cigital
SecureAssist
Find and Fix Security Defects During Development
Plug-in for Eclipse and Visual Studio identifies common security vulnerabilities and provides remediation guidance.
Contextual: guidance and examples specific to the language.
Customizable: incorporate organizational standards into guidance.
Expert validated: based on Cigital's experience in thousands of code reviews.
Actionable: code examples explain the right way and place to fix defects.
Free 30-day trial: www.cigital.com/hakin9
ISSE 2014: Securing Assets Across Europe
14th & 15th October 2014
MCE, Brussels, Belgium
www.isse.eu.com
Europe's leading independent, interdisciplinary security conference and exhibition
Over the past decade, Information Security Solutions Europe (ISSE) has
built an unrivalled reputation for its world-class, interdisciplinary approach
and independent perspective on the e-security market.
This year, ISSE will take place on 14th & 15th October in Brussels. The event regularly attracts over
300 professionals, including government, commercial end-users and industry experts, who come together
for a unique all-encompassing opportunity to learn, share and discuss the latest developments in
e-security and identity management.
Programme Topic Areas
Trust Services, eID and Cloud Security
European trust services and eIdentity regulation, governance rules,
standardization, interoperability of services and applications, architectures
in the cloud, governance, risks, migration issues
BYOD and Mobile Security
Processes and technologies for managing BYOD programs,
smartphone/tablet security, mobile malware, application threats
Cybersecurity, Cybercrime, Critical Infrastructures
Attacks & countermeasures against industrial Infrastructures; CERT/CSIRT
European & global developments, resilience of networks & services,
surveillance techniques & analytics
Security Management, CISO Inside
CISOs featuring the latest trends and issues in information security, risk
mitigation, compliance & governance; policy, planning and emerging areas
of enterprise security architecture
Privacy, Data Protection, Human Factors
Issues in big data & cloud, privacy enhancing technologies, insider threats,
social networking/engineering and security awareness programs
Regulation & Policies
Governmental cybersecurity strategies, authentication, authorization &
accounting, governance, risk & compliance
For more information visit www.isse.eu.com
In partnership with
@ISSEConference
Advanced Exploits with Metasploit
Copyright 2014 Hakin9 Media Sp. z o.o. SK
Table of Contents
Exploitation Of Hash Functions
By Deepanshu Khanna and Er Laveena Sehgal
Cryptography is the method or protocol for securing information exchanged over an insecure channel
between two communicating parties. For instance, take the two parties most famous in the field of
cryptography, Alice and Bob, and assume Alice wants to share some information with Bob. The main
problem is how to share the data over such an insecure channel. Cryptography comes to the rescue: it
provides a way to communicate securely (though not 100% securely) even over an insecure channel.
Dr. Web for Android
By Amit Chugh
The Dr.Web Anti-virus solution keeps your Android mobile safe from known viruses in the
Internet. This application is designed to protect the mobile from known threats. Because of their
popularity, Android-based devices are rapidly becoming a target for a surging tide of malware
and spyware. The Dr.Web Anti-virus solution ensures that infections are eliminated. It also scans
mobile devices for hidden malicious data.
Building a Successful Disaster Recovery Program
By Michael Lemire
Today, business is dependent on the continuous availability of technology infrastructure,
platforms and services. For this reason, disaster recovery planning continues to gain prominence
as a critical part of risk management. This article aims to summarize how to implement a
successful disaster recovery program.
Step by Step Guide for Pentesting VoIP Devices (VoIP Hacking)
By Omkar Joshi
VoIP (Voice over IP) is a technology for delivering voice and streaming sessions over IP. SIP (Session
Initiation Protocol) is the general-purpose protocol used for managing these sessions and provides the
method for voice signaling. VoIP applies SIP to perform operations such as setting up, terminating and
modifying voice and video calls. The calls themselves are transported by other protocols such as RTP
(Real-time Transport Protocol).
Exploiting Adobe
for Android, which is a unique technology for detecting new virus families using knowledge about
previous threats. Origins Tracing for Android can identify recompiled viruses, e.g. Android.SMSSend and
Android.MobileSpy, as well as applications infected by Android.ADRD, Android.Geinimi and
Android.DreamExploid. The names of threats detected using Origins Tracing for Android take the form
Android.VirusName.origin.
Full scan: Allows you to check the entire phone for possible infections, malware, or unwanted apps such as adware.
On-Access scan: Automatically scans apps as soon as they are installed on your device, notifying you immediately of any malicious or suspicious apps.
Always up-to-date: Comprehensive virus detection thanks to SpIDer Guard (File Monitor) which delivers
up-to-the-minute protection. It resides in the memory of the device and checks files as they are modified and
saved. This monitoring ensures that the device is always protected from viruses.
Installation ease: The client is very easy to install on Android OS.
Minimal battery usage: Even though the app is constantly running in the background, the battery usage and
the operating system performance hit were minimal.
Configurable scan: Option of performing a need-based full scan / customized scan.
Real-time anti-virus protection.
Filtering phone numbers: Ability to filter calls & SMS from specified numbers. The list can be edited through the
UI and used either as a whitelist, which allows calls and SMS only from the listed numbers, or as a blacklist, which
blocks calls and SMS from the listed numbers.
URL filter Cloud Checker: This feature allows filtering categories of dangerous websites.
Protecting data by Anti-theft feature: A mobile can be controlled in case of loss, thereby protecting precious
data available on the mobile. The anti-theft feature can be managed by sending SMS to the device.
Internet usage checker: This tool allows you to limit the use of mobile Internet. A traffic volume limit can be set
along with the duration period (day, week, or month). Usage is shown in the graphical interface.
Application traffic usage: This tool provides an option to filter data traffic per application. This helps in
understanding the Internet traffic being used by various applications running on the device. It can further be
used to configure connection rules per application.
Connection Rule setup: By monitoring the current internet activity, allow / block rules can be set to allow /
block connections from specified ports / IP Addresses of a particular application.
Log view: The application also provides the ability to view firewall / application logs. There is also an option to
clear the logs and statistics. This can be used to monitor the logs manually (if required) to view suspicious activity.
About the Author
Amit Chugh CEH, ISO 27001 LA is working as an Information Security Architect at Tech Mahindra.
Building a Successful Disaster Recovery Program
by Mike Lemire
Today, business is dependent on the continuous availability of technology infrastructure,
platforms and services. For this reason, disaster recovery planning continues to gain
prominence as a critical part of risk management. This article aims to summarize how to
implement a successful disaster recovery program.
The first question one must ask when developing disaster recovery strategies is this: what are the systems,
platforms and services which, if they were not available, would cause financial loss to your business.
There are really two primary areas here: systems which service customers and systems which your
employees require in order to do their job functions. The loss of either type of system may negatively impact
your business, but in different ways. Let's explore how.
Customer facing systems are the IT based platforms which your customers utilize in order to procure goods
and services. Additionally, in the case of SaaS and similar services, those systems may indeed be the primary
way your company provides your service to your customers. Downtime of customer facing systems means
your company may not be able to sell your products to your customers or worse, prevent your business from
providing its services to its customers. The financial impact of downtime to customer facing systems can
be severe, including loss of revenue and SLA penalties with your customers, and for customer facing
platforms which are public in nature there is the added risk of reputational damage to your company.
Corporate facing systems are the IT based platforms which your employees depend on. Corporate facing
systems include communications such as email and telecom, workflow, ERP, financial processing and those
systems which staff utilize in order to develop new products. The financial impact of downtime of corporate
facing systems primarily deals with loss of productivity. After all, payroll is typically the largest financial
burden to an organization and time wasted is money wasted. These costs can quickly escalate when systems
which the entire business is dependent on are not available.
A Risk Assessment (RA) process begins with identifying and documenting each of these critical customer
and corporate facing systems which, if they were to become unavailable, will cause financial loss to your
organization. In addition, your business is very likely dependent on other vendors. Identifying key vendors
and ensuring vendor risk assessments are conducted which look in detail at your vendors' Disaster Recovery
plans is a critical function of a Vendor Risk Management program. Lastly, the RA must identify people
(or, hopefully, teams of redundant people) within your organization who are critical to maintaining your
production systems.
A Business Impact Analysis (BIA) attempts to quantify what would be the financial loss to the business if
these systems were to become unavailable. Negative financial impact comes in two flavors: quantitative and
qualitative. Quantitative impacts are easier to itemize. For example, how much business does your web site
generate per day? What would be the SLA penalties if your business was unable to provide its services to its
customers? Qualitative impacts are those which negatively impact the reputation to your business, and what
would the impact to future sales be if your reputation was damaged by your services not being available?
Because there are many factors which could lead to financial loss and reputational damage the BIA can
certainly be an imperfect science.
The RA and BIA exercises will produce two very important outcomes:
what are your most critical technology platforms?
what investments in disaster recovery planning make the most sense to the business?
The RA and BIA will inform the business of risks and importantly then demonstrate the justification for
investing in Disaster Recovery programs. A mature Disaster Recovery program does not come cheaply;
it requires personnel who create DR plans (including you, the Disaster Recovery planner), equipment,
redundant infrastructure and capacity. For this reason the Risk Assessment and BIA must be socialized
within the business to key stakeholders. These stakeholders may include, depending on the size of your
organization, business leadership and boards of directors. Additionally compliance, legal and information
security teams must be consulted as your organization may have regulatory, legal or contractual obligations
which necessitate Disaster Recovery plans be in place and tested.
Disaster Recovery: More Than Just Planning for Disasters
Disaster Recovery is often thought of just as its name suggests: how to recover from a disaster. When we think
of disaster we tend to think of what is typically and legally called an "act of God": events out of human
control such as a flood, fire, hurricane or earthquake. These types of events may take down an entire
geography, data center or office. Impact scenarios attempt to quantify what are the most likely of such
events. For example, if your data center is located in a geographic fault zone then perhaps the risk of an
earthquake is more realistic than if not. Other impact scenarios include political instability or regional events
which may take down a power grid.
While disasters do occur and must be planned for appropriately, the truth is that outages to production
systems are more commonly the result of other types of issues. However the DR planning should encompass
and aim to reduce the risk of any incident which can cause a production system to become unavailable.
Chief among the types of incidents which cause production outages are Change Control (changes introduced
into the production systems by developers or system administrators) and failure of a hardware or software
component which is a Single Point of Failure (SPoF). A SPoF is any hardware or software component
whose failure results in the entire system becoming unavailable. A mature Disaster Recovery (and
Business Continuity) program identifies and mitigates weaknesses in Change Control processes and
identifies and mitigates SPoFs.
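The SPoF definition above is easy to state but hard to apply by eye once a platform has more than a handful of dependencies. The following added example (written here for illustration, not code from the article or its author) models a small service topology as components with redundancy groups, then finds every component whose lone failure would take down one of the critical services identified in the Risk Assessment. The component names, the dependency graph and the "add a database replica" mitigation are constructed for the example.

```python
"""Find single points of failure (SPoFs) in a modelled service topology.

Constructed example: every component name and dependency below is invented
for illustration; none of it comes from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Component:
    """A hardware or software component and what it needs in order to run.

    depends_on is a list of groups. The members of one group are
    interchangeable (redundant) alternatives; the component is available
    only if every group still has at least one available member.
    """
    name: str
    depends_on: list[list[str]] = field(default_factory=list)


def is_available(name: str, topology: dict[str, Component], failed: set[str],
                 visiting: frozenset[str] = frozenset()) -> bool:
    """Return True if `name` is up given the set of currently failed components."""
    if name in failed or name in visiting:
        # A failed component is down; a dependency cycle is treated as down
        # rather than recursing forever.
        return False
    nested = visiting | {name}
    return all(
        any(is_available(member, topology, failed, nested) for member in group)
        for group in topology[name].depends_on
    )


def single_points_of_failure(topology: dict[str, Component],
                             critical: set[str]) -> dict[str, list[str]]:
    """Map each SPoF to the critical services its lone failure would take down.

    Each component is failed in isolation; if any critical service then becomes
    unavailable, that component is a single point of failure for it.
    """
    spofs: dict[str, list[str]] = {}
    for candidate in topology:
        if candidate in critical:
            continue  # a service's own outage is the symptom, not the SPoF
        impacted = sorted(s for s in critical
                          if not is_available(s, topology, {candidate}))
        if impacted:
            spofs[candidate] = impacted
    return spofs


def build_topology(components: list[Component]) -> dict[str, Component]:
    return {c.name: c for c in components}


# Constructed sample: a customer-facing storefront and a corporate payroll
# system, both sharing one database on one storage array.
BEFORE = build_topology([
    Component("storefront", [["lb"], ["web1", "web2"], ["db-primary"]]),
    Component("payroll", [["erp"]]),
    Component("lb", [["switch-a", "switch-b"]]),
    Component("web1", [["switch-a"]]),
    Component("web2", [["switch-b"]]),
    Component("erp", [["db-primary"]]),
    Component("db-primary", [["san"]]),
    Component("switch-a"),
    Component("switch-b"),
    Component("san"),
])
CRITICAL = {"storefront", "payroll"}


def mitigated_topology() -> dict[str, Component]:
    """The same system after adding a database replica on separate storage."""
    after = dict(BEFORE)
    after["storefront"] = Component(
        "storefront", [["lb"], ["web1", "web2"], ["db-primary", "db-replica"]])
    after["erp"] = Component("erp", [["db-primary", "db-replica"]])
    after["db-replica"] = Component("db-replica", [["san-2"]])
    after["san-2"] = Component("san-2")
    return after


if __name__ == "__main__":
    for label, topo in (("before", BEFORE), ("after", mitigated_topology())):
        print(f"SPoFs {label} mitigation:")
        for comp, services in single_points_of_failure(topo, CRITICAL).items():
            print(f"  {comp:<12} takes down {', '.join(services)}")
```

Running the script shows that the shared database and its storage array are SPoFs for both critical services before the replica is added, and that the load balancer and ERP application remain SPoFs afterwards, which is exactly the kind of prioritised list the RA and BIA need in order to justify the next DR investment.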
Disaster Recovery Strategies
IT systems are run from data centers, and a Disaster Recovery strategy considers what the contingency
plans if that data center were to become unavailable. Your data center may be owned and managed by your
organization or run by a service provider in a co-location arrangement. There are several approaches to
recovery strategy with varying levels of investment required from small to great. Your RA and BIA will help
you determine the appropriate strategy for your organization.
Single data center, recover on site. Even if your organization runs its platforms from a single data center,
and the RA and BIA have determined that a single data center deployment is sufficient investment,
plans should be developed to recover if a disaster were to affect that data center. For example,
the data center itself should have layers of redundancy and failover and backup plans for loss of power and
network connectivity. Data should be regularly backed up and taken or replicated off site to a secure location
so that it may be recovered elsewhere.
Cold standby data center. In a cold standby data center scenario your organization data is (ideally
continuously) replicated to a secondary data center where means and plans to bring production systems back
online do not exist but must be built, configured and tested before they would become available.
Warm standby data center. A warm standby data center builds on the cold standby approach by ensuring
equipment is available and pre-configured to serve as the production environment but not brought up
unless a disaster brings down the production data center.
Hot standby data center. A hot standby data center is continuously available in case the production data
center suffers a disaster.
Highly Available (HA) data centers. A HA data center arrangement is the most ideal from a disaster recovery
perspective. Two data centers with some regional diversity are both live and serving customers and/or
the organization simultaneously. Either data center can go down; production systems are maintained but
at diminished capacity. An important limitation in this approach is distance; HA data centers require data
continuously be replicated between both data centers. Synchronous database replication in particular is
contingent on the databases being close enough together geographically so that latency does not negatively
impact the ability of the databases to stay in sync as they are continuously updated.
Critical Components of your Disaster Recovery Plan
It is important to recognize the DR plan will be most needed during a disaster. No one has time to read
extraneous information which is not related to what steps need to be taken to recover from a disaster. For this
reason the DR plan should be concise and to the point.
The most critical components of your DR plan are the details of how an incident should be escalated and
communicated within your organization. Rapid response to a disaster is critical and key decision makers
may need to be called in to declare a disaster or initiate the DR plan. The plan should clearly establish
what constitutes a disaster and who should be contacted and how. There may be several escalation and
communications paths in your plan. Operations and support teams must be notified and brought in to begin
recovery processes which are documented in your plan. Additionally legal, public relations and/or marketing
teams should be escalated too so that customers and, if needed, the general public are provided timely and
accurate status as to the resumption of production processes. Communication plans may include establishing
phone conference lines, email groups and updates to intranets and/or Twitter feeds. The communications
paths themselves should have redundant paths because any of them may also be affected by a disaster.
Naturally your DR plan will detail the actions your teams will take to recover production systems and may
include details pertaining to how to fail over systems, contact critical vendors or bring up secondary sites.
Finally your DR plan will detail expected SLAs particularly for communication escalations; operations
or support personnel must understand the importance of prompt escalation of contingency events and this
should be detailed in your plan.
Integrating Disaster Recovery Plans in your Organization
A successful disaster recovery plan is not a plan which sits on a shelf which no one knows about or where
to find when a disaster occurs. The DR plan must be socialized and integrated into other organizational
processes including support, operations, engineering and leadership teams. The DR plan must be made
available to these teams and integrated into their escalation and communication processes. Access to the DR
plan must itself be disaster proof. What good is a DR plan if it's stored on a production system which is
unavailable in a disaster?
Testing the Disaster Recovery Plan
Minimally, disaster recovery plans should be updated continuously as new platforms are introduced and
adjusted as the IT landscape changes. A review once per quarter or year is typical. Additionally, DR plans need
to be tested at least once per year. Testing of a DR plan may range from a walkthrough of the plan with all
stakeholders, through componentized testing of failover capabilities for platforms and services, to full-scale
disaster simulations and data center failover tests.
Summary
A successful Disaster Recovery program begins with understanding what are the most critical systems to
your organization and enables the business to prioritize disaster recovery investment decisions.
The program will also reduce risk of outages to production platforms and the potential for negative financial
and reputational impact and finally provides your organization with a solid plan for recovering from a
disaster as quickly as possible.
About the Author
Mike Lemire is currently a Business Information Security Officer at Pearson, a global education and
publishing company and has been involved with disaster recovery planning for nearly a decade. Mike is
on twitter at @mike_lemire.