Social media is an addition to the toolkit – not something new and different. Small businesses need to focus on making a good product/service, marketing and distributing it effectively, and then supporting the customer. Social Media can add to all of these core pieces if used effectively. It may be free (or nearly free) but the opportunity costs must be carefully weighed before investing precious resource into it.
EDITOR’S NOTE
Pentesting market is growing
The second issue of PenTest Market is out. We have for you the next fresh dose of interviews and articles devoted exclusively to the pentesting business. The first issue was very popular, so we decided to make PenTest Market a free magazine. Now access to our content will be easier than ever. Let’s look at what we have prepared for you in this issue.
On the cover you can see Victor Mehai Christiansenn, who is the Director of Sales at SecPoint. Victor told us about the pentesting market which, in his opinion, is going to grow more and more in the upcoming years. He has also described SecPoint tools for penetration testers.
On the next pages we will „Walk through the penetration testing fundamentals” with Pierluigi Paganini. The author explains why to conduct a penetration test and shows that the penetration test is a widespread need.
We have talked with two experts in the area of IT security auditing. Michael Brozzetti told us what the difference is between an Internal Auditor and an External Auditor. We also asked him about the transition from IT security to IT Auditing. Furthermore, Mehmet Cuneyt recommended certifications, trainings and skills for someone who wants to pursue a career in IT Security Auditing.
Another interesting person that we had the pleasure to talk with was Dr. Lukas Ruf. He is a senior security and strategy consultant with Consecom AG. He has shared with us his experience from the security consulting business and told us about strict cyber privacy in the EU.
Ian Moyse, a leader in Cloud Computing, has prepared for us a combination of pieces focusing on adopting Cloud in a secure manner. He provides a list of example things to check before signing up with a cloud service provider.
„Have you M.E.T?” – a really intriguing title. Amarendra in his article writes
about what it takes to be a successful pen-tester. You just have to have M.E.T:
Mindset, Experience, Tools, techniques, and training.
Our next guests are Joe Hillis and Jay McBain. Joe is leading an initiative to engage the technology community to help Small Businesses and Communities with continuity and recovery of information systems following a disaster. Jay is an accomplished speaker, author and innovator in the IT industry. They both have much experience in IT security and you can learn a lot from them.
Our last but not least interview in this issue features Raj Goel. He is an IT and
information security expert with over 20 years of experience developing security
solutions for the banking, financial services, health care, and pharmaceutical
industries.
Finally we can present you the article by our great contributor, Aby Rao. He
provides you „10 ways to enhance your career in Information Security” based on
his personal experience. This article is primarily targeted towards people who are
at entry-level positions or are making a switch to IT Security from a different field
of work.
We hope you will find this issue of PenTest Market absorbing and uncommon.
Thank you all for your great support and invaluable help.
Enjoy reading!
Krzysztof Marczyk
& Pentest Team
02/2012(2) Page 3 http://pentestmag.com
CONTENTS

PENTESTING MARKET
06 Interview with Victor Mehai Christiansenn
by Aby Rao
The pen test market has grown a lot during the last few years and the good news is that this increase is not going to stop, as there will always be a new vulnerability and the remedy for it is required instantly. So we always try to keep finding new possible loopholes, and the customers and end users do understand the need for Pen-Testing as it’s a proactive way of finding what might be coming to them in the future; they do want to stay prepared and prevent it. There is nothing better than Pen Testing and it is just going to increase more and more in the coming time.

PENTESTING FUNDAMENTALS
08 Walk Through the Penetration Testing Fundamentals
by Pierluigi Paganini
The figure of the pen tester is a critical figure; he must think like a hacker paid to break our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has also happened in history that companies have wrongly hired hackers who later turned out to be cyber criminals. Information is power, is money, and the concept of „trust” is fundamental for this kind of analysis.

IT SECURITY AUDITING
12 Interview with Michael Brozzetti
by Aby Rao
IT security professionals can make excellent candidates for IT auditors because it’s like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking “short-cuts.” This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing.

16 Interview with Mehmet Cuneyt Uvey
by Jeff Weaver
The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for the auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more Technical skills, understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look underneath the numbers (business results), but also at the systems and processes that create those numbers.

SECURITY CONSULTING BUSINESS
20 Interview with Lukas Ruf
by Aby Rao
As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

CLOUD COMPUTING
24 Securing Clouds
by Ian Moyse
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.

SUCCESSFUL PENTESTER
28 Have you M.E.T?
by Amarendra
Due to the large gray area in the field of software security, it is very difficult to spot a good penetration tester. Add to it the „ethical” baggage, and things get even murkier. Based on experience, the author discusses the elements that make a successful penetration tester. Hopefully, these ideas shall help your organization in making a well-informed choice.

DISASTER RECOVERY
30 Interview with Joe Hillis
by Aby Rao
Disaster Recovery is a subjective area, typically viewed differently by technology professionals and business leaders. The “best” method is generally driven by a business’s operational needs and budget, but involves the common underlying process of making systems and data available after a catastrophic event. For some, it simply means having access to data files within 3 days; while others may require continuous access to systems and data, regardless of the event.

SOCIAL MEDIA
34 Interview with Jay McBain
by Aby Rao
Building a personal brand is key in today’s „flat” world. Social media is one of the tools that blend with a more physical presence through local communities, charities, industry events, associations and peer groups. Social media can build large, targeted virtual peer networks and has an ability to amplify thought leadership more than any medium in the past.

