Editor's note

Recommendations

Info

If we have made an in-depth risk analysis (sorry if I insist), we should know that even when these devices are not company-owned, we still need to include them in the strategic security plan; to say it clearly: wherever there is company valuable information, there are no excuses for not protecting it. Illegal Software, Dual Problem I Unfortunately it is true that many people use illegal software as a protection method! Besides being a logical nonsense, it entails a severe risk since there are many documented threats hidden in antivirus software or other kinds of allegedly fake antimalware; not to mention illegal software infection rates, usually downloaded from sites specialized in these matters. We are all responsible for bringing awareness both to companies and individuals; similarly we are accountable for pursuing the necessary know-how to understand this world we live in and decrease risk exposure. Keep One’s Eyes On The Ball Many of the APT type attacks have been targeted to access and expose an organization’s sensitive information. In some cases, information disclosed was not that valuable per se; but the discredit caused by such a disclosure was! What would happen if we could protect information in such a way that even when accessed by an attacker the same could not be used? Well, that’s what I mean when I say we should keep one’s eyes on the ball! Some experts recommend use of different encryption techniques (more or less complex and focused on different devices) as a way to reduce information exposure degree. Even when information could be accessed and extracted from the organization, decryption would be such a complex process that it would take hundreds or thousands of years to decrypt, using last generation computers, thus making its practical use impossible. This clearly raises many other technical nature challenges, e.g. digital certificates custody, though if we consider we still have the chance to apply much simpler techniques for applications like files encoding and database encryption for applications, just to mention a few, this kind of risk mitigation techniques could have their preferential space in the next future of information security. Give Him An Inch And He Will Take A Mile Stuxnet, Operation Shady RAT and the attacks against the International Olympic Committee and the World starterkit 02/2011(2) SOCIAL FRAUD Anti-Doping Agency (reportedly hidden and active at least during 5 years), among many others, are clear examples of what could happen but are not decisive when it comes to analyzing the future; all we can attest is not knowing what new threats will appear. However, we’ve got so much to do before giving up, some people even say that this is a war and that we can win it; I believe it’s too soon to say that, though without a doubt there’s plenty of room for improvement in most companies and public agencies information security management systems. There is one point where many experts agree; i.e. that new attacks call for new monitoring, detection, and prevention techniques; however these techniques do exist, the problem is just that they are not used widely enough. Just to give you an example; the SIEM (Security Information and Event Management) notion is practically unknown and partially implemented by many organizations, missing the opportunity to have at least integral monitoring systems that enable threat detection from the behavioral standpoint, supplementing pattern detection systems and other heuristic techniques; a value added for this kind of systems is that they enable audit leads, very useful to minimize impact in the event of an attack! GABRIEL MARCOS Twitter: @jarvel Page 34 http://pentestmag.com
If we have made an in-depth risk analysis (sorry if I insist), we should know that even when these devices are not company-owned, we still need to include them in the strategic security plan; to say it clearly: wherever there is company valuable information, there are no excuses for not protecting it. Illegal Software, Dual Problem I Unfortunately it is true that many people use illegal software as a protection method! Besides being a logical nonsense, it entails a severe risk since there are many documented threats hidden in antivirus software or other kinds of allegedly fake antimalware; not to mention illegal software infection rates, usually downloaded from sites specialized in these matters. We are all responsible for bringing awareness both to companies and individuals; similarly we are accountable for pursuing the necessary know-how to understand this world we live in and decrease risk exposure. Keep One’s Eyes On The Ball Many of the APT type attacks have been targeted to access and expose an organization’s sensitive information. In some cases, information disclosed was not that valuable per se; but the discredit caused by such a disclosure was! What would happen if we could protect information in such a way that even when accessed by an attacker the same could not be used? Well, that’s what I mean when I say we should keep one’s eyes on the ball! Some experts recommend use of different encryption techniques (more or less complex and focused on different devices) as a way to reduce information exposure degree. Even when information could be accessed and extracted from the organization, decryption would be such a complex process that it would take hundreds or thousands of years to decrypt, using last generation computers, thus making its practical use impossible. This clearly raises many other technical nature challenges, e.g. digital certificates custody, though if we consider we still have the chance to apply much simpler techniques for applications like files encoding and database encryption for applications, just to mention a few, this kind of risk mitigation techniques could have their preferential space in the next future of information security. Give Him An Inch And He Will Take A Mile Stuxnet, Operation Shady RAT and the attacks against the International Olympic Committee and the World starterkit 02/2011(2) SOCIAL FRAUD Anti-Doping Agency (reportedly hidden and active at least during 5 years), among many others, are clear examples of what could happen but are not decisive when it comes to analyzing the future; all we can attest is not knowing what new threats will appear. However, we’ve got so much to do before giving up, some people even say that this is a war and that we can win it; I believe it’s too soon to say that, though without a doubt there’s plenty of room for improvement in most companies and public agencies information security management systems. There is one point where many experts agree; i.e. that new attacks call for new monitoring, detection, and prevention techniques; however these techniques do exist, the problem is just that they are not used widely enough. Just to give you an example; the SIEM (Security Information and Event Management) notion is practically unknown and partially implemented by many organizations, missing the opportunity to have at least integral monitoring systems that enable threat detection from the behavioral standpoint, supplementing pattern detection systems and other heuristic techniques; a value added for this kind of systems is that they enable audit leads, very useful to minimize impact in the event of an attack! GABRIEL MARCOS Twitter: @jarvel Page 34 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33: analysis that should not be made by
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?