical data and store it offsite in some way! A local tape drive, external USB disk, or even thumb drive is better than having no backup. However, automated backups to a cloud storage area are the most popular options, and surprisingly affordable.

Next, spend an hour downloading and reading the business continuity templates and resources from the agencies and links below. Once you have a grasp on the concept, spend an hour a week working on a plan for your organization. Engage the resources of your staff and business contacts, and attend free SBA and technology webinars. Take it one step at a time, and delegate tasks to an intern or other staff member when possible.

Test your plan; one component at a time if necessary. Set a goal to have a table top exercise once a quarter, and maybe even a real (simulated) test once a year. Pick common scenarios like losing the secretary’s computer where the accounting files are stored. Escalate the events to include the loss of Internet connectivity or electricity on a Monday afternoon at 2PM; where the utility company tells you it will be down for 4-5 days while they replace a 1 mile stretch of poles. These are very real scenarios that you should be planning for!

Finally, share your plan with key personnel, and store multiple copies in a safe place. Hint: Keep a copy at home and one in an online folder that you can access from a remote computer.

How important is it for senior management to be involved in building an IT Disaster Recovery plan?

JH: Senior management is ultimately responsible for the overall business operation and survival, and must provide IT staff with guidance to determine Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and budget allowances. Once a Disaster Recovery plan is developed, IT staff must be held accountable for maintaining and testing the plan, documenting the results. Management oversight is required to protect the organization; its shareholders, employees, and customers.

What communication channels do you use to offer preparedness information to various organizations?

JH: ITDRC conducts live preparedness presentations to non-profit, civic, and disaster response organizations. We feel this forum offers the best opportunity for attendees to network and visit with experts one on one.

Our latest community outreach initiative includes a 26 stop “Spring Disaster Preparedness Road Show”, with preparedness events scheduled in high risk areas for hurricanes and tornadoes. Attendees will learn best practices for protecting critical data and developing functional recovery plans. The tour runs from April 23 through June 9, 2012.

In addition to our web site (itdrc.org), ITDRC currently utilizes Facebook (/ITDRC) and Twitter (@ITDRC) social media channels. We are planning to expand our presence to include Google+ (ITDRC) and LinkedIn later this year.

Have you partnered with other non-profit groups/organizations to provide additional services?

JH: ITDRC partners with other non-profit organizations to provide assistance to emergency management and public assistance organizations following a disaster. We forge many of these partnerships through membership in several regional VOADs, or Volunteer Organizations Active in Disaster. These groups allow us to pre-plan with other disaster response organizations to ensure they are aware of our role and available resources in a disaster.

We’re extremely proud of our strategic partnerships with several for-profit organizations as well. These companies support our mission through their Corporate Social Responsibility (CSR) programs and provide products, services, technical expertise, and financial support for our initiatives.

Can you recommend a few free or low-cost tools small businesses can use to help them with IT disaster recovery?

JH: Most operating systems include a native backup program which can be configured to backup business critical data to a USB drive, tape, or other file share. Recovery times are often longer with these applications, but they work, and should be used in the absence of a more robust solution. Alternatively, free cloud storage space is available through services such as Microsoft Skydrive, DropBox, and Box.net, as well as dozens of others. They typically don’t include automatic backup software; and require manual intervention to save or copy files to a special folder or through a web interface. There also are a number of low cost, automated backup services for individuals and small businesses offered by vendors
such as Carbonite and Mozy. For IT centric businesses, we recommend a centralized backup solution such as StorageCraft Shadow Protect. This type of solution provides complete management of backup jobs, storage locations, status reporting, and rapid recovery in the event of a disaster or server failure. Additional software features allow for granular recovery of a single file or mail message, and can be used to migrate a complete system from old hardware to new.

What resources are available in the US for businesses to be better prepared when disaster strikes?

JH: There are a number of good (and free) resources available to help small businesses prepare for a disaster. We’ve listed a few of our favorites below:

• Contingency Now www.contingencynow.com
• Agility Recovery & SBA www.preparemybusiness.org
• Small Business Administration (SBA) www.sba.gov
• Federal Emergency Management Agency (FEMA) www.ready.gov/business

Medium and large businesses should consider consulting an IT Disaster Recovery Expert or Business Continuity Planner for assistance. Although the upfront cost can be a little intimidating, chances are the fees are much less than lost revenue from a single day of lost productivity.

Are you currently using or planning to use Cloud computing as a disaster recovery resource?

JH: We strongly believe in the benefits of Cloud computing, and recommend the platform for businesses with larger technology budgets, high availability requirements, or rapid scalability needs. Unfortunately, the ROI for this technology is often >2 years, which can be difficult for many small businesses.

ITDRC is currently seeking a strategic partner to help us test and evaluate the benefits of utilizing a cloud computing platform for our disaster recovery operations.

ABY RAO

Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
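The interview above makes two points that are easy to state and easy to skip in practice: a backup only counts if its integrity is verified and it can actually be restored, and the backup schedule has to meet the Recovery Point Objective (RPO) that management set. The script below turns both into a repeatable check. It is an added example, not code from the interview, from ITDRC or from PenTest Market; the directory layout, sample files and the 24-hour RPO are constructed for illustration and live in a temporary directory so it runs offline.

```python
"""Backup integrity and recovery-point checks (added example, not from the interview).

Builds a SHA-256 manifest of a backup set at backup time, verifies a restored
copy against that manifest, and checks the newest backup's age against the
RPO. All paths, files and timestamps below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its digest and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of missing, corrupted (digest mismatch) and unexpected paths;
    the restore is only trustworthy when all three are empty.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest
                       if p in restored and restored[p]["sha256"] != manifest[p]["sha256"])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected,
            "ok": not (missing or corrupted or unexpected)}


def rpo_violated(last_backup, now, rpo):
    """True when the newest backup is older than the RPO allows."""
    return now - last_backup > rpo


def demo():
    """Constructed scenario: a source tree, then a restore with one truncated and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(src, "accounting"))
        os.makedirs(os.path.join(dst, "accounting"))
        files = {  # sample content, constructed for the demo
            "accounting/ledger.csv": b"2012-04,rent,1200\n",
            "accounting/payroll.csv": b"alice,3000\nbob,2800\n",
            "plan.txt": b"DR plan v1\n",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)          # taken at backup time
        # Simulated restore: ledger intact, payroll silently truncated, plan.txt never restored.
        with open(os.path.join(dst, "accounting", "ledger.csv"), "wb") as f:
            f.write(files["accounting/ledger.csv"])
        with open(os.path.join(dst, "accounting", "payroll.csv"), "wb") as f:
            f.write(b"alice,3000\n")
        report = verify_restore(manifest, dst)
    # RPO check: nightly backups (24h RPO), but the last one finished 30 hours ago.
    now = datetime(2012, 4, 23, 9, 0, tzinfo=timezone.utc)
    stale = rpo_violated(now - timedelta(hours=30), now, timedelta(hours=24))
    return report, stale


if __name__ == "__main__":
    rep, stale = demo()
    print(rep)
    print("RPO violated:", stale)
```

Run `demo()` as written and it reports `plan.txt` missing and `accounting/payroll.csv` corrupted, with the RPO check flagging the stale backup; a size-only comparison would have caught the truncation but not a same-length corruption, which is why the digest is stored. In a real deployment the manifest is written next to the backup (and a copy kept offsite, as the interview recommends for the plan itself), and the restore test is scheduled as part of the quarterly exercise.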
SOCIAL MEDIA

Interview with Jay McBain

Jay McBain managed the SMB Channel for IBM and Lenovo. He is an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor.

Please tell us about yourself.

Jay McBain: I am an accomplished speaker, author and innovator in the IT industry. Named to the Top 40 Under Forty list by the Business Review, Top 25 Newsmaker by CDN Magazine, Top 100 Most Respected Thought Leader by Vertical Systems Reseller Magazine, member of Global Power 150 by SMB Magazine, as well as Top 250 Global Managed Services Executives by MSPmentor. I am often sought out for keynotes, industry guidance, as well as business development opportunities.

I currently serve as Co-Chair of the CompTIA Vendor Advisory Council and Vice Chair of MSP Partners Community. I am also a board member of the Channel Vanguard Council, Ziff Davis Leadership Council, CRN Channel Intelligence Council and STEP – Sustainable Technology Environments Program with InfoComm.

I spent my 18 year career in various Executive sales, marketing and strategy roles within IBM, Lenovo and Autotask. I am currently the co-founder of a new software company called ChannelEyes. It is the first free and secure social network for Suppliers and their Channel Partners to use every day.

As a futurist, and long standing member of the World Future Society, I am an expert in Pervasive Computing which is the study of future computing models and the resulting impact on society, as well as Managed Services, Healthcare IT, Voice over IP and Cloud Computing.

I have lived in Calgary, Winnipeg, Toronto, Raleigh, and now in Albany, New York. I actively give back to the community and have been on the board of the United Way, Models for Charity and Junior Achievement.

You own a company called ChannelEyes. Tell us more about your company.

JM: ChannelEyes is the first free and secure, social network for Vendors and their Channel Partners to use every day. It’s kind of like Facebook, but instead of friends – it’s a filtered group of Vendor feeds on a Social Wall.

Channel Partners will have a single place to see a snapshot of new channel information every day. You’ll cut through the noise and clutter because you control who you follow, filter the relevant information and build social conversations around it.

Vendors, manufacturers and distributors of all types will have a single place to engage with your entire channel, targeting the right person with the right information at the right time. The net result is better engagement, sell-through, and access to potential new partners.

ChannelEyes is a ridiculously simple way to organize your business partnerships, saving time and allowing you to take advantage of timely information.
You have worked for some high-profile companies in the past, what made you start your own company?

JM: Working for 17 years at IBM and Lenovo taught me a lot about the IT Channel and the challenges they face in keeping up to date and communicating with their vendors, manufacturers and distributors. I was always entrepreneurial, even inside large organizations, and starting ChannelEyes gave me the opportunity to pursue a passion.

You serve on several committees such as CompTIA Vendor Advisory Council and MSP Partners Community. What are some of your responsibilities in those capacities?

JM: The CompTIA Vendor Advisory Council includes representatives from 15 of the industry’s top technology hardware manufacturers and software vendors giving guidance on where CompTIA can reinvest its resources in policies, practices and programs that can help all channel players achieve their financial and growth goals.

Among the goals of the council:

• Validate and support the development of educational programs designed exclusively for IT channel professionals.
• Validate and support the adoption of industry recognized organizational credentials for IT partners in the disciplines of vertical markets, business models, technologies and business management acumen.
• Advocate on behalf of the IT industry through CompTIA’s Public Advocacy and political action committee initiatives.
• Support the philanthropic initiatives of the CompTIA Educational Foundation.

The CompTIA MSP Partners Community focuses on the creation of industry standards and resources to improve managed services marketing and delivery. The group was created to provide networking opportunities among thought leaders, develop managed IT services-specific programs and tools, and generate member-driven initiatives.

You are also the Chief Social Officer at ChannelEyes, what is a Chief Social officer?

JM: Chief Social Officer is a role that includes marketing, sales and business development. Running a social media platform means communicating through dozens of channels across the industry and engaging with hundreds of the top influencers and connectors.

Mobile devices such as iPad are being used to access sensitive Electronic Health Records. What are some of the high-level security challenges you anticipate in that arena?

JM: Some of the early limitations of tablets included lack of security, manageability and compatibility. Newer devices have improved and now offer PKI authentication certificates, biometrics and remote wipe capabilities making them acceptable to many health organizations.

One lesser known limitation is if the device is subject to a legal hold – the health organization is in a legal dispute of some kind – the end user will lose the device for an extended and unpredictable amount of time.

The story isn’t just about integrating and managing tablets from the consumer market. Industry experts as well as futurists are calling for more devices, perhaps dozens per individual, gaining access to each medical office.

The consumerization of IT also isn’t just about hardware – we are at the beginning of another interesting trend: BYOA – Bring Your Own App. Some have predicted that the explosion of over 1 million apps may spell the end of the traditional desktop internet. While that is likely premature, apps could provide some real advantages in the healthcare industry including cutting down on training time, allowing health professionals to feel more invested, and replacing costly software licensing with cheaper apps.

However, there are several issues with BYOA including:

• Compliance and regulations with regards to HIPAA, HITECH and others
• Security of the data on public clouds and intermixing with consumer data
• Portability of the output – getting the data back if something happens to company
• Information fragmentation – decentralized data across hundreds of data centers and apps

You have come up with an innovative approach called the “Dandelion Marketing”. Can you please elaborate on that?

JM: Most of us sat through Marketing 101 learning the legacy model above. The main objective of traditional marketing training is choosing 2-3 “big” ideas and then hitting a homerun in the marketplace. Careers were made on the back of big sports marketing plays or the agency campaign that turned the corner for the company.

I have never been a fan of black or white rhetoric when predicting future trends. The traditional media vehicles have been, continue to be, and will in the future be very important for delivering results. TV, radio,
magazines, billboards and the like will always have a key place in the marketing plan, especially when you consider demographics. Also, a celebrity corporate spokesperson who can connect with a targeted audience and who you can build a brand on will likely grow in importance in upcoming years.

The change is happening at the grass roots level. We are being taught by newer, younger companies that have neither the budget nor, in some cases, the traditional training to adhere to the past principles of going “big” on a few ideas.

The Dandelion is a popular concept where survival is based on wide and effective dispersion of seeds into the ecosystem. Knowing that most seeds will fail to plant, quantity is preferred over quality. With today’s overwhelming amount of information coming in all directions, it is fair to say that most messages will fail to plant as well?

You are heavily involved in social media, can you tell us more about Lifestreaming?

JM: One of the interesting concepts coming in Web 3.0 will be something called “lifestreaming”. The term was coined by Eric Freeman and David Gelernter at Yale University in the mid-90’s. It is basically a time-ordered stream of documents and electronic media that functions as a diary of your life.

Personally, I have been using Quicken (or its predecessors), scanning all of my papers, and categorizing all of my digital pictures since I was in elementary school. It has become a huge directory tree of tens of thousands of documents sorted by year and month, chronicling my life day by day. The ability to look back and find where and when I spent money, including scanned receipts, and digital pictures allows me to triangulate every day of my life, both personally as well as professionally.

Perhaps a negative effect is that I have become a “go to” guy for finding old documents. It goes something like: “Hey Jay, remember that Gartner study from 1994 on total cost of ownership?” As the years have passed, I have added different technologies to the stream. For example, voicemails, instant messages, Facebook, Twitter, LinkedIn and other information is now included.

As a professional, how can one build Personal Brand using social media?

JM: Building a personal brand is key in today’s “flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

How can small business and non-profits benefit from social media?

JM: Social media is an addition to the toolkit – not something new and different. Small businesses need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Social Media can add to all of these core pieces if used effectively. It may be free (or nearly free) but the opportunity costs must be carefully weighed before investing precious resource into it.

Cloud computing is here to stay, what are your experiences in that domain?

JM: I have spoken as a futurist for over 15 years on the idea of pervasive computing – a world where connectivity is ubiquitous, each person owns 20 or more computer devices and the network serves and stores content and value. The cloud is the coming together of this trifecta and will change IT businesses from a technology and business model perspective. While it will take 10 years to fully realize the power of these new opportunities as we move through the adoption curve and legacy systems, people will look back and see this time as more revolutionary than the introduction of the PC in the late 70’s.

Can you tell us about various tools and technologies which could help grow one’s IT Business?

JM: IT businesses, like all businesses, need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Investing in products that make these activities more automated, efficient and cost effective is the place to start. Social Media can add to all of these core pieces if used effectively. ChannelEyes, for example, was developed to reduce information overload from emails, portals and newsletters and place it all on a single wall – filtered by who you want to hear from and the type of information you want to see.

How important is professional networking and can you offer us some tips for networking within our professional community?

JM: I have spent a lot of time in my career studying industry communities and came to an interesting epiphany about how communities work. Gartner Group conducted an interesting research piece in 2009 where peer networking, associations and communities are the highest ranked ways that small and medium businesses learn, form opinions, and in the end, make decisions.

IDC reported the same finding when they were digging into Healthcare earlier this year. In fact, 4 of the top 5 reported resources for Electronic Medical Record
(EMR) selection criteria involve associations, affiliates, colleagues, and buying groups.

With the abundance of information at our fingertips, why do people choose communities?

JM: Business has always been transacted with some level of personal interaction. With the rise of e-commerce in the late 90’s and now with Cloud Computing growing in popularity, it will be interesting if this remains true in the future.

During this time of growing “electronic ubiquity”, the need for trusted and expert sources of information has increased significantly. The amount of competitive choices for products and services, combined with vast information on the internet and endless buzz through social media, has created a scenario where cutting through the “white noise” has become one of the most important skills as we enter the 10’s.

Communities offer a smaller group of like-minded people (perhaps even competitors), sharing similar experiences and challenges, the ability to collaborate and improve decision making. The feeling of belonging is strong, as well as the affinity of membership. There is a feeling that communities are more democratic as they are built by the membership, and participation is encouraged and celebrated.

Who starts these communities?

JM: Tracing back some of the more popular communities to the beginning, the following sources are evident:

Connectors

Malcolm Gladwell does a great job of explaining the concept of connectors in the Tipping Point. These are people that you would recognize, even dating back to grade school, that seem to be the center of the universe. Another way you can recognize connectors is in a place like Facebook. You seek out this person, and they are 1 degree of separation from everyone in your school, company, neighborhood, etc. In the business world, many connectors have translated this skill into organizing and building a strong following. They have also recognized that vendors will pay top dollar to participate in these already established communities. There is also a feeling by these connectors of altruism, or “giving back” to the industry or geography where they do business. You may think that connectors are the most extroverted and charismatic people, but in reality, not always.

Industry verticals

Several communities start as a result of a new technology or sub-industry. An example in the IT industry is Virtualization, Cloud Computing, Electronic Health Records or Managed Services. When the needs of a group are not being met by larger or non-related peer groups, new ones form organically from members as they branch out.

Traditional Media

Trade magazines and event promoters have been quick to recognize the communities trend, and have formed powerful groups under their trusted brand. Having a strong subscription or attendee following makes the transition to community a logical step for these organizations.

New Media – Social Media

The fastest growth of communities has occurred with the explosion of social media. Whether Twitter, Facebook, Linkedin, or the dozens of other purpose built community tools, the cost and complexity to start a community is approaching zero. Many connectors started as bloggers who have built a loyal and passionate following. Many bloggers have evolved into community leaders.

Distributors and vendors

The fact is that some companies get it and some don’t. Several organizations now recognize communities and have built organizations around community marketing. It is not uncommon to hear Chief Community Officer in marketing circles. Organizing a community goes far beyond marketing and advertising however, with product development, pricing and programs all tightly connected.

How do these communities interact with their followers?

JM: A dizzying array of new marketing vehicles have popped up in recent years. Traditional media such as magazines and events are very important in communicating to a community, but new media allows innovative ways to extend and enhance the message. From webinars, podcasts, vodcasts, blogs, tweets, Linkedin groups, to virtual trade shows, community groups are using as many as 30 different marketing vehicles to be pervasive within the group.

The challenge with these marketing vehicles is different than in the past. The main inhibitor to effective marketing was money, today it is effective content and delivery. Many of the vehicles I mentioned above are free or cost very little compared with traditional media. Keeping content fresh, abundant and delivered daily takes resourcing beyond the marketing department. Media savvy Executives who can keynote an event, tweet about it offstage, promote the message to the media gathered, and then write a blog about it later on
is the new model for the future. Messaging that would have required triple-checking through legal a few years ago, needs to be just-in-time and delivered on a daily cadence. I have a mantra that is “be visible everyday”.

Finally, community members have very effective personal spam filters. Anything that doesn’t add value to the community will be rejected and have a negative result for the organization delivering. The old days of powerpoints and product spec slides don’t cut it.

Why are communities important?

JM: Beyond the human requirements of personal interaction and belonging, communities provide tangible benefits to all involved. Unfiltered information based on common experience will always trump random white papers and case studies posted on the internet. The give/get relationships within a community inspire openness and, in most of the communities I have seen, a level of bluntness that is refreshing.

Some key advantages of communities:

• Cost of entry low as compared to traditional media and other marketing opportunities. Very much a “grass roots” feeling.
• Ability to communicate and receive value is high. Tons of touch points, combined with a high degree of passion.
• Trusted source – community members have likely experienced your challenges, or will shortly. The feeling you can “steal with pride” best practices and contribute your own successes.
• Ability to enter new markets or industries. Opportunities to network, build like-minded connections and potentially drive business development opportunities.
• Credibility that comes with “member of” status. Make the affiliations and partnerships that make your organization seem larger and more connected. Getting published or quoted as an expert or thought leader is invaluable for your organization and personal brands.

Finally, what is the future of communities?

JM: Based on the data from analysts, combined with the relentless growth of information available across the internet and the behavioral habits of people, it is difficult to predict a slowdown in the growth of communities in business. Exponential growth, in fact. Specialization will continue to expand as well, driving more need for these groups and subgroups. There is an upper limit to the size of a community where the point of diminishing returns kicks in. The point at where coordination of the group and the generality of messaging outweigh the benefits listed above. Smart communities will organize sub-groups before the fringe members go off and launch a competing community.

Do you like to travel? What are some of your favorite destinations?

JM: I love to travel. In addition to the 50 or so industry events I attend each year, I am on a mission to visit 100 countries. I leave for Russia and 6 neighboring countries in just over a month which will put me at 57 on the journey to 100! Here is the story:

How did it begin? Simple. “The Bucket List”. Yes, the 2007 movie, starring Jack Nicholson and Morgan Freeman (http://www.imdb.com/title/tt0825232/) was the inspiration. I, like I suspect many others, had a goal to visit much of the world but no real plan to do it. The gentle reminder that every day is precious and waiting till retirement age is risky:

• Potential for health issues
• Lack of energy
• Getting limited (and censored) through “tours”

Why 100 Countries? Again, simple. Round number. Actually, it was a bit more complicated… I wanted it to be remarkable, challenging, but yet attainable. Knowing that dozens of countries are in perpetual war (civil or otherwise), and others were small islands spread around the world, I chose a round number representing half. By the way, the United Nations recognizes 192 countries, and the US State Department recognizes 194. The debate over places like Vatican City, Kosovo, and Taiwan make the number go up or down but the general consensus is 195 countries in the world today (2010). The Unofficial Rules of the Tour (#1 rule is that there are no rules):

• 8 days per trip – not work related travel. Leave on a Friday, return on a Sunday – only miss one week of work each time.
• Every June and December (try to catch summer wherever I go north or south)
• Book flight three months ahead, use Google Maps to determine path and transportation type between countries, and start locking in details the week of the trip.
• Process inside each major city is to park 10 miles outside of downtown and strap on Rollerblades (actually Mission inline skates to be exact) and skate up and down each street one by one. The skating is efficient and effective even in heavily crowded areas. I can travel about the speed of a bicycle meaning a good 4-5 hours will cover a large city and 30+ miles.
• High degree of flexibility including sometimes driving at night, catching a nap in the car or staying in a luxury hotel – all somewhat random and in the moment.
How to choose Countries?

A few times I have literally spun a globe and booked a flight where my finger stopped (China). Sometimes it is educational and theme based (tracing back WWII from Auschwitz back to Berlin). Other times it is centered around major events (watching World Cup soccer from home countries of Argentina and Brazil) and then going to the actual site later (Johannesburg). The randomness is what drives some of the fun.

I eat 100% local to the country I am in – usually off the beaten (tourist) path and likely in some back alley somewhere. I don’t speak any languages outside of English so it usually consists of a bunch of pointing and sheepish grins.

What is the Endgame?

The question I am asked most often is: How can you enjoy the travel and suck in local culture when you are dashing through countries almost daily? Two answers:

• Rollerblading means that I cover more of a city than most people who stay for days and stick with “Top 10” tourist sites
• I am keeping a “best of” list and will go back after the tour (perhaps in retirement) and spend quality time in the chosen places.

At the current pace, I will likely be done 100 countries by the time I am 50 – leaving lots of time to go back and explore deeper.

What next?

Another bucket list item is to one day sail the blue ocean and perhaps approach these countries in a different fashion – as a mariner.

ABY RAO

Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
IT SECURITY

Interview with Raj Goel

Raj Goel, CISSP, is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries. He is a well-known authority on regulations and compliance issues. Raj has presented at information security conferences across the USA and Canada. He is a regular speaker on PCI-DSS, HIPAA, Sarbanes-Oxley, and other technology and business issues, and he has addressed a diverse audience of technologists, policy-makers, front-line workers, and corporate executives. Raj works with Small-to-Medium Businesses (SMBs 10-200 employees) to grow their revenues and profitability. He also works with hospitals and regional medical centers across the Northeast (NY, Vermont, New Hampshire, Maine, Pennsylvania) in helping them meet HIPAA compliance requirements and utilizing Health Information Systems (HIS) effectively. You can contact him at raj@brainlink.com.

You have more than 20 years of experience in IT, please tell us about your professional background in IT Security.

Raj Goel: I had my first IT consulting client at age 13, first business card at 16, and have been consulting ever since. In 1997, a large Health Insurance company in the US asked me to help them understand something called HIPAA. We had no idea what HIPAA was, nor did they – however, the client’s management knew that this proposed law needed to be understood, if the health portal project we were working on was going to succeed.

I learned what I could about the proposed legislation, and delved into the HIPAA Security standards. That led me to becoming a CISSP, and gaining a real understanding of how ISO27001, HIPAA, PCI-DSS, and other data security and privacy standards are related.

My first presentation on HIPAA compliance was in October 2001 – a month after 9/11. Since then, I have led, or conducted over 150 seminars, webinars and full-day conferences. I have also been published in INFOSECURITY Magazine, quoted in CSO Online, and appeared on TV on the Geraldo Show and PBS TV.

To date, I have delivered CLEs to over 3000 attorneys, approximately 1500 accountants/CPAs and thousands of CISSPs world-wide.

In short, I have been in IT for over 25 years, and IT security for 15+ years.

Please tell us about your company, services you offer and organizational growth in the past few years.

RG: I co-founded Brainlink International, Inc, with my wife, in 1994. We offer three sets of services:
• Managed IT support for Small Businesses (5-100 employees) in Manhattan, NYC.
• HIPAA, PCI-DSS and IT security audits across the USA to Hospitals, Medical Groups and Level 3 and Level 2 PCI merchants.
• Cyberforensics – data acquisition and evidence analysis to Matrimonial and Criminal Defense attorneys in NYC.

Managed IT is the fastest growing segment of the business and IT security compliance audits are holding steady. There is also a growing interest in CyberForensics from the attorneys.

You have presented to several C-level executives. What are some of their concerns related to IT Security and what is their approach towards organizational risk mitigation?

RG: That is a broad question. At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security does not really matter to them – I have met with very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – which is the only regulation that has captured their attention and budgets.

The CIOs/CPOs/CSOs are more focused on becoming compliant and usually, their biggest concern is managing the conflicting standards and regulations. In some cases, the standard is poorly worded (e.g. PCI) or their realities do not mesh with the law (e.g. HIPAA).

For example, HIPAA requires that all systems be patched and updated. Contracts with vendors require that the hospital cannot update or apply Windows patches to MRI or XRAY machines without voiding warranty. That is still a challenge.

The other challenge is that HIPAA requires disaster recovery and standard DR is expensive. A LOT of cloud providers are selling their services as HIPAA-compliant, without really understanding (or intentionally ignoring) what impact ECPA and the Patriot Act have on HIPAA/PCI/GLBA compliance.

Since you do a lot of work in the New York City area, I am sure your international readers are curious to know if you are willing to take on any international assignments?

RG: Depending on the jurisdiction and the laws involved, yes, we are willing to take on international assignments. Acceptance of non-US assignments depends on current geopolitical issues, laws involved, and cultural issues. The biggest challenge we help clients deal with is the internal cultural issues. The corporate culture, local and community standards, etc., so, before I accept an assignment, I take steps to understand the culture I will be stepping into.

What tips would you offer to young adolescents to protect their identity online?

RG: That is a great question. How should adolescents protect their identity online?

a) AVOID Social Media – Facebook, Twitter, etc. Consume the content, if you want, but do NOT create profiles, or posts online. If you do create profiles on social media, limit the information that you post about yourself and your profile information. Do not provide too much information that someone can use against you. Remember that what you post in social media applications cannot be removed and will be available forever for people to read.
  • Learn the risks that going online creates – you can see my video at www.Brainlink.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/ or on YouTube.
  • Read/understand as much as you can that privacy is eroding fast and it is not in Facebook, Google, Match.com, your mobile phone company, your ISP, your employer OR your government's interest to protect it. It is YOUR privacy, it is YOUR identity, and only YOU can protect it.
b) Avoid using online dating sites.
c) Use common (or uncommon) sense – never EMAIL, SMS, POST or TWEET anything that you would not want to defend in court.
d) If you break laws (speeding, underage drinking, engaging in political or social protests, etc.), DO NOT brag about it.
e) Choose your friends carefully – in real life, and online. Not everyone who wants to friend you is a real friend and they could be opportunists, predators, robots, law enforcement or criminals.

Small and medium size health organizations find HIPAA/HITECH compliance requirements overwhelming. How do you help them in that domain?

RG: Everyone finds HIPAA/HITECH daunting – from the smallest to the largest. I assist clients in understanding why HIPAA/HITECH matters to them, why it is important to comply and most importantly, how we can INCREASE PROFITABILITY by becoming compliant.
That is the angle most consultants, IT professionals and businesses overlook. Compliance can lead to greater profits.

During your interaction with Attorneys and accountants, what were some of the cyber-security areas they were interested in?

RG: More and more, attorneys are concerned about digital evidence and cyber-forensics. Other than that, their interest in cybersecurity is pretty minimal. Getting better Google ranking, more business through LinkedIn, and more friends on Facebook – that attracts their interest – not cyber-security.

Social media has its own benefits, but privacy can be a bit of a concern. What steps can individuals take to protect their civil liberties and privacy?

RG: That is too big of a question to answer. See the short answer above and then watch my video at http://www.Brainlink.com/blog/what-to-teach-your-kids-employees-and-interns-about-social-media/, read the articles at http://www.brainlink.com/category/articles/ and then we can talk.

In the US, the Federal Trade Commission plays a vital role as an investigator of privacy and security breaches. What should IT Security professionals be aware of with respect to the FTC's role in security?

RG: The FTC is not an investigator in the traditional sense – they have become the guardians of consumer privacy in the US. I recommend watching the several webinars and presentations I have done on LESSONS LEARNED FROM THE FTC at http://www.rajgoel.com/lessons-learned-from-the-ftc-federal-trade-commission to get a better idea.

What are your thoughts on SOPA, PIPA and ACTA legislation from a consumer perspective? Will consumer privacy and security be safeguarded due to this legislation?

RG: SOPA, PIPA, ACTA do NOT protect consumer privacy. These laws are bought-and-paid for by the RIAA and the MPAA to protect their business model and profits in a dying industry. It is like horse-buggy manufacturers passing laws that limit vehicles to no more than 20 MPH/30Kph.

As a consultant and prolific speaker, effective time management must be an important aspect of your life. Any tips on how you go about juggling various roles?

RG: Learn Time Management! I have taken courses at Landmark Education, read The 4-Hour Work Week and Getting Things Done, and received personalized coaching that has helped me build and maintain my priorities.

How do you keep yourself up-to-date with the latest developments in IT? What are some of your information sources?

RG: Slashdot.org, TheRegister.co.uk, various industry journals and constant reading are how I keep up to date. In all my presentations, I use publicly disclosed data, and integrate disparate events and incidents into a coherent narrative.

Who are some of your role models in personal and professional life?

RG: Marcus Ranum, Bruce Schneier and Howard Schmidt are my personal cybersec heroes.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
Now Hiring

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au
www.senseofsecurity.com.au
KNOW-HOW

10 ways to enhance your career in Information Security

At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences.

This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn't have a problem running through the list fairly quickly.

Hands-on skills are invaluable. It doesn't matter if it's paid or pro-bono work

As you might have heard a million times before from various pros in the industry – there is no alternative to gaining hands-on industry experience. Even a few hours spent on a project will hold more value than unlimited lab experiments. Project-based work can take you a long way and add credibility to your resume. People who transition to security from other closely associated fields, like system or network administration, physical security, disaster recovery planning, and programming, often get a chance to be intimately involved in security. Grab any such opportunities and make the most out of them. For example, a software programmer might consider ways in which he/she can embed a robust security framework in their software development life cycle. For those individuals who are completely new to the industry, you can prove yourself by taking on some small-scale projects, even if it means you have to work for free. One place to gain some valuable experience is to connect with local non-profit organizations and see if you can help them harden their machines, or provide assistance with their anti-virus or firewall configuration. If you are a rockstar, you might just end up creating a part-time or consulting gig at the organization.

Get a certification or two

I have noticed a perpetual "hoopla" on the topic of industry-recognized certifications, such as CISSP, CISM, CEH etc. A few pros have even criticized the purpose of these certifications. I understand their sentiment and point-of-view, but if you notice any security job opening, you will see these certifications listed more often than not. If you are someone who doesn't believe that a 4-6 hour exam can judge your skills, then try something different, such as the OSCP (24 hour hands-on exam) or any of the open-book SANS exams. While you are studying for any exam, I would recommend that you create a home "lab" and experiment with what you learn, as well as attend seminars, network with other professionals, read white papers, and participate in mailing lists/forums etc. All of these activities done together will help you be a well-rounded and confident professional.

Volunteer whenever you get a chance

There are hundreds of security conferences organized all over the world. In addition, you can volunteer at local events organized by ISSA, OWASP, ISACA, ASIS, HTCIA, IAPP etc. Although you will require membership
to these organizations, it may be worthwhile to attend a couple of their sessions to see how much they value their volunteers and organizers. Volunteering is a great way to make new friends in the profession and learn about their career path. A few volunteering positions also offer you a platform to exhibit your leadership and public-speaking skills. Most importantly, volunteering demonstrates your keenness to be a part of the community and contribute to the success of the profession.

Attend at least one conference a year, big or small – it's worth it

Security conferences are held all over the world. Some of the security conferences bring together the best of all the talent that's out there. It's a perfect place to meet these professionals and strike up a dialogue with them. If you are the adventurous kind, you can sign up for events such as Lock Picking, Capture the Flag, etc. Often conferences also open up the floor to various product vendors and companies who are hiring. Many people spend time during session breaks talking to various companies to learn about the latest trends and technologies. If you prefer to do less interaction and more learning, you can attend the sessions, or walk over to the booths where they sell the latest security books. If you are lucky, the authors of the books may be there for a book signing. Overall, it is a good place to explore your career options. If BlackHat and HackerHalted are beyond your budget, then look at local conferences. Usually conferences organized by the local ISSA chapter or *con conferences, such as ShmooCon or CarolinaCon, are good options as well.

Consider obtaining formal education or an advanced degree

I have noticed that several professionals in the industry go back to college or a university to receive formal education. Research in the US has indicated that typical college graduates earn about 73 percent more than typical high school graduates, and those with advanced degrees earn significantly more than high school graduates. Some may argue this point, while others may not have the resources or inclination to go back to college. In any case, a formal degree may open new doors and potentially put you in a better position for a promotion or raise. If you are the entrepreneurial kind, then an MBA will enable you to network with like-minded people, and incubator programs at various universities may even kickstart your business.

Find a mentor

This is such an important step in anyone's career. I refer to mentors as SWOTers. At an informal level, they
are the best people to offer you advice, suggestions and guidance related to your Strengths, Weaknesses, Opportunities and Threats. The most important elements in a mentor/mentee relationship are honesty and trust. You can find a mentor at work, conferences, local chapters, or even through other connections, including neighbors or the friend of a friend. Feel free to have more than one mentor, as there is nothing stopping you from doing this. You will really gain quite a bit if you find someone with several years of experience in your field of interest. Often, your workplace will promote a mentorship program. I cannot stress enough how much this can help your career.

Talk to recruiters at regular intervals

This may sound silly at first, especially if you already have a job with which you are fairly happy. Recruiters are resourceful for four main reasons: 1) They can provide you with invaluable market information; 2) They can give you a sense of what the industry needs are in terms of skillset; 3) They are good at critiquing resumes; 4) They can analyze your background and estimate your market value in terms of compensation and benefits. Talking to recruiters will help you negotiate a raise/promotion at your next performance review. Sites like LinkedIn, Salary.com and Glassdoor are other supplementary resources you might want to consider checking. Along similar lines, if your company has an approachable HR team, take your HR manager to lunch and discuss various cross-functional opportunities within your company.

Don't be an expert, yet

"Yet" is the keyword in the above-mentioned phrase. Many of you may aspire to be an ace pentester, or a top-class malware analyst, but don't forget that it takes several years of training and experience to get there. Information Security is such a vast sphere of work that calling yourself an expert early on in your career is not just foolish, but also sets yourself up for failure. If you are new, take your time and learn the landscape first. Involve yourself in various types of projects; this way you will know your strengths and weaknesses. Once you feel confident and passionate about a certain field, then you can start your journey in that direction. I have talked to a few people who thought PenTesting is "cool" because they can claim to be "ethical hackers." Due to their fascination with the title and not the job profile, they quit their job even before they completed their first Metasploit exploit.

Read and explore

Blogs, forums and mailing lists have been such a boon to the technical community. Each time we come across a technical term, or need assistance troubleshooting an issue, we turn to the internet. Similarly, subscribing to various blogs, via RSS reader, brings in vast amounts of information right in front of you. Knowing key players and their opinions will give you an advantage, especially during interviews. On more than one occasion, I have been asked what security blogs I subscribe to, and was lucky to be able to have an answer for them. Some of the blogs I would recommend are: Anton Chuvakin's Security Warrior, Dark Reading, Jeremiah Grossman, McAfee Labs, OWASP, various SANS blogs, Schneier on Security, Social-engineer and Ethical Hacker Network. Following experts on Twitter is another good way of receiving bite-sized information.

Make security a part of your life

I have observed that people who are successful in any profession are generally passionate about their line of work. In our context, such people see security embedded in every element of their life. Purely out of curiosity, they will tinker around with technology, and during the process, will discover something new that fuels their curious mind. These people don't count the hours they spend hacking their cellphone or reviewing code because they are experiencing "flow." If you are keen to read how some people manage to work for many hours without any breaks or distractions, I would recommend the book titled Flow: The Psychology of Optimal Experience by Mihály Csíkszentmihályi. Security is not a profession, but a lifestyle.

There is nothing divine about the list mentioned above. As a matter of fact, anyone with a few years of experience may find this list trivial. What this list offers is a chance to be introspective about your career and gauge where you stand, what needs to be achieved, and possible next steps. Feel free to reach out to me if you have any questions or comments. Good luck with your career!
In the next issue of PenTest Market, available to download on May 15th:

Soon in PenTest Market!
• Qatar CIRT team talk about IT Security
• Interview with Tal Argoni
• IT Security and a specialist recruiter's point of view
• Interview with Alexandro Fernandez
• Pentesting business startup
and more...

If you would like to contact the PenTest team, just send an email to krzysztof.marczyk@software.com.pl or maciej.kozuszek@software.com.pl. We will reply a.s.a.p.