IT SECURITY
40 Interview with Raj Goel
by Aby Rao
At a very high level, CEOs and CFOs are primarily concerned with lowering costs and increasing revenues. IT security doesn’t really matter to them – I’ve met very few CEOs or CFOs who actively seek out IT compliance or IT audit services. If they could avoid them, they would – with the exception of Sarbanes-Oxley (SOX) compliance – that’s the only regulation that has captured their attention and budgets.

KNOW-HOW
44 10 Ways to Enhance Your Career in Information Security
by Aby Rao
At first glance, this may look like one of those self-help articles promising that your life will turn around 360 degrees if you follow the advice offered. Sadly, I am making no such promises. It could very well be 30 or 50 ways to enhance your career, but I have limited it to 10, based on my personal experiences. This article is primarily targeted towards people who are at entry-level positions, or are making a switch to IT Security from a different field of work. Experienced professionals shouldn’t have a problem running through the list fairly quickly.

TEAM
Editor: Krzysztof Marczyk, krzysztof.marczyk@software.com.pl
Associate Editor: Aby Rao
Betatesters / Proofreaders: Massimo Buso, Daniel Distler, Davide Quarta, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic, ewa.dudzic@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
PENTESTING MARKET
Interview with Victor Mehai Christiansenn
Victor Christiansenn is the Director of Sales at SecPoint. He established the SecPoint security firm in 1998, at the tender age of 16, in the basement of his parents’ house. Since then, the young entrepreneur has been working in the IT security industry full-time for more than 11 years. His passions are Wifi Security, Vulnerability Scanning and UTM Appliances. He is interested in Freemasonry.

SecPoint is a world-renowned IT company. What is the key to the success of your company?
Victor Christiansenn: Innovation and Continuous Development. Doing things differently than everybody else and opening up new markets, like with the Portable Penetrator. Also to quickly adapt to new requirements in the market.

You have been on the market since 1998. What was the most challenging at the beginning of your career?
VC: Every day is a challenge! Once you love your job you do not see it as a challenge.

How has the pentesting market changed during these several years? Do you consider anything as a turning point for the market?
VC: It has changed a lot. We have seen sales of the Penetrator and Portable Penetrator increase, especially in the last three years. There has been a turning point where customers have realized the need for pentesting. Plus, every other day a new vulnerability is found and as an IT Security company we always strive to find the solution to the vulnerability.

How do you see this market in the future?
VC: Growing big time. The pen test market has grown a lot during the last few years and the good news is that this increase is not going to slow down and there will always be new vulnerabilities, and the need to find a remedy for them is required as fast as possible. So, we always try to keep finding new potential loopholes and the customers and end users do understand the need for Pen-Testing as a proactive way of finding what might be coming to them in the future and they do want to stay prepared. There is nothing better than Pen Testing and it is just going to increase more and more in the coming time.

What would you advise to people who want to start their own company in the IT field?
VC: Go for it! The whole Internet is waiting for you. As I said, the threats are something that will never go away. You will always find some news about the new threats discovered. It requires a lot of manpower and skills to be able to be the one who finds it before anyone else. Then comes the part of finding the solution and integrating it into the Pen-Testing Product, so that the scanner can scan for it and find if that vulnerability is indeed present on the network.

Please, tell us more about your products (SecPoint Protector, SecPoint Penetrator, SecPoint Portable Penetrator).
VC: Protector is an advanced UTM (Unified Threat Management), which ensures Real-Time all round protection for users connected on your Wired Network. Protector comes with Advanced IT Security features like Firewall, Real-Time Intrusion Prevention IPS, Anti-Spam, Multiple Anti-Virus suites, Web Filter, Web Proxy, Anti Phishing, Content Filter, Full Mail Archiver, DLP (Data Leak Prevention), Incoming and Outgoing Mail Backup, and more. Protector is available as an Appliance, as well as in VMWare. Protector is easy to install and comes with a fully-customizable, easy to use Interface.
Penetrator is a complete Penetration Testing, Vulnerability Scanning Suite. Portable Penetrator can scan any IP over a Wired Network for vulnerabilities. The system scans and searches for over 50,000 types of vulnerabilities on any IP address. Further you can Launch Real Exploits in order to check how secure your network is. Penetrator is available as an Appliance as well as a VMWare version.
Cloud Penetrator is an online Vulnerability assessment utility that is used to check Vulnerabilities on Public IP addresses. It has an advanced Crawler that crawls through each and every page of the Website/Websites present on a Public IP Address and looks for over 50,000 types of vulnerabilities. It is a complete vulnerability assessment tool for a Public IP address. For example – SQL Injection, XSS Cross Site Scripting, Command Execution, etc. For more information you can visit our FAQ section on our web site: http://shop.secpoint.com/shop/cms-faq.html.

Are SecPoint Penetrator and SecPoint Portable Penetrator intended for all pentesters regardless of their skill level?
VC: Yes. Penetrator and Portable Penetrator come with an easy to use interface and scanning can be initiated with just three clicks. So, it is quite easy to use. The reports have an Executive Summary and in-depth Technical details for the Technical Team. Customers can also host our Products as a Cloud SAAS Service. It is a new trend that is quite rewarding and is getting more and more famous every day around the globe.

