Cyber Security Auditing Software
Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process.

Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.
You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself? Evaluate for free at titania.com
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems. www.titania.com
Dear PenTest Readers, We have entered a new month. Therefore, it is high time we summarized May. As usual, in order to provide you with a detailed summary of what we did and what will be done this month, we have prepared PenTest Open – our regular line of PenTest Magazine which is available for free.
Editor in Chief: Ewa Duranc
Managing Editors: Ewa Duranc, Zbigniew Fiolna
Editorial Advisory Board: Larry Karisny, Amit Chugh, Jeff Weaver, Arnoud Tijssen, Varun Nair, Horace Parks, Jr.
We have chosen several articles for this issue, the majority of which have not been published yet, so it's a great chance to take a look at our upcoming issues on Smartphone Pentesting, ICS for Pentesters and Starter Kit. Thus, you will learn what your smartphone is capable of! What is more, in this month's PenTest Open you have a chance to read two articles selected from the newest ebook on Cybersecurity by William F. Slater, III. Equipped with this knowledge, you will be able to protect not only yourself, but also your company and the whole world from cyber attacks. Cybersecurity, cyberwarfare and cyberdeterrence generate a great deal of heated debate nowadays and that is why we wanted to provide you with this valuable source of information.
Proofreaders: Ewa Duranc, Patrycja Przybyłowicz, Gavin Inns, Larry Karisny
Enjoy your reading! Ewa Duranc & PenTest Team
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
OPEN 05/2013
Page
4
http://pentestmag.com
CONTENTS

PENTESTING TRICKS

06 Social Engineering and Phishing Attacks Using Android Device, by Domagoj Vrataric
Picture this: you are involved in penetration testing of a serious client, a bank or telecommunication company. Besides the usual testing of the corporate network and Web applications, it is very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks.

14 Using XSS in a Spear-Phishing Attack, by Carlos A. Lozano
When a client asks for social engineering tests, most security consultants try to perform phishing. However, there are a lot of other possibilities to get better results without complexity. By reading this article you will learn how to mix simple techniques with malicious ones to evaluate security controls where people are involved.

LET'S TALK ABOUT SECURITY

20 Wireless Penetration Testing: Beyond the IEEE 802.11 Family of Standards, by Francesco Perna
Wireless penetration testing covers a large family of wireless protocols. Usually penetration testing companies offer their customers only a WiFi (IEEE 802.11 family of standards) penetration test, leaving out the other widespread wireless technologies.

CASE STUDIES

26 Hacking a Bank, by Andrei Bozeanu
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of Blackbox penetration tests against their external network, shortly after they acquired a very costly Information Security Management System from a major international audit firm.

28 Do No Harm, by Jack Jones
There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company's risk landscape. A pentest, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.

WAR CAMP

32 Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks, by William F. Slater, III
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networked computer resources connected to the Internet face because they are at risk of cyberattacks.

46 Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U. S. National Command Authorities, by William F. Slater, III
This paper deals with issues related to the present lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence in the national CONOPS Plan, which is the national strategic war plan for the United States.

59 SECUCON 2013 Conference Summary, by PenTest Team
SECUCON 2013 – a conference hosted by SECUGENIUS – a unit of HARKSH Technologies Pvt Ltd at GGNIMT, Ludhiana, with a vision to create awareness of the need for SECURITIES in social living and to spread a message of generating opportunities in the same field. The article covers a short summary of the event.

60 Smartphone: a win-win product for both consumers and sellers, by Rajiv Ranjan
Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to company credentials and to check company-specific mails and data. Thus security remains a big concern at the workplace, so penetration testing needs to be done on every available aspect whenever it is possible.

INTERVIEW

64 Interview with Ian Whiting, CEO of Titania Company, by PenTest Team

PRODUCT REVIEW

68 Titania's Paws Studio Review, by Jim Halfpenny
PENTESTING TRICKS
Social Engineering and Phishing Attacks Using Android Device
Picture this: you're involved in penetration testing of a serious client, a bank or telecommunication company. Besides the usual testing of the corporate network and Web applications, it's very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks. In this article I will show how such attacks are possible with an Android device and a few applications.

In my opinion, every professional penetration test should include social engineering and phishing attacks as an obligatory part of the penetration testing solution offered to your clients. That is what makes the difference between a good and a better service. Imagine that you are given the assignment by the CSO of Company X to test their employees against the social component of malicious attacks. And now what? The human weakness factor is easier to exploit than network security. You can have the safest firewalls and VPNs, but in the end, if you have security-unaware employees, you have a potential problem. The idea is to make the security assessment using an Android device and applications; to be less suspicious it's a good idea to use a tablet or smartphone, not a laptop. The article describes the tools, techniques, strategy, preparation and realization of such attacks. The complete Scenario section of the article is fictional and does not reflect a real situation in the wild. The idea is to bring readers closer to the thinking behind performing penetration testing with mobile devices, in this case an Android tablet. It is very hard to perform an attack like the one described in this article, but on the other hand it is not impossible, and in general there is a real threat to companies from attacks using social engineering and weaknesses in human psychology. And remember, the focus of this article is to show penetration testers in which ways they could conduct penetration testing, and not to provide a universal way to test any corporation, bigger or smaller.
Platform and Tools
In my previous article I wrote about a modified Android OS and a few Android applications for penetration testing, including dSploit, a penetration testing application with plenty of options for Man in the Middle (MITM) attacks. This Android penetration suite can help you while you're performing social engineering tricks. dSploit (see Figure 1) has an option to disconnect clients from a wireless network, thus buying time for further improvisation. It also has the ability to redirect clients to a specific website, so you'll have additional help for a phishing attack. The core of this application is built on features from nmap, iptables, tcpdump, ettercap and hydra. With Android PCAP Capture, which is essentially Kismet for Android, you're able to get more detailed information, such as the list of clients connected to an accessible network, their MAC addresses, and other useful information. The thing is, the application doesn't work without an external wireless card; on its official Web site there is a list of supported Android devices and USB cards which work without problems. To use this application out of the box, you'll need an OTG USB adapter or cable, a wireless USB card with the RTL8187 chipset, Android 4.0 or higher and support for USB host mode on your Android device. For phishing attacks, kWS – Android Web Server can help you with serving cloned Web sites. Wireless Mac Changer is used to change the MAC address of your wireless adapter, so you could pretend to be a wireless access point from a specific vendor, and thus sniff network traffic. Besides that, there are standard Man in the Middle applications such as DroidSheep (see Figure 2), Droidsniff and Droidsteal, which are essentially the same application with features for capturing accounts (Facebook, Gmail, Twitter and similar Web services) when you're connected to a wireless network. If you have special needs for applications such as the Social Engineering Toolkit (SET), Metasploit or Aircrack-ng, you can install Kali Linux on your device with Complete Linux Installer (see Figure 3). For easier control of the distribution, you can enable and configure a VNC or SSH server on the local device. By installing Kali you're getting a full-featured penetration testing distribution on your mobile device. Installation is very simple and is done in a few steps: first you need to download the archive with the image from the official Web site of Complete Linux Installer. After downloading, extract the archive to the /sdcard/kali directory, add the widget to the tablet workspace and choose the image file to load. A great feature of Kali is multi-platform support, which also includes the ARM architecture usually found in Android devices (see Figure 4). The device used in this example is a Nexus 7 GSM with 32 GB of storage, and to use Kali Linux you will need at least 4 GB of free space on the device.

Figure 1. dSploit – MiTM options in suite

Figure 2. DroidSheep – hijacking features
Strategy
At the very beginning, you need to develop a strategy for the attack. If you're performing "white box" penetration testing, you'll probably have access to the internal network. If you're lucky, the organization has a wireless network, and if you want to gain unauthorized access to it, try social engineering. Know your target and inform yourself about it: the more information you possess, the bigger the chance to succeed. Information gathering and target research are crucial steps when performing social engineering. You could introduce yourself as someone who is highly ranked in the target company; that will give you some credibility. To gain trust you can say that you've come for a meeting with the IT manager, or simply that you're someone from another division of the same organization who is in a hurry or needs help to connect to the wireless network. If you are trying to get passwords from employees, play the "empathy card" and you'll have more chances to succeed; in human psychology there is a deep-seated need to help others in trouble. If a company has vendor-specific equipment you could introduce yourself as a vendor technician, and to look convincing get a t-shirt with the vendor logo and name.

If you can't get access to the wireless network as described above, try to make a rogue wireless access point, in other words your own wireless network from which you can start sniffing network traffic, including hijacking sessions and using them with the built-in browser. The attack with a rogue access point is quite an interesting way to obtain the information you need. If the victim uses a wireless network and is located far from the access point, you can get close to the victim with your rogue access point (the Android device). Your wireless beacon will have a stronger signal than the actual access point, and the victim's wireless card will probably connect to your device. It's a good idea to change the MAC address of the wireless card on your tablet or smartphone to the address of the nearest access point with the best signal, so it looks more convincing: same SSID, same MAC address. There is one important detail when raising a rogue access point. If the company has a wireless network, it is probably encrypted, but remember that when raising a rogue access point, don't set up any encryption, so the victim's laptop will automatically connect to the rogue access point. Every big IT organization has its own information system which probably has some kind of internal Web application with a login page, perhaps a CMS or webmail application. There are several ways to make a phishing Web site; one of them is to use Scrapbook, a Firefox add-on which has many options for saving Web pages (see Figure 5). Unfortunately, this plugin doesn't work on Firefox for Android on my device (Nexus 7), so I cloned the website on a desktop machine and later transferred it to the Android device. Now, when we have the cloned Web page ready for phishing, we have to figure out a way to lure employees into our trap. One more thing you could do is to install a trojan horse or password stealer on a USB stick and leave the stick somewhere on the floor, so it looks like someone dropped it. A curious employee will pick up the stick and connect it to his PC or laptop to see its contents. Choose a place where you can be sure that someone will see it: not under a desk, rather a place where people gather during a break or a place where people naturally put things down, such as the space around the coffee machine.

Figure 3. Complete Linux Installer – loading image

Figure 4. Running Kali on Android

Figure 5. Scrapbook – options overview
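As an added, defender-side example (not from the article or from any of the tools it names): a survey checker that flags the evil-twin pattern described above, a corporate SSID beaconed by an unknown BSSID, or by a known BSSID that has dropped from WPA2 to open. The inventory, the CSV survey format and all MAC addresses are constructed for this example.

```python
"""Evil-twin check over a wireless site survey (constructed data, Python 3)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str       # normalised to lower case
    security: str    # "WPA2", "WPA", "WEP" or "OPEN"
    signal_dbm: int


# Constructed inventory of the sanctioned access points: BSSID -> (SSID, security).
INVENTORY = {
    "00:1a:2b:10:00:01": ("CompanyX-Corp", "WPA2"),
    "00:1a:2b:10:00:02": ("CompanyX-Corp", "WPA2"),
}

# Constructed survey export, one beacon per line: ssid,bssid,security,signal_dbm.
# Line 3 mimics the rogue AP from the article: same SSID, cloned BSSID, encryption
# removed, stronger signal. Line 4 is an unknown radio using the corporate SSID.
SAMPLE_SURVEY = """\
CompanyX-Corp,00:1a:2b:10:00:01,WPA2,-61
CompanyX-Corp,00:1a:2b:10:00:02,WPA2,-70
CompanyX-Corp,00:1A:2B:10:00:01,open,-38
CompanyX-Corp,f4:f5:d8:aa:bb:cc,OPEN,-45
Cafe-Guest,c0:ff:ee:00:00:01,OPEN,-80
"""

UNKNOWN_BSSID = "unknown BSSID broadcasting a corporate SSID"
SECURITY_MISMATCH = "known BSSID seen with unexpected security setting"
CONFLICTING_BEACONS = "same BSSID seen with conflicting security settings"


def parse_survey(text):
    """Parse the CSV export into Observation records, normalising case."""
    observations = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ssid, bssid, security, signal = row
        observations.append(Observation(ssid, bssid.strip().lower(),
                                        security.strip().upper(), int(signal)))
    return observations


def audit(observations, inventory=INVENTORY):
    """Return (bssid, ssid, reason) findings for beacons using a corporate SSID."""
    corporate_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    seen_security = defaultdict(set)   # (bssid, ssid) -> security settings observed
    for obs in observations:
        if obs.ssid not in corporate_ssids:
            continue                   # neighbouring networks are out of scope here
        seen_security[(obs.bssid, obs.ssid)].add(obs.security)
        if obs.bssid not in inventory:
            findings.append((obs.bssid, obs.ssid, UNKNOWN_BSSID))
            continue
        _, expected = inventory[obs.bssid]
        if obs.security != expected:
            # A cloned BSSID with encryption dropped (so laptops auto-join) lands
            # here even though the MAC address itself matches the inventory.
            findings.append((obs.bssid, obs.ssid,
                             f"{SECURITY_MISMATCH}: expected {expected}, saw {obs.security}"))
    # One BSSID beaconing one SSID with two different security settings means two
    # radios share that address, which a single legitimate AP does not do.
    for (bssid, ssid), settings in seen_security.items():
        if len(settings) > 1:
            findings.append((bssid, ssid, CONFLICTING_BEACONS))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in audit(parse_survey(SAMPLE_SURVEY)):
        print(f"{bssid}  {ssid}: {reason}")
```

A wireless IDS does the same comparison continuously; this script is the one-off version a tester or administrator can run over a survey export from a scanning tool.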
Preparation

Before you start with social engineering, it is a wise decision to inform yourself about the target company before entering the company's premises. That is the most important thing in every type of penetration testing. Try to gather as much information as you can about employees: do they use special phrases in their everyday communication, when is the lunch break (small hint: a workspace empty at lunch time is an ideal moment to explore the area in search of valuable information). Small things count as the most important in social engineering; they could make or break a penetration test. Find out which operating system the employees use, and you will have a smaller testing scope later. A great tool for information gathering about a specific person is recon-ng (see Figure 6). It is similar to Metasploit and SET (Social Engineering Toolkit), but intended for information gathering, with many modules specially dedicated to finding information about employees, from auxiliary and contacts to pwnedlist, a module used to "determine if email addresses are associated with leaked credentials". You can research people via the Twitter module to get to know them better and find out what things they like, to be able to more easily develop communication and extract the information you want from them. LinkedIn and Jigsaw are also supported by this tool. Another thing you could do is to create stickers with QR codes on them that lead to a malicious URL; SET has an option to generate a QR code and assist with that type of attack. For this type of attack you'll need to be patient for a while, a few days, just to be sure that enough employees have noticed the QR code and, depending on their curiosity and knowledge about QR codes, did or didn't scan it. A good example would be to create a simple script that records which employees scanned the QR code that redirected them to the script. Remember, you are trying to test employees, not to harm them in any way, and that includes not installing malicious applications on their devices. Make good preparations for the attack before you start it.
Figure 6. Recon-ng – list of basic commands
Figure 7. kWS Web server
Launching the Attack
So, now that you have both tools and strategy, you can start on the other side of penetration testing: social engineering. Enter the organization's area with self-confidence, so that no one would ever suspect that you came to test them; don't be too suspicious in your behavior. There is always someone at the entrance to the working area of an organization. Introduce yourself as a new network technician who received a call about a problem with the wireless network and ask for permission to test the current wireless network. That is "pretexting", the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. Raise the rogue access point on the Android device and persuade someone to help you while you're testing the network issues, by connecting to it and surfing, so you can check whether the corporate network and the Internet are both working. In the background, run dSploit and start sniffing traffic and hijacking sessions. Later, you could analyze the .pcap file with Shark Reader or with Wireshark on a laptop or PC. Leave dSploit sniffing in the background and run DroidSheep to capture sessions for Webmail, CMS or something similar which could be useful to a malicious attacker. DroidSheep has a couple of helpful options to help you capture user sessions, such as the option to save cookies or export them via email and add a host to the blacklist. Tell the employee you were told that most Web services such as Webmail don't work, so both of you need to check them while you're capturing all network traffic with sessions. The next thing you could do is to clone the targeted Web site to your Android device, run the Web server and lure the employee to visit the phishing site after you have "fixed" the problem with the wireless network. Set up the /etc/hosts file on the Android device; for example, one line should look like this: 127.0.0.1 webmail.companyx.com. So, when the victim opens a specific URL such as the above URL for corporate Webmail, while connected to the software access point on your device, you will redirect them to your cloned version of Webmail. The trick with the phishing attack is that after the victim tries to log in to Webmail, a script will save the credentials into a text file, throw an error about a wrong password, and redirect the victim to the real corporate Webmail. With a little luck, the penetration tester should easily obtain a password (see Figure 7).
Figure 8. Wireless MAC changer – simple interface

Figure 9. SET – generating malicious QR code

Figure 10. SET running inside Kali on Android

Figure 11. Running SSHDroid
Scenario
Company X is a corporation with more than 300 employees, which gives Peter a big chance to succeed in the attack. Peter is a penetration tester who works in a security company, and was commissioned to test Company X's employees against social engineering attacks. With recon-ng he managed to find out who the key people in the company are, so in case he needed a cover story he would know which person to mention to gain trust. He also discovered which departments the company has, and sorted the list of people he had previously put together by department. That gave him a good background. Before the attack, he scanned the wireless networks around the company building, and what he saw was that the first three octets of the corporate access points' MAC addresses belonged to a specific network equipment vendor. Armed with this information, he decided to change the MAC address and SSID of the wireless network card on his tablet. With Wireless Mac Changer (see Figure 8) that was a piece of cake. At the entrance he met a doorman who was checking documents; employees had ID cards hanging from their necks, so they could enter without the doorman checking them. He introduced himself as network support, wearing a vendor t-shirt which he got on eBay, and mentioned that he had received a call from the company's CTO to fix or replace a broken network device which provides the Internet link. The doorman let Peter inside the office area, knowing that it's necessary for them to have the Internet working. Peter dropped a few different USB sticks around the office: one in the toilet, one next to the coffee machine, and two on random office desks. While he was on his way to the coffee machine, he pasted a QR code on the wall next to the machine, previously generated with the Social Engineering Toolkit (SET) (see Figures 9 and 10), so that while waiting for coffee people would surely notice the QR code and, if he was lucky, scan it. Peter left his tablet on one office desk and turned on the software wireless access point, connected to the charger so that he solved two things with this move: the battery would not drain, and it would be less suspicious if somebody saw the tablet connected to a charger, because it's logical that employees charge their devices when they are empty. To lure people into connecting to his tablet he told a few employees that, as the network technician, he had set up a backup wireless network, while he launched a deauthentication attack with aircrack-ng to prove to them that the corporate wireless network was not working as it should. After that, clients started disconnecting from the corporate wireless and connecting to his "backup wireless" SSID. He ran DroidSheep, a tool for man in the middle attacks, set up the fake phishing corporate Webmail for those who connected to his access point, and also a traffic sniffer for Android, Shark. He turned on kWS – Android Web Server and started hosting the phishing sites. Now he had a spying device inside the company, without any suspicious looks from the employees. He installed an SSH server on his device so he could easily access Kali Linux from the outside world and run various attacks (see Figure 11). After a few days, Peter managed to collect dozens of accounts through the phishing Web sites he cloned from the original ones and through the Man in the Middle attack with DroidSheep. Also, a few employees became victims of the malicious QR codes and the trojan horse dropper from the USB sticks which infected their devices. After this demonstration of social engineering, the managers of Company X realized that educating employees about social engineering attacks is an essential part of IT security education.

Wireless Mac Changer on Google Play
Shark for Root on Google Play
Complete Linux Installer on Google Play
SSHDroid on Google Play
Android PCAP Capture on Google Play
DroidSheep: http://forum.xda-developers.com/showthread.php?t=1593990
kWS – Android Web Server on Google Play
dSploit: http://cloud.github.com/downloads/evilsocket/dsploit/dSploit-1.0.31b.apk

On the Web

http://ctrlaltnarwhal.wordpress.com/2012/10/29/173/ – "Phishing Using Only a Android Phone"
https://www.os3.nl/_media/2009-2010/students/laurens_bruinsma/ssnproject_android_v1.0.pdf – "Compromising WiFi Security with Android"
http://www.kismetwireless.net/android-pcap/ – "Kismet (for Android)" documentation
http://www.social-engineer.org/framework/Pretexting_Defined – "Pretexting Defined"
https://afreak.ca/blog/social-engineering-using-qr-codes/ – "Social engineering using QR codes"
http://www.csoonline.com/article/479038/social-engineering-anatomy-of-a-hack – "Social Engineering: Anatomy of a Hack"
http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/ – "WiFi jamming via deauthentication packets"

Glossary

Android, Social engineering, Phishing, dSploit, Kali, Pentest, Recon-ng, Complete Linux Installer, Social Engineering Toolkit (SET), DroidSheep, QR codes
Summary
In this article I have tried to inspire and encourage readers to engage their imagination while they are planning their next penetration test. Today we're living in an era when managers invest in hardware and software protection, from firewalls to IPS/IDS, but the weakest link in an organization is still security-uneducated employees. It isn't hard to exploit employees who don't know much about such attacks and protection from them. You don't need much experience with social engineering to conduct the attacks described above with mobile devices; for example, tablets are widely used in organizations, so when you see somebody using a tablet or smartphone, it's common, everyday stuff. The thing is that nobody will suspect you're holding a hacking device in your hands. The devices for the attacks described above are a Nexus 7 tablet and a Nexus S mobile phone. The Nexus 7 isn't expensive and it has sufficient resolution for comfortable work, 1280×800 WXGA pixels and a quad-core ARM Cortex-A9 CPU, and the Nexus S could be a good backup device if something doesn't work as planned.
Domagoj Vrataric
Domagoj Vrataric is IT Security Manager at Aduro Ideja Ltd., a company from Croatia which offers software solutions for the telecom industry, high-volume data processing, real-time systems, penetration testing services and mobile application security. He has experience with penetration testing (OWASP methodology), mostly in the telecommunications industry, eCommerce (osCommerce, ZenCart, OpenCart) and the media industry. He has 10 years of experience with Linux, 8 with IT security, and knowledge of hacker culture and ways of thinking. He is currently involved in penetration testing and is project manager on several security projects. Additionally he is in charge of security at Aduro Ideja, from monitoring IT infrastructure, administration of Debian servers and security policies on computers and mobile phones, to Android reverse engineering.
Cyber attacks are on the rise.
So, you think your systems and networks are secure? Think again – you’ve already been attacked and compromised. And, we should know because we did it in less than four hours. Here’s the good news: we’re the good guys. We can tell you what we did and how we did it, so you’ll be prepared when the bad guys try it – and they will. We’ll show you how.
- Combat cyber attacks
- Ensure resilience
- Mitigate risk
- Improve operational efficiency
Visit www.KnowledgeCG.com to learn how KCG’s experienced, certified cybersecurity professionals help our government and commercial customers protect their cybersecurity programs by knowing the threat from the inside out.
Trusted Cyber Advisor
PENTESTING TRICKS
Using XSS in a Spear-Phishing Attack

When a client asks for social engineering tests, most security consultants try to perform phishing. However, there are a lot of other possibilities to get better results without complexity.
Nowadays, it is very common for companies to use security services that include social engineering and physical security evaluations, sometimes as part of an integral analysis or only as unitary tests to comply with corporate or government requirements. However, the concept of social engineering is very broad. Formally, it refers to the practice of getting confidential information through the manipulation of legitimate users. Likewise, when we think about social engineering the first thing to come into our minds are Kevin Mitnick's stories where he compromises information systems by leveraging human weaknesses. From here we can conclude that the real purpose of social engineering evaluations is analyzing the consistency of corporate processes, for example analyzing a financial information consulting process where no employee is allowed to offer sensitive information without a lot of identity validation controls. At the beginning I mentioned physical security evaluations because I believe that physical security and social engineering are tightly related, due to the fact that by getting sensitive information mal-intentioned users can perform physical security control violations. The complexity and the number of companies' processes, which are directly proportional to the companies' size, remind us of the endless possibilities to analyze the reliability of the security controls implemented. The main idea of this article is to demonstrate some attacks I conducted on companies as part of security evaluations, showing the vulnerabilities that allowed successful attacks, as well as possible implications and corrections. The latter need to be analyzed by each company, due to the fact that the security controls to implement will differ because of company size, business focus, resources, internal politics, etc.
Conducting a Phishing Attack
I have found that XSS is common, especially because the majority of penetration testers show in their reports pop-ups from JavaScript like this one: <script>alert("Hello world!")</script>. Although this is evidence of the vulnerability, a really mal-intentioned user will not limit his attack to the pop-up; he will exploit the simple vulnerability to get more benefits. What follows is the most common, easy and very effective scenario to exploit an XSS. This test mixes different vulnerabilities and information obtained in the scouting phase to exploit an XSS with a lot of effectiveness. First, we need to send the XSS to the application users. There are many ways, but the most common is sending e-mails. We can try to send an e-mail in the corporate format from a public address using Gmail, Outlook, etc., but that will reduce the effectiveness to zero. There are also anonymous e-mail senders, but most of these public services are banned by the e-mail servers, so our e-mails will be detected by the company. The best way to send e-mails effectively is using open relays on the company's own servers directly. It is very common that companies have a lot of e-mail servers on UNIX platforms which aren't configured properly, merely running with bad or default configurations. First of all you need to detect the mail servers. To do so you can use the following command:
nmap -vv -sV -P0 -p25 [range of IP]
After that you need to verify the open relay on each mail server, to check whether it is possible to use it for sending our XSS attack payload. You can use Telnet to test each server with a dialogue like the following:
helo domain.com
mail from: [email protected]
rcpt to: [email protected]
data
Subject: Test

Hello world!
.
If we're skilled developers we can write a script to perform this verification automatically for each mail server detected by Nmap. Once we have verified that the mail server permits sending anonymous e-mails, we can use it to send our XSS attack, using the corporate image, to only a reduced number of users. Why a reduced number of users and not all the employees? Because if we send a lot of e-mails it is more likely that someone calls the security office to validate the information. Sending an e-mail to specific targets is more effective and generates less noise inside the company. While it is well known that managers and directors are the most vulnerable targets because of their poor knowledge of the IT sector, my recommendation is to abstain from selecting those kinds of people at first, and only do so if it is the only way to perform an attack. This is because usually this group of people has more influence on the internal security processes, and a warning by them has a faster impact than warnings by others.
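The verification script suggested above, written here as an added example (not code from the article) for mail administrators checking servers they are responsible for: it repeats the HELO / MAIL FROM / RCPT TO dialogue with Python's smtplib and classifies the reply to RCPT TO, never sending DATA. The probe addresses are constructed and both domains are assumed not to be local to the server under test.

```python
"""Open-relay verification for mail servers you administer.

Added example, not code from the article: it automates the article's manual Telnet
exchange (HELO, MAIL FROM, RCPT TO) with smtplib and classifies the reply to RCPT TO.
A server that, for an unauthenticated client, accepts a recipient outside the domains
it is responsible for is an open relay and should be fixed before anyone else finds it.
"""
import smtplib
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed probe addresses: both domains are assumed NOT to be local to the server
# under test, so a 2xx reply to RCPT TO can only mean the server agreed to relay.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"


@dataclass
class RelayResult:
    host: str
    port: int
    rcpt_code: Optional[int]   # SMTP reply code to RCPT TO; None if the dialogue never got there
    detail: str                # server reply text, or the error that stopped the probe
    verdict: str               # "open-relay", "relay-denied", "inconclusive" or "unreachable"


def classify_rcpt(code: int) -> str:
    """Turn the RCPT TO reply code into a verdict.

    2xx: the server accepted a foreign recipient from an unauthenticated client -> open relay.
    5xx: permanent refusal (Postfix answers 554 5.7.1 "Relay access denied") -> expected.
    4xx or anything else: temporary failure such as greylisting -> repeat the probe later.
    """
    if 200 <= code < 300:
        return "open-relay"
    if 500 <= code < 600:
        return "relay-denied"
    return "inconclusive"


def check_relay(host: str, port: int = 25, timeout: float = 10.0) -> RelayResult:
    """Run EHLO/HELO, MAIL FROM and RCPT TO against one server and classify the outcome.

    DATA is never sent, so no message is relayed even when the server would accept one;
    the context manager issues QUIT on exit.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, msg = smtp.mail(PROBE_SENDER)
            if code != 250:
                return RelayResult(host, port, code, msg.decode(errors="replace"), "inconclusive")
            code, msg = smtp.rcpt(PROBE_RECIPIENT)
            return RelayResult(host, port, code, msg.decode(errors="replace"), classify_rcpt(code))
    except (OSError, smtplib.SMTPException) as exc:
        return RelayResult(host, port, None, str(exc), "unreachable")


if __name__ == "__main__":
    # Usage: python relay_check.py mail1.example.com mail2.example.com ...
    for target in sys.argv[1:]:
        result = check_relay(target)
        print(f"{result.host}:{result.port} {result.verdict} ({result.rcpt_code}) {result.detail}")
```

Feed it the hosts Nmap reported with port 25 open; anything other than "relay-denied" deserves a look at the server's relay restrictions.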
After that, all warnings will be attended to by the IT or security department, so in this kind of attack speed is very important. Now we can use a web server installed and configured by us to exploit the XSS vulnerability, or directly inject a frame into the web application. It depends on the attacker's imagination and skills. Remember that this is an authorized evaluation, and for our client it is important not only to log the access credentials captured in our attack, but also to save timestamps for each event, for example when the users read the e-mail, when the access to the fake website took place, when information was entered and when the user left our fake website. Using this information we can evaluate the time taken by users, IT and security areas to manage the incident. The reason this kind of attack is successful, in spite of its simplicity, is trusting behavior. In the first instance, the victim reads the corporate domain address of the e-mail sent by the attacker, which can be considered very trusted, and if the user follows the link attached in the e-mail and sees a copy of the corporate website the trust increases. As a curious fact, in the penetration tests where I performed this kind of attack, the kind of people who detected the attacks were assistants, skilled people who can detect differences between previous e-mails and the malicious one. Actually a lot of attacks were detected because of misspellings (Figure 1).
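One way to turn the timestamps the paragraph asks for into the numbers the client cares about (time to first credential, time to first report, time to containment), as an added example that is not part of the original article. The log format, the event names and the sample log itself are constructed for this example.

```python
"""Timeline analysis for an authorized phishing simulation.

Added example, not code from the article. The article asks that every step of the
exercise be timestamped (e-mail read, fake site visited, data entered, site left) so
the client can measure how long users, IT and security took to handle the incident.
The log format and event names below are assumptions made for this example.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: "<ISO-8601 timestamp> <event> user=<id>", one event per line.
# "reported" means the user alerted the security office; "contained" (actor "security")
# marks the moment the landing page was blocked.
SAMPLE_LOG = """\
2013-05-06T09:00:00 sent user=u01
2013-05-06T09:00:00 sent user=u02
2013-05-06T09:00:00 sent user=u03
2013-05-06T09:04:12 opened user=u01
2013-05-06T09:05:30 clicked user=u01
2013-05-06T09:06:02 submitted user=u01
2013-05-06T09:07:45 left user=u01
2013-05-06T09:10:00 opened user=u02
2013-05-06T09:11:10 reported user=u02
2013-05-06T09:25:00 opened user=u03
2013-05-06T09:26:40 clicked user=u03
2013-05-06T09:40:00 contained user=security
"""
SECURITY_ACTOR = "security"


def parse_log(text: str) -> List[dict]:
    """Parse the log into events sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, subject = line.split(" ", 2)
        events.append({"ts": datetime.fromisoformat(stamp), "event": event,
                       "user": subject.split("=", 1)[1]})
    return sorted(events, key=lambda e: e["ts"])


def first_time(events: List[dict], name: str) -> Optional[datetime]:
    """Timestamp of the earliest event with this name, or None if it never happened."""
    for e in events:
        if e["event"] == name:
            return e["ts"]
    return None


def seconds_between(start: Optional[datetime], end: Optional[datetime]) -> Optional[int]:
    if start is None or end is None:
        return None
    return int((end - start).total_seconds())


def user_timelines(events: List[dict]) -> Dict[str, Dict[str, datetime]]:
    """First occurrence of each event per targeted user; the security actor is not a target."""
    timelines: Dict[str, Dict[str, datetime]] = {}
    for e in events:
        if e["user"] != SECURITY_ACTOR:
            timelines.setdefault(e["user"], {}).setdefault(e["event"], e["ts"])
    return timelines


def dwell_seconds(timeline: Dict[str, datetime], start: str = "opened",
                  end: str = "submitted") -> Optional[int]:
    """Seconds one user took between two of their own events (None if either is missing)."""
    return seconds_between(timeline.get(start), timeline.get(end))


def summarize(events: List[dict]) -> dict:
    """Exercise-wide metrics: who fell for it, how fast, and how long containment took."""
    timelines = user_timelines(events)
    sent = first_time(events, "sent")
    first_submit = first_time(events, "submitted")
    first_report = first_time(events, "reported")
    contained = first_time(events, "contained")
    count = lambda name: sum(1 for t in timelines.values() if name in t)
    # Clicks after the first user report measure the exposure window between
    # "someone noticed" and "security actually blocked the page".
    late_clicks = sum(1 for e in events if e["event"] == "clicked"
                      and first_report is not None and e["ts"] > first_report)
    return {
        "targets": len(timelines), "opened": count("opened"), "clicked": count("clicked"),
        "submitted": count("submitted"), "reported": count("reported"),
        "first_submit_after_send_s": seconds_between(sent, first_submit),
        "first_report_after_send_s": seconds_between(sent, first_report),
        "submit_to_containment_s": seconds_between(first_submit, contained),
        "report_to_containment_s": seconds_between(first_report, contained),
        "clicks_after_first_report": late_clicks,
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, value in summarize(parsed).items():
        print(f"{key:28} {value}")
```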
Figure 1. The most common XSS exploitation
Attacking From a Cafeteria
I declare myself a fan of Hak5, and for me some of their devices are great. One of the most versatile devices is the WiFi Pineapple (http://hakshop.myshopify.com/products/WiFi-pineapple). Using this device it is possible to perform social engineering attacks. The WiFi Pineapple is a small device modified with an installation of OpenWrt, a Linux distribution oriented towards small network devices, and Jasager, an interface that permits interaction with the WiFi Pineapple. In its simplest attack, the Pineapple has an option called "Karma" which accepts all the requests generated by nearby devices when they are looking for their preferred networks. The WiFi Pineapple always accepts these connections, and we have the option to redirect the traffic intercepted with the Pineapple to other networks, for example the Internet or an intranet, if you are testing an internal network.
Figure 2. WiFi Pineapple
With the WiFi Pineapple we have an option to perform DNS spoofing attacks. We can redirect websites visited by the users to fake websites mounted by us. So we can copy the index page from any internal or external website and put it on our web server, even on the WiFi Pineapple's own web server, modify the HTML code and use the fields to save users and passwords. After saving the important information we can then redirect the user to the real site and start a session, so that the attack is transparent to the user. At the Pineapple's wiki you can get commonly used pages like Facebook, Gmail, Yahoo, etc., which can be used to catch users of these public services, or you can use a personalized page, depending on your requirements. What follows, shown in Listing 1, is a snippet of code you can use to catch users, passwords or whatever you want. This simple code was used in a real engagement, combined with the WiFi Pineapple, against an internal application. Using this code we captured more than 100 Windows domain and mainframe accounts. Also, the characteristics of the WiFi Pineapple meant that the attack did not have to be performed from the company facilities: performing it from a cafeteria next door was enough. This avoids the complicated physical access. That code doesn't use a DBMS or sophisticated modules; it can even be saved on the WiFi Pineapple's web server and then the attacker can access it by SSH to review the information captured. I have to say that the complexity of the attack is not the important thing here; on the contrary, the important thing is the ease with which a mal-intentioned user can access sensitive information and resources in a network without complex tasks such as exploit execution, ARP poisoning or any other resource. Another important feature of the WiFi Pineapple is the use of rechargeable batteries, so an attacker can plant a Pineapple inside a company to catch information and leave it there for some hours. It would be very complicated to locate.
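The detection-side counterpart of the Karma and fake-site behaviour described above, as an added example that is not part of the original article: a Karma-style device answers probe requests for whatever SSID nearby clients ask for, so one BSSID is seen advertising many unrelated SSIDs, and it will answer for the corporate SSID from a BSSID the company does not own. The code assumes probe responses already decoded by a wireless monitor; the addresses, SSIDs and allowlists are constructed.

```python
"""Detecting a Karma-style rogue access point from probe responses.

Added example, not code from the article. Input is assumed to be probe responses already
decoded by a wireless monitor (timestamp, BSSID, SSID); frame capture is out of scope.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

CORPORATE_SSIDS = {"CorpWiFi", "CorpWiFi-Guest"}   # constructed
AUTHORISED_BSSIDS = {"00:11:22:33:44:55"}           # constructed inventory of company APs
KARMA_THRESHOLD = 4   # distinct SSIDs one BSSID answers for before it is flagged


@dataclass(frozen=True)
class ProbeResponse:
    ts: float    # capture time in seconds
    bssid: str   # transmitter address of the responding AP
    ssid: str    # SSID it claims to serve


# Constructed observations: the company AP answers for its two SSIDs; the second BSSID
# answers every SSID nearby clients probe for, including the corporate one.
SAMPLE = [
    ProbeResponse(0.0, "00:11:22:33:44:55", "CorpWiFi"),
    ProbeResponse(0.5, "00:11:22:33:44:55", "CorpWiFi-Guest"),
    ProbeResponse(1.0, "de:ad:be:ef:00:01", "CorpWiFi"),
    ProbeResponse(1.2, "de:ad:be:ef:00:01", "HomeNet"),
    ProbeResponse(1.4, "de:ad:be:ef:00:01", "attwifi"),
    ProbeResponse(1.9, "de:ad:be:ef:00:01", "Starbucks"),
    ProbeResponse(2.3, "de:ad:be:ef:00:01", "xfinitywifi"),
    ProbeResponse(45.0, "00:11:22:33:44:55", "CorpWiFi"),
]


def ssids_by_bssid(responses: List[ProbeResponse], window_s: float = 60.0) -> Dict[str, Set[str]]:
    """Distinct SSIDs each BSSID answered for within window_s of its first response."""
    first_seen: Dict[str, float] = {}
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in sorted(responses, key=lambda r: r.ts):
        start = first_seen.setdefault(r.bssid, r.ts)
        if r.ts - start <= window_s:
            seen[r.bssid].add(r.ssid)
    return seen


def detect(responses: List[ProbeResponse], window_s: float = 60.0) -> List[dict]:
    """Flag promiscuous responders (karma-like) and unauthorised BSSIDs that answer for a
    corporate SSID (evil-twin); a real AP answers only for the few SSIDs it serves."""
    alerts = []
    for bssid, ssids in sorted(ssids_by_bssid(responses, window_s).items()):
        if len(ssids) >= KARMA_THRESHOLD:
            alerts.append({"type": "karma-like", "bssid": bssid, "ssids": sorted(ssids)})
        spoofed = ssids & CORPORATE_SSIDS
        if spoofed and bssid not in AUTHORISED_BSSIDS:
            alerts.append({"type": "evil-twin", "bssid": bssid, "ssids": sorted(spoofed)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```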
Figure 3. Basic MITM using a WiFi Pineapple
Unauthorized Access
As I said at the beginning, physical security and social engineering tests are closely related. Below I will describe some examples in which social engineering attacks are combined with gaining physical access to facilities, with the purpose of extracting information, laptops and devices, or only to review the security controls implemented by the company.
Usually the first security control is identifying a person before granting access to facilities; it is common to use PVC credentials with the employee's photograph, name, title, etc. These credentials can be printed at a stationery shop at an approximate cost of $1.50 per credential. We can print the information we want and show it at the security control as a valid credential with our data, as an authorized person. In my experience, even with this kind of credential, access to unauthorized areas can be complicated, mainly when we want access to the principal facilities; however, small facilities or branches are easier. For example, during an evaluation a client asked me to determine the complexity level of accessing the bank's facilities. After studying the bank, I determined that access to the main facilities was very, very complex.
The first security control was a policeman at the door; to access the bank I needed to present a credential and write down my personal information and the serial number of my laptop. This control had to be passed by employees and guests; after that I needed to wait for a person to sign for my access, writing the visit purpose; the guest needed to be escorted by an employee, even to visit the bathroom. Trying to impersonate an employee would fail because of the biometric access control for opening the doors. There are techniques to bypass this kind of control, like passing through doors close behind another person, pretending to be an office boy, etc., but if you have tried these techniques you know it is not very easy. After my analysis, I determined that access to the main facilities was impossible; however, during a tour with the CSO I saw a branch office, and in each branch office there are servers to communicate local financial operations to the main servers. The physical security controls at branch offices were poor: the CSO only presented a business card to the manager, said "Hi, I'm the CSO and I am a member of the board of directors", presented his credential, and the manager offered all kinds of support for his work. After I saw that, I printed a PVC credential with my photograph, name and the title "security auditor". I also printed business cards with the same data; and the next time, I arrived at a random branch office dressed in a suit and tie, asked for the manager, showed my credential and gave him a business card. I explained I was performing an audit and as part of it I needed access to the server. The manager, very friendly, gave me access to the servers. During my visit I performed two tests; first I asked an employee for access to the bank system using his user and password, which were domain credentials; he, very friendly again, gave me his credentials on a post-it. Then I asked for access to the rack where the server and network devices were. Employees at the local branch office never perform any operation on the server, but sometimes the support area calls them for help: to avoid moving from the main facilities to all the local branch offices, the support area creates generic users and asks local employees for easy activities like rebooting the server, shutting down devices, etc. I asked the manager for this generic user and he gave me another post-it. I started a little scouting on the network using an old Windows Server 2003: I downloaded the Windows hashes and looked at the installed software, where I found a SQL Server 2005. The generic user was in the built-in group, and I accessed the database to see its content in detail. I found all operations performed by this local branch office.
Figure 4. Samples of printed credentials
This kind of attack, very focused, did not represent the same risk as entering the main facilities, yet I basically accessed more sensitive information than I could have accessed at the main facilities. While at the main facilities the security area has implemented biometric controls, NAC, cameras, etc., at branch offices all the security was broken by the manager's trust in my fake credential and business cards. I got more network details and software details with my approach, even domain users with which to start a complex attack on their infrastructure. At datacenters it is common to perform computer and laptop extractions to evaluate security controls, and after that to review disk encryption, password policy, BIOS hardening, etc. At datacenters and companies in general there are logs about electronic device access for both employees and guests; one of the common ways to control access is using a sticker with a bar code printed on it. So I went to a stationery shop to print some stickers; the cost was around $200 per 50 stickers. I accessed the datacenter facilities as any guest would have done, walked to the main conference room and took a computer from there. I quickly left the datacenter, and at the security control a policeman asked me for the bar code. He scanned my fake sticker and obviously an error was shown by the system; I told him "maybe it is because I'm new here", an excellent answer: the policeman apologized and told me "yes, this error is very common with new employees, please write down the serial number and I will check later". I reviewed the computer; it was used by all managers and directors to present slides, and I found financial reports, information about new projects, new products, weaknesses, and a long etcetera. It was very easy to extract a laptop from the datacenter, and actually all computers there have disk encryption, but this computer, a public computer where everyone could transfer their files to show them... did not.
Listing 1. Getting passwords
<!-- Shows a fake "an error occurred in the transaction, try again later" message, then sends the user back to the real site after one second -->
<script>
  alert('Ocurrio un error en la transaccion\nIntentelo mas tarde');
</script>
<META HTTP-EQUIV="REFRESH" CONTENT="1;URL=http://www.client.com">
Summary
I could spend a lot of time writing about my professional experience with social engineering tests, and maybe all of you have your own stories, many of them very different depending on your country, approach and the maturity level of the security controls implemented by companies, governments and organizations. However, I have some conclusions that you can take regardless of all the differences, and these conclusions go beyond people's trust and goodwill. Trust and goodwill in people are good, but authority is better. People feel good helping others, but the reaction is faster if the order involves someone of higher authority in the hierarchical structure of the company. As I showed in the bank scenario, the manager was very friendly with me because I presented myself as an important employee from the corporate facilities; this generates a feeling of responsibility in the people involved in the attack, and as a result he offered all possible information. However, you need to be very careful and not exaggerate: it is also normal that someone who feels frightened by another person tries to identify mistakes in their behavior in order not to offer support. It is a human reaction; you need to be polite but strong, like a boss. Don't limit your imagination to simple attacks; use all the information gathered to perform complex attacks. Don't attack random users only: take care selecting a sample of users from the information gathered previously, take your time on fake images and corporate formats, take care about spelling and grammar; if possible don't use scripts to send e-mails, write each e-mail by hand and personalize it for each target. When you present the test results, remember to orient them to the business: the important thing for your clients is not listings of users and passwords, or other kinds of sensitive information, but the impact on their business, the strategy needed to avoid the weaknesses and its total cost. Collect all the possible information. As a penetration test has an active and passive information gathering phase, the social engineering test also has an information gathering phase where you need to obtain a lot of information about the security controls implemented and the processes. You can get information using tools like Maltego and FOCA, which from public information can obtain private information useful for your tests, such as names, key persons in the company, telephones, addresses, documents, formats, e-mails, etc. Always orient your results to the business. I am being very repetitive, but it is important.
Mainly because companies pay a lot of money for this kind of test to know their weaknesses, but beyond that, to design a strategy to avoid them in the future, it is necessary to be detailed in the descriptions of access methods, human errors, security awareness, security controls implemented and nice-to-have recommendations.
Carlos A. Lozano
Carlos A. Lozano has been working as Chief Technology Officer at blue Mammut Computer Security Services, a small company focused on application and network security, for the past 6 months; before that he worked as a security advisor at several companies specialized in security fields. He founded BugCON Security Conference, the largest security conference in Mexico, and he is interested in exploitation techniques, research and reverse engineering.
Wireless Penetration Testing Beyond the IEEE 802.11 Family of Standards
Wireless penetration testing covers a large family of wireless protocols. Usually, penetration testing companies offer their customers only WiFi (IEEE 802.11 family of standards) penetration tests, leaving out the other widespread wireless technologies. Wireless protocols like Bluetooth, ZigBee, RFID, NFC, GPRS/EDGE/HSPA and SAT are often used by companies in mission-critical environments, but their security problems are often upstaged by business needs until a threat agent teaches the company how expensive a breach is in terms of money and reputation.
While end users have discovered the joys and sorrows of wireless communications in the last ten years, industry has been using these technologies for at least thirty years. At the beginning their devices were interconnected using very basic proprietary RF technologies meant to transmit a few control data, but over the years systems have evolved, adopting more and more sophisticated technologies used for many different purposes: wireless technology was initially born from the need to manage devices and sensors regardless of their distance from the control station, and it has become almost ubiquitous in companies. Despite the technological evolution, what remains almost the same is the approach to the design of systems using these technologies: the assumption made by engineers who decide to use wireless communications in their systems is that there is no possible hostility in the usage made by users or by the parties joining the wireless communications. We know that this is simply not true; in the Stuxnet era even my mother could be hostile without knowing it. Also, in the rare cases where the engineers designed their systems thinking that the user could be hostile, they fail because too often security is implemented through obscurity instead of using best practices and well-known security protocols and algorithms. In this article we will present an overview of the security problems and the penetration testing techniques related to the non-WiFi (IEEE 802.11 family of standards) wireless technologies. Therefore the use of the term wireless in the next paragraphs should be understood in this sense.
The Wireless Communication’s Security Big Deal
The big, undeniable problem in wireless communications is the shared communication channel (the air). The sentence may sound trivial, but during the development of systems that use wireless technologies, engineers often seem to forget this fundamental fact. I say that because in my work experience, even in the case of systems designed to be equipped with wireless technologies that provide security features, the security features were switched off. The point is not purely technological, but resides in the technical background of the system designers, which has survived unchanged over the years along the technological evolution.
The paradigm adopted in the design of this kind of system is something like "it has to work" rather than "it must work securely", because of the following common belief of the "Triassic" designers and the companies that rely on their convictions: "who do you think would be interested in or able to break into our super-tested proprietary system?" The problem becomes more serious considering that such technologies are usually used in costly systems resilient to change. Imagine a company that has just invested hundreds of thousands of euro to deploy a system. Imagine telling them that their system is intrinsically insecure: how do you think they would react? They, for sure, will not change anything unless it is practically demonstrated that a threat agent can damage their business. Selling wireless security services in this scenario is difficult, and it is even more difficult to identify practical and cost-effective solutions, but our experience says that once you find the key to let your customers understand how risky it is to keep operating a system relying on insecure wireless technologies, they will promote actions to mitigate the risks, involving the security consultants in the review of the whole system. The question arises: what is the key to let the customer understand the risks of poorly designed devices equipped with wireless technologies, in terms of security? In my experience, penetration tests in these environments have always been planned and executed following these principles:
Pre-Sales/Sales
The approach to the sale of the test is made with specific know-how on the topic. We try to sensitize the customer to the threats affecting this kind of technology without being "terrorists". First, in each sales meeting we try to catch the needs of the Customer's business and figure out how a threat agent may affect its business model. Our testing idea is then discussed with the customer to identify exactly its needs. From our point of view, it is crucial that the proposition is both technical in the analysis of the attack vectors to test and business oriented, in order to allow the customer to understand what the test is intended for. In general, be consistent in the proposition with an approach inspired by real-life security issues more than by academic concerns.
Penetration Test Plan
The test plan definition is important for every kind of test. In wireless testing it is even more important because, unless your company has its own logistics division equipped with trucks to carry all the devices and the stuff you need to test the wireless infrastructure, you have to define the technologies being tested and the kind of test to perform. It is really important that a highly skilled analyst in the field of wireless communications is involved in this phase. Just to give you a practical example, the wrong antenna choice could compromise your analysis. A different story is a black box test, where you definitely need a truck to carry all the devices needed to analyze unknown wireless signals. I definitely do not recommend planning such a generic wireless test unless you and the customer are really aware of the complexity and the trouble you may have to face.
Penetration Test Execution
Apart from methodologies, which are always important in penetration testing, remember that dealing with wireless technologies is not a kiddie game, so please consider your safety, and the safety of the people around you, while operating wireless devices (especially high-power ones). Usually we try to carry out these kinds of penetration tests in a laboratory environment where we can take all the necessary protections in terms of safety and security, but if the Customer requires the analysis in a production environment, we advise them of the potential security and safety risks. Moreover, before starting the analysis we have a meeting with all the Customer staff working within range of our wireless devices, to inform them about the safety measures to adopt while we are working on the penetration test. In a production environment you also have to keep in mind that your test may affect more devices than those in your target scope, so you have to be very careful in evaluating every possible side effect resulting from the analysis activity. With this in mind and all the needed precautions, your analysis can be done without harming anyone or anything outside your target scope.
Wireless Penetration Testing Domains
Depending on the wireless technology being tested, the testing strategy will verify certain aspects related to information security besides the technology-specific vulnerabilities. In general, during a wireless penetration test you have to verify, where applicable to the technology, at least the following security domains:
Confidentiality of the Information
Due to the shared communication channel, the confidentiality of the information should be verified during a penetration test. The level of confidentiality and the impacts depend on the technology being tested; however, you have to verify that the transmitted information is accessible only to those who are authorized to access it. For example, imagine an HTTP conversation over an asymmetric satellite link (e.g. a DVB satmodem where the upstream channel transits over the Internet and the downstream channel transits over the air): if the channel is not properly protected, a threat agent could access the responses from the server containing sensitive information (e.g. cookies, a clear-text password returned in a later response, company information contained in the response pages, etc.).
Communications Integrity
It is fundamental to ensure that information is not corrupted during transit. In particular, during a test you have to check that it is not possible to inject forged traffic into a communication, or to re-inject part of the captured traffic into the same channel.
Authentication and Authorization
Like any other communication technology, also for wireless ones you have to ensure that the authorization and authentication mechanisms work properly. In wireless communications these controls are shared between the parties, so you have to check that each player involved in the communication is doing its job. For example, in a typical "private" mobile network (where the Customer has its own APN) the telco provides the authorization services and the Customer implements the authentication ones. A lack of authorization is represented by the ability to access the "private" mobile network with a generic (U)SIM not owned by the Customer, because the CUG (closed user group) is missing. Depending on the technology, the way you perform the test may vary both in the tools used and in the area attacked. In the next paragraphs we will briefly cover the tools, the devices and the techniques used to perform a wireless penetration test.
RFID Penetration Testing
The RFID technology was born in the military area and was initially used as an IFF (identification friend or foe, an identification system to determine whether a target is a friend or an enemy) transponder. Nowadays this technology has many applications such as smart cards, cars, retail stores for inventory tracking, chips for animals, corporate badges and so on. In a corporate environment, the following hardware components are usually the parts to be included in the penetration testing process: RFID readers, RFID tags and RFID antennas. Figure 1 shows a typical RFID architecture. RFID is usually used in two ways:
Unique ID (UID) Transponders
A transponder operating in this mode uses the LF band (100 to 150 kHz) for the wireless transmission. The transponder is programmed by the manufacturer and the chip comes with its own identification number written in memory. When the transponder is in range of the reader, the memory content is transmitted to it. In this operating mode there is no authentication of the communication origin, so the transponders send data to anybody and the reader receives data from anybody.
MIFARE
A transponder operating in this mode uses the HF band (13.56 MHz) for the wireless transmission. In this mode you can find basically two kinds of usage: the first is equivalent to the Unique ID (UID) mode; the second provides a "cryptographic" technology used to mutually authenticate the transponder and the reader. Unfortunately for those who adopted this technology, both operating modes were totally compromised, leaving several attack scenarios open to a threat agent. The following are some of the typical attack scenarios that you can analyse during a penetration test.
Relay Attacks
In this scenario a threat agent is able to perform a man-in-the-middle attack. Using a device placed between a legitimate RFID tag and reader, the threat agent is able to intercept and modify the radio signal.
Figure 1. Typical RFID architecture
Network/Transport Layer
This scenario includes the attacks based on the way data are exchanged between the entities (tags, readers) of an RFID network. We have to distinguish attacks against tags, readers and the network protocol. Talking about tags, a threat agent could both clone and spoof the victim's tags. Regarding the readers, we could choose both impersonation and eavesdropping attacks (an unauthorized user uses an antenna in order to record RFID communications). Also consider that RFID systems are often connected to back-end databases and networking devices, so they are susceptible to the same vulnerabilities as general-purpose network devices.
Application Layer
In this scenario a threat agent could take advantage of the aforementioned attacks to exploit back-end software vulnerabilities. The RFID becomes the vector for classic attacks such as BoF, SQL injection and so on, depending on the back-end business application. Depending on your electronics skills you can build your own professional RFID penetration test kit starting from 250 up to 1500 €. For example, over the Internet you can find a lot of tutorials to start playing with RFID using the Proxmark III [1], a general-purpose RFID device.
ZigBee Penetration Testing
ZigBee (IEEE 802.15.4, which defines the physical and MAC layers) is a wireless transmission technology that operates in the 868/915 MHz and 2.4 GHz frequency ranges, originally developed in 1998. ZigBee was designed to be a short-range protocol for use in embedded devices, thanks to its simplicity. Figure 2 shows the ZigBee protocol stack. There are many implementation scenarios, but the built-in protocol supports both mesh and star-based network topologies. In a typical ZigBee network there are two types of devices: the Target and the Controller. The first device type is responsible for PAN creation and coordination; the second can join the network created by the Target by pairing with it. Although the ZigBee protocol stack has been designed with security in mind, researchers have found vulnerabilities that allow a threat agent to harm a ZigBee PAN. The following are the known ZigBee vulnerabilities you can analyse during a penetration test:
Figure 2. ZigBee Protocol Stack, Source Wikipedia
Physical Attack
Many ZigBee devices use a hard-coded encryption key to encrypt the network traffic. During the boot process the key is moved from flash memory to RAM, which lets a threat agent with physical access to the device retrieve it. Plan this kind of test only in a test environment, since you will have to disassemble the device in order to connect the probes needed to access the memory.
Key Provisioning Attack
ZigBee uses a protocol known as Over the Air (OTA) for the delivery of the keys used to encrypt the network traffic. ZigBee networks typically use OTA in large networks, because of the ease of updating, in order to guarantee transmission security. Unfortunately, due to a small flaw in the protocol design (the cryptographic keys are sent unencrypted), this mechanism offers almost no protection against a threat agent: once the keys are obtained, the PAN traffic can be decrypted.
Replay Attack
ZigBee has really basic replay protection, so a threat agent able to intercept the network traffic is able to inject any previously observed packet until the key rotation. Especially in a production environment, be careful while playing with this: since you have no idea of what you are injecting, consider that you can cause service disruption or even worse damage.
The physical attack on ZigBee devices can be carried out using the Bus Pirate [2] or GoodFET [3]. The other attack simulations can be carried out using KillerBee [4] and the suggested ZigBee hardware. Depending on your electronics skills you can build your own professional ZigBee penetration test kit starting from 100 up to 350 €.
Bluetooth Penetration Testing
Bluetooth (802.15.1) is a wireless transmission technology that operates in the 2.4 GHz frequency range. Bluetooth was designed to be a short range protocol with low power consumption. The radio technology used by Bluetooth is known as frequency-hopping spread spectrum, which splits the data being sent to other devices and transmits it on up to 79 frequencies. The Bluetooth protocol stack is anything but simple: it can operate in several different ways and the testing scenarios are as wide as the protocol specifications. While you can find several excellent resources on the Internet regarding Bluetooth security and penetration testing (e.g. [5][6]), I will focus on the analysis of the security testing scenarios related to the embedded devices and industrial automation world. The following are the known Bluetooth vulnerabilities you can analyse during a penetration test:
Pairing Eavesdropping
Depending on the Bluetooth version, PIN/Legacy Pairing and LE Pairing are susceptible to eavesdropping attacks. A threat agent able to collect all pairing frames can recover the secret key(s), which allows device impersonation and data decryption.
PIN Enumeration
Often, especially with older Bluetooth versions, the PIN used to pair with a device is weak. Since the pairing mechanism has no brute-force prevention, and also considering that the PIN is often a number composed of 4-5 digits, it can be trivial for a threat agent to retrieve the PIN used for the device pairing.
Secure Simple Pairing Attacks
SSP is a method used to establish a secure connection between Bluetooth devices. Despite the secure mechanism, a threat agent could abuse some of the protocol flaws to perform a man-in-the-middle attack.
Application Layer
In this scenario a threat agent could take advantage of the aforementioned attacks to exploit the back-end/device software vulnerabilities. Bluetooth becomes the vector for classic attacks such as BoF and so on, depending on the back-end business application. Because of the frequency hopping, the hardware investment needed to intercept Bluetooth communications can be expensive. There are a couple of cheap alternatives that work well with older Bluetooth versions [5], but a professional solution [7] could be the only choice in certain scenarios.
SAT Penetration Testing
Satellite link communications are probably one of the oldest wide band technologies adopted by companies. Originally developed for military use, this technology has evolved, becoming more accessible. Nowadays DVB-S2 is the de facto standard (ratified by ETSI EN 302307) for audio, video and data connections via satellite. Data connections using DVB technology are implemented in the following ways:
Sat Modem
The client uses only the satellite downstream; it is not able to transmit data over the sky. Requests are made through the Internet, usually using a PSTN or an HSPA connection, and the responses are received through the satellite link.
Astro Modem
Both the client and the provider exchange information using the satellite link. Requests are sent by the client to the satellite, which forwards them to the provider. The responses follow the same path. The following are some of the typical attack scenarios that you can analyse during a penetration test:
Data Analysis
Depending on the link scenario the impact may vary: in the case of a sat modem, a threat agent could intercept only the responses to the connection's requests. Usually, this kind of connection is not encrypted, so all the unprotected information can be accessed by everyone with sat coverage.
TCP/IP Attacks
Over a sat link a threat agent can try to exploit all the known flaws of the TCP/IP suite. For example, it is possible to try to poison the DNS cache, or to hijack TCP/IP connections. Moreover, if the scenario allows it, you can try to access applications not directly exposed through the Internet.
Despite what one might think, the equipment needed, at least for the sat modem scenario, is not expensive: you can set up a basic tool kit starting from 100 €. All you need is a good parabolic antenna and a SkyStar 2 TV DVB adapter [8].
References
[1] proxmark3 – https://code.google.com/p/proxmark3/wiki/HomePage
[2] Bus Pirate – http://dangerousprototypes.com/docs/Bus_Pirate_v3.5
[3] GoodFET – http://goodfet.sourceforge.net
[4] KillerBee – https://code.google.com/p/killerbee/
[5] Bluetooth Penetration Testing Framework – http://bluetooth-pentest.narod.ru/
[6] Martin Karger's blog – http://www.evilgenius.de/category/bluetooth/
[7] Bluetooth protocol analyzer – http://www.fte.com/products/BPA600.aspx
[8] Skystar Adapter – https://www.technisat.com/en_XX/
Conclusion
As shown in the article, wireless technologies can harm your customer's business if the data that travel over them are not meant to be delivered across a shared medium and the technologies themselves are not properly protected. Proposing a wide spectrum of security services for wireless technologies is a plus, even if in some cases the initial investment may be significant. Remember that, especially in this kind of penetration test, the analysis itself is only the starting point: the real challenge is to help the customer find a practical and cost-effective solution to mitigate the identified vulnerabilities.
Francesco Perna
A computer enthusiast since childhood, he has spent more than 15 years researching security issues related to applications and communication protocols, from both the offensive and the defensive point of view. He is a partner and technical director of Quantum Leap s.r.l., a company that offers security services to companies and organizations. http://www.linkedin.com/in/francescoperna –
[email protected] – www.quantumleap.it
Pietro Minniti
A security professional for over 10 years, he has focused his research mainly on the ERP security field. As an application security specialist at Quantum Leap, he performs security analyses of corporate networks and national critical infrastructure environments. http://www.linkedin.com/in/pietrominniti –
[email protected] – www.quantumleap.it
CASE STUDIES
Hacking a Bank
Putting million dollar locks on Barbie's house
This story is a real life event that took place while I was doing a blackbox external pentest for a client in the financial industry, but actually, the same scenario could happen in any other sector.
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of blackbox penetration tests against their external network, shortly after they had acquired a very expensive Information Security Management System from a major international audit firm. The real reason they contracted my services was in fact to see how their newly employed system would react in a real life scenario, and the scope of my actions was to gain access to their internal network. No one, myself included, thought this was going to be an easy task. Challenge accepted! According to the contract terms, I was permitted to perform the attacks at any time, just like a real life attacker. So, at first I thought it would be wise to perform the initial assessment during the day, in order to disguise my probes inside the regular working hour traffic. The network scan didn't reveal any interesting open ports; in fact, the only active servers were the two servers running DNS, two different mail servers running on SSL and one server running HTTP and HTTPS. All services were up to date and apparently well enough configured to resist simple attacks, so I decided that I should take a look at their web application in the hope of finding a way inside.
The web application was built with PHP and JavaScript on a commercial Unix platform. By manually browsing the website, I saw a lot of interesting places that showed a lot of promise for launching further attacks, so, naturally, I decided to start an automatic crawl of the website. At first sight the application seemed very complex, with many pages, so I decided to start an aggressive crawl with a few tens of concurrent threads against it. After a few minutes, I noticed my crawler hung and I realized their IPS was blocking my probe attempts, probably due to a throttling mechanism. So I changed my IP address (remember, it was a 'blackbox pentest') and started a new, less aggressive crawl. After a few minutes, the same result: my crawler hung because my IP address was blocked again. Getting more and more frustrated, I decided to start a manual crawl of the application, just to see how it reacted and how I should set things up for a successful automated crawl. Indeed, the IPS didn't block my manual crawl. But setting the automated crawler to perform its task at a human pace would have meant an incredible amount of time. I took that bet and let it crawl while I started poking and probing around, playing with different parameters just to see how the application would react to a fuzzing tool. And I managed to make it spill out a few application error messages. Nothing great, I know, but still, it was something. Soon, I started fuzzing the parameters I had discovered earlier as being prone to errors, hoping I could make them spill out even more interesting error messages, such as SQL errors or at least some input validation errors. To my despair, the IPS rules were perfectly set to match my attacks and I was growing way too frustrated to have the patience to discover the limitations they implied. So I decided to leave it for later, and go out for a hot espresso just to clear my mind. I returned to the office at around 22:00, eager to work. I decided I should redo everything from step 1, just in case I might have missed something earlier, so I started a new external network scan. I never hoped for anything to be different, but as soon as I started reading the output file, I noticed a new IP address as active, running a service on a very high port, 56635. Grabbing the banner on this port didn't reveal anything, so I decided to run AMAP: 'Protocol on xx.xxx.xxx.xx:56635/tcp matches ssl'. Immediately I start a browser and... what do I see? The login page of a PhpMyAdmin interface. I find out the version running and start looking around the Web for useful information about it, but the only thing I learned was that this was one of the newest versions, bearing little to no vulnerabilities. The only place I had left to try was to attack the parameters in the login page itself, so I started fuzzing those in the hope of finding SQL injection or similar. But I never expected what happened next. My fuzzing tool warned me that something really weird was happening. Not in terms of error messages. Instead the server replied with HTTP/1.1 200 OK to a request that was specially crafted to be erroneous.
Analyzing the 'messy' request, I realized it was a command injection request, one that should never have worked, not since 2003 anyway. I couldn't believe my eyes, but there was an Apache webserver running a vulnerable mod_auth_any, an Apache module which allows the use of third-party authentication programs. The problem with the module is a command injection vulnerability, and merely feeding the ';' character in either the username or password field granted me access to the PhpMyAdmin interface. But that was nothing. By crafting a special request I managed to bind a netcat to a free port, thus granting me access to the operating system: MISSION ACCOMPLISHED! From what I learnt later, that server was an internal web portal with file sharing capabilities. Normally, no services were running on the public interface of the server, but because administrators needed remote access to the administration panel, they thought it would be safe to have PhpMyAdmin bind a high port on the Internet-facing interface after work hours. That is why the first audit firm didn't discover the 'cloaked' service; this is why my initial working-hours assessment didn't find it either. This is how, due to laziness, system administrators can introduce risks even into the most expensive information security management system, making hundreds of thousands of dollars worth as much as an outdated Apache version running a vulnerable and outdated authentication module. The contractor was shocked that I was able to circumvent very expensive security mechanisms, especially because, being a hacker, I could have easily gotten access to the internal network, thus being able to further expand the compromise. The biggest problem was that the attack went undetected: all they could catch on their IDS was my initial crawl of their main application, as no tools were needed to perform the actual attack; all I did was type ;nc -l -p 31337 -e /bin/bash in the authentication form's username field. The conclusion I might draw is that expensive security can be rendered useless using only tools like nmap, amap and pure intuition.
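The case above turns on a shell metacharacter in an authentication field reaching an external authentication program. The following added example (not code from the article, nor from Apache or mod_auth_any) contrasts the two patterns in Python: a helper that pastes the fields into a shell command string, beside a hardened helper that validates the username against an allow-list and passes it as a single argv element with no shell involved. The authentication program path is a placeholder, and the stand-in checker and its credentials are constructed for the demonstration.

```python
"""Command injection through an authentication field: vulnerable string
building beside a hardened argv-based call. Added example; the checker
program and credentials below are constructed for the demonstration."""
import re
import subprocess
import sys

# Characters that let a POSIX shell end or chain commands or substitute output.
SHELL_METACHARS = frozenset(";|&`$<>()\n")

# Hypothetical path of a third-party authentication program, standing in for
# the external program the vulnerable module in the case study would run.
AUTH_PROGRAM = "/usr/local/bin/check-password"


def build_shell_command_vulnerable(username: str, password: str) -> str:
    """The flawed pattern: untrusted fields are pasted into a command line
    that a shell will parse, so a ';' in the username starts a new command.
    This function only builds the string; it never executes it."""
    return f"{AUTH_PROGRAM} {username} {password}"


def contains_shell_metachar(field: str) -> bool:
    """Detection check usable on a submitted field or on logged usernames."""
    return any(ch in SHELL_METACHARS for ch in field)


# Allow-list for usernames: letters, digits, dot, underscore, dash; bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Constructed stand-in for the external authentication program: it reads the
# username from argv[1] and the password from stdin, and exits 0 only on a match.
CHECKER_SOURCE = r"""
import sys
username = sys.argv[1]
password = sys.stdin.read()
sys.exit(0 if (username, password) == ("alice", "s3cret") else 1)
"""
CHECKER_ARGV = [sys.executable, "-c", CHECKER_SOURCE]


def authenticate_hardened(username: str, password: str,
                          program_argv=CHECKER_ARGV) -> bool:
    """Hardened pattern: reject anything outside the allow-list, then pass
    the username as one argv element with shell=False (no shell parses it)
    and the password on stdin so it does not appear in the process list."""
    if not USERNAME_RE.fullmatch(username):
        return False
    try:
        result = subprocess.run(
            program_argv + [username],
            input=password.encode(),
            capture_output=True,
            timeout=10,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


if __name__ == "__main__":
    payload = ";nc -l -p 31337 -e /bin/bash"
    print("vulnerable command line:", build_shell_command_vulnerable(payload, "x"))
    print("metacharacter detected:", contains_shell_metachar(payload))
    print("hardened, injected username:", authenticate_hardened(payload, "x"))
    print("hardened, valid credentials:", authenticate_hardened("alice", "s3cret"))
```

Even without the allow-list, the argv form would hand the whole payload to the checker as one argument; the allow-list adds a second, cheaper line of defence and gives a clean event to alert on.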
Andrei Bozeanu
AB Consultancy Software SRL is a newly merged computer security company located in Bucharest, Romania, whose main area of activity is penetration testing and forensic examination. Our experts have over 20 years of international experience in the field of computer security research, in both offensive and defensive security, ranging from malware and antimalware research, software audit and exploit development to cryptology. Our customers are government, military or financial industries, based both in Romania and abroad.
Do No Harm
A few years ago I engaged a global security consulting practice to perform an attack and penetration exercise on the company I worked for as the CISO. Shortly into the engagement, the consultants approached me with some dire news. They had discovered several High Risk vulnerabilities in one of the most important corporate web applications, and were recommending aggressive remediation measures.
More recently, I worked with a company that had just completed a security scan of its primary web application and had discovered literally hundreds of High Risk vulnerabilities. I was in the meeting when the CISO presented this information to executives, and you could almost see the blood drain from their faces. Very quickly, the dialog in the room began focusing on aggressive options for attacking the problems. Infosec to the rescue, right? Unfortunately, no.
Misinformation
These days, everyone is pretty aware of the need to minimize the likelihood of penetration testing activities adversely affecting production data and systems. In most cases, significant care is taken to coordinate activities and get appropriate approvals before work begins. Yet a more subtle but equally critical problem is often overlooked: misinforming the people we serve. An executive's plate is filled with aggressive competitors, regulators who seem to want to bury them in paperwork, technology that can fail at just the wrong moment, market forces that seem to change on a whim, human resource issues that would make Gandhi reach for a stick, and, oh yeah, cyber security issues. Improperly managed, any of these issues can ruin an organization. Because there are never enough resources to cover everything, executives must choose which of the many challenges they face will get their limited resources. To make good choices they need good information regarding expected costs and benefits. Relying upon impaired or incomplete information can seriously affect decision quality and company welfare.
Back to the Scenarios
In the first scenario at the beginning of the article, I examined the pen test findings and pushed back on the consultants. Yes, they had identified weaknesses, but had they considered the frequency of the kinds of attacks that would leverage those weaknesses? How about the frequency of any sort of attack against that application, and especially the part of the application where the weaknesses existed? How much skill was required to exploit those weaknesses? What kind of access to underlying sensitive data would be gained, and/or what level of control over the underlying systems? After talking through these considerations, the consultants backpedaled and changed the High severity of their findings to Medium, and in several instances to Low. As a result, my organization was able to appropriately prioritize its remediation efforts and avoid unnecessarily impacting key projects and business operations.
In the second scenario, I intervened with some questions for the CISO before the decision-making went too far:
• Was the application new, or had it been on the Internet for some time? (Answer: It had been in place for years.)
• Were these weaknesses new, or had they likely been there a while? (Answer: Most were believed to have been there for months or years.)
• Was the application subject to threat events with any regularity? (Answer: Yes, it was constantly being attacked.)
• Given the above, how come their company was still in business? (Answer: Blank stare)
• Had the organization regularly engaged outside consultants to attack the application? (Answer: Yes, annually.)
• Were they hiring competent consultants? (Answer: Yes)
• Had those consultants successfully breached the application at any time? (Answer: No)
Clearly, something wasn't making sense. Was the application scanning tool to be believed, or the penetration testers? Or, perhaps, neither? Regardless, everyone recognized that to rationally solve the problem and to avoid wasting resources we needed more, and better, information.
What’s Wrong?
Risk management is a probability issue. You can talk to me all day long about what's possible, but until I understand the probable frequency and magnitude of an event, I have no way to properly gauge its relevance among all of the other issues I face. Only when you apply some critical thinking and a reasonably accurate understanding of risk can you make decent estimates of the probable frequency and magnitude of an event. Unfortunately, too often, I've seen testers rely on their tools' "risk" ratings. Newsflash folks: I have never seen testing tools get risk right, because they use models and analytic formulas that are broken in a number of important ways. At other times, I've seen pen test results that clearly reflect the tester's technical understanding of what's possible but completely disregard what's probable. For example: "The hackers could take control of this machine, navigate to that machine, and then have access to the organization's crown jewels!" Yes, certainly, that could happen. In some cases, though, the odds of an asteroid striking the organization's data center next year may be higher. If executives had to address everything bad that could happen to their organizations they would be out of business very quickly.
Getting Risk Right
A full treatise on risk analysis would require a book. Nonetheless, some basic critical thinking is all that's required in most cases to avoid gross misrepresentation of pen test results. Risk boils down to "How often bad things are likely to occur, and how bad they will likely be when they do occur." When we think in these terms from a pen test perspective, some basic considerations and questions will help us more accurately interpret the level of risk our findings represent. Think of these as critical thinking "litmus tests" for pen test results.
• How long have the weaknesses existed in the system/application? Consider the two dimensions to this question: 1) how long an exploit for the weakness has existed, and 2) how long the system/application being tested has had this weakness. In some cases, the system/application may have had this defective code from its inception, but the discovery of exploitation methods is recent.
• Have there been any known compromises at this organization as a result of these weaknesses?
• What can/do the logs tell us about how often the system/application comes under attack? (And it is often critical to differentiate "casual" scanning/probing from focused attacks.)
• Which threat communities would consider the organization to be a target, and what threat intelligence do we have that helps to inform us about the level of attention this organization is getting from the bad guys?
• What is the value proposition of the target or organization to the relevant hacking communities?
• How often is this weakness subject to attack in the wild?
• What kinds of skills are required to leverage this weakness? As the exploit's difficulty rises, the number of capable threat agents falls, which should reduce the frequency of attacks.
• Would an automated attack work for this weakness or would it require a manual effort?
• How noisy would an attack have to be in order for the attacker to discover and then leverage the weakness? In other words, how likely is it that an attack would be noticed (given the detection technologies in place)?
• Where does the weakness reside within the system/application? Do attackers have to authenticate before they even have the ability to discover and leverage the weakness?
• Are there controls in place or inherent difficulties that reduce the likelihood that an attack will be successful?
• How large in volume is the sensitive data at risk? Could it be acquired quickly, or would it require a prolonged effort?
Critically thinking through penetration test findings would undoubtedly include other considerations that depend upon the organization, system/application, and threat landscape. Regardless, merely asking these questions helps ensure that we accurately inform decision-makers. Bottom line: any pen test finding you label "High Risk" represents your professional opinion of a condition that warrants immediate (and sometimes costly) organizational attention. That being the case, ask yourself this: if you're sitting across the table from a risk-focused client like me, can you professionally, rationally, and logically defend your claim? Consultants have told me that sitting across the table from me can be very uncomfortable when I start challenging them about their assigned risk ratings.
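To make the frequency-times-magnitude argument concrete, here is an added example (not from the article) that rates two constructed findings the way the questions above suggest: each factor is a calibrated three-point estimate, loss event frequency is threat event frequency times the probability an attempt succeeds, and the rating follows the expected annual loss rather than the worst case. The findings, their ranges and the rating thresholds are assumptions made up for the demonstration.

```python
"""Rate pen test findings by probable frequency and magnitude, not by what is
merely possible. Added example, not from the article; the findings, ranges and
rating thresholds below are constructed for the demonstration."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum), read as a
    triangular distribution."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Finding:
    name: str
    threat_events_per_year: Estimate  # how often the weakness is actually attacked
    p_success: Estimate               # fraction of attempts that succeed, 0..1
    loss_per_event: Estimate          # cost to the organization per successful event

    def expected_annual_loss(self) -> float:
        """Loss event frequency = threat event frequency x probability of
        success; annual loss = loss event frequency x loss magnitude. The
        three factors are independent, so the mean of the product is the
        product of the means."""
        return (self.threat_events_per_year.mean()
                * self.p_success.mean()
                * self.loss_per_event.mean())

    def simulate_annual_loss(self, rng: random.Random, years: int = 20000) -> float:
        """Monte Carlo cross-check of expected_annual_loss()."""
        total = 0.0
        for _ in range(years):
            total += (self.threat_events_per_year.sample(rng)
                      * self.p_success.sample(rng)
                      * self.loss_per_event.sample(rng))
        return total / years


# Constructed rating thresholds on expected annual loss; a real program would
# derive these from the organization's own risk appetite.
THRESHOLDS = (("High", 1_000_000.0), ("Medium", 100_000.0))


def rate(annual_loss: float) -> str:
    for label, floor in THRESHOLDS:
        if annual_loss >= floor:
            return label
    return "Low"


def rate_findings(findings) -> dict:
    return {f.name: rate(f.expected_annual_loss()) for f in findings}


def simulate_findings(findings, seed: int = 2013, years: int = 20000) -> dict:
    rng = random.Random(seed)
    return {f.name: f.simulate_annual_loss(rng, years) for f in findings}


# Constructed findings. The first is the "could reach the crown jewels" chain:
# huge magnitude, but it needs skill, manual effort and authenticated access,
# so it is rarely attempted and rarely succeeds. The second is an
# unauthenticated flaw in a public login page that is scripted and hit daily.
FINDINGS = [
    Finding("Authenticated multi-step chain to core database",
            threat_events_per_year=Estimate(0.01, 0.05, 0.20),
            p_success=Estimate(0.05, 0.20, 0.50),
            loss_per_event=Estimate(1_000_000, 5_000_000, 20_000_000)),
    Finding("Unauthenticated scripted flaw in public login page",
            threat_events_per_year=Estimate(50, 200, 1000),
            p_success=Estimate(0.01, 0.05, 0.10),
            loss_per_event=Estimate(10_000, 50_000, 200_000)),
]


if __name__ == "__main__":
    simulated = simulate_findings(FINDINGS)
    for f in FINDINGS:
        print(f"{f.name}: expected {f.expected_annual_loss():,.0f}/year, "
              f"simulated {simulated[f.name]:,.0f}/year -> "
              f"{rate(f.expected_annual_loss())}")
```

With these inputs the dramatic chain rates Medium and the mundane login flaw rates High, the reverse of what a possibility-only reading would give.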
In Summary
There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company’s risk landscape. A pen test, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.
Jack Jones
Jack Jones has worked in technology for thirty years, specializing in information security and risk management for twenty-four of those years. During that time he’s worked as a pen tester, written viruses (restricted to laboratory environments) and keystroke loggers, and disassembled malware as a hobby. He’s also been a CISO for three different companies, including a Fortune 100 insurance company, a bank, and a consumer information bureau. Based on the lessons he learned dealing with executives as a CISO, Jack shifted his focus from being a “hacker of technology” to being a “hacker of risk”, leading him to develop the Factor Analysis of Information Risk (FAIR) framework for measuring risk. He is currently co-founder and President of CXOWARE, Inc.
WAR CAMP
Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
On Monday, CNN posted a web article with this headline, Nations Prepare for Cyberwar, describing the inevitability of a cyberwar that is coming or is possibly already here (Goldman, 2013).
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries, organizations, and people who use networked computer resources connected to the Internet, because they are at risk of cyberattacks that could result in anything ranging from denial of service, to espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. In recognition of these dangers, national leaders, business leaders, and the military leaders of most modern countries are now acknowledging that the potential and likely eventuality of cyberwar is very real. This article will introduce some concepts about the realities and weapons of cyberwarfare and discuss how an organization can use a security compliance framework of controls to mitigate the risks of cyberattacks and cyberwarfare.
The Simple Truths of this Article
1. Cyberwar is coming or could already be here. All the signs, news media coverage and publicly known actions of the U.S. Government confirm it.
2. If you have an IT infrastructure that is important to your business operations, you need to protect your business from cyberattacks and cyberwarfare.
3. There are many things you can do, and things you cannot legally do if you are in the United States, to protect your business from cyberattacks and cyberwarfare. Restrictions inside the U.S. Code, Title 10, and various other cyber legislation strictly prohibit retaliation or going on the offensive. But you can prepare and protect yourself from cyberattacks.
4. In any organization, management support is required to understand and allocate the resources to defend against cyberattacks.
5. Understanding risk identification, threats, vulnerabilities, controls, performing risk assessment, and risk management are essential to becoming an effective protector of IT assets.
6. Because of the complex nature of most IT infrastructures and assets and how they integrate with an organization's business operations, it is better to use some type of proven framework with which to assure that all the important aspects of compliance and infrastructure security have been addressed and are being measured.
Cyberwar Concepts
Cyberattacks and cyberwarfare tactics, by some expert estimates, date back to the early 1980s, when there was a set of suspicious explosions that were likely generated in control systems on some pipelines in Asia, though this has never been conclusively confirmed. However, the idea of using computers and software to attack another entity via networks dates back to the early 2000s and, by some accounts, well before that. The diagram from Lewis University (Figure 1) shows a brief graphic history between 2000 and 2009.
Cyberweapons That We Know About
Cyberattacks and cyberwarfare tactics have typically been in the realm of Distributed Denial of Service (DDoS) attacks, with some more sophisticated attacks as shown in the Technolytics diagram (Figure 2). Since 2007, well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008), and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), have all become known to the world through security researchers, their victims, and the media. As a result, it has become apparent to most who are watching this area that cyberspace has now become the new realm onto which the field of international conflict has been extended, and that cyberwarfare is no longer a theoretical issue that could one day threaten those participants and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately, however, despite the emergence of a new breed of intelligent cyberweapons (i.e. Stuxnet, Flame, Duqu, and Shamoon) with the ability to strike with precision and accuracy, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and doing so badly (Turanski and Husick, 2012). Figure 3 shows the rapid evolution of cyberweapons over time. According to this diagram, starting in about 2008 and continuing until what is predicted to be about 2020, the evolution of the sophistication of cyberweapons will be quite significant. This rapid rise in the sophistication and capabilities of cyberweapons, coupled with their relative ease of use, proliferation and economic benefit, will make these weapons very compelling for military and strategic use, and make the likelihood of cyberwar increasingly significant for the foreseeable future (Figure 3).
Figure 1. A Brief History of Cyberwarfare by Lewis University, Romeoville, IL
Figure 2. Classes of Cyberweapon Capabilities, by Technolytics
Who Is the “Enemy” or the “Adversary?”
In the world of cyberattacks and cyberwarfare, who your adversary is usually depends on your perspective. From the perspective of the U.S. and its allies, the adversary usually falls into one of these five categories: Russia, China, North Korea, Iran, or non-state actors. Much is already known about our potential adversaries, such as Russia, China, North Korea and Iran, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous extensive experience of China, Russia and the U.S. with strategic war planning, it is likely that each of these countries stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as far back as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff, J. and Kramer, A. E., 2009).
Figure 3. Evolution of Cyberweapon Capabilities, 1994 – 2020, by Technolytics
DDoS as a Service, as low as US$20 Per Hour
We now live in a world where the Internet and malware have made it possible to buy services such as DDoS attacks against an enemy or a competitor for prices as low as $20 per hour. When you consider the implications of this idea, the economics will make the idea of tactical cyberattacks more appealing to organizations. I know some of the URLs where these services are available, but rather than give them advertisement, I would just invite you to do an Internet search using your favorite search engine.
What Is an ISMS?
The fast-paced, electronically-enabled business environment of the 21st century is characterized by the tactical and strategic uses of information as business enablers. In practically every organization, information is now seen as a primary asset and as such, it must be protected. Yet the proliferation of and reliance on information in an organization also introduces responsibilities and risks which, if not addressed, can expose the organization to extraordinary risks that could severely impact the viability of the business. The best strategy for an organization to manage these new business realities is to adopt a strong compliance management posture in the area of Information Security to ensure that its information assets are protected in the most comprehensive, standardized manner possible. Presently, the best tool to manage the challenges of Information Security is an enterprise Information Security Management System (ISMS). The ISMS is a centralized system of policies, procedures, and guidelines that, when created and uniformly applied, will provide the best practices to help ensure that an organization’s Information Security is being managed in a standardized way using documented best practices. The introduction of an ISMS into an organization’s business operations will serve to identify, document and classify information assets and risks and then document the mitigation of risks using established, documented controls. When an organization has chosen the standardized ISO 27001 Security Management Framework, the key benefits of implementing an ISMS would be:
Page 34
http://pentestmag.com
Figure 4. Risk relationship diagram, from ISO27001.org
Figure 5. Relationships between IT security management controls, Threats and Assets (Exposures), Jaquith, 2007
• The implementation of a standardized Information Security Management System into the organization
• Better management and fulfillment of the Information Security requirements from the organization’s clients
• Reduction of risks related to cyberattacks and cyberwarfare
• Reduction of the risk of loss of existing customers
• Increased opportunities for new business
• Reduction of the risk of regulatory penalties
• Reduction of the risk of reputational damage
• The creation of an Information Security-aware culture at the organization
• Enabling ISO27001-compliant offices to communicate and conduct business in areas affected by Information Security in a standard way
• Better management of IT assets and their associated risks
• The ability to have an Information Security Management System that is based on the Deming model of Plan – Do – Check – Act for continuous process improvement
• The adoption of the most widely recognized international standard for implementing an ISMS
Note that Information Security has rapidly risen to the forefront as a serious business issue. Because of its rapid rise to prominence and the dynamic and evolving nature of threats and the associated risk management efforts, the models to measure and quantify the value of such projects can often seem frustrating at best. So while this ISMS project may be difficult to quantify using traditional methods such as return on investment, it is clear that the benefits of continued customer relationships, as well as the ability to attract future customers through a demonstrated strong and continually improving posture of Information Security compliance management, will far outweigh the costs associated with an ISO 27001 project. Indeed, after implementing the ISMS under ISO 27001 standards, an organization will have better control of the information that is the lifeblood of its business, and it will be able to demonstrate to its customers and its business partners that it too has adopted a strong posture of compliance in the area of Information Security.
What is ISO 27001?
ISO 27001 is an international standard with 133 controls in 11 domains which provide a structured standard for the creation of an Information Security Management System based on strongly focused risk management and continuous process improvement under the Plan – Do – Check – Act model. The present version was developed in 2005 and an updated version is expected to be published by ISO sometime in 2013. This version is predicted to have several additions that will focus on Cloud Computing and also on standardized IT services and service management as described under ITIL and ISO 20000. In fact, in October 2012, the ISO 27013 standard was published, and it demonstrates how to integrate an ISO 20000-based Service Management System with an ISO 27001-based Information Security Management System.
Figure 6. A Fast-track ISMS Implementation Project Timeline, William Slater, 2012
What Cyberattack / Cyberwarfare Risk Remediation Project Using ISO 27001 Might Look Like
It is possible to create and implement an ISMS using a fast-track method as shown in figure 6. Note that management must support such a project in terms of resources (monetary, people, and assets) and politically in order for it to be successful. Nevertheless, it is possible to accomplish such a project if management and the project team have the will and resources to succeed.
Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn’t Get Certified?
Personally, I believe that the chief responsibility of the leadership of an organization is to recognize risks and reduce them, as cost-effectively as possible, to manageable levels, and to comply with the laws and regulations that impact its operating environment. Even if an organization does not seek or achieve a certification under a security compliance standard such as ISO 27001, the organization can embrace and comply with the security controls of a security compliance standard, and thereby significantly reduce its business and security risks. The value in each of these security compliance frameworks (i.e. ISO 27001, PCI DSS, FISMA, HIPAA, etc.) is that each offers a set of well-defined controls that are structured in a way that allows the organization that adopts them to visibly demonstrate its efforts to reduce risks to its assets and its operating environment.
Should You Get Your Organization Certified in ISO 27001?
Should you get your organization certified in ISO 27001 if you make the effort to remediate your cyberattack and cyberwarfare risks using an ISO 27001 ISMS control framework? The quick answer is, it depends. Currently, there are fewer than 9000 ISO 27001 ISMS certificate holders worldwide. Despite the apparent emphasis on security and risk reduction, quite often organizations will pursue the ISO 27001 certification either to comply with regulatory requirements (as is required in India), or as a business enabler, because their business partners and/or customers expect it or have greater confidence in an organization that has an ISO 27001 certification. Though it is not easy or inexpensive in terms of resources to earn or maintain an ISO 27001 certification, the return on investment, particularly in areas like North America and South America where the ISO 27001 certification is still relatively rare, can be quite significant. Figure 7 shows the numbers of ISO 27001 ISMS Certificate Registrants by continent as of 2011. Note that according to the PECB, a certification body that trains and certifies ISO 27001 implementers and auditors, the number of ISO 27001 ISMS Certificate Registrants is expected to double each year in North America for the foreseeable future.
Figure 7. ISO 27001 ISMS Registrants by Continent as of 2011 (source unknown)
Mapping to Achieve Compliance with Two or More Security Compliance Frameworks
When an organization is required to comply with two or more security compliance frameworks, a process known as “mapping”, using a table that shows the similarity of the various controls, is used to understand and communicate the specific controls of each standard, usually on a one-to-one basis. Typically, the standard that is already in place, or the one that is most familiar, is represented in the left column, and the newer standard that is required for a new compliance initiative is located in the right column. An example is shown in figure 8 below.
Using ISO 27001 Controls to Defend Against Cyberwarfare and Cyberattacks
Of the 133 controls defined in Annex A of the ISO 27001 standard, not all are required to reduce the risk of cyberattacks and cyberwarfare. However, using my knowledge of the ISO 27001 standard framework of 133 controls, and my knowledge of the various characteristics and aspects of cyberattacks and cyberwarfare, I created the table in Appendix A that can be used to understand how these various defined controls can be used to mitigate the risks associated with cyberattacks and cyberwarfare. The right-most column gives a simple yes or no to indicate the usefulness of the control in the mitigation of risks associated with cyberattacks and cyberwarfare.
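As an added example, not code from the article, the following Python models the two artefacts described above: the Appendix A applicability flag and a left-column/right-column mapping table, and uses them to report which controls of a newly required framework remain uncovered. The ISO rows are a subset copied from Appendix A; the NIST SP 800-53 identifiers on the right are real control names, but the specific pairings are constructed for illustration and are not the article's Figure 8.

```python
"""Control crosswalk with an applicability filter (added example, not the article's code)."""
from collections import defaultdict

# (section, control, applies to defending against cyberattacks) - subset of Appendix A
ISO_CONTROLS = [
    ("6.1.5",   "Confidentiality agreements",            False),
    ("10.4.1",  "Controls against malicious code",       True),
    ("10.5.1",  "Information Backup",                    True),
    ("10.10.1", "Audit logging",                         True),
    ("10.10.3", "Protection of log information",         True),
    ("10.10.6", "Clock synchronization",                 True),
    ("12.6.1",  "Control of technical vulnerabilities",  True),
    ("13.1.1",  "Reporting Information security events", True),
    ("14.1.3",  "Developing and implementing continuity plans including information security", True),
]

# Left column: ISO 27001 control already in place; right column: NIST SP 800-53 control(s).
# Constructed sample crosswalk. The article notes mappings are "usually" one-to-one, so the
# structure deliberately allows one-to-many rows to show that case is handled, not dropped.
CROSSWALK = {
    "10.4.1":  ["SI-3"],           # Malicious Code Protection
    "10.5.1":  ["CP-9"],           # System Backup
    "10.10.1": ["AU-2", "AU-12"],  # Audit Events, Audit Generation
    "10.10.3": ["AU-9"],           # Protection of Audit Information
    "10.10.6": ["AU-8"],           # Time Stamps
    "12.6.1":  ["SI-2", "RA-5"],   # Flaw Remediation, Vulnerability Scanning
    "13.1.1":  ["IR-6"],           # Incident Reporting
}


def cyber_relevant(controls=ISO_CONTROLS):
    """Section ids flagged 'Yes' in the right-most column of the Appendix A table."""
    return [section for section, _name, applies in controls if applies]


def crosswalk(implemented, mapping=CROSSWALK):
    """Translate implemented left-column controls into the right-column controls they satisfy.

    Returns {nist_id: [iso_ids, ...]} so a reviewer can see which existing control
    backs each newly required one, including when several ISO controls map to one.
    """
    covered = defaultdict(list)
    for iso_id in implemented:
        for nist_id in mapping.get(iso_id, []):
            covered[nist_id].append(iso_id)
    return dict(covered)


def gap_report(required, implemented, mapping=CROSSWALK):
    """Two lists a compliance lead needs before signing off a mapping exercise:

    uncovered: right-column controls the new initiative requires that no implemented
               left-column control maps to (real work remains);
    unmapped:  implemented controls absent from the table altogether, which need a manual
               review rather than being silently counted as coverage.
    """
    covered = crosswalk(implemented, mapping)
    uncovered = sorted(c for c in required if c not in covered)
    unmapped = sorted(c for c in implemented if c not in mapping)
    return {"uncovered": uncovered, "unmapped": unmapped}


if __name__ == "__main__":
    implemented = cyber_relevant()
    # Constructed list of controls the (hypothetical) new FISMA initiative requires.
    required = ["AU-2", "AU-8", "AU-9", "IR-6", "SI-3", "SI-4", "CP-9"]
    for nist_id, iso_ids in sorted(crosswalk(implemented).items()):
        print(f"{nist_id:<6} covered by ISO 27001 {', '.join(iso_ids)}")
    print(gap_report(required, implemented))
```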
Recommendations
The section has been divided into recommendations for four distinct groups of people that will probably comprise the population of this magazine’s readers. I deliberately omitted government officials and military officials because they have their own elite teams of cyberwarfare experts to advise them on these issues. In addition, they have a perspective of cyberattacks and cyberwarfare in which they must consider battle plans and strategies that include both offensive and defensive operations. To best understand the true nature of cyberdeterrence and cyberwarfare, everyone would be well advised to read many of the materials in the reference section of this article, and in particular, read Martin Libicki’s book, Cyberdeterrence and Cyberwar, because I consider it to be the best unclassified reference on the market.
Figure 8. Mapping ISO 27001 Annex A controls to NIST 800-53 Controls (FISMA)
For IT Professionals
• Educate yourself continually about Cyberwarfare.
• Stay abreast of the threats and vulnerabilities associated with your infrastructure and the information technologies that you work with.
• Stay abreast of the security controls required to mitigate the risks associated with the information technologies that you work with.
• Where possible, get professional training and certifications associated with IT security and your job positions.
For IT Managers
1. Learn the security compliance standard or standards that will enable you to help your organization effectively lower risk to acceptable levels.
2. Learn risk management in the IT world.
3. Learn what your teams do and keep them motivated to be the best at what they do.
For Executives and Business Owners
• Remember your responsibilities to the Board of Directors, your shareholders and other stakeholders in your organization: Cyberattacks and cyberwarfare represent serious threats that can obliterate an organization’s ability to function (see the 2007 cyberattacks in Estonia, or the 2008 attacks in Georgia if you require more proof). If you plan for your organization to be an ongoing concern for the foreseeable future, you have no alternative but to ensure it is protected from cyberattacks and the effects of cyberwarfare.
• Learn the security compliance standard or standards that will enable you to help your organization effectively lower risk to acceptable levels.
• Learn risk management in the IT world.
• Learn what your managers and your teams do and keep them motivated to be the best at what they do.
For Hackers
• Consider becoming legitimate, because the need for experienced cybersecurity professionals to defend organizations and countries has never been greater and, in the long run, the compensation will probably be much more lucrative.
• Make sure that if you do join a team, it is a winning team.
Conclusions
This article has covered some of the better known aspects of cyberattacks and cyberwarfare, and attempted to show that risks can be managed by applying security compliance frameworks such as ISO 27001. While this has only been an introduction, because scores of books have been written on these topics since 2005, it is important to understand these basic concepts and take them seriously. The future of your business, the satisfaction and confidence of your stakeholders, business partners, and your customers all depend on your ability to protect your business and its operational capabilities in this day and age of cyberattacks and cyberwarfare.
Resources
• Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
• Brewer, D. and Nash, M. (2010). Insights into the ISO/IEC 27001 Annex A. A paper published by Dr. David Brewer and Dr. Michael Nash to explain ISO 27001 and Risk Reduction in Organizations. Retrieved from http://www.gammassl.co.uk/research/27001annexAinsights.pdf on March 10, 2011.
• Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House, January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
• Calder, A. and Watkins, S. (2012). IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th edition. London, U.K.: IT Governance Press.
• Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O’Reilly.
• Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
• Crosston, M. (2011). World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
• Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
• Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit – A Users Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
• Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
• Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
• Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
• Gjelten, T. (2010). Are ‘Stuxnet’ Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
• Gjelten, T. (2011). Security Expert: U.S. ‘Leading Force’ Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2011). Stuxnet Raises ‘Blowback’ Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
• Goldman, D. (2013). Nations prepare for cyber war. An article published at CNN on January 7, 2013. Retrieved from http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html?hpt=hp_c3 on January 7, 2013.
• Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
• Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
• ISO. (2005). “Information technology – Security techniques – Information security management systems requirements”, ISO/IEC 27001:2005. Retrieved from http://www.ansi.org on February 1, 2011.
• Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
• Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
• Kerr, D. (2012). Senator urges Obama to issue ‘cybersecurity’ executive order. An article published at Cnet.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
• Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
• Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
• Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
• Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
• Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Poltix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
• McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. A scholarly paper published by the USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
• Obama, B. H. (2012). Defense Strategic Guidance 2012 – Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
• Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
• Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
• Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
• Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
• Saini, M. (2012). Preparing for Cyberwar – A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
• Sanger, D. E. (2012). Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
• Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
• Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
• Slater, W. F. (2013). ISO 27001 Resource Page. Retrieved from http://billslater.com/iso27001 on January 12, 2013.
• Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
• Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
• Technolytics. (2012). Cyber Commander’s eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
• The ISO 27000 Directory. (2012). An Introduction to ISO 27001, ISO 27002....ISO 27008. Retrieved from http://www.27000.org/index.htm and http://idcontent.bellevue.edu/content/CIT/cyber/615/compliance on December 7, 2012.
• Turzanski, E. and Husick, L. (2012). “Why Cyber Pearl Harbor Won’t Be Like Pearl Harbor At All...” A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
• U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President’s Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
• U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
• Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
William F. Slater, III
William F. Slater, III is an IT security professional who lives and works in Chicago, IL. He has over 20 security-related certifications, including CISSP, SSCP, and CISA. In March 2013 he completes his M.S. in the Cybersecurity Program at Bellevue University in Bellevue, Nebraska. He has written numerous articles on IT Security and Cyberwarfare. Mr. Slater is also an adjunct professor at the Illinois Institute of Technology and the devoted husband of Ms. Joanna Roguska, who is a web developer and a native of Warsaw, Poland. You can read more about Mr. Slater at http://billslater.com/interview.
Appendix A – ISO27001 Domains, Control Objectives and Controls (ISO 27001:2005 Controls)
Columns: Section; Control Objective/Control; Does It Apply to Defending Against Cyberattacks and Cyberwarfare?

Clause: Security Policy
5.1      Information Security Policy
5.1.1    Information Security Policy Document                                              Yes
5.1.2    Review of Information Security Policy                                             No

Clause: Organization of Information Security
6.1      Internal Organization
6.1.1    Management commitment to information security                                     Yes
6.1.2    Information security co-ordination                                                No
6.1.3    Allocation of information security responsibilities                               Yes
6.1.4    Authorization process for information processing facilities                       No
6.1.5    Confidentiality agreements                                                        No
6.1.6    Contact with authorities                                                          No
6.1.7    Contact with special interest groups                                              No
6.1.8    Independent review of information security                                        No
6.2      External Parties
6.2.1    Identification of risk related to external parties                                No
6.2.2    Addressing security when dealing with customers                                   No
6.2.3    Addressing security in third party agreements                                     No

Clause: Asset Management
7.1      Responsibility for Assets
7.1.1    Inventory of assets                                                               Yes
7.1.2    Ownership of assets                                                               Yes
7.1.3    Acceptable use of assets                                                          Yes
7.2      Information Classification
7.2.1    Classification guidelines                                                         Yes
7.2.2    Information labeling and handling                                                 Yes

Clause: Human Resource Security
8.1      Prior to Employment
8.1.1    Roles and responsibilities                                                        Yes
8.1.2    Screening                                                                         Yes
8.1.3    Terms and conditions of employment                                                No
8.2      During Employment
8.2.1    Management responsibility                                                         Yes
8.2.2    Information security awareness, education and training                            Yes
8.2.3    Disciplinary process                                                              No
8.3      Termination or Change of Employment
8.3.1    Termination responsibility                                                        No
8.3.2    Return of assets                                                                  Yes
8.3.3    Removal of access rights                                                          Yes

Clause: Physical and Environmental Security
9.1      Secure Areas
9.1.1    Physical security perimeter                                                       Yes
9.1.2    Physical entry controls                                                           Yes
9.1.3    Securing offices, rooms and facilities                                            Yes
9.1.4    Protecting against external and environmental threats                             Yes
9.1.5    Working in secure areas                                                           Yes
9.1.6    Public access, delivery and loading areas                                         Yes
9.2      Equipment Security
9.2.1    Equipment siting and protection                                                   Yes
9.2.2    Support utilities                                                                 Yes
9.2.3    Cabling security                                                                  No
9.2.4    Equipment maintenance                                                             No
9.2.5    Security of equipment off-premises                                                Yes
9.2.6    Secure disposal or reuse of equipment                                             Yes
9.2.7    Removal of property                                                               Yes

Clause: Communications and Operations Management
10.1     Operational Procedures and Responsibilities
10.1.1   Documented operating procedures                                                   Yes
10.1.2   Change management                                                                 Yes
10.1.3   Segregation of duties                                                             Yes
10.1.4   Separation of development and operations facilities                               Yes
10.2     Third Party Service Delivery Management
10.2.1   Service delivery                                                                  No
10.2.2   Monitoring and review of third party services                                     No
10.2.3   Managing changes to third party services                                          No
10.3     System Planning and Acceptance
10.3.1   Capacity management                                                               Yes
10.3.2   System acceptance                                                                 Yes
10.4     Protection against Malicious and Mobile Code
10.4.1   Controls against malicious code                                                   Yes
10.4.2   Controls against mobile code                                                      Yes
10.5     Back-Up
10.5.1   Information backup                                                                Yes
10.6     Network Security Management
10.6.1   Network controls                                                                  Yes
10.6.2   Security of network services                                                      Yes
10.7     Media Handling
10.7.1   Management of removable media                                                     Yes
10.7.2   Disposal of media                                                                 Yes
10.7.3   Information handling procedures                                                   Yes
10.7.4   Security of system documentation                                                  Yes
10.8     Exchange of Information
10.8.1   Information exchange policies and procedures                                      Yes
10.8.2   Exchange agreements                                                               Yes
10.8.3   Physical media in transit                                                         Yes
10.8.4   Electronic messaging                                                              Yes
10.8.5   Business information systems                                                      Yes
10.9     Electronic Commerce Services
10.9.1   Electronic commerce                                                               Yes
10.9.2   On-line transactions                                                              Yes
10.9.3   Publicly available information                                                    Yes
10.10    Monitoring
10.10.1  Audit logging                                                                     Yes
10.10.2  Monitoring system use                                                             Yes
10.10.3  Protection of log information                                                     Yes
10.10.4  Administrator and operator logs                                                   Yes
10.10.5  Fault logging                                                                     Yes
10.10.6  Clock synchronization                                                             Yes

Clause: Information Systems Acquisition, Development and Maintenance
12.4.3   Access control to program source library                                          Yes
12.5     Security in Development and Support Processes
12.5.1   Change control procedures                                                         Yes
12.5.2   Technical review of applications after operating system changes                   Yes
12.5.3   Restrictions on changes to software packages                                      Yes
12.5.4   Information leakage                                                               Yes
12.5.5   Outsourced software development                                                   Yes
12.6     Technical Vulnerability Management
12.6.1   Control of technical vulnerabilities                                              Yes

Clause: Information Security Incident Management
13.1     Reporting Information Security Events and Weaknesses
13.1.1   Reporting information security events                                             Yes
13.1.2   Reporting security weaknesses                                                     Yes
13.2     Management of Information Security Incidents and Improvements
13.2.1   Responsibilities and procedures                                                   Yes
13.2.2   Learning from information security incidents                                      Yes
13.2.3   Collection of evidence                                                            Yes

Clause: Business Continuity Management
14.1     Information Security Aspects of Business Continuity Management
14.1.1   Including information security in the business continuity management process      Yes
14.1.2   Business continuity and risk assessment                                           Yes
14.1.3   Developing and implementing continuity plans including information security       Yes
14.1.4   Business continuity planning framework                                            Yes
14.1.5   Testing, maintaining and re-assessing business continuity plans                   Yes

Clause: Compliance
15.1     Compliance with Legal Requirements
15.1.1   Identification of applicable legislation                                          Yes
15.1.2   Intellectual property rights (IPR)                                                Yes
15.1.3   Protection of organizational records                                              Yes
15.1.4   Data protection and privacy of personal information                               Yes
15.1.5   Prevention of misuse of information processing facilities                         Yes
15.1.6   Regulation of cryptographic controls                                              Yes
15.2     Compliance with Security Policies and Standards, and Technical Compliance
15.2.1   Compliance with security policy                                                   Yes
15.2.2   Technical compliance checking                                                     Yes
15.3     Information System Audit Considerations
15.3.1   Information system audit controls                                                 Yes
15.3.2   Protection of information system audit tools                                      Yes
Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U. S. National Command Authorities
This paper deals with issues related to the present situation of the lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence in the national CONOPS Plan, which is the national strategic war plan for the United States.
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networked computer resources connected to the Internet face because they are at risk of cyberattacks that could result in one or more cyber threat dangers such as denial of service, espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. As a result of these cyber threats, the national leaders and military of most modern countries have now recognized that the potential for cyberattacks and cyberwar is very real, and many are hoping to counter these threats with modern technological tools using strategies and tactics under a framework of cyberdeterrence, with which they can deter the potential attacks associated with cyberwarfare.
Nature of the Threat
During my studies prior to and as a student in this DET 630 – Cyberwarfare and Cyberdeterrence course at Bellevue University, it occurred to me that, considering the rapid evolution of the potentially destructive capabilities of cyberweapons and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate the cyberwarfare and cyberdeterrence plans into the CONOPS plan. Indeed, if the strategic battleground of the 21st century has now expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands, training, personnel, and capabilities to support cyberwarfare and cyberdeterrence capabilities, the inclusion of these capabilities should now be a critical priority of the Obama administration if it has not already happened.
How large a problem is this for the United States?
Without the integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of conducting a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash a whole host of unintended negative and potentially catastrophic consequences. In non-military terms, at least four notable cyberspace events caused widespread damage via the Internet because of the rapid speed of their propagation and their apparently ruthless and indiscriminate selection of vulnerable targets. They are 1) the Robert Morris worm (U.S. origin, 1988); 2) the ILOVEYOU worm (Philippines origin, 2000); 3) the Code Red worm (U.S. origin, 2001); and 4) the SQL Slammer worm (U.S. origin, 2003). If not executed with great care and forethought, a cyberweapon could potentially unleash even greater damage on intended targets, and possibly on unintended targets that were connected via the Internet.
Is it a problem for other countries?
The careful planning and integration of cyberweapons and cyberdeterrence is likely a challenge for every country with these capabilities. For example, much is already known about our potential adversaries, such as Russia, China and North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous extensive experience of Russia and the U.S. with strategic war planning, it is likely that each of these countries stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as recently as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff and Kramer, 2009).
Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of the hackers who were involved could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. In fact, most countries lack the technological and legal frameworks with which to successfully build a coordinated effort to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace cyberspace with all the positive economic benefits it offers for commerce and communications.
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence
The cyberspace threat and vulnerability landscape is notable in that it is continually dynamic and shifting. Those who are responsible for protecting assets in cyberspace have many more challenges on their hands than their military counterparts who utilize weapons like guns, explosives, artillery, missiles, etc. For example, by some estimates over 350 new types of malware are manufactured each month. There are also monthly patch updates to most Microsoft software and operating systems, and phenomena such as malicious hackers and zero-day exploits are apparently never ending. Therefore, the inclusion of cyberweapons and cyberdeterrence capabilities in the CONOPS Plan would require more frequent, rigorous, complex, and integrated testing to ensure that it was always effective and up to date. In the dynamic world of cyberspace, with its constantly shifting landscape of new capabilities, threats and vulnerabilities, coordinating the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare and cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities would be in a constant state of readiness to deliver the intended effects for which they were designed.
What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash a whole host of unintended negative and potentially catastrophic consequences.
What consequences has the threat already produced on American/global society?
The absence of well-defined cyberwarfare and cyberdeterrence strategies and tactics in the CONOPS Plan has already produced some situations that have either damaged America’s image abroad, or that could imperil its image and have far more negative consequences. For example, operations such as Stuxnet, Flame, Duqu, etc., might have either been better planned or possibly not executed at all if cyberwarfare and cyberdeterrence strategies and tactics had been defined in the CONOPS Plan. Also, the news media indicated that during the revolution in Libya that resulted in the fall of Qaddafi, cyberwarfare operations were considered by the Obama administration. The negative reactions and repercussions on the world stage might have far outweighed any short-term advantages that could have resulted from a successful set of cyberattacks against Libyan infrastructure assets that were attached to computer networks. Again, a comprehensive CONOPS Plan that included well-defined cyberwarfare and cyberdeterrence strategies and tactics could have prevented such possible cyberattacks from even being considered, and it could have prevented the news of that possible consideration from being publicized in the press (Schmitt, E. and Shanker, T., 2011). Without such restraint and well-planned, deliberate actions, the U.S. runs the risk of appearing like the well-equipped cyber bully on the world stage, an adversary who is willing to unleash weapons that can and will do crippling damage to an opponent, using technologies that are rapid, decisive, and not well understood by those against whom they are directed. A similar effect and world reaction might result if U.S. Army infantry troops were equipped with laser rifles that emitted deadly laser blasts with pinpoint precision across several hundred yards.
The Rapid Evolution of Cyberthreats
As predicted in the Technolytics chart below, cyberweapons have rapidly evolved over time.
Since Stuxnet was released in 2010, countries and the general public are now aware of some of the offensive, strategic and destructive capabilities and potential of cyberweapons (Gelton, T., 2011). The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably less trusted and are suspected of even greater future capabilities, as well as of having the will to use them. Again, having well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain such possibly reckless decisions as unleashing cyberweapon attacks without what the world might consider the correct provocation.
Part 1 Final Thoughts about Cyberwarfare Operations
In the words of Deb Radcliff, in an article published in SC Magazine in September 2012, “we are already in a cyberwar” (Radcliff, D., 2012). But as I was performing my research, it occurred to me that a country like the U.S. might in the future unleash such a devastating cyberattack that it could cripple the enemy’s ability to communicate surrender. I think that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because if a country continues to attack an enemy that has indicated that it is defeated and wants to surrender, this shifts the moral ground on which the U.S. may have been conducting its cyberwarfare operations. This is one other unintended consequence of cyberwarfare, and one that needs to be carefully considered.
Part 2 – U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence
This section will examine current U.S. Policy related to cyberwarfare and cyberdeterrence.
Current U.S. Policy Covering Cyberwarfare Threats
Figure 1. Evolution of Cyberweapons (Technolytics, 2012)
The current written policy related to cyberwarfare threats can be found in President Obama’s Defense Strategic Guidance 2012, a 16-page policy document that was published on January 3, 2012. The excerpt related specifically to cyberwarfare and cyber threats is shown below:
“To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons – those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities (Obama, 2012).”
The first explicit Obama Administration policy acknowledging the realities of cyber threats was published in a 30-page document titled International Strategy for Cyberspace in May 2011.
“Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information. “The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management. Most important of all, this space continues to grow, develop, and promote prosperity, security, and openness as it has since its invention. This is what sets the Internet apart in the international environment, and why it is so important to protect. “In this spirit, I offer the United States’ International Strategy for Cyberspace. This is not the first time my Administration has addressed the policy challenges surrounding these technologies, but it is the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues. And so this strategy outlines not only a vision for the future of cyberspace, but an agenda for realizing it. It provides the context for our partners at home and abroad to understand our priorities, and how we can come together to preserve the character of cyberspace and reduce the threats we face (Obama, 2011).”
Though the Obama Administration reviewed and approved President Bush’s CNCI policy in May 2009, Obama, who is regarded as the most technology-savvy president that has ever occupied the White House, went much further to acknowledge the importance of cyberspace to the American economy and the American military, and the importance of defending the U.S. from adversaries that could threaten us via cyberspace. Obama’s policy also acknowledges the reality that future wars will be fought in the realm of cyberspace, and has thus funded the preparation of the U.S. armed forces for conflict in cyberspace (Gerwitz, 2011).
What is the effectiveness of current policy when it concerns this particular threat issue?
The Obama Administration’s policies have been effective in raising the awareness of the U.S. population as to the importance of protecting assets that are connected in cyberspace. These policies have also been effective in providing for the preparation of the U.S. military to deal with conflict in cyberspace. However, the present policy has not been effective as a deterrent to cyber threats presented by potential national enemies and non-state actors. As recently as September 23, 2012 – September 30, 2012, cyber attacks in the form of distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace (Strohm and Engleman, 2012).
Short-Term and Long-term Ramifications of Current Policy
In the short term, the Obama Administration’s policies regarding cyberspace have done much to raise the awareness of cyberspace as an area that requires protection for the public good and prosperity of the American people. These policies have also served to show our allies and our potential enemies that the U.S. has the intention of defending cyberspace and all our interests that are connected to it. In the long term, these policies will probably evolve to reveal, in a general, unclassified way, stronger defenses, stronger deterrent capabilities and probably offensive cyberweapons. On the legislative front, as recently as September 23, 2012, the Chairman of the Senate Homeland Security Committee, Senator Joseph Lieberman (D., Connecticut), realizing that Congress would fail to pass cybersecurity legislation designed to help protect the United States and its people, sent an urgent letter to President Obama to ask for the creation of a new Presidential Executive Order that would address several current cybersecurity issues, including how, when and where law enforcement can become involved in cybersecurity issues (Kerr, 2012). Though many digital privacy rights advocates, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the American Civil Liberties Union, have strenuously fought recent cybersecurity legislation, it is expected by many cybersecurity experts that if President Obama is reelected in November 2012, an Executive Order drafted and signed by the Obama Administration would provide the tools that the federal government wants. Even if President Obama is not reelected in November 2012, it is expected that some expedient action on the part of the new president would probably take place even before Congress could successfully agree upon and pass such legislation.
Allies and Adversaries Connected to this Specific Policy?
It is entirely likely that there are classified versions of the International Strategy for Cyberspace policy that address the nature of how U.S. policies regarding the defense of cyberspace will affect our allies and our adversaries. But since it has been publicly revealed that the Obama Administration has conducted offensive cyberwarfare operations against Iran between June 2009 and June 2010, it is also likely that both our allies and our enemies have a clearer understanding of U.S. capabilities as well as the intent to use cyberweapons when it deems it is in its best interests to do so.
Part 2 Conclusion
The good news is that President Obama and his Administration apparently have an acute awareness of the importance of cyberspace to the American economy and the American military. The bad news is that because we are already in some form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of life. Nevertheless, it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise economy that makes the U.S. the envy of and the model for the rest of the world.
Part 3 – Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence
This section will present a strategic comparative analysis of the present state of cyberwarfare and cyberdeterrence issues as they relate to other countries that could be considered adversaries, now or in the not too distant future.
What Other Countries / Regions of the World Are Concerned with This Same Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare attack. The diagram below from a 2009 study shows the comparative cyberwar capabilities of the 66 largest countries in the world (Figure 2).
Countries Regions of the World That Do Not Place a High Priority on This Threat Issue
Countries that do not place a high priority on this threat issue are those that are more focused on the survival and welfare of their citizens, coupled with the fact that they are largely consumers of Internet and computer capabilities rather than being able to afford to channel resources into the development of cyberweapons or into the resources required to develop a credible cyberdeterrence strategy. It is also ironic that the U.K., with its stature and status, does not rank higher on the list shown in Figure 2.
Some of the Current Policies Being Employed by These Other States / Regions in Regards to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Figure 2, have well-defined cyberwarfare policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same figure, does not yet have well-defined cyberwarfare policies and strategies. For comparison, Table 1 below shows a summary of the policies and strategies of China, Russia and India.
Successes and Failures of the Various Alternative Policies around the Globe
Despite some of the negative press from the Stuxnet virus, this collaborative effort by the U.S. and Israel has been looked at both with fascination and as an event that has quickly and successfully heralded in a new age of warfare, the age of cyberwarfare. However, many still feel that the absence of publicly defined policies and strategies by the Obama Administration invites a secretive and even random appearance and continued use of cyberweapons (Sanger, 2012).
Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across Countries Dealing with This Threat Issue
Apparently, the U.S. has already created one or more rather sophisticated cyberweapons with the help of Israeli cyberweapon experts. At least one of these cyberweapons, the Stuxnet worm, was effectively used to impede the development of Iran’s nuclear material refinement program from 2009 to 2010 (Langer, 2010). It is likely, however, that through the auspices of the United Nations, or perhaps some G20 accord, there may be some general consensus on the importance of defining the appropriate uses of cyberweapons. There also needs to be some agreement on the types of response to cyberattacks and on effective methods of cyberdeterrence.
Figure 2. Country Cyber Capabilities Ratings (Technolytics, 2012)
China and Its Role in Cyberwarfare Capabilities
China is probably doing a better job in the realm of cyberwarfare for three reasons: 1) the government has invested considerable resources in its cyberwarfare capabilities; 2) the number of personnel devoted to cyberwarfare efforts is reportedly in the tens of thousands; and 3) the Chinese government is able to easily operate under a cloak of secrecy and conduct operations without fear of cyberwarfare activities being leaked to Chinese press agencies (Hagestad, 2012).
Part 3 Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability.
Part 4 – Conflict Resolution in Cyberwarfare and Cyberdeterrence
This section will present the ideas of conflict analysis and resolution as they relate to cyberwarfare.
Current Academic Research on This Threat Problem
Since 2007, the existence of well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008), and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), has become known to the world through security researchers, their victims, and the media. As a result, it has become apparent to most who are watching this area that cyberspace has now become the new realm onto which the field of international conflict has been extended, and that cyberwarfare is no longer a theoretical issue that could one day threaten those participants and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately, however, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and doing so badly (Turzanski and Husick, 2012).
Intellectual Positions and Theoretical Explanations That Have Been Staked Out on This Threat Problem
As recently as the 2008 – 2009 timeframe, John Boyd’s conflict model known as Observe – Orient – Decide – Act (OODA) began to be applied to analyze the ideas of “cybernetic warfare” and “net-centric warfare.” The model itself has been analyzed for its ability to simply demonstrate the nature of the complexity of conflict, complete with factors of ambiguity and unpredictability, and so the model has also been used to define the nature of life itself. Yet the model is also impacted by the chaotic nature of life and reality. This further shows the similarity between actual cyberwarfare events and this model. Other characteristics of the OODA loop model are its continuous nature and the feedback loops that provide data on which to base some form (or forms) of decision and action. The OODA Loop model is shown in Figure 3.
Table 1. Summary of Cyberwarfare Policies and Strategies of China, Russia, and India
Country: China
Policy: China supports cyberwarfare capabilities, especially providing such capabilities in the People’s Liberation Army.
Strategy: The Chinese will wage unrestricted warfare, and these are the principles: omni-directionality; synchrony; limited objectives; unlimited measures; asymmetry; minimal consumption; multi-dimensional coordination; adjustment and control of the entire process (Hagestad, 2012).
Country: Russia
Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches – political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012).
Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).
Country: India
Policy: India supports cyberwarfare capabilities, especially providing such capabilities in the Indian Army. “It is essential for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify as how to maintain no-contact cyber war and when the government decide to go for full-contact or partial-contact war then how cyber war will be integrated to meet overall war objectives (Saini, 2012).”
Strategy: Strategies are still under development, but will follow the guidance of policies related to the conduct of war (Saini, 2012).
However, one key distinction between Boyd’s OODA model and cybernetic warfare is Boyd’s “focus on the conditions of emergence transformation of systems through information rather than merely the manner in which information is processed by a fixed organizational schema.” Boyd would argue that Claude Shannon and others tend to overemphasize the view of information related to structure as opposed to information as a process (Bousquet, 2009).
As recently as December 2006, the Joint Chiefs of Staff provided an inside look into how the U.S. National War Plan was created and maintained, in the document titled Joint Publication (JP) 5-0, Joint Operation Planning. While this publicly available, 264-page document is unclassified, it does provide an extraordinary look into the strategic military thinking, principles, and guidance of the Joint Chiefs of Staff and the National Command Authorities as they create policies and strategies that enforce the national strategic objectives of the United States. This document, which was created during the Bush administration, is also significant because it is one of the first official, publicly known documents of its kind that included cyberspace as part of the operational realm of conflict, along with air, sea, land, and space, for conducting military operations (U.S. DoD, JCS, 2006). The high-level diagram below simply shows the concept of the inputs and the outputs that lead to understanding the operational environment of conflict, and it compares somewhat to the OODA figure shown earlier (Figure 4).
To further illustrate the intent of the Joint Chiefs of Staff, Figure 5 visually explains the interconnected nature of the realms related to the operational environment of conflict and the nature of the systems analysis required for decision making. The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this environment would include the information environment and cyberspace:
Joint Publication (JP) 5-0, Joint Operation Planning
“Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy’s key capabilities and sources of strength. Simultaneity in joint force operations contributes directly to an enemy’s collapse by placing more demands on enemy forces and functions than can be handled. This does not mean that all elements of the joint force are employed with equal priority or that even all elements of the joint force will be employed. It refers specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across the physical domains and the information environment [which includes cyberspace]) in such a manner as to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).”
Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict environment, and here again, cyberspace is included in that realm of options in which a course of action could and would be developed (U.S. DoD, JCS, 2006) (Figure 6).
Figure 3. Boyd’s OODA Loop Model (Bousquet, 2009)
Options in Conflict
Based on the current state of the U.S., with its lack of coherent and cohesive cyberwarfare policies and strategies incorporated into its National CONOPS Plan, and the potential for unintended consequences where the unilateral use of cyberweapons can and will occur, I see three possible options for the U.S., and each of these options has advantages and disadvantages.
Figure 4. Understanding the Operational Environment (U.S. DoD, JCS, 2006)
Part 4 Conclusion
This section has presented a brief look at the U.S. Military’s recognition of cyberspace as an extension of the operational environment of conflict, and a comparison of the options that exist for resolving the issues that threaten America’s ability to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare and cyberdeterrence in the future.
Part 5 – Policy Generation Related to Cyberwarfare and Cyberdeterrence
This section will present the ideas for the creation of national policy or enhancement of existing national policy related to cyberwarfare and cyberdeterrence issues.
Current U.S. Policy Covering Cyberwarfare Threats
As stated earlier in Part 2 – Policy Analysis, the current written policy related to cyberwarfare threats can be found in President Obama’s Defense Strategic Guidance 2012, a 16-page policy document that was published on January 3, 2012. It has already been noted that this policy has not been effective in deterring cyberattacks and other acts of cyberwar.
Figure 5. Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)
Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation
The creation of policies and strategies related to cyberwar and cyberdeterrence is complicated by six major issues:
1. The lack of international definition and agreement on what constitutes an act of cyberwar (Markoff and Kramer, 2009).
2. The lack of the ability to clearly attribute the source of an attack (Turzanski and Husick, 2012).
3. The ability of non-state actors to conduct potent cyberattacks (Turzanski and Husick, 2012).
4. The inability to clearly define the exact nature of critical infrastructure targets (Turzanski and Husick, 2012).
5. The massive proliferation of, and reliance on, ubiquitous, highly insecure, vulnerable systems based on SCADA technologies from the 1980s and 1990s (Turzanski and Husick, 2012).
6. The continually changing landscape of information technology, including the vulnerabilities and threats related to systems that are obsolete, yet remain in operational use for several years past their intended useful life.
A Single Integrated Operational Plan for War
During the 1950s and 1960s, when it became evident that nuclear weapons could play a major role in strategic warfare, the United States utilized a think-tank of individuals, both military and civilian, to craft the strategic war-fighting plans of the U.S. that would deal with the very real possibility that tactical and possibly strategic nuclear weapons might be required during a major wartime scenario. The first such war plan was called the Single Integrated Operational Plan (SIOP). The process of its creation involved the use of intelligence data about potential enemies, a threat assessment process, and then a process whereby the identified likely targets would be prioritized and matched with weapons. The process of matching weapons to targets also included intricate sequence timings, and the various event triggers that would result in the execution of such attacks. In the 1980s, the SIOP evolved into something called the OPSPLAN and later it was renamed the CONOPS Plan, but it has always been kept up to date and tested at least semiannually so that all involved would know their roles if the national command authorities deemed it necessary to execute this intricate war plan (Freedman, 2003). Note that as far back as the 1970s, there were 24 defined levels of conflict between the U.S. and a potential adversary, ranging from a war of words all the way to strategic nuclear war. No matter what its name was, the national war plan has always been a key tool of the national command authorities for understanding what military responses would be required in the event of these various levels of conflict.
Figure 6. Course of Action Development (U.S. DoD, JCS, 2006)
Recommendations for the U.S. Cyberwarfare Policy and Strategy
It is not unreasonable to assume that the path towards a coherent and cohesive U.S. policy and set of strategies regarding the use of cyberweapons will follow a path similar to the strategic war plan maturity path from Hiroshima to the SIOP. Today, in the absence of any clear policy on the use of cyberweapons, Crosston advocates agreement on a policy of “Mutually Assured Debilitation”, in which everyone with cyberweapons would come to a general understanding that the use of these weapons would result in the expectation that massive destruction would be unleashed on every participant’s assets (Crosston, 2011). This makes perfect sense considering that the “Mutually Assured Destruction” nuclear deterrence policy was effective and worked well during the Cold War from the 1950s through the 1990s. Yet, today, I believe that once a coherent and cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the National Command Authorities, there should be an eight-step process that could result in the development and rapid maturation of a strong national strategy for U.S. cyberwarfare:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering needed to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of information technology, so that the tools our cyberwarfare fighters are using are state of the art, and that they are effective and perform well as they are integrated into the cyberwar fighting environment.
Recommendations for the U.S. Cyberdeterrence Policy and Strategy
A strongly worded, explicit U.S. national policy regarding cyberdeterrence would serve to further strengthen the U.S. in cyberspace as well as protect critical infrastructure and our allies. According to a 1997 paper prepared by the U.S. Army for the Clinton administration, Toward Deterrence in the Cyber Dimension, these would be the recommended elements of such a policy:
1. Continue to design, create, possess, and use offensive cyber warfare capabilities when necessary.
2. Develop a defensive system for surveillance, assessment, and warning of a cyber attack. (I think such a capability presently exists.)
3. A declaration that any act of deliberate information warfare resulting in the loss of life or significant destruction of property will be met with a devastating response (U.S. Army, 1997).
4. I would also include Crosston’s idea of Mutually Assured Debilitation (Crosston, 2011).
Table 2. Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S. National CONOPS Plan
Option 1
Description: Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence in the U.S. National CONOPS Plan.
Advantage: Prevents unintended consequences of unilateral or unplanned use of cyberweapons.
Disadvantage: Takes time, politics, skills, knowledge, and money.
Option 2
Description: Limited creation and application of policies that mandate the inclusion of cyberwarfare and cyberdeterrence in the U.S. National CONOPS Plan.
Advantage: Prevents some possible unintended consequences of unilateral or unplanned use of cyberweapons.
Disadvantage: Still requires some time, political wrangling, skills, knowledge, and money.
Option 3
Description: Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan. Just continue the present trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current cyberwarfare threats to continue (Sanger, 2012).
Advantage: Saves time, political wrangling, and money.
Disadvantage: Unintended consequences of unilateral or unplanned use of cyberweapons.
Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence
According to Kramer, the table below contains the 10-step remedy for creating a policy that would protect the U.S. in cyberspace.
Table 3. A 10-step Remedy toward the Creation of National Policy (Kramer et al., 2009)
• Unify Policy Direction: Effective policies will not be created by a single person or entity; they require centralized leadership to unify their direction and intent.
• Specialize Policy Direction: Recognizing that one size does not fit all, specialized policies need to be created for various infrastructures and industries to ensure maximum protection.
• Strengthen and Unify Regulation: Regulations must be strengthened to be more effective, or new, more effective regulations must be created.
• Define State and Local Roles: A workable Federal policy must have the involvement of state and local authorities to be effective.
• Define International Interfaces: This is required because cyberspace is connected internationally and because there is still a lack of international agreement on many aspects of cyberwar.
• Mandate Effective Systems Engineering for Infrastructure-related Software: Ensure that there is a realization of, and commitment to, the need for higher minimum standards for the quality of software related to infrastructure.
• Don’t Take No for an Answer: Ensure that stakeholders and responsible participants realize the resolute, unwavering commitment toward a workable policy solution.
• Establish and Implement Clear Priorities: This will ensure the best allocation of financial and management resources.
• Inform the Public Clearly and Accurately: The public needs to understand the efforts being made to protect the U.S.
• Conduct a Continuing Program of Research: Keep the policy updated and relevant to changing technologies.
Part 5 Conclusion
This section has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive national policies and strategies that will facilitate U.S. capabilities to effectively conduct cyberwarfare and cyberdeterrence operations now and in the future. At the present moment, the lack of such policies effectively represents a window of risk and uncertainty during a time when cyber threats and cyber attacks are growing at an exponential rate. That situation has the elements of a real potential for a cyber disaster if the weakness in policy is not resolved as soon as possible. Here, I presented a set of processes and a framework by which the U.S. can quickly address the national challenges of effectively creating the urgently needed national policies and integrated strategies for conducting cyberwarfare and cyberdeterrence operations now and in the future.
Conclusion
This paper has presented a brief look at the importance of creating a clear set of publicly available, coherent and cohesive national policies. It then advocated the incorporation into the U.S. CONOPS Plan of strategies that will address U.S. intentions and capabilities to effectively conduct cyberwarfare and cyberdeterrence operations now and in the future.
References
• Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
• Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House, January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensivenational-cybersecurity-initiative on January 5, 2012.
• Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O’Reilly.
• Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
• Crosston, M. (2011). World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence. Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
• Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
• Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. Technical paper presented at the 2008 Automation Summit – A Users Conference, Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
• Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
• Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
• Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. Article published at ZDNet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/theobama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
• Gjelten, T. (2010). Are ‘Stuxnet’ Worm Attacks Cyberwarfare? Article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-sleading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. Article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
• Gjelten, T. (2011). Security Expert: U.S. ‘Leading Force’ Behind Stuxnet. Article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/securityexpert-u-s-leading-forcebehind-stuxnet on December 20, 2011.
• Gjelten, T. (2011). Stuxnet Raises ‘Blowback’ Risk In Cyberwar. Article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowbackrisk-in-cyberwar on December 20, 2011.
• Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
• Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
• Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
• Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
• Kerr, D. (2012). Senator urges Obama to issue ‘cybersecurity’ executive order. Article published at CNET.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_357519484-83/senator-urges-obama-to-issue-cybersecurityexecutive-order/ on September 26, 2012.
• Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
• Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
• Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Corporation.
• Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. Article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
• Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. Article published at Politix.Topix.com on September 22, 2012. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banksin-cyber-war on September 22, 2012.
• McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
• Obama, B. H. (2012). Defense Strategic Guidance 2012 – Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
• Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
• Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
• Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
• Radcliff, D. (2012). Cyber cold war: Espionage and warfare. Article published in SC Magazine on September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-andwarfare/article/254627/ on September 7, 2012.
• Saini, M. (2012). Preparing for Cyberwar – A National Perspective. Article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
• Sanger, D. E. (2012). Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
• Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
• Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. Article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-wasdebated-by-us.html on October 17, 2011.
• Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
• Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. Article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-exposecomputer-vulnerability on September 30, 2012.
• Technolytics. (2012). Cyber Commander’s eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
• Turzanski, E. and Husick, L. (2012). “Why Cyber Pearl Harbor Won’t Be Like Pearl Harbor At All...” Webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
• U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President’s Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
• U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
• Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
William F. Slater, III
William F. Slater, III is an IT security professional who lives and works in Chicago, IL. He has over 20 security-related certifications, including CISSP, SSCP, and CISA. In March 2013 he completes his M.S. in Cybersecurity at Bellevue University in Bellevue, Nebraska. He has written numerous articles on IT security and cyberwarfare. Mr. Slater is also an adjunct professor at the Illinois Institute of Technology and the devoted husband of Ms. Joanna Roguska, who is a web developer and a native of Warsaw, Poland. You can read more about Mr. Slater at http://billslater.com/interview.
SECUCON 2013
SECUCON 2013 was a conference hosted by SECUGENIUS, a unit of HARKSH Technologies Pvt Ltd, at GGNIMT, Ludhiana, with a vision to create awareness of the need for security in social living and to spread a message of generating opportunities in the same field. Two young entrepreneurs, Er. Harpreet Khattar and Er. Kshitij Adhlakha, started this venture to provide specialized opportunities to the most technical species on this earth. They authored a book named 'Security Breached', which was launched on the same day by the Chief Guest of the event, Mr. Mahesh Inder Grewal, Advisor to the CM of Punjab, along with Mr. A.S. Rai, Inspector General, Punjab, and Dr. Maninder Singh, Head of the Computer Department, Thapar University, Patiala.
The session was inaugurated by Chief Guest Mr. Mahesh Inder Grewal with an enlightening speech on the role of security in society and the launch of the book 'Security Breached', authored by Er. Harpreet Khattar and Er. Kshitij Adhlakha. Harpreet Khattar told how he started his company, SECUGENIUS and Harksh Technologies. As a team with his partner Kshitij Adhlakha, they wanted to do something to support the careers of young people and to divert them into the upcoming field of information security. He discussed the platforms and opportunities provided by the government for the effective use of resources and studies in the domain of security, followed by Kshitij Adhlakha and the other esteemed speakers of the conference, who generated enthusiasm for security among an audience that comprised four categories, over four sessions on the two days, 25th and 26th May 2013:
• Political dignitaries and defence forces personnel
• Academicians
• Industry CEOs and community representatives
• Students and social communists
The audience experienced the height of future possibilities through the in-depth knowledge of speakers from three countries on the most technical and social fields of IT security and on curbing hacking in society. Following is the list of speakers at the conference:
1. Er. Harpreet Khattar
2. Er. Kshitij Adhlakha
3. Dr. Maninder Singh
4. Mr. A.S. Rai
5. Dr. S.N Panda
6. Dr. M.S. Pabla
7. Ivneet Singh
8. Shenddy Jimenez
9. Nipun Jaswal
10. Shubhamoy Chakarborty
11. Theresa Michael
12. Dr. Parminder Singh
13. Col. Gurinder Singh Saini
14. Kailash D Agarwal
The conference was concluded by Dr. Gunwant Singh Dua (Director, GGNIMT) on behalf of SECUGENIUS in association with GGNIMT, after launching a specialized course for students and professionals at the same venue, which will run for the next two months, with a vision that each student participating in this course could earn handsome opportunities in their future endeavours. This conference was organized and managed by SECUGENIUS, a unit of Harksh Technologies Pvt Ltd, in coordination with Gujranwala Guru Nanak Institute of Management & Technology, which supported the venue, and was promoted by FTG Solutions. The conference was covered thereafter by various newspapers, media and other outstation magazines.
LET'S TALK ABOUT SECURITY
Smartphone: a Win-Win Product for Both Consumers and Sellers
In a world where technology can be used for multiple exchanges, the use of mobile phones is no longer limited to simple voice communication functions. Mobiles now provide access to a growing number of services thanks to the smartphone.
A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone. Nowadays, phones aren’t just for basic needs like talking and texting; they have many advanced features such as internet, email, gaming, organizing, taking photos, playing music, shopping, watching movies and more. These features combined constitute a smartphone. The building block of any smartphone is its operating system (OS), which manages the hardware and software resources of the device. The smartphone market is among the largest and fastest growing markets in the world of consumer electronics. It is currently dominated by Android and iPhone smartphones, with BlackBerry and Symbian phones at a distant third and fourth position. Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to company credentials and to check company-specific mail and data. Thus security remains a big concern at the workplace, so penetration testing needs to be done on every available aspect whenever possible.
Body
Smartphone growth and adoption are increasing rapidly worldwide due to their rich and versatile functionality. The versatility and convenience of these devices gives them priority over other similar devices such as PDAs (Personal Digital Assistants) or tablets. Today, a smartphone is not just used to talk; rather it is utilized for a wide array of services, viz., GPS, MP3 player, a range of entertainment, electronic banking, reading e-books or attending office meetings online. Such a diverse mixture of services can only be delivered with the combination of strong, compact hardware and high-speed, reliable software with a good operating system.
Smartphone Operating System
Google’s Android platform is expected to have the largest share of the global smartphone operating system market by 2014. Companies making Android devices include Samsung, HTC and Motorola Mobility, which Google owns. Samsung also makes phones running Bada, which is based on Linux. Nokia has traditionally relied on Symbian, but it is banking its future on Windows. Android and iOS combined for 87.6% of the 2012 smartphone market. As per the shipment numbers, Android had a 68% market share of worldwide smartphones in Q2 2012, with iOS a distant second at 16.9%. Despite being down year-on-year, BlackBerry and Symbian came in third and fourth, while Windows Phone, which almost doubled its shipments, had only 3.5% of the Q2 2012 market (Figure 1). Samsung is the undisputed leader in the worldwide smartphone market. By the end of 1Q13, Samsung shipped more units than the combined shipments of the next four vendors. Apple has held the second spot in the smartphone market. Apple’s mix of models shipped to market is increasingly diversified as it tries to reach new buyers. LG’s smartphone volume for the quarter was driven in large part by its 3G smartphone portfolio, namely the L series and the Nexus 4. LTE-enabled devices, including the Optimus G series, also contributed to its success. LG is anticipated to continue its upward trajectory with the launch of the F and L series targeting the mid-range and entry-level segments. Huawei has shown significant improvement: it has decreased its dependence on rebranded feature phones while growing its Ascend portfolio to address multiple customer segments with more branded smartphone offerings. In 2013, ZTE’s focus is to grow in North America and Europe. In China, where increasing price pressure has challenged vendors to grow profitably, ZTE will emphasize its higher-priced products. In addition, ZTE will be among the first companies to launch a Firefox-powered smartphone in 2013 (Figures 2-4).
In today’s fast-paced corporate world, every employee, whether from IT or among the top executives, relies on having continuous real-time access to company data. Many employees probably access their company email and files on their smartphone devices. Companies at present have two alternatives: first, issue company-owned smartphones to employees, or second, let employees bring their own devices to work to be integrated with the network. The security posture of the smartphone in the workplace therefore becomes a critical issue. With the increasing utilization of smartphones in the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The Smartphone Pentest Framework (SPF), the result of a DARPA Cyber Fast Track project, aims to provide many facets of assessing the security posture of these devices. SPF is an open source tool designed to allow users to assess the security posture of the smartphones deployed in an environment. The tool allows for assessment of remote vulnerabilities, client-side attacks, social engineering attacks, post exploitation and local privilege escalation, in the manner users have come to expect from modern penetration testing tools. SPF is made up of several parts that may be mixed and matched to meet users’ needs:
• SPF Console
• SPF Web-based GUI
• SPF Android App
• SPF Android Agent
Figure 1. Global – Top Smartphone Operating System Market Share (Percent), Quarter 2, 2012. Source: IDC Worldwide Mobile Phone Tracker, August 8, 2012
Figure 2. Global – Top Five Smartphone Vendors, Unit Shipments (Million), Quarter 1, 2013. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
Figure 3. Global – Top Five Smartphone Vendors, Market Share (Percent), Quarter 1, 2012. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
About Us
Renub Research is a leading management consultancy and market research company. We have more than 10 years of experience in research, surveys and consulting. We provide a wide range of business research solutions that help companies make better business decisions. We partner with clients in all sectors and regions to identify their highest-value opportunities, address their most critical challenges, and transform their businesses. Our wide clientele comprises major players in Life Sciences, Information Technology, Telecom, Financial Services (Banking, Insurance), Energy, Retail, Manufacturing, Automotive, and the Social sector. Our clients rely on our market analysis and data to make informed decisions. We are regarded as one of the best providers of knowledge. Our pertinent analysis helps consultants, bankers and executives to make informed and correct decisions.
A few of our published reports on the Telecom Sector
• South Africa Mobile Service Market, Subscribers & Companies Forecast to 2015: http://www.renub.com/report/south-africa-mobile-service-marketsubscribers-companies-forecast-to-2015-87
• Mobile Payment Market, Users Worldwide & Countries Forecast to 2014: http://www.renub.com/report/mobile-payment-market-users-worldwidecountries-forecast-to-2014-59
• India Smartphone Market & Operating System Analysis Forecast: http://www.renub.com/report/india-smartphone-market-operating-system-analysis-forecast-54
Conclusion
The smartphone market share trends point to the fact that Android is the market leader and, going forward, it is expected to be the undisputed leader, with the iPhone as a strong number two. Symbian seems to be dying out in terms of consumer mindshare, and Windows Phone is struggling as well to gain market share. The Windows Phone 8 platform is also not gaining much headway at this point. If Microsoft isn’t able to mount a serious push to become relevant as a third platform by 2013, it may open the door to competition from Firefox’s HTML-based smartphone OS.
Figure 4. Global – Top Five Smartphone Vendors, Market Share (Percent), Quarter 1, 2013. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
Rajiv Ranjan
Rajiv Ranjan is working as a Senior Research Analyst with Renub Research. He holds an MBA degree and has more than 5 years of telecom domain experience. For more questions on this article, mention the author name and article title in the subject line and write to us at [email protected].
Interview with Ian Whiting, CEO of Titania
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.
Hello Ian, please tell us few words about Titania.
Titania was founded with the aim of developing easy to use security auditing software that performs a detailed analysis of systems that otherwise would require specialist knowledge. The software that we have released to date has assisted both government and leading businesses in better securing their networks. In the process, Titania has gained critical acclaim from leading industry analysts and several awards. Since opening our first office in December 2010, Titania has experienced considerable growth. We now supply our products directly, and through a network of global partners, to organizations in over 40 countries worldwide. Our customers tend to be those that are security conscious, in sectors such as finance, defense, telecommunications, auditing and manufacturing.
What is it like leading a company like Titania and what are some of the challenges you face?
There are of course many technical and development challenges to running a business like Titania that specializes in cyber security auditing. However, as soon as we started trading our largest problem was responding to our customers’ requests to purchase the software and keeping up with the demand for new features and functionality. In fact our largest challenge to date has been to manage the growth of the company. We are always looking to keep ahead of the competition and we have decided on a plan to achieve that goal through the technical capabilities of our products rather than through our company’s marketing arm. So although we sometimes have a difficult time communicating our message, our products speak for themselves.
Do you offer any professional services?
We do not provide any professional services at present, though we are always continuing to review that situation. So we may add professional services at a later stage, both directly and through our network of global partners.
Users of our software do not require training services, as one of our development goals was always to make our products as easy to use as possible. I believe we have succeeded in that goal. I have personally seen non-technical people produce detailed and complex security audit reports using our software with no previous experience with the tool. This being said, we are not resting on our laurels and we continue to look at ways to further improve user interaction with our products.
How often do you refresh (update) your products to meet the latest security challenges and threats?
Our products are continually being updated and are evolving to meet the requirements of our customers and the new issues that emerge in the industry. Typically each of our products has a short release cycle with updates being made available monthly.
Can you mention some of your top-selling products?
Nipper Studio is our company’s flagship product. It takes the manual process of reviewing how network switches, routers and firewalls have been configured and automates it. This is not done using the intrusive method of scanning a network device, which would not give you the full picture of how the device has been set up, but by analysing their native configuration. The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting, configuration reporting and more. The reports produced are equally detailed and specific; they were designed with technology that writes the report just like a human would. This is in contrast to traditional computer report writing technology that simply joins pre-written paragraphs of text together and rarely accurately describes how something specific has been configured.
Our most recent product, Paws Studio, is a Windows compliance product for servers, workstations and cloud-based systems. It was developed based on very specific security requirements of our customers who work in highly secure environments, with very sensitive information. They needed a solution that could be run without installing software on the audited system. Therefore we built Paws Studio to be able to run over the network, on the local system or offline with no connection to the audited system. Although we have pre-configured Paws Studio with a number of different compliance checklists, you can define your own compliance checklist within the product. We have developed a Policy Editor that enables you to either modify one of the pre-defined compliance lists or create one of your own from scratch.
All of our products have been designed to be integrated with bespoke and third-party systems, including continuous monitoring setups. They can easily be integrated using a scriptable interface and you can export the report data in a variety of different formats. We also release our products with multi-platform support covering Microsoft Windows, Apple Mac OS X, Red Hat Linux, Ubuntu, Fedora and so on. Our customers are very important to us and their needs play a key role in the development of all of our products. We base a lot of our development plans around their feedback and requests.
Where do you see Network Security heading in next few years? What are some of your predictions?
I see that security compliance is going to play an ever larger role within the industry than it does today. It is great to see progress towards an ever improving security baseline, but it also saddens me to see many organizations depending solely on compliance as the means to being secure. It is why I believe it is important that the security industry, in addition to enhancing security compliance lists, highlights the fact that being compliant does not mean you are secure. Unfortunately I can see there will continue to be security breaches in organizations that manage security risks with compliance instead of striving to ensure a truly secure environment. You can almost picture the victim company’s statement now. It would read something along the lines of, “The company had met their compliance standards and we are now reviewing our current operating practices to ensure how best future breaches could be avoided”.
Nipper Studio is fairly popular in the network security industry; can you give us some historical background on that product?
I have a background as a penetration tester and regularly performed manual assessments of various network devices. A proper assessment of a network device is not a five minute task; each aspect of how a device can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of knowledge about the device being reviewed. It seemed to me that this is exactly the type of task that is suitable for automation.
Although Nipper Studio originally started life simply identifying a limited number of security weaknesses with Cisco configurations, it soon grew to adding support for more devices, identifying more security weaknesses and eventually writing the security audit report for you.
***** It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge of every system they come across. The same is also true of the network administrators who manage those systems; they may not have the in-depth security background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side, giving penetration testers device-specific assistance and helping network administrators identify potential security weaknesses. *****
At Titania, how do you strive to achieve top-quality software? What kind of quality control do the products go through?
This is a very challenging aspect of developing a product such as Nipper Studio. The number of moving variables involved with the development process is huge. We support a large number of different devices, the manufacturers of which are constantly updating and revising their platforms. Plus the vulnerabilities in each platform are forever evolving. We maintain a growing test environment that includes the different devices that we support, plan to support and some others that may never get added to Nipper Studio. These are all used during the development and testing process, together with different firmware versions. To help manage the development plan for this we employ a development and tracking system that enables us to manage all these variables together with improvements suggested by our customers. Each developer and tester knows from our tracking system what tasks they need to be working on next.
Titania
Titania was founded in 2009 and develops network security and compliance auditing software. We now provide our products to global organizations and government agencies in over 40 countries. Our flagship product, Nipper Studio, enables organizations to produce expert level reports in seconds on network devices (firewalls, switches, routers etc.), and has been recognized by multiple industry awards and nominations. Our customers are made up largely of organizations in the Financial, Telecommunications, IT Security, Government and Defense industries, however any organization that has networks to protect can benefit from using our security auditing tools.
Nipper Studio supports various Cisco devices and some people may be under the impression it only supports Cisco devices. What would you like to say about that?
Nipper Studio does support a wide range of Cisco devices; it was originally developed with only Cisco support and it is used by Cisco. So it is easy to understand how historically Nipper Studio could be mistaken for supporting only Cisco devices. However, the latest versions of Nipper Studio support over 100 different devices from different manufacturers and are used internally by a growing number of those manufacturers. Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a number of network devices made by someone else. We are often approached by customers asking us to add support for unusual systems and devices. The network devices that we see deployed in data centers have evolved over time, with increasing deployments of some devices and the reduction of others. We have developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to quickly develop, test and deploy support for new devices.
Very often clients complain that they are not offered good product/customer support. How do you ensure good customer support?
It was important for us to achieve our ISO 9001 accreditation as it helps us to ensure that every customer receives the same high standard of support from the point that they first engage with the company to when they receive the product and the subsequent support process that follows. We believe that every customer deserves great customer service and technical support and we offer these services free of charge to every one of our customers. Our ISO 9001 conformance not only ensures that all of our staff deliver the highest level of support but also promotes continuous improvement throughout the company. We achieve this through collecting and reviewing customer feedback and auditing our customer care processes.
Thank you, Ian, for the interview. By PenTest Team
Titania’s Paws Studio Review
Whether you see compliance as a burden or an aspiration, we are frequently mandated to meet a certain set of security requirements around our information assets. One important aspect is being able to demonstrate to yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure that your systems are compliant with your policies or those mandated by compliance standards? A program of auditing your systems will help you understand the state of your estate. Titania’s Paws Studio provides a means to audit Windows and Linux systems and produce compliance reports against a defined set of policies. It sets out to provide clear and detailed reports of the system’s level of compliance. Policy templates are editable and Paws Studio comes with predefined templates based on established policies and best practice including PCI, SANS and DoD STIG. Policy templates are essentially a group of compliance audit checks built from the check library provided by Paws Studio. Checks range from high-level tests such as the presence of anti-malware software right down to individual file permissions and registry settings. There are two ways of creating and customising policy templates. The first is a wizard that guides you through creating your policy. Here you can define the rules that comprise your policy by clicking through a series of screens and selecting checks from the library. The interface is straightforward and self-explanatory and it is a great tool for less advanced users. However, the more technically minded user might find it time consuming and prefer to use the supplied Policy Editor instead, which is undoubtedly the more powerful tool. The Policy Editor provides you with a tree layout of your policy, giving you a bird’s eye view and the ability to quickly navigate through the rules. In addition, clicking on the Advanced tab gives you a syntax-highlighted view of the raw policy XML.
Whatever tool you choose, the result is an XML file defining the compliance checks for your policy and metadata used to generate the final compliance reports.
Once you have your policy defined it’s time to audit your systems. In order to compile a report you need the compliance audit data collected from a machine. At this point you have three options. You can choose to audit the local machine where Paws Studio is installed. You can also audit a system over the network; to do this you will need valid administrator credentials on the remote system. Paws Studio will scan the local network for hosts to audit, or you can specify the IP addresses of the machines in scope.
The third option is to use the portable data collector software, a small executable that can be run from a thumb drive. This is particularly useful where you need to audit a system that is not on the network or is air-gapped from your audit workstation. Run the Data Collector, choose an audit policy and it will create a .paws file with the audit results. Once you have collected your audit data you can produce a report on the audited system. Reports contain the result of each test on the system as well as summary charts showing the percentage of tests passed and a breakdown of failed tests by severity. Paws Studio creates a compliance audit report that can be saved as HTML, PDF, PostScript or a Microsoft Word document. CSV and XML formats are also available, so you can feed machine-readable reports into other reporting systems or build your own applications to consume your compliance data.
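The model the review describes (a policy is an XML file of checks drawn from a check library, evaluated against data collected from a host, with a report giving the percentage passed, failures by severity and a machine-readable export) as an added example that is not Paws Studio’s own code or file format. The XML schema, the check types, the snapshot layout standing in for collected audit data and every name below are assumptions made for illustration; the sample policy and host data are constructed inline so it runs offline.

```python
"""Toy compliance-policy evaluator (added example; hypothetical formats, not Paws Studio's)."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed policy. The schema (policy/check/type/severity) is an assumption.
POLICY_XML = r"""<?xml version="1.0"?>
<policy name="Example Windows baseline">
  <check id="AV-1" severity="high" type="software_present">
    <name>Anti-malware software installed</name>
    <software>Windows Defender</software>
  </check>
  <check id="REG-1" severity="medium" type="registry_value">
    <name>UAC enabled</name>
    <key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</key>
    <value>EnableLUA</value>
    <expected>1</expected>
  </check>
  <check id="FILE-1" severity="low" type="file_permission">
    <name>hosts file not writable by Everyone</name>
    <path>C:\Windows\System32\drivers\etc\hosts</path>
    <deny>Everyone:W</deny>
  </check>
</policy>
"""

# Constructed host snapshot: what an offline data collector might have gathered
# (software inventory, registry values, file ACLs). Layout is an assumption.
SNAPSHOT = {
    "software": ["Microsoft Office", "Windows Defender"],
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": "0"},
    },
    "file_acls": {
        r"C:\Windows\System32\drivers\etc\hosts": ["Administrators:F", "Users:R"],
    },
}


def check_software_present(check, snap):
    """Pass if the named package appears in the collected software inventory."""
    return check.findtext("software") in snap.get("software", [])


def check_registry_value(check, snap):
    """Pass only if the key exists and the value matches exactly (absent key fails)."""
    key = snap.get("registry", {}).get(check.findtext("key"), {})
    return key.get(check.findtext("value")) == check.findtext("expected")


def check_file_permission(check, snap):
    """Pass if the denied ACE is absent from the file's ACL; a missing file fails closed."""
    acl = snap.get("file_acls", {}).get(check.findtext("path"))
    if acl is None:
        return False
    return check.findtext("deny") not in acl


# The "check library": policy <check type="..."> names map onto these handlers.
CHECK_LIBRARY = {
    "software_present": check_software_present,
    "registry_value": check_registry_value,
    "file_permission": check_file_permission,
}


def evaluate(policy_xml, snapshot):
    """Run every <check> in the policy against the snapshot; one result dict per check."""
    results = []
    for check in ET.fromstring(policy_xml).iter("check"):
        handler = CHECK_LIBRARY.get(check.get("type"))
        if handler is None:
            outcome = "error"  # unknown check type is surfaced, never counted as a pass
        else:
            outcome = "pass" if handler(check, snapshot) else "fail"
        results.append({"id": check.get("id"), "name": check.findtext("name"),
                        "severity": check.get("severity"), "result": outcome})
    return results


def summarise(results):
    """Report summary: percentage passed and non-passing checks broken down by severity."""
    total = len(results)
    passed = sum(1 for r in results if r["result"] == "pass")
    by_severity = {}
    for r in results:
        if r["result"] != "pass":
            by_severity[r["severity"]] = by_severity.get(r["severity"], 0) + 1
    return {"total": total, "passed": passed,
            "percent_passed": round(100.0 * passed / total, 1) if total else 0.0,
            "failed_by_severity": by_severity}


def to_csv(results):
    """Machine-readable export, one row per check, for downstream reporting systems."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name", "severity", "result"])
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


if __name__ == "__main__":
    res = evaluate(POLICY_XML, SNAPSHOT)
    print(to_csv(res))
    print(summarise(res))
```

Two design points worth carrying into any real evaluator: a check whose evidence is missing (file not found, key absent) fails rather than passes, and a policy that references a check type the library does not know is reported as an error instead of being skipped, so a typo in a policy cannot silently inflate the pass rate.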
Paws Studio is available for Windows, Mac OS X and various flavours of Linux and currently supports auditing of Windows and Linux systems. This software is pitched at the SME market, which could be priced out of enterprise-grade auditing software and is unlikely to benefit from the bells and whistles those tools provide. If you need a cost effective and easy to use compliance reporting tool, Titania’s Paws Studio certainly merits a second look. By Jim Halfpenny