PenTest Market Magazine
EDITOR'S NOTE
Market 02/2012 (02)

Pentesting market is growing

The second issue of PenTest Market is out. We have prepared for you the next fresh dose of interviews and articles devoted exclusively to the pentesting business. The first issue was very popular, so we decided to make PenTest Market a free magazine. Now access to our content will be easier than ever. Let's look at what we have prepared for you in this issue.

On the cover you can see Victor Mehai Christiansenn, who is the Director of Sales at SecPoint. Victor told us about the pentesting market which, in his opinion, is going to increase more and more in the upcoming years. He has also described SecPoint tools for penetration testers.

On the next pages we will „Walk through the penetration testing fundamentals” with Pierluigi Paganini. The author explains why to conduct a penetration test and shows that penetration testing is a widespread need.

We have talked with two experts in the area of IT security auditing. Michael Brozzetti told us what the difference is between an Internal Auditor and an External Auditor. We also asked him about the transition from IT security to IT auditing. Furthermore, Mehmet Cuneyt recommended certifications, trainings and skills for someone who wants to pursue a career in IT Security Auditing.

Another interesting person that we had the pleasure to talk with was Dr. Lukas Ruf. He is a senior security and strategy consultant with Consecom AG. He has shared with us his experience from the security consulting business and talked about strict cyber privacy in the EU.

Ian Moyse, a leader in Cloud Computing, has prepared for us a combination of pieces focusing on adopting Cloud in a secure manner. He provides exemplary things to check before signing up with a cloud service provider.

„Have you M.E.T?” – a really intriguing title. In his article, Amarendra writes about what it takes to be a successful pen-tester. You just have to have M.E.T: Mindset, Experience, Tools, techniques, and training.

Our next guests are Joe Hillis and Jay McBain. Joe is leading an initiative to engage the technology community to help Small Businesses and Communities with continuity and recovery of information systems following a disaster. Jay is an accomplished speaker, author and innovator in the IT industry. They both have much experience in IT security and you can learn a lot from them.

Our last but not least interview in this issue features Raj Goel. He is an IT and information security expert with over 20 years of experience developing security solutions for the banking, financial services, health care, and pharmaceutical industries.

Finally we can present you the article by our great contributor, Aby Rao. He provides „10 ways to enhance your career in Information Security” based on his personal experience. This article is primarily targeted towards people who are at entry-level positions or are making a switch to IT Security from a different field of work.

We hope you will find this issue of PenTest Market absorbing and uncommon. Thank you all for your great support and invaluable help.

Enjoy reading!
Krzysztof Marczyk & Pentest Team

02/2012(2) Page 3 http://pentestmag.com
CONTENTS

PENTESTING MARKET

06 Interview with Victor Mehai Christiansenn
by Aby Rao
The pen test market has grown a lot during the last few years and the good news is that this increase is not going to stop, as there will always be a new vulnerability and the remedy for it is required instantly. So we always try to keep finding new possible loopholes, and the customers and end users do understand the need for pen-testing as a proactive way of finding what might be coming to them in the future; they do want to stay prepared and prevent it. There is nothing better than pen testing and it is just going to increase more and more in the coming time.

PENTESTING FUNDAMENTALS

08 Walk Through the Penetration Testing Fundamentals
by Pierluigi Paganini
The figure of the pen tester is a critical one: he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has also happened in history that companies have wrongly hired hackers who in time were revealed to be cyber criminals. Information is power, is money, and the concept of „trust” is fundamental for this kind of analysis.

IT SECURITY AUDITING

12 Interview with Michael Brozzetti
by Aby Rao
IT security professionals can make excellent candidates for IT auditors because it's like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking "short-cuts." This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing.

16 Interview with Mehmet Cuneyt Uvey
by Jeff Weaver
The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for the auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes so that they can look underneath the numbers (business results), but also at the systems and processes that create those numbers.

SECURITY CONSULTING BUSINESS

20 Interview with Lukas Ruf
by Aby Rao
As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

CLOUD COMPUTING

24 Securing Clouds
by Ian Moyse
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

SUCCESSFUL PENTESTER

28 Have you M.E.T?
by Amarendra
Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the „ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

DISASTER RECOVERY

30 Interview with Joe Hillis
by Aby Rao
Disaster Recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The "best" method is generally driven by a business's operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; while others may require continuous access to systems and data, regardless of the event.

SOCIAL MEDIA

34 Interview with Jay McBain
by Aby Rao
Building a personal brand is key in today's „flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

IT SECURITY

40 Interview with Raj Goel
by Aby Rao
At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security doesn't really matter to them – I've met very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – that's the only regulation that captured their attention and budgets.

KNOW-HOW

44 10 Ways to Enhance Your Career in Information Security
by Aby Rao
At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences. This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn't have a problem running through the list fairly quickly.

TEAM
Editor: Krzysztof Marczyk krzysztof.marczyk@software.com.pl
Associate Editor: Aby Rao
Betatesters / Proofreaders: Massimo Buso, Daniel Distler, Davide Quarta, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by. Mathematical formulas created by Design Science MathType™.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
PENTESTING MARKET

Interview with Victor Mehai Christiansenn

Victor Christiansenn is the Director of Sales at SecPoint. He established the SecPoint security firm in 1998, at the tender age of 16, in the basement of his parents' house. Since then, the young entrepreneur has been working in the IT security industry full-time for more than 11 years. His passions are Wifi Security, Vulnerability Scanning and UTM Appliances. He is interested in Freemasonry.

SecPoint is a world-renowned IT company. What is the key to the success of your company?
Victor Christiansenn: Innovation and Continuous Development. Doing things differently than everybody else and opening up new markets, like with the Portable Penetrator. Also quickly adapting to new requirements in the market.

You have been on the market since 1998. What was the most challenging at the beginning of your career?
VC: Every day is a challenge! Once you love your job you do not see it as a challenge.

How has the pentesting market changed during these several years? Do you consider anything as a turning point for the market?
VC: It has changed a lot. We have seen sales of the Penetrator and Portable Penetrator increase, especially in the last three years. There has been a turning point where customers have realized the need for pentesting. Plus, every other day a new vulnerability is found, and as an IT Security company we always strive to find the solution to the vulnerability.

How do you see this market in the future?
VC: Growing big time. The pen test market has grown a lot during the last few years and the good news is that this increase is not going to slow down; there will always be new vulnerabilities, and the need to find a remedy for them is required as fast as possible. So, we always try to keep finding new potential loopholes, and the customers and end users do understand the need for Pen-Testing as a proactive way of finding what might be coming to them in the future; they do want to stay prepared. There is nothing better than Pen Testing and it is just going to increase more and more in the coming time.

What would you advise to people who want to start their own company in the IT field?
VC: Go for it! The whole Internet is waiting for you. As I said, the threats are something that will never go away. You will always find some news about new threats discovered. It requires a lot of manpower and skills to be able to be the one who finds it before anyone else. Then comes the part of finding the solution and integrating it into the Pen-Testing product, so that the scanner can scan for it and find if that vulnerability is indeed present on the network.

Please, tell us more about your products (SecPoint Protector, SecPoint Penetrator, SecPoint Portable Penetrator).
VC: Protector is an advanced UTM (Unified Threat Management), which ensures Real-Time all-round protection for users connected on your Wired Network. Protector comes with Advanced IT Security features like Firewall, Real-Time Intrusion Prevention (IPS), Anti-Spam, Multiple Anti-Virus suites, Web Filter, Web Proxy, Anti-Phishing, Content Filter, Full Mail Archiver, DLP (Data Leak Prevention), Incoming and Outgoing Mail Backup, and more. Protector is available as an Appliance, as well as in VMWare. Protector is easy to install and comes with a fully-customizable, easy to use Interface.
Penetrator is a complete Penetration Testing and Vulnerability Scanning Suite. Portable Penetrator can scan any IP over a Wired Network for vulnerabilities. The system scans and searches for over 50,000 types of vulnerabilities on any IP address. Further, you can Launch Real Exploits in order to check how secure your network is. Penetrator is available as an Appliance as well as a VMWare version.
Cloud Penetrator is an online Vulnerability Assessment utility that is used to check Vulnerabilities on Public IP addresses. It has an advanced Crawler that crawls through each and every page of the Website/Websites present on a Public IP Address and looks for over 50,000 types of vulnerabilities. It is a complete vulnerability assessment tool for a Public IP address, covering for example SQL Injection, XSS (Cross Site Scripting), Command Execution, etc. For more information you can visit the FAQ section on our web site: http://shop.secpoint.com/shop/cms-faq.html.

Are SecPoint Penetrator and SecPoint Portable Penetrator intended for all pentesters regardless of their skill level?
VC: Yes. Penetrator and Portable Penetrator come with an easy to use interface and scanning can be initiated with just three clicks. So, it is quite easy to use. The reports have an Executive Summary and in-depth Technical details for the Technical Team. Customers can also host our Products as a Cloud SAAS Service. It is a new trend that is quite rewarding and is getting more and more famous every day around the globe.

Which companies would benefit the most from your services? In which part of the world do you have the most business contacts?
VC: Apart from the enterprise level products, we also have entry level products for Small and Medium Businesses. So, we try to serve all sectors. We have the biggest customer base in Europe and the USA. With SecPoint's 'No Hidden Cost Policy,' customers get the convenience of obtaining the solution they need at no extra cost. Products come with many features and upgrades, but they do not need to pay for them separately.

How can you become a SecPoint employee? What traits and skills are highly appreciated? What may discourage you from hiring a potential employee?
VC: We ONLY work with the best. If you have the skills, we have the right place for you. The IT Security Industry always welcomes talented people. „Skills” and „Results on time” are highly appreciated everywhere. It is nothing but the game of speed, where you need to be able to find a possible loophole, then find the solution, and then integrate it into the scanner. It is a game of Speed and Skills. The better the skill, the faster and more accurate your output will be.

How will SecPoint surprise us in the future? What are the long-term plans of the company?
VC: Watch out for 2012 and 2013! Many new things are coming. We are working around the clock in order to get more and more features built. By mid-2012 we are planning to add some exciting new features to our products, and the development phase is a never ending process.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
PENTESTING FUNDAMENTALS

Walk through the penetration testing fundamentals

Talking about penetration testing fundamentals and their introduction in the private and military sectors. The growing demand for experienced IT professionals demonstrates the awareness of the matter; it is an expression of the need to deeply analyze every aspect of technology solutions.

The level of security and confidence requested by the market requires a meticulous approach in the testing phase of architectures; the methods introduced in recent years have become an integral part of the production cycle of each solution.

Why conduct a penetration test?
Penetration testing is a fundamental method for the evaluation of the security level of a computer architecture or network that consists in the simulation of an attack on the resources of the system under analysis. Of course, the investigation can be conducted by experts to audit the security level of the target, but also by cyber criminals who desire to exploit the system.
The penetration testing process is conducted over the target searching for any kind of vulnerability that could be exploited, like software bugs, improper configurations or hardware flaws.
The expertise provided by professional penetration testers is an irreplaceable component for the evaluation of the security of systems deployed in the private and military sectors. In many sectors these kinds of tests are requested for the validation of any system or component.
The testing approach has radically changed over the years: similar tests were originally conducted mainly on systems already in production or operation in order to demonstrate their vulnerabilities, while today's test sessions are planned as part of the design phase and assigned to internal or external staff in relation to the type of checks that are to be conducted.
A first classification of penetration tests is made on the knowledge of the technical details regarding the final target, distinguishing Black box testing from White box testing. Black box testing assumes no prior knowledge of the system to test: the attacker has to first locate the target, identifying its surface before starting the analysis. With the term white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.
The figure of the pen tester is a critical one: he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has also happened in history that companies have wrongly hired hackers who in time were revealed to be cyber criminals. Information is power, is money, and the concept of "trust" is fundamental for this kind of analysis.
Over the years awareness of the risks attributable to exploitable vulnerabilities in systems, and of the related economic impact, has fortunately increased. This aspect is not negligible because it has enabled a more robust commitment by the management of companies, which has requested penetration testing activities more and more often.

An effective penetration test provides the company with a useful report on the status of its services and its exposure to the main known threats. Don't forget that many incidents registered last year were related to unknown vulnerabilities of the victims' systems and to misconfiguration of any kind of appliance.
While the main objective of penetration testing is to determine the security level of the company, and in particular of its infrastructures, it can have a number of further objectives, including testing the organization's security incident identification and response capability, testing security policy compliance and testing employee security awareness.
Main benefits of a well done penetration test are:
• Identification and classification of the vulnerabilities of the systems. The aspect of classification is essential to give the right priority to the activities needed to improve security and secure the infrastructure.
• Identification of those critical components in the attack surface of a system that, while not vulnerable, have characteristics that make them susceptible to attacks over time.
• Determining the feasibility of a particular set of attack vectors.
• Helping organizations meet regulatory compliance.
• Identification of the vulnerabilities is the starting point for a deeper analysis made to assess the potential impact on the business of the company.
• Providing evidence of the real status of the systems, providing a detailed report to the management of a company. It's the starting point because, starting from the report, the company must proceed to secure its infrastructures, evaluating corrective actions and their impact on actual business. A well-documented penetration test result helps management to identify the right actions to secure the structures and to size the budget for them.

According to the principal methodologies, the whole process of a penetration test, from initial requirements analysis to report generation, could be applied to the following areas:
• Information security
• Process security
• Internet technology security
• Communications security
• Wireless security
• Physical security

Standards & Regulations
Penetration testing activities are also being regulated by several standards. For example the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual and ongoing penetration testing. PCI DSS Requirement 11.3 (https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf) addresses penetration testing as the attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. The standard also includes network and application layer testing as well as controls and processes around the networks and applications, and testing should occur both from outside the network trying to come in (external testing) and from inside the network.

Figure 1. How safe is your computer?

The most important factor for a successful penetration test is the adopted methodology; that's the reason why the discipline has evolved since its origin in the 1970's. Professionals over the years have proposed and developed efficient frameworks for conducting a complete and accurate penetration test.
The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de-facto methodology for performing penetration testing and obtaining security metrics. Pete Herzog, OSSTMM creator, said: "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliance, cyber-terrorism, and hackers."
In my opinion transparency and an efficient methodology are essential for the study and the assessment of every system.
Just to give a complete view on the standards and methodologies in penetration testing, we can recall the other worldwide recognized guidelines available:
• Standards for Information Systems Auditing (ISACA), introduced in 1967. The ISACA organization provides the basic and most important audit certifications, useful to demonstrate to the market mastery of the concepts of security, control and audit of information systems.
• OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure Web applications and Web services.
• NSA Infrastructure Evaluation Methodology (IEM)

How effective are our systems, how efficient are our processes? We are never going to know until we run drills and exercises that stress the platforms and perform the analysis. Simulating the possible attacks and measuring the level of response of our architecture is fundamental; we have learned from events how dangerous an unpredicted incident could be. Conducting a pen test is a good opportunity to test the level of security of an environment, but also to evaluate the response of the company to an intrusion or to an incident. Using this methodology it is possible to stress and analyze a system or an application, discovering its vulnerabilities and the impact of every possible attack or malfunction on the overall architecture and on related systems. It has happened that during a penetration test mutual vulnerabilities between components were discovered: for example, the exploit of a first Web service could cause the blocking of, or even an exploit in, a related system that uses the services provided.

Figure 2. Chinese Army computer hacking class

Several years ago, during the period I conducted penetration testing for a major company, I observed during a test session that some components were intentionally excluded because the administrators of the platforms were informed regarding the vulnerabilities. That behavior is really dangerous; excluding weak systems during a penetration test is a common wrong practice that prevents an efficient analysis of the system. In this way we will never be able to measure the impact of the vulnerabilities on the overall security, regardless of how the risks are addressed and recognized by the management of a firm. In a past experience I have had the opportunity to audit an ISO 27001 compliant company; its management was perfectly aware of some known vulnerabilities, accepting the related risks. A few months later, an external attack damaged the company due to a vulnerability not known, correlated to a well-known problem that was not tested.

Penetration Test, a widespread need
If the practice of carrying out a penetration test is recognized and requested by the major standards that we examined in a private environment, it becomes crucial in critical environments such as military and government. In these areas information management is extremely sensitive and it is essential for the environments to be tamper-resistant. For this reason, every device, component and infrastructure must be subjected to rigorous testing over time for the purpose of assessing the level of overall security. Particularly critical are all those heterogeneous environments where components are provided by different providers and whose interaction enables the delivery of services. It is this type of environment, together with those characterized by openness to the outside, that is a real thorn in the side of management bodies, as these architectures are more exposed to external threats.
In recent years there has been a dramatic growth of the attacks perpetrated against successful private companies and government agencies, a phenomenon of constant and growing concern. Demonstration projects conducted by groups of hacktivists like Anonymous, warfare operations conducted by foreign governments for purposes of offense and cyber espionage, and an unprecedented increase of cyber criminal activities have attracted attention to the security requirements of any IT solution. The verification of the effectiveness of the solutions adopted in defense has become a significant activity that has led to an increased demand for figures such as the penetration tester, a multidisciplinary and multifaceted professional with the ability to analyze and study a system, identifying its vulnerabilities.
Of course in critical environments, like a military one, governments, due to the secrecy of the solutions analyzed, have preferred to promote internally-born groups of experts trained to execute penetration tests. In this sector nations such as China, Russia and the US are at the forefront.
Take as an example systems within critical infrastructures: related vulnerabilities are alerting the world security community. The case of the Stuxnet virus has taught the world how dangerous a cyber weapon capable of exploiting a vulnerability in a system might be. The only possibility we have facing these cyber threats is to thoroughly test each individual component of the systems we are going to deploy. The method of soliciting such infrastructure through penetration tests is an essential, unique opportunity to identify critical vulnerabilities that, if exploited, could affect its security posture.
Penetration tests are a precious opportunity to protect our infrastructures and must be integrated in more articulated testing policies; a good example has been provided by Special Publication 800-42, Guideline on Network Security Testing, published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.
Let me conclude with a phrase that I've read several times on the Web that sums up the purpose of penetration test methodology:
"Protecting your enterprise by breaking it"

PIERLUIGI PAGANINI
Pierluigi Paganini has a Bachelor in Computer Science Engineering IT, majoring in Computer Security and Hacking techniques. Security expert with over 20 years experience in the field. Certified Ethical Hacker at EC Council in London. Currently he is Company Operation Director for Bit4Id, Researcher, Security Evangelist, Security Analyst and Freelance Writer. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog „Security Affairs”.
Security Affairs (http://securityaffairs.co/wordpress)
Email: pierluigi.paganini@securityaffairs.co
IT SECURITY AUDITING

Interview with Michael Brozzetti

Michael Brozzetti (CIA, CISA, CGEIT) is President of Boundless LLC, an expert internal auditing and governance firm, and is Chairman of the Business Integrity Alliance™, which is a joint venture between zEthics, Inc. and Boundless LLC missioned to advocate and advance the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael has a passion for helping organizations strategically manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation.

It's not very common for us to interview professionals with extensive audit experience. Please tell us about your background and professional experience.

Michael Brozzetti: I started my auditing career with PricewaterhouseCoopers LLP (PwC) as an intern, where I gained a lot of experience in the IT Auditing, IT Governance, and Business Process Reengineering domains. In 2002, I moved into working full-time as an IT Auditor at Charming Shoppes, which is a publicly traded specialty retail company. At that time, the company was going through a transition and had decided to bolster its Internal Audit department by hiring lots of fresh talent, so I had an excellent opportunity to work with a lot of great people to help build a new Internal Audit department from the ground up. It was a unique and valuable experience to help such a large company design and implement internal audit processes and systems to support all of the auditing and consulting engagements performed by the department. In 2005, I decided to take that "leap of faith" and focused my energy into Boundless LLC, which later became recognized as a Philadelphia 100 "Fastest Growing Company" in 2010.

Can you tell us a little bit about your company Boundless LLC and the services you offer?

MB: Boundless LLC helps safeguard reputation and fiduciary integrity by helping organizations manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. We accomplish this by helping organizations integrate and improve their organizational ARCs – Audit, Risk, and Compliance – through our training, speaking, and consulting service offerings. "One-size" does not fit all anymore, so Boundless remains flexible in supporting our clients' needs, and when we are engaged in a consulting capacity we work on a retainer basis, pledging to uphold the Institute of Internal Auditors (IIA) Code of Ethics principles for
integrity, objectivity, competence, and confidentiality. This is what differentiates us from the other consulting firms. Training and speaking is where I like to spend the majority of my time because I find it rewarding to help people improve what they do and how they do it.

You teach at a university; what courses do you teach and how has it helped you as a professional?

MB: I teach a Certified Internal Auditor (CIA) review course in partnership with Villanova University and the Institute of Internal Auditors (IIA). The CIA is the only globally accepted designation for internal auditors. It is the standard by which internal audit professionals demonstrate their knowledge and competence in the areas of governance, risk and control. I think what has helped me most as a professional is the interaction with so many talented Internal Auditors that come to take the course. The course design promotes experiential learning, so when an audit topic is discussed it is often anchored to the real world experiences of the group. This learning style really makes the course topics resonate with participants and it also fosters an excellent 360 degree learning environment for participants, as well as myself.

This may sound quite rudimentary, but can you tell us what the difference is between an Internal Auditor and an External Auditor?

MB: External auditors are primarily responsible for providing opinions about financial statements within the scope of accounting standards and rules. The external auditor's approach is historical in nature, usually looking at the previous fiscal year or quarter, and typically puts the greatest focus on financial reporting risk. On the other hand, Internal Auditors have a much broader responsibility for assessing operational risk, fraud risk, strategic risk, technology risk, and financial risk beyond just that of financial reporting. Internal Auditors often take a more forward looking approach and ultimately make recommendations to improve the governance, risk, and control processes of their organizations. Reference (http://www.youtube.com/watch?v=4-ko4n-Hyjs).

In the past you have spoken about values, morals and ethics. Why would these terms be important to any organization?

MB: These terms are particularly important to how an organization governs itself and behaves to its internal and external stakeholders. Professional standards say that internal auditors are responsible for promoting appropriate ethics and values within the organization. I have come to the belief that values do, in fact, motivate while morals and ethics constrain behavior, which was a notion written on by Paul Chippendale. A simple way to discern the difference between morals and ethics is that morals are related to a single person's belief of what is acceptable and ethics are related to a group belief of what is acceptable. Does a company want to make a profit? YES, of course, but at what cost, and what constrains the company from using overly aggressive captive pricing practices, misleading sales practices, or cheap foreign labor where work safety and employee health is of little concern? I would say ethics in this case should be the constraint; however, some would argue as long as it is legal it is okay. I disagree with this mentality and believe that most law and regulation should be viewed as the bare minimum. When making significant business decisions I encourage companies to routinely ask three questions. 1) Is it legal? 2) Is it ethical? 3) Is it sustainable? If you can't say YES to questions 1 and 2, it is really difficult to say Yes to number 3, which more than likely proves it to be a bad business decision from a long-term governance perspective. Reference (http://www.youtube.com/watch?v=3yt1gzFqe0M).

If an IT security professional notices illegal practices within their organization (inner threats), what approach should they take to report such activities?

MB: First, it is important to get the facts straight and validate that the documentation supports the findings before raising the issue to trusted management or through a trusted ethics/fraud hotline. I am emphasizing the word "trusted" because if the IT security professional does not have sufficient reason to trust management or an ethics/fraud hotline to address the problem,
the reporting of these activities can become more challenging. For example, if an IT security professional finds that their company is holding CVV codes for credit card customers and that this information was recently breached, the IT security professional might find it peculiar as to why they are not getting a positive response from the CISO or CIO. The IT security professional might know that the laws and regulations require the company to notify the customers of the possibility of a breach, but is now concerned the CIO/CISO is downplaying the incident because they recently learned that they were responsible for implementing the security program and developing the data privacy policies. As you can see, it is important that the reporting takes place to a trusted party that is independent enough from the event so that the best decisions can be made for the organization. I know this is easier said than done and often involves lots of moral courage when no one is listening to significant concerns. To prepare for such an incident, I would suggest that the IT security professional establish trusted relationships with other professionals in the organization's audit, compliance, risk, legal, ethics, and other departments so that they have multiple experts to raise concerns to in the best interest of the organization. I wish I could say reporting was as easy as filing through the hotline or reporting to the senior most security officer, but the reality is that while this might work in some cases, don't assume it always will.

Why would someone attain the CIA certification, and would you recommend that certification to anyone in the IT Security profession?

MB: IT Security professionals play an important role in assuring their organization maintains strong governance, risk, and control practices. There is nothing wrong with IT security professionals maintaining a career path as a technical security expert; however, professionals wanting to get involved in more of the broader business risk issues might want to think about becoming a Certified Internal Auditor. My first certification was as a Certified Information Systems Auditor (CISA), which helped me learn a lot about the technology and security risks that IT security professionals face every day; however, my decision to pursue the CIA certification was to gain a broader perspective into the business risk of operating an enterprise. In my experience, when you can frame the technology and security risks within a broader business risk perspective it helps communicating issues to senior-level management to get their attention and take action.

If an IT security professional would like to make a transition to IT Auditing, what path (certification, formal education, work experience etc) would you recommend and what are some of the challenges they have to be aware of?

MB: IT security professionals can make excellent candidates for IT auditors because it's like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking "short-cuts." This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing. In terms of IT audit certifications, I often recommend the CISA because it is considered by many to be the most recognized and referenced by companies looking to hire IT Audit professionals. I know IT Auditors that come from a variety of educational backgrounds including business, accounting, and IT. In my experience, companies love to hire CISAs with "Big 4" experience, so if you have an opportunity to make the transition by getting hired by a Big 4 firm you should certainly consider this even if it is just for the short-term. These firms typically offer lots of great hands-on experience and a lot of education which have a lot of value even if you decide not to try and make partner at the firm.

From your consulting experience, can you share with us some of the common IT Governance issues you have noticed?

MB: I would have to say one of the most common IT Governance issues is understanding that IT Governance is not only limited to just IT; it's a team sport that involves all aspects of the business operations. IT governance comes down to aligning IT with the business strategies, goals, and objectives so that reliable information is at the right place, at the right time, and in the right hands to support sound decision making. While this might seem like a simplistic view, it truly is the essence of IT governance. There are many excellent IT governance frameworks that can be used to support the business; however, it is a common mistake to try and use the framework to run the business rather than using the frameworks and applying them to support the operations of the business.
How critical are IT Governance frameworks such as COBIT, ISO 17799 in building a strong organizational foundation? What frameworks have you recommended in the past few years?

MB: The speed and reliability of information flow is critical in today's globalized marketplace and IT Governance frameworks can certainly serve as a strong organizational foundation. There are many frameworks, including COBIT, ISO 27001, 27002, and 38500. While the IT governance space is mature with frameworks, I believe that the practical implementations are harder cases to find due to some of the issues I noted above. ISACA had drawn up a nice paper that aligned COBIT with ITIL (Information Technology Infrastructure Library), which I thought was very helpful in a compliance project I was involved in. I found it very useful to consider frameworks and align them within the process-driven context understood by most IT professionals (ITIL) and the control objective-driven context understood by IT Auditors (COBIT). Again, it comes down to recognizing that everyone has a stake in IT governance, that it really needs to be approached from an enterprise viewpoint, and that the frameworks adopted can satisfy all stakeholders.

You have a very strong profile as a speaker; how did you attain that and how do you continuously hone your speaking skills?

MB: There is certainly an art and science to professional speaking. Storytelling is an excellent way to help people view things in a different light to help them make the best possible choices in their personal and professional endeavors. As professionals we are all, to some degree, speakers, whether it is in an auditorium of hundreds or a conference room of just a few. I grew a real passion for speaking once I started instructing the CIA review course in partnership with the IIA and Villanova University in 2008. One of the course participants that had attended my class thought I would make a good speaker, so she invited me into a local chapter as a speaker. From that point, I learned that speaking is an excellent way to help people make a difference, so I joined my local National Speakers Association (NSA) chapter and, at this time, sit on the NSA Philadelphia Chapter Board. I have an opportunity to work and learn from some of the best speakers in the business, who all have various disciplines of expertise. The NSA four pillars of professional speaking include ethics, expertise, eloquence, and entrepreneurship, which are also driving principles I use to continually hone my speaking skills.

You are also an entrepreneur; how did you go about building your personal brand?

MB: Far too often, we find people just doing what they're told to do rather than believing in what must be done. In my view, this is problematic within the auditing industry because you can always pay someone to tell you what you want to hear, and unfortunately this happens. While it is important to maintain an open mind, it is equally important to make business judgments based on sound principles. A reputation built on consistent action and sound principles endures, so that is the motto I like to associate with to build my personal brand. Mean what you say, and say what you mean!

What book are you reading currently and any recommendations for our readers?

MB: I love to read and right now I have two books on my plate: "It is Dangerous to be Right when the Government is Wrong" by Judge Andrew P. Napolitano and "The Original Argument: The Federalists' Case for the Constitution." I have grown a great deal of interest in how the government and business communities interact with each other, which you can probably tell from my current reading list. Two good books I have read and also recommend are "Tribes" by Seth Godin and "No One Would Listen" by Harry Markopoulos.

ABY RAO
Aby Rao has several years experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, a Master of Science in Information Science, a Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
IT SECURITY AUDITING

Interview with Mehmet Cuneyt Uvey

Mehmet Cuneyt Uvey was born in Istanbul, Turkey, in 1967. He graduated from Middle East Technical University, Public Administration Department. He then completed his MBA degree at Bloomsburg University of Pennsylvania, USA. He has 25 years of experience in Internal Audit, IT Audit, IT Risk Management, IT Governance, Information Security and Project Management. He has performed audits, managed many projects and rendered consultancy services to public and private institutions. Mehmet holds CGEIT, CISM, CISA, BS7799/ISO27001 Lead Auditor and PMP certificates and has worked as one of ISACA's CobiT Trainers in the past. Currently, he works as an Internal Auditor for Turkish Tractor and Agricultural Machines Company (a CNH – Koc Group partnership). He gives lectures to graduate level classes about the above-mentioned subjects at various universities. He speaks Turkish, English and German.

What motivated you to get into the IT Security field?

Mehmet Cuneyt Uvey: I am of internal audit and finance origin. Back in the 80's and early 90's, the bank I worked for was in a huge transition into automation. The bank had 600 branches; the systems developed first were aimed at branch automation. Use of mainframe and manual procedures were consolidated to batch processing, which was the first precedent. Later on, a high volume of investment into ATMs, credit card business and POS machines were new additions to the network. Self-service banking channels and Internet banking became all integrated. During this transition, I thought of auditing the systems and IT processes instead of the financial transactions. I had the chance to establish the IT Audit in the bank I worked for and understood that information security is one of the most important parts in IT audit. That's how I got into IT Security.

How did you get your start in IT Security?

MCU: After establishing the IT Audit department and performing process & systems audits, we recognized that there was an information security standard published by BSI (British Standards Institute) named BS-7799 (now ISO27001). We had the chance to get the standard and we thought of using the standard for our audits for information security. This was the first time.

As an internal auditor what are some of your day to day tasks?

MCU: I work in one of the largest tractor companies/factories in the world. The Internal Audit Department
started here eight months ago. My daily tasks are of different dimensions. On one side, I try to perform planned audits for the most critical processes (for example, Supply Chain Management) and relevant systems; on the other side, I try to follow up previous internal and/or external audit findings to ensure compliance. Another additional dimension is the coordination of corporate projects or becoming involved in compliance related projects (mostly IT related) to ensure auditability and accountability. If needed, one of my tasks is to perform special audits, ad hoc assignments from the top management.

What certifications, training, or skills would you recommend for someone who wants to pursue a career in IT Security Auditing?

MCU: My first security related certification was the BS 7799 Lead Auditor designation. This certification gives you the chance to look at Information Security with a broad perspective and a systematic approach. Moreover, you can become an external auditor with this certificate, to assess companies which want to acquire the ISO27001 Certification. I highly recommend the CISSP certification, especially for technical background professionals. CISSP is like a passport valid in all countries. Last, but not least, ISACA's globally recognized CISM (Certified Information Security Manager) and to some extent CISA (Certified Information Systems Auditor) and CRISC (Certified in Risk and Information Systems Control) certifications are also helpful to get into IT Security and Audit. If you want to go further, the Certified Ethical Hacker (CEH) designation is more towards penetration testing and attacks and resembles more of the technical perspective of Information Security.

Are there any skills that you believe the auditors today lack, or should improve on?

MCU: The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for the auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, must understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results), but also at the systems and processes that create those numbers.

What do you feel are some of the largest risks that companies face today, or ones which you have seen?

MCU: The world is changing and the way of doing business is very different today. Information systems and
its added value is also changing shape and going up to the cloud. High dependency on Information Technology is an advantage, as well as a disadvantage. At the end of the day, Information Security becomes one of the largest risks for a company's reputation. There are many legal arrangements regarding intellectual property, protection of information and privacy, but there are also activist groups that defend free access to all information and transparency. There are digital wars between countries; systems are destroyed or compromised with cyber-terror and organized collective attacks. Of course, companies take their share from such attacks too.

What do you feel is one of the biggest mistakes that companies make trying to meet a compliance standard?

MCU: Trying to meet a standard is a very good effort. But companies think getting the standard done and being certified is the end of the road. Definitely it is just the beginning. A standard is defined as a "minimum requirement" to be able to get qualified. It needs to improve, get updated and surely become one of the main components of daily routine to live and grow.

There are many frameworks for auditors today; which one do you see as being the most well rounded?

MCU: This is a hard to answer question. There are generally applied frameworks such as CobiT, ISO 27001, ITIL, ISO 25999, ISO 38500 and so on. There are also sector specialized frameworks. The framework you want to use should be relevant to the business line and also the size of your company. The PCI-DSS Standard, for instance, is most important for the Payment Card Industry; HIPAA – Health Insurance Portability and Accountability Act – is essential for the health and insurance sectors; NIST (National Institute of Standards and Technology) standards cover almost all the information security issues technically, and so on. First you need to make sure that you search about the frameworks and standards that are most relevant for your business and fit the size of your organization.

What benefits have you seen being a member of an organization such as ISACA?

MCU: I have been a member since 2000. During that time, I had the chance to get myself prepared, go through knowledge and experience, and have certifications in IT Audit (CISA), Security (CISM), Governance (CGEIT), IT Risk (CRISC). Moreover, we had the chance to establish an ISACA Chapter in Ankara, Turkey, together with colleagues and professionals (the same day as our sister Warsaw Chapter), so that we could promote and share ISACA and its professional know-how and have a good networking place for IT Audit and Security professionals. I am the founding President. Up to now, especially bringing CobiT into the financial sector and implementing it 12 years ago had given me the chance to have a good job and to give consultancy and training to many large firms during my consultancy years. I made a Master's Degree class out of CobiT and other frameworks and gave my "IT Governance" class in the four best universities in my country. I had the chance to add value to many young colleagues to help them and/or lecture them for certifications. These all came from the know-how, frameworks, certifications and networking inside and around ISACA.

Besides ISACA, are there other organizations that you would recommend being a part of (for Security Auditors), and why?

MCU: For security auditors with a more technical background, I highly recommend (ISC)2 – International Information Systems Security Certification Consortium, Inc., which is another path to follow. (ISC)2 is the main organization behind sound security certifications and designations like SSCP – Systems Security Certified Practitioner; CAP – Certified Authorization Professional; CSSLP – Certified Secure Software Lifecycle Professional; and the most common of all, CISSP – Certified Information Systems Security Professional.

What would you say to someone who is looking to get into IT security and Auditing?

MCU: It will be an uncommon answer to this question, but first, after the relevant education, they need to learn the business. What business are they in, what kind of transactions take place, what kind of tools and techniques are used, what systems are involved and what are their interactions and connections (interfaces), and what could be the risks and vulnerabilities of the business process, and so on... And among those risks, what could be the information security risks. On one hand, business knowledge is necessary; on the other hand, relevant technical skills and understanding of its risks is essential.

ABY RAO
SECURITY CONSULTING BUSINESS

Interview with Lukas Ruf

Dr. Lukas Ruf is senior security and strategy consultant with Consecom AG, a Swiss-based consultancy specialized in ICT Security and Strategy Consulting. He is one of the experts in application, system and network security in Switzerland. He is specialized in network and system security, risk management, identity and access management, computer network architectures, operating systems, and computer architectures. He is an expert in strategic network/ICT consulting and security audits, and a designer of security architectures for distributed platforms. Dr. Lukas Ruf has been gaining experience in Security and Strategy Consulting since early 2000. Since 1988 he has been active in ICT application development as an architect, lead engineer, apprentice coach, consultant, educator and trainer. His proficiency builds on this long-term experience.

Dr. Ruf, you are a very distinguished professional with experience in academia and industry. Please tell us more about yourself, leading to how you got into the Security consulting business.

Lukas Ruf: Back in 1988, I started my first part-time job besides high school as a computer supporter for one of the (then) larger PC resellers. Before enrolling for studies at ETH Zurich (ETHZ), I began working as a software engineer for a ten-person consultancy. In 1996, I was asked by my boss to present my reflections on web security to one of our major customers. This led to my first web penetration testing in 1998. Business evolved and I started my first one-man security consulting in 2000. That's it, basically.

While you were studying at ETH Zurich, what did you study and what was your research focus?

LR: At ETH, I enrolled for electrical engineering. For personal interest, I concentrated on microelectronics and anything that was possible to study in the field of computer and network engineering. My masters were then focusing on computer and network architectures. For one of my term theses, I designed and implemented the first port of Topsy v1 to the ia32 PC platform. To continue research in system and network design and engineering, I started my Ph.D. thesis in the field of Active Networking. Active Networking explored the possibilities of breaking the strict boundaries of network layers already within the network stack – and allowed for dynamic re-configuration and update of functionality provided therein. This research allowed me to gain an in-depth understanding of networking as well as system security and stability. Insights of which I benefit every day in my job as security consultant.
  20. 20. Is there enough innovation taking place inthe field of Information Security? Are youinvolved in any innovative projects yourself?LR: From an academical point of view: there is a lotof room for future research and innovation is takingplace heavily. In daily practice, fundamental issues arestill obstacles although you cannot gain any fame inacademia. Me as a security consultant serving customers alsoin the field of their strategic evolution, I am involvedin various client side projects that are cutting edge forindustry and academia.You have a strong engineering background,please tell us how that is helping you in yourcareer.LR: My strong engineering background helps meeveryday: first, it allows me to understand the issuesengineers face daily and to interprete them towardsmanagement. Second, it is the foundation for securedesigns and architectures. And, foremost, it supports theconception of processes and organizational structuresthat fit the need of business as well as operation. When it comes to reviewing solutions it is /the/ crucialpoint to deliver the required insights as well as theappropriate assessment to our customers.Tell us more about your consulting firm, it’ssize and it’s technical strengths.LR: We are a strong team of experts that, as a team,covers an extremely wide range of technologies.Based on a group of friends that did their PhDstogether at ETH, we have been able to grow to,currently, eight consultants and one administrativesupport person. Our effective strength consists in the pool of expertsthat are, first, open for critizism, and second, strong inmethod. We all benefit from our ETH background thatlaid the technological foundations on which we builtour current offering: we combine organization withtechnology.Where does EU stand in terms of preventingcybercrime compared to rest of the world.LR: As a security consultant supporting customersinternationally, EU faces exactly the same problemslike any other regions. 
In general, however, the EU ispositioned better to counteract attacks effectively thanother due to a good level of education and, hence,awareness of threats and daily mitigation measures.EU is known for it’s strict cyber privacy. Whatare your thoughts on privacy laws in EU?
  21. 21. SECURITY CONSULTING BUSINESSLR: Laws are on the right track. From my point of view, Cloud computing is gaining tremendousthe protection of users’ rights should be extended to popularity in US, what is it’s status in EU?protect also the unknowning, common user: I have great LR: Cloud computing is gaining popularity in the EUconcerns when it comes to the willingness of people to tremendously as well. A big challenge – for good – is thepost any private fluffy triviality that, if combined correctly, strict interpretation of laws on privacy when it comes toprovides a very detailed profile of the user. People must customer identifying data in health care or similar. Thebe protective of their self dipslay – they do not know problem there is that users of cloud computing oftenwhat they are currently doing. neglect the laws focusing just on commercial benefit. Similarly, all kind of user tracking by cookies with I hope that EU-wide initiatives strengthen the right of‘like-it’ buttons must be prohibited by law. It must not be end-users there too.possible for any – private or governmental – institutionto screen any activity of the people. ‘1984’ is not far from Consecom AG is involved in SEBPS – Thewhere we are today. Secure Browsing Platform for Switzerland ? Please tell us more about that initiative.When you are consulting, how do you ensure LR: You can download SEBPS from www.sebps.net forthat your client is educated on various free. SEBPS is our contribution to the public to protectsecurity risks and issues related to their their web-activities against fraud while being usable.environment? Our goal has been to provide a drastic increase in web-LR: I tell them. :) browsing security for ‘my gand-mother’, i.e. the 99% of users in the world that need not know how to configureWhat are some of the security threats a linux kernel such that they can be safe against mostcompanies in EU are worried about? of the cyber attacks that affect common users. WeLR: Fraud. 
Based on identity theft, fraud is committed have accomplished this goal by providing a VM-based,every second. The protection of identities is crucial to hardened Firefox on Linux platform that renders theecommerce and egovernment – as well as private life. process-persistent installation of malware impossible.Please share with us some of your Switzerland is a beautiful country. How doexperiences in Identity and Access you make the best use of it’s natural beauty?Management. LR: I enjoy spending as much time as possible outdoorLR: Being very active also in IdM and IAM, I came with friends and family. In Switzerland, I enjoy hiking asto the conclusion that all business face an endless well as skiing. When at the sea, I have been enjoyingendeavor if they do not follow a correct and strong windsurfing for the past thirty years.method to introduce to IAM. Important is that theconcept is sound and meets the requirement ofbusiness. If IAM is an initiative carried out by operationonly, it rarely meets the effective requirements otherthan administration.You have some experience in securityarchitecture, what are some of the challengesin security architecture of large scale webapplications? ABY RAOLR: I have had the opportunity to support various Aby Rao has several years experience in IT industry nad hascustomers with developing the security architecture working knowledge in applying various security controls andof web-portals based on JSR 168 and JSR 286. implementing countermeasures related to Web ApplicationsThere, I had to learn that engineering must not follow and Database. He is skilled at planning and leading all phasesbasic concepts without reflection of the specific target of Software Development Life Cycle, Project Management andsolution. For large scale web application, performance Agile Software Development. 
Aby has a Bachelor Engineeringis always an issue to deal with the huge amount of data in Computer Science, Master of Science in Information Science,such that today’s end-customers do not klick away – Master of Science in Television Management and various ITwhile guaranteeing the appropriate level of protection certi�cations including CISSP, Security+, ITIL, ISO/IEC 20000for the company as well as for the end-customer. etc. He is also an independent �lmmaker and currently resides with his wife in Durham, North Carolina, USA. 02/2012(2) Page 22 http://pentestmag.com
CLOUD COMPUTING

Securing Clouds

The most common objections holding back SaaS (Software as a Service) adoption, as reported by end customers, are 'security' and 'reliability'. This is interesting when you consider that SaaS security is consistently reported as the fastest-growing area of SaaS.

This 'security' objection usually stems from the customers' perspective: they are concerned about the security of their data held outside their perimeter by the cloud provider.

Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months. Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. As with many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate.

While still evolving and changing, cloud computing is here to stay. It promises a transformation: a move from capital-intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and cost-efficient form factor. As an end-user organisation, whatever your size, you need to consider where and when cloud may offer benefit and a positive edge to your business.

Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level; cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike. Wide-scale adoption and the full potential of cloud will come by giving users confidence and by demonstrating the solid information security that it promises to deliver.

Computing is experiencing a powerful transformation across the world. Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost-effective manner.

Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles: huge IT burdens like system or software updates are now delivered automatically with cloud computing, and both small and large organisations can now afford access to cutting-edge innovative solutions. Cloud computing also brings green benefits such as reducing carbon footprint and promoting sustainability by utilising computing power more efficiently.

Cloud computing can refer to several different service types, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is generally regarded as well suited to the delivery of standardised software applications and platforms, like email, CRM, accounting and payroll. The development of the SaaS business model has been rapid and it is now being used to provide high-performance, resilient and secure applications across a range of company sizes and industries.

However, as end-user survey after survey shows, the two issues that surface to the top are security (data security being the typical lead) and reliability (meaning availability and accessibility). A good reference point for this is the Cloud Industry Forum's 2011 survey extract in Table 1 below.

Is this so different when you consider the traditional network form factor? Consider the increasing number of recent and well-publicised data breaches and reliability issues from the likes of Sony, BlackBerry and TK Maxx. Often these are tarred with the cloud brush; however, these are breaches where the company was hosting its own solution as a provider and yet was hacked from outside. These are sizeable targets, with larger IT teams and budgets than the average-sized business in the market today.

Look at end-user surveys on IT challenges in general and managing the complexity of security appears high on, if not top of, those lists, with other contributors being lack of IT expertise or not enough IT staff. Increasingly businesses are concerned about protection of the organisation's information assets from external as well as internal threats. In a time of financial challenge, protecting against the disgruntled employee is also to be taken seriously.

There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where near-infinite IT power and information is available to a user on the smallest of devices, on the move and at an affordable price. As devices get more powerful and the Internet faster, the demand and supply of cloud applications will skyrocket and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.

So as you extend your footprint into utilising an increasing number of cloud-based services, you need to consider the security aspects from an access-control perspective, i.e. who can access what, from where and on what device, and what additional risks, if any, this brings. For example, can a user store their login details on their personal iPad, and is that device secured well enough that if they lost it your cloud systems would not be breached? A device that caches credentials for a cloud service is part of that service's attack surface, so "secured enough" has to cover whether the device can be wiped remotely, whether its storage is encrypted, and how quickly its existing sessions are revoked once it is reported lost.

Cloud or SaaS does not provide one-size-fits-all solutions, and not every application in the cloud will be right for your business. You should consider in what areas it makes sense to utilise the cloud. Where can your organisation gain improvement in areas of business efficiency, resilience and cost reduction? Look to others in your sector and what they have done, and look for simplicity and obvious choices in your first cloud solution adoptions.

Review your shortlisted vendors carefully and compare them across multiple areas but not just

Table 1. What are your most significant concerns, if any, about the adoption of cloud in your business? (Only asked of respondents who either currently use cloud or will do so at some point in the future; figures are the share of respondents naming each concern, by number of employees.)

Concern                                                                   Total   Fewer than 20   20-200   More than 200
Data security                                                               64%             62%      61%             68%
Data privacy                                                                62%             68%      61%             60%
Dependency upon internet access                                             50%             53%      58%             42%
Confidence in the reliability of the vendors                                38%             32%      38%             41%
Contract lock-in                                                            35%             30%      43%             30%
Cost of change/migration                                                    32%             27%      35%             33%
Contractual liability for services if SLAs are missed                       31%             16%      38%             33%
Confidence in knowing who to choose to supply service                       28%             27%      29%             28%
Confidence in the vendors' business capability                              24%             16%      25%             26%
Confidence in the clarity of charges (i.e. will they be cheap on-prem)      22%             16%      26%             21%
Lack of business case to need cloud service                                 21%             11%      27%             22%
Base (number of respondents)                                                323              73      112              95
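The access-control questions the article raises (who can reach which cloud application, from where, on which device, and what happens when a personal device holding saved login details is lost) can be made concrete as a small policy evaluator. The following is an added example written for this page; it is not code from the article, from the Cloud Industry Forum, or from any product. The network ranges, the per-application policy, the device records and the sample requests are all constructed for illustration. It goes slightly beyond the text in one respect: it shows that marking a device lost must also revoke the sessions that device already holds, because refusing new logins alone leaves existing tokens usable.

```python
"""Context-aware access decisions for a cloud (SaaS) application.

Added example, not code from the original article or from the Cloud Industry
Forum survey. It models who may reach which application, from where, on which
device, and what happens when a device holding saved logins is lost. Every
network range, application policy, device record and request is constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in MDM, so it can be wiped remotely
    encrypted: bool          # storage encrypted, so cached logins are not plaintext
    reported_lost: bool = False


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    app: str
    source_ip: str
    device: Device
    mfa_passed: bool


# Assumed corporate address ranges (constructed).
CORPORATE_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# Assumed per-application policy (constructed): entitled roles, and whether the
# application holds data that must never be reachable from an unmanaged device.
APP_POLICY = {
    "crm":     {"roles": {"sales", "admin"}, "sensitive": True},
    "payroll": {"roles": {"finance", "admin"}, "sensitive": True},
    "email":   {"roles": {"staff", "sales", "finance", "admin"}, "sensitive": False},
}


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def decide(req: AccessRequest) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'step_up'.

    Rules run most restrictive first, so a deny is never overridden later.
    """
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application"
    if not (req.roles & policy["roles"]):                       # who
        return "deny", "role not entitled to application"
    if req.device.reported_lost:                                # on what device
        return "deny", "device reported lost"
    if policy["sensitive"] and not (req.device.managed and req.device.encrypted):
        return "deny", "sensitive application requires managed, encrypted device"
    if not on_corporate_network(req.source_ip) and not req.mfa_passed:  # from where
        return "step_up", "MFA required outside corporate network"
    return "allow", "all checks passed"


class SessionStore:
    """Live sessions by token. Blocking new logins from a lost device does
    nothing about the sessions it already holds, so those must be revoked."""

    def __init__(self):
        self._sessions = {}      # token -> (user, device_id)

    def issue(self, token: str, user: str, device_id: str) -> None:
        self._sessions[token] = (user, device_id)

    def is_valid(self, token: str) -> bool:
        return token in self._sessions

    def revoke_device(self, device_id: str) -> int:
        doomed = [t for t, (_, d) in self._sessions.items() if d == device_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def report_lost(device: Device, sessions: SessionStore) -> Device:
    """Mark a device lost and kill every session it holds; return the new record."""
    sessions.revoke_device(device.device_id)
    return replace(device, reported_lost=True)


def demo() -> dict:
    """Constructed scenario: a sales user on a personal, unmanaged iPad and on a
    managed laptop; then the iPad is reported lost while it holds a session."""
    sessions = SessionStore()
    ipad = Device("ipad-42", managed=False, encrypted=False)
    laptop = Device("lt-7", managed=True, encrypted=True)
    sales = frozenset({"sales"})
    home, office = "203.0.113.9", "10.1.2.3"
    r = {}
    r["email_ipad_home"] = decide(AccessRequest("alice", sales, "email", home, ipad, False))
    r["email_ipad_home_mfa"] = decide(AccessRequest("alice", sales, "email", home, ipad, True))
    r["crm_ipad_office"] = decide(AccessRequest("alice", sales, "crm", office, ipad, True))
    r["crm_laptop_office"] = decide(AccessRequest("alice", sales, "crm", office, laptop, False))
    r["payroll_laptop"] = decide(AccessRequest("alice", sales, "payroll", office, laptop, True))
    sessions.issue("tok-1", "alice", ipad.device_id)
    lost_ipad = report_lost(ipad, sessions)
    r["email_lost_ipad_mfa"] = decide(AccessRequest("alice", sales, "email", home, lost_ipad, True))
    r["old_session_valid"] = sessions.is_valid("tok-1")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` walks the scenario from the text: the unmanaged iPad may read email from home only after a second factor, is refused the sensitive CRM application outright, and once reported lost is refused everything even with MFA, while the session it held is gone. The ordering in `decide` is the design point: entitlement and device state are checked before the network-based step-up, so no combination of location and MFA can talk the evaluator into allowing a lost or unmanaged device onto a sensitive application.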