Which companies would benefit the most from your services? In which part of the world do you have the most business contacts?
VC: Apart from the enterprise level products, we also have entry level products for Small and Medium Businesses. So, we try to serve all sectors. We have the biggest customer base in Europe and USA.
With SecPoint’s ‘No Hidden Cost Policy,’ customers get the convenience of obtaining the solution they need at no extra cost. Products come with many features and upgrades, but they do not need to pay for them separately.

How can you become a SecPoint employee? What traits and skills are highly appreciated? What may discourage you in hiring a potential employee?
VC: We ONLY work with the best. If you have the skills, we have the right place for you. The IT Security Industry always welcomes talented people. „Skills” and „Results on time” are highly appreciated everywhere. It is nothing but the game of speed, where you need to be able to find a possible loophole, then find the solution, and then integrate it into the scanner. It is a game of Speed and Skills. The better the skill, the faster and more accurate your output will be.

How will SecPoint surprise us in the future? What are the long-term plans of the company?
VC: Watch out for 2012 and 2013! Many new things are coming. We are working around the clock in order to get more and more features built. By mid-2012 we are planning to add some exciting new features to our products and the development phase is a never ending process.

ABY RAO
Aby Rao has several years of experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Databases. He is skilled at planning and leading all phases of the Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
PENTESTING FUNDAMENTALS
Walk through the penetration testing fundamentals
Talking about penetration testing fundamentals and their introduction in the private and military sectors. The growing demand for experienced IT professionals demonstrates awareness of the matter; it is an expression of the need to deeply analyze every aspect of technology solutions.

The level of security and confidence requested by the market requires a meticulous approach in the testing phase of architectures, and the methods introduced in recent years have become an integral part of the production cycle of each solution.

Why conduct a penetration test?
Penetration testing is a fundamental method for evaluating the security level of a computer architecture or network; it consists in the simulation of an attack on the resources of the system under analysis.
Of course the investigation can be conducted by experts to audit the security level of the target, but also by cyber criminals who want to exploit the system.
The penetration testing process is conducted over the target searching for any kind of vulnerability that could be exploited, such as software bugs, improper configurations and hardware flaws.
The expertise provided by professional penetration testers is an irreplaceable component of the security evaluation of systems deployed in the private and military sectors. In many sectors these kinds of tests are requested for the validation of any system or component.
The testing approach has radically changed over the years: similar tests were originally conducted mainly on systems already in production or operation in order to demonstrate their vulnerabilities, whereas today’s test sessions are planned as part of the design phase and assigned to internal or external staff according to the type of checks to be conducted.
A first classification of penetration tests is based on the knowledge of the technical details of the final target, distinguishing black box testing from white box testing. Black box testing assumes no prior knowledge of the system under test: the attacker has first to locate the target and identify its surface before starting the analysis. With the term white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.
The figure of the pen tester is a critical one: he must think like a hacker paid to break into our infrastructures and access the sensitive information we possess, and for this reason the choice of reliable and professional experts is crucial. The risk of engaging the wrong professionals is high, and it has also happened in the past that companies have wrongly hired hackers who later turned out to be cyber criminals. Information is power, is money, and the concept of “trust” is fundamental for this kind of analysis.
Over the years, awareness of the risks attributable to exploitable vulnerabilities in systems, and of their economic impact, has fortunately increased. This aspect is not negligible because it has enabled a more robust commitment by company management, which has requested penetration testing activities more and more often.
An effective penetration test provides the company with a useful report on the status of its services and its exposure to the main known threats. Don’t forget that many incidents registered last year were related to unknown vulnerabilities in the victims’ systems and to misconfiguration of appliances of every kind.
While the main objective of penetration testing is to determine the security level of the company, and in particular of its infrastructures, it can have a number of further objectives, including testing the organization’s security incident identification and response capability, testing security policy compliance and testing employee security awareness.
The main benefits of a well done penetration test are:

• Identification and classification of the vulnerabilities of the systems. The classification aspect is essential to give the right priority to the activities needed to improve security and secure the infrastructure.
• Identification of those critical components in the attack surface of a system that, while not vulnerable, have characteristics that make them susceptible to attacks over time.
• Determining the feasibility of a particular set of attack vectors.
• Helping organizations meet regulatory compliance.
• Identification of the vulnerabilities is the starting point for a deeper analysis made to assess the potential impact on the business of the company.
• Providing evidence of the real status of the systems by providing a detailed report to the management of a company. It is the starting point because, starting from the report, the company must proceed to secure its infrastructures, evaluating corrective actions and their impact on the actual business. Well-documented penetration test results help management to identify the right actions to secure the structures and to size the budget for them.

According to the principal methodologies, the whole process of a penetration test, from initial requirements analysis to report generation, can be applied to the following areas:

• Information security
• Process security
• Internet technology security
• Communications security
• Wireless security
• Physical security

Standards & Regulations
Penetration testing activities are also being regulated by several standards. For example the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual and ongoing penetration testing. PCI DSS Requirement 11.3 (https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf) describes penetration testing as the attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
Figure 1. How safe is your computer?
The standard also includes network and application layer testing as well as the controls and processes around the networks and applications, and testing should occur both from outside the network trying to come in (external testing) and from inside the network.
The most important factor for a successful penetration test is the adopted methodology; that is the reason why the discipline has evolved since its origin in the 1970s.
Over the years professionals have proposed and developed efficient frameworks for conducting a complete and accurate penetration test.
The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de facto methodology for performing penetration testing and obtaining security metrics.
Pete Herzog, the OSSTMM creator, said: “The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey’s already meager security budget; those who would side-step business values with over-hyped threats of legal compliance, cyber-terrorism, and hackers.”
In my opinion transparency and an efficient methodology are essential for the study and the assessment of every system.
Just to give a complete view of the standards and methodologies in penetration testing, we can recall the other guidelines recognized worldwide:

• Standards for Information Systems Auditing (ISACA), introduced in 1967. The ISACA organization provides the basic and most important audit certifications, useful to demonstrate to the market mastery of the concepts of security, control and audit of information systems.
• OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure Web applications and Web services.
• NSA Infrastructure Evaluation Methodology (IEM)

Figure 2. Chinese Army computer hacking class

How effective are our systems, how efficient are our processes? We are never going to know until we run drills and exercises that stress the platforms and perform the analysis. Simulating the possible attacks and measuring the level of response of our architecture is fundamental; we have learned from events how dangerous an unpredicted incident can be.
Conducting a pen test is a good opportunity to test the level of security of an environment, but also to evaluate the response of the company to an intrusion or to an incident. Using this methodology it is possible to stress and analyze a system or an application, discovering
its vulnerabilities and the impact of every possible attack or malfunction on the overall architecture and on related systems. It has happened that during a penetration test mutual vulnerabilities between components were discovered; for example, the exploitation of a first Web service could cause the blocking of, or worse an exploit in, a related system that uses the services provided.
Several years ago, during the period in which I conducted penetration testing for a major company, I observed during a test session that some components were intentionally excluded because the administrators of the platforms had been informed regarding the vulnerabilities. That behavior is really dangerous: excluding weak systems during a penetration test is a common wrong practice that prevents an efficient analysis of the system. In this way we will never be able to measure the impact of the vulnerabilities on the overall security, regardless of how the risks are addressed and recognized by the management of a firm. In a past experience I had the opportunity to audit an ISO 27001 compliant company; its management was perfectly aware of some known vulnerabilities and had accepted the related risks. A few months later, an external attack damaged the company due to an unknown vulnerability correlated to a well-known problem that had not been tested.

Penetration Test, a widespread need
If the practice of carrying out a penetration test is recognized and requested by the major standards that we examined in a private environment, it becomes crucial in critical environments such as the military and government.
In these areas information management is extremely sensitive and it is essential for the environments to be tamper-resistant. For this reason, every device, component and infrastructure must be subjected to rigorous testing over time for the purpose of assessing the level of overall security. Particularly critical are all those heterogeneous environments where components are provided by different providers and whose interaction enables the delivery of services. It is this type of environment, together with those characterized by openness to the outside, that is a real thorn in the side of management bodies, as these architectures are more exposed to external threats.
In recent years there has been a dramatic growth of the attacks perpetrated against successful private companies and government agencies, a phenomenon of constant and growing concern.
Demonstration projects conducted by hacktivist groups like Anonymous, warfare operations conducted by foreign governments for purposes of offense and cyber espionage, and an unprecedented increase in cyber criminal activities have attracted attention to the security requirements of any IT solution. Verifying the effectiveness of the defensive solutions mentioned has become a significant activity that has led to an increased demand for figures such as the penetration tester, a multidisciplinary and multifaceted professional with the ability to analyze and study a system, identifying its vulnerabilities.
Of course in critical environments, like a military one, governments, due to the secrecy of the solutions analyzed, have preferred to promote internally grown groups of experts trained to execute penetration tests. In these sectors nations such as China, Russia and the US are at the forefront.
Also taking as an example systems within critical infrastructures, the related vulnerabilities are alerting the world security community. The case of the Stuxnet virus has taught the world how dangerous a cyber weapon capable of exploiting a vulnerability in a system might be. The only possibility we have facing these cyber threats is to thoroughly test each individual component of the systems we are going to deploy. The method of soliciting such infrastructure through penetration tests is an essential, unique opportunity to identify critical vulnerabilities that, if exploited, could affect its security posture.
Penetration tests are a precious opportunity to protect our infrastructures and must be integrated into more articulated testing policies; a good example has been provided by Special Publication 800-42, Guideline on Network Security Testing, published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.
Let me conclude with a phrase that I’ve read several times on the Web that sums up the purpose of penetration test methodology:
“Protecting your enterprise by breaking it”

PIERLUIGI PAGANINI
Pierluigi Paganini has a Bachelor in Computer Science Engineering IT, majoring in Computer Security and Hacking techniques. Security expert with over 20 years experience in the field. Certified Ethical Hacker at EC Council in London. Currently he is Company Operation Director for Bit4Id, Researcher, Security Evangelist, Security Analyst and Freelance Writer. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog „Security Affairs”.
Security Affairs (http://securityaffairs.co/wordpress)
Email: pierluigi.paganini@securityaffairs.co
IT SECURITY AUDITING
Interview with Michael Brozzetti

Michael Brozzetti (CIA, CISA, CGEIT) is President of Boundless LLC, an expert internal auditing and governance firm, and is Chairman of the Business Integrity Alliance™, which is a joint venture between zEthics, Inc. and Boundless LLC missioned to advocate and advance the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael has a passion for helping organizations strategically manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation.

It’s not very common for us to interview professionals with extensive audit experience. Please tell us about your background and professional experience.

Michael Brozzetti: I started my auditing career with PricewaterhouseCoopers LLP (PwC) as an intern where I gained a lot of experience in the IT Auditing, IT Governance, and Business Process Reengineering domains. In 2002, I moved into working full-time as an IT Auditor at Charming Shoppes, which is a publicly traded specialty retail company. At that time, the company was going through transition and had decided to bolster its Internal Audit department by hiring lots of fresh talent so I had an excellent opportunity to work with a lot of great people to help build a new Internal Audit department from the ground up. It was a unique and valuable experience to help such a large company design and implement internal audit processes and systems to support all of the auditing and consulting engagements performed by the department. In 2005, I decided to take that “leap of faith” and focused my energy into Boundless LLC, which later became recognized as a Philadelphia 100 “Fastest Growing Company” in 2010.

Can you tell us a little bit about your company Boundless LLC and the services you offer?

MB: Boundless LLC helps safeguard reputation and fiduciary integrity by helping organizations manage the risk of internal control failure, respond to critical risk events, and improve the quality of internal audit activities. We accomplish this by helping organizations integrate and improve their organizational ARCs – Audit, Risk, and Compliance – through our training, speaking, and consulting service offerings. “One-size” does not fit all anymore so Boundless remains flexible in supporting our clients’ needs and when we are engaged in a consulting capacity we work on a retainer basis pledging to uphold the Institute of Internal Auditors (IIA) Code of Ethics principles for
integrity, objectivity, competence, and confidentiality. This is what differentiates us from the other consulting firms. Training and speaking is where I like to spend the majority of my time because I find it rewarding to help people improve what they do and how they do it.

You teach at a university, what courses do you teach and how has it helped you as a professional?

MB: I teach a Certified Internal Auditor (CIA) review course in partnership with Villanova University and the Institute of Internal Auditors (IIA). The CIA is the only globally accepted designation for internal auditors. It is the standard by which internal audit professionals demonstrate their knowledge and competence in the areas of governance, risk and control. I think what has helped me most as a professional is the interaction with so many talented Internal Auditors that come to take the course. The course design promotes experiential learning so when an audit topic is discussed it is often anchored to the real world experiences of the group. This learning style really makes the course topics resonate with participants and it also fosters an excellent 360 degree learning environment for participants, as well as myself.

This may sound quite rudimentary but can you tell us what the difference is between an Internal Auditor and an External auditor?

MB: External auditors are primarily responsible for providing opinions about financial statements within the scope of accounting standards and rules. The external auditors’ approach is historical in nature, usually looking at the previous fiscal year or quarter, and typically puts their greatest focus on financial reporting risk. On the other hand, Internal auditors have a much broader responsibility for assessing operational risk, fraud risk, strategic risk, technology risk, and financial risk beyond just that of financial reporting. Internal Auditors often take a more forward looking approach and ultimately make recommendations to improve the governance, risk, and control processes of their organizations. Reference (http://www.youtube.com/watch?v=4-ko4n-Hyjs).

In the past you have spoken about values, morals and ethics. Why would these terms be important to any organization?

MB: These terms are particularly important to how an organization governs itself and behaves to its internal and external stakeholders. Professional standards say that internal auditors are responsible for promoting appropriate ethics and values within the organization. I have come to the belief that values do, in fact, motivate while morals and ethics constrain behavior, which was a notion written on by Paul Chippendale. A simple way to discern the difference between morals and ethics is that morals are related to a single person’s belief of what is acceptable and ethics are related to a group belief of what is acceptable. Does a company want to make a profit? YES, of course, but at what cost and what constrains the company from using overly aggressive captive pricing practices, misleading sales practices, or cheap foreign labor where work safety and employee health is of little concern. I would say ethics in this case should be the constraint, however some would argue as long as it is legal it is okay. I disagree with this mentality and believe that most law and regulation should be viewed as the bare minimum. When making significant business decisions I encourage companies to routinely ask three questions. 1) Is it legal? 2) Is it ethical? 3) Is it sustainable? If you can’t say YES to questions 1 and 2 it is really difficult to say Yes to number 3 which more than likely proves it to be a bad business decision from a long-term governance perspective. Reference (http://www.youtube.com/watch?v=3yt1gzFqe0M).

If an IT security professional notices illegal practices within their organization (inner threats), what approach should they take to report such activities?

MB: First, it is important to get the facts straight and validate the documentation supports the findings before raising the issue to trusted management or through a trusted ethics/fraud hotline. I am emphasizing the word “trusted” because if the IT security professional does not have sufficient reason to trust management or an ethics/fraud hotline to address the problem
the reporting of these activities can become more challenging.

For example, if an IT security professional finds that their company is holding CVV codes for credit card customers and that this information was recently breached, the IT security professional might find it peculiar as to why they are not getting a positive response from the CISO or CIO. The IT security professional might know that the laws and regulations require the company to notify the customers of the possibility of a breach, but is now concerned the CIO/CISO is downplaying the incident because they recently learned that they were responsible for implementing the security program and developing the data privacy policies. As you can see, it is important that the reporting takes place to a trusted party that is independent enough from the event so that the best decisions can be made for the organization. I know this is easier said than done and often involves lots of moral courage when no one is listening to significant concerns. To prepare for such an incident, I would suggest that the IT security professional establish trusted relationships with other professionals in the organization’s audit, compliance, risk, legal, ethics, and other departments so that they have multiple experts to raise concerns to in the best interest of the organization. I wish I could say reporting was as easy as filing through the hotline or reporting to the senior most security officer, but the reality is that while this might work in some cases, don’t assume it always will.

Why would someone attain the CIA certification and would you recommend that certification to anyone in the IT Security profession?

MB: IT Security professionals play an important role in assuring their organization maintains strong governance, risk, and control practices. There is nothing wrong with IT security professionals maintaining a career path as a technical security expert, however professionals wanting to get involved in more of the broader business risk issues might want to think about becoming a Certified Internal Auditor. My first certification was as a Certified Information Systems Auditor (CISA) which helped me learn a lot about the technology and security risks that IT security professionals face every day, however my decision to pursue the CIA certification was to gain a broader perspective into the business risk of operating an enterprise. In my experience, when you can frame the technology and security risks within a broader business risk perspective it helps communicating issues to senior-level management to get their attention and take action.

If an IT security professional would like to make a transition to IT Auditing, what path (certification, formal education, work experience etc) would you recommend and what are some of the challenges they have to be aware of?

MB: IT security professionals can make excellent candidates for IT auditors because it’s like looking through the other end of the lens. IT Auditors are independent of operations, so an IT security professional transitioning has the practical experience to know where vulnerabilities might exist or where operations personnel might be prone to taking “short-cuts.” This operational experience can certainly help them make sound recommendations for organizational improvement if they decide on a transition into IT Auditing. In terms of IT audit certifications, I often recommend the CISA because it is considered by many to be the most recognized and referenced by companies looking to hire IT Audit professionals. I know IT Auditors that come from a variety of educational backgrounds including business, accounting, and IT. In my experience, companies love to hire CISAs with “Big 4” experience so if you have an opportunity to make the transition by getting hired by a Big 4 firm you should certainly consider this even if it is just for the short-term. These firms typically offer lots of great hands-on experience and a lot of education which have a lot of value even if you decide not to try and make partner at the firm.

From your consulting experience, can you share with us some of the common IT Governance issues you have noticed?

MB: I would have to say one of the most common IT Governance issues is understanding that IT Governance is not only limited to just IT, it’s a team sport that involves all aspects of the business operations. IT governance comes down to aligning IT with the business strategies, goals, and objectives so that reliable information is at the right place, at the right time, and in the right hands to support sound decision making. While this might seem like a simplistic view it truly is the essence of IT governance. There are many excellent IT governance frameworks that can be used to support the business, however it is a common mistake to try and use the framework to run the business rather than using the frameworks and applying them to support the operations of the business.
How critical are IT Governance frameworks such as COBIT, ISO 17799 in building a strong organizational foundation? What frameworks have you recommended in the past few years?

MB: The speed and reliability of information flow is critical in today’s globalized marketplace and IT Governance frameworks can certainly serve as a strong organizational foundation. There are many frameworks, including COBIT, ISO 27001, 27002, and 38500. While the IT governance space is mature with frameworks, I believe that the practical implementations are harder cases to find due to some of the issues I noted above. ISACA had drawn up a nice paper that aligned COBIT with ITIL (Information Technology Infrastructure Library) which I thought was very helpful in a compliance project I was involved in. I found it very useful to consider frameworks and align them within the process-driven context understood by most IT professionals (ITIL) and the control objective-driven context understood by IT Auditors (COBIT). Again, it comes down to recognizing that everyone has a stake in IT governance and that it really needs to be approached from an enterprise viewpoint and that the frameworks adopted can satisfy all stakeholders.

You have a very strong profile as a speaker, how did you attain that and how do you continuously hone your speaking skills?

MB: There is certainly an art and science to professional speaking. Storytelling is an excellent way to help people view things in a different light to help them make the best possible choices in their personal and professional endeavors. As professionals we are all, to some degree, speakers whether it is in an auditorium of hundreds or a conference room of just a few. I grew a real passion for speaking once I started instructing the CIA review course in partnership with the IIA and Villanova University in 2008. One of the course participants that had attended my class thought I would make a good speaker so she invited me into a local chapter as a speaker. From that point, I learned that speaking is an excellent way to help people make a difference so I joined my local National Speakers Association (NSA) chapter and, at this time, sit on the NSA Philadelphia Chapter Board. I have an opportunity to work and learn from some of the best speakers in the business who all have various disciplines of expertise. The NSA four pillars of professional speaking include ethics, expertise, eloquence, and entrepreneurship which are also driving principles I use to continually hone my speaking skills.

You are also an entrepreneur, how did you go about building your personal brand?

MB: Far too often, we find people just doing what they’re told to do rather than believing in what must be done. In my view, this is problematic within the auditing industry because you can always pay someone to tell you what you want to hear and unfortunately this happens. While it is important to maintain an open mind, it is equally important to make business judgments based on sound principles. A reputation built on consistent action and sound principles endures so that is the motto I like to associate with to build my personal brand. Mean what you say, and say what you mean!

What book are you reading currently and any recommendations for our readers?

