Editor's note

Recommendations

Info

and nonsense information displayed. This attack uses password cracking to penetrate websites that the attacker wants to deface. Some of the common ways to get into a website is by dictionary attack. A dictionary file (a text file full of dictionary words) is loaded into a cracking application, which is run against common user accounts used by the application or website login. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job. Packet Sniffing Packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network. Key Loggers These are programs that record keystrokes made by a user, allowing crackers to discover passwords and login codes. Rootkits and Backdoors Rootkits are a collection of programs that permits administrator-level control of a computer. Hackers use rootkits to control computers and evade detection. Backdoors are methods of circumventing the normal operating-system procedures, allowing a cracker to access information on another computer. Spoong attack (Phishing) A spoofing attack usually involves a program, system, or website masquerading as another thereby being treated as a trusted system by a user or another program. The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker. Vulnerability Scanner A vulnerability scanner is a tool used to check computers and networks for known weaknesses. Hackers also commonly use port scanners. These softwares check to see which ports on a specified computer are open or available to access the computer. Once open ports are discovered smart programmers can access the computer or network and cause havoc. So how do you protect your organization from such attacks? The simple answer of avoiding the internet is not a feasible answer because the global economy now depends on the internet, and you cannot opt out of it. Hence, customers, businessmen and governments need additional confidence that their money, confidential documents, military secrets, starterkit 02/2011(2) SOLUTIONS etc., are not compromised by pranksters and enemies. Providing this additional confidence lies in implementing a proper cyber security system to prevent unauthorized entry into a computer network. However, an important question that arises in all these discussions is – who are the owners of cyber security in an organization? Most would immediately say the owners would (or should) be the person(s) supporting the IT equipment. After all, you might argue those techies are the ones babysitting the computer systems. But this is an incorrect assumption. Actually, the true owners of cyber security are the business managers of your organization. Though your organization may have hired some IT staff or external vendors to manage the IT infrastructure, but from a business perspective they are not the owners of your cyber security. For example, if your server gets hacked and funds stolen from customer accounts the techies cannot be solely blamed for the crime and reputation damage. They may technically operate the system, but it is your business managers who should understand the potential loss in terms of financial, reputation or legal aspects of cyber attacks. In most organizations business managers do not understand (or try to understand) the technical department’s work and constraints, and technical people do not understand (or try to understand) the business people’s needs. While this does not mean the business manager become techies themselves, they can assist in implementing cyber security by doing the following good deeds for their techies. Knowledge The advancement and easy availability of new and useful technologies today have enabled thousands of organizations worldwide to implement and become heavily dependent on technology for running their businesses. Today, it is not possible to run any organization, small or big, without the use of some computer- or telecom-related technology. With so much proliferation of hardware, software and networking equipment, it is necessary for business managers to be aware of the advantages and disadvantages of using technology. While it does not mean they start operating the computers themselves, business managers must understand what the loss is in terms of financial, reputation, regulatory or legal consequences for disasters related to cyber threats. Financial Support Provide necessary budgets for comprehensive maintenance of hardware, software, telecom equipment, spares, backup devices, etc. For example, suppose Page 42 http://pentestmag.com
your business managers do not approve the purchase of a good firewall and intrusion protection system, or fail to enroll into hardware maintenance for an important server – the IT staff will not be able to do much in the event of a hacking, data loss or some other technical problem on that server. Provide Proper Manpower Reduced manpower and facilities in critical areas will inevitably, directly or indirectly, affect the business. It is worth highlighting that no matter how secure the technology is people are still the key to real security. If employees do not see security as a top priority, then even the most secure system can easily be broken into. Even with robust technology, there is always a need for high-quality employees and a proper education in place between business and employee. After all, unprofessional or disaffected users all too often pass critical information like passwords, loopholes, codes, etc., to others. Secondly, your business managers must ensure that departments have the necessary manpower in all areas. It is very common in organizations to skimp on manpower when it comes to support, maintenance, etc., but demand the best from a slave-sized workforce. The common saying Hire an Einstein, but refuse his request for a blackboard describes a situation that is prevalent in many organizations worldwide. Implement recommendations Your business managers must listen to recommendations proposed by technical staff, support staff, etc, for implementing a proper hacker prevention environment. Establishing such a system is an expensive business. Not every critical IT function can be worked around with a low-cost alternative. It is a common practice in many organizations to ignore or avoid IT and non- IT recommendations by giving standard excuses, like cost, even though organizations will be perfectly capable of affording it. If you are serious about intrusion prevention, then your senior management must support the necessary costs and budgets for implementing all sensible recommendations, industry standards and workarounds necessary for intrusion prevention. Get involved Senior management, including the CEO, must get involved in all aspects of their organization’s intrusion prevention processes. You must have a Show me or Prove it to me attitude to ensure your business is truly protected. Nowadays, having a proper cyber security system for many organizations is a mandatory business and audit requirement. So it should not be taken lightly. starterkit 02/2011(2) Policies Just like other essential policies in HR, finance, etc, a proper intrusion prevention policy must be enforced for all critical systems by the senior management. Secondly, all concerned employees must be properly trained to handle and report suspicious activities on their computer systems. Periodic audits must be conducted to ensure employees are following all policies and processes. Sustained commitment Cyber security is like insurance and costs money constantly. It is not enough to show interest and invest some money on a one-off basis. One of the primary roadblocks for cyber security will be lack of sustained top management commitment. For example, the top management may approve the establishment of a good cyber security system at a time when they are particularly influenced by business and competitive pressures. But later they may not be willing to invest the necessary ongoing budgets and manpower to keep the system fully operational at all times. This can result in their systems becoming outdated and become vulnerable to attacks. So continuous commitment and expenditure are required to establish the latest proper cyber security standards. In spite of all the precautions it is still possible to get hacked. Nevertheless, with the above kinds of involvement by business managers your organization can be assured of a highly secure cyber security system that can handle almost all types of hackings. Finally, we can end this article with a quote by David Brower who says – All technology should be assumed guilty until proven innocent. THEJENDRA Thejendra is an IT manager from India. He is also the author of Practical IT Service Management, Disaster Recovery & Business Continuity, God is No Angel, etc. Visit his web cave – www.thejendra.com for more details. Page 43 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41: etc., and create mayhem. And all of

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?