MB: I love to read and right now I have two books on my plate. “It is Dangerous to be Right when the Government is Wrong” by Judge Andrew P. Napolitano and “The Original Argument: The Federalists’ Case for the Constitution.” I have grown a great deal of interest in how the government and business communities interact with each other, which you can probably tell from my current reading list. Two good books I have read and also recommend are “Tribes” by Seth Godin and “No One Would Listen” by Harry Markopolos.

ABY RAO
Aby Rao has several years’ experience in the IT industry and has working knowledge in applying various security controls and implementing countermeasures related to Web Applications and Database. He is skilled at planning and leading all phases of Software Development Life Cycle, Project Management and Agile Software Development. Aby has a Bachelor of Engineering in Computer Science, Master of Science in Information Science, Master of Science in Television Management and various IT certifications including CISSP, CISA, Security+, ITIL, ISO/IEC 20000 etc. He is also an independent filmmaker and currently resides with his wife in Durham, North Carolina, USA.
Interview with Mehmet Cuneyt Uvey

Mehmet Cuneyt Uvey was born in Istanbul, Turkey, in 1967. He graduated from Middle East Technical University, Public Administration Department. He then completed his MBA degree at Bloomsburg University of Pennsylvania, USA. He has 25 years of experience in Internal Audit, IT Audit, IT Risk Management, IT Governance, Information Security and Project Management. He performed audits, managed many projects and rendered consultancy services to public and private institutions. Mehmet has CGEIT, CISM, CISA, BS7799/ISO27001 Lead Auditor, PMP certificates and has worked as one of ISACA’s CobiT Trainers in the past. Currently, he works as an Internal Auditor for Turkish Tractor and Agricultural Machines Company (a CNH – Koc Group partnership). He gives lectures to graduate level classes about the above-mentioned subjects at various universities. He speaks Turkish, English and German.

What motivated you to get into the IT Security field?

Mehmet Cuneyt Uvey: I am of internal audit and finance origin. Back in the 80’s and early 90’s, the bank I worked for was in a huge transition into automation. The bank had 600 branches; the systems developed first were aimed at branch automation. Use of mainframe and manual procedures were consolidated to batch processing, which was the first precedent. Later on a high volume of investment into ATMs, credit card business and POS machines were new additions to the network. Self-service banking channels and Internet banking became all integrated. During this transition, I thought of auditing the systems and IT processes instead of the financial transactions. I had the chance to establish the IT Audit in the bank I worked for and understood that information security is one of the most important parts in IT audit. That’s how I got into IT Security.

How did you get your start in IT Security?

MCU: After establishing the IT Audit department and performing process & systems audits, we recognized that there was an information security standard published by BSI (British Standards Institute) named BS-7799 (now ISO27001). We had the chance to get the standard and we thought of using the standard for our audits for information security. This was the first time.

As an internal auditor what are some of your day to day tasks?

MCU: I work in one of the largest tractor companies/factories in the world. The Internal Audit Department
started here eight months ago. My daily tasks are of different dimensions. On one side, I try to perform planned audits for the most critical processes (for example, Supply Chain Management) and relevant systems; on the other side, I try to follow up previous internal and/or external audit findings to ensure compliance. Another additional dimension is the coordination of corporate projects or becoming involved in compliance related projects (mostly IT related) to ensure auditability and accountability. When needed, one of my tasks is to perform special audits, ad hoc assignments from the top management.

What certifications, training, or skills would you recommend for someone who wants to pursue a career in IT Security Auditing?

MCU: My first security related certification was the BS 7799 Lead Auditor designation. This certification gives you the chance to look at Information Security with a broad perspective and a systematic approach. Moreover, you can become an external auditor with this certificate, to assess companies which want to acquire the ISO27001 Certification. I highly recommend the CISSP certification, especially for technical background professionals. CISSP is like a passport valid in all countries. Last, but not least, ISACA’s globally recognized CISM (Certified Information Security Manager) and to some extent CISA (Certified Information Systems Auditor) and CRISC (Certified in Risk and Information Systems Control) certifications are also helpful to get into IT Security and Audit. If you want to go further, the Certified Ethical Hacker (CEH) designation is more towards penetration testing and attacks and resembles more the technical perspective of Information Security.

Are there any skills that you believe the auditors today lack, or should improve on?

MCU: The profession of Auditing is one of the oldest ones in human history. There are many different types (Financial, Quality, Operational, Health and Safety, etc.) and levels of auditing. The first requirement for the auditors is to know the business that they are auditing. Risk assessment know-how is a must. Auditors need more technical skills, need to understand Project Management and should also spend time learning the SDLC (Systems Development Life Cycle) for the relevant business processes, so that they can look not only underneath the numbers (business results), but also at the systems and processes that create those numbers.

What do you feel are some of the largest risks that companies face today, or ones in which you have seen?

MCU: The world is changing and the way of doing business is very different today. Information systems and
its added-value is also changing shape and going up to the cloud. High dependency on Information Technology is an advantage, as well as a disadvantage. At the end of the day, Information Security becomes one of the largest risks for a company’s reputation. There are many legal arrangements regarding intellectual property, protection of information and privacy, but there are also activist groups that defend free access to all information and transparency. There are digital wars between countries, systems are destroyed or compromised with cyber-terror and organized collective attacks. Of course, companies take their share of such attacks too.

What do you feel is one of the biggest mistakes that companies make trying to meet a compliance standard?

MCU: Trying to meet a standard is a very good effort. But companies think getting the standard done and being certified is the end of the road. Definitely it is just the beginning. A standard is defined as a “minimum requirement” to be able to get qualified. It needs to improve, get updated and surely become one of the main components of daily routine to live and grow.

There are many frameworks for auditors today, which one do you see as being the most well rounded?

MCU: This is a hard question to answer. There are generally applied frameworks such as CobiT, ISO 27001, ITIL, ISO 25999, ISO 38500 and so on. There are also sector specialized frameworks. The framework you want to use should be relevant to the business line and also the size of your company. The PCI-DSS Standard for instance is most important for the Payment Card Industry; HIPAA – Health Insurance Portability and Accountability Act is essential for health and insurance sectors, NIST (National Institute of Standards and Technology) standards cover almost all the information security issues technically, and so on. First you need to make sure that you search about the frameworks and standards that are most relevant for your business and fit the size of your organization.

What benefits have you seen being a member of an organization such as ISACA?

MCU: I have been a member since 2000. During that time, I had the chance to get myself prepared, go through knowledge and experience, have certifications in IT Audit (CISA), Security (CISM), Governance (CGEIT), IT Risk (CRISC). Moreover, we had the chance to establish an ISACA Chapter in Ankara, Turkey, together with colleagues and professionals (same day with our sister Warsaw Chapter), so that we could promote and share ISACA and its professional know-how and have a good networking place for IT Audit and Security professionals. I am the founding President. Up to now, especially bringing CobiT into the financial sector and implementing it 12 years ago has given me the chance to have a good job and to give consultancy and training to many large firms during my consultancy years. I made a Master’s Degree class out of CobiT and other frameworks and gave my “IT Governance” class in the four best universities in my country. I had the chance to add value to many young colleagues to help them and/or lecture them for certifications. These all came from the know-how, frameworks, certifications and networking inside and around ISACA.

Besides ISACA are there other organizations that you would recommend being a part of (for Security Auditors), why?

MCU: For security auditors with more technical background, I highly recommend (ISC)2 – International Information Systems Security Certification Consortium, Inc., which is another path to follow. (ISC)2 is the main organization behind sound security certifications and designations like SSCP – Systems Security Certified Practitioner; CAP – Certified Authorization Professional; CSSLP – Certified Secure Software Lifecycle Professional; and the most common of all, CISSP – Certified Information Systems Security Professional.

What would you say to someone who is looking to get into IT security and Auditing?

MCU: It will be an uncommon answer to this question but first, after the relevant education, they need to learn the business. What business are they in, what kind of transactions take place, what kind of tools and techniques are used, what systems are involved and what are their interactions and connections (interfaces) and what could be the risks and vulnerabilities of the business process and so on... And among those risks, what could be the information security risks. On one hand, business knowledge is necessary, on the other hand relevant technical skills and understanding of its risks are essential.
SECURITY CONSULTING BUSINESS
Interview with Lukas Ruf

Dr. Lukas Ruf is senior security and strategy consultant with Consecom AG, a Swiss-based consultancy specialized in ICT Security and Strategy Consulting. He is one of the experts in application, system and network security in Switzerland. He is specialized in network and system security, risk management, identity and access management, computer network architectures, operating systems, and computer architectures. He is an expert in strategic network/ICT consulting, security audits, and designer of security architectures for distributed platforms. Dr. Lukas Ruf has been gaining experience in Security and Strategy Consulting since early 2000. Since 1988 he has been active in ICT application development as an architect, lead engineer, apprentice coach, consultant, educator and trainer. His proficiency builds on this long-term experience.

Dr. Ruf, you are a very distinguished professional with experience in academia and industry. Please tell us more about yourself leading to how you got into the Security consulting business.

Lukas Ruf: Back in 1988, I started my first part-time job besides high school as a computer supporter for one of the (then) larger PC resellers. Before enrolling for studies at ETH Zurich (ETHZ), I began working as a software engineer for a ten-person consultancy. In 1996, I was asked by my boss to present my reflections on web-security to one of our major customers. This led to my first web-penetration testing in 1998. Business evolved and I started my first one-man security consulting in 2000. That’s it, basically.

While you were studying at ETH Zurich what did you study and what was your research focus?

LR: At ETH, I enrolled for electrical engineering. For personal interest, I concentrated on micro electronics and anything that was possible to study in the field of computer and network engineering. My masters were then focusing on computer and network architectures. For one of my term theses, I designed and implemented the first port of Topsy v1 to the ia32 PC platform.

To continue research in system and network design and engineering, I started my Ph.D. thesis in the field of Active Networking. Active Networking explored the possibilities of breaking the strict boundaries of network layers already within the network stack – and allowed for dynamic re-configuration and update of functionality provided therein.

This research allowed me to gain an in-depth understanding of networking as well as system security and stability. Insights of which I benefit every day in my job as security consultant.
Is there enough innovation taking place in the field of Information Security? Are you involved in any innovative projects yourself?

LR: From an academic point of view: there is a lot of room for future research and innovation is taking place heavily. In daily practice, fundamental issues are still obstacles although you cannot gain any fame in academia.

As a security consultant serving customers also in the field of their strategic evolution, I am involved in various client side projects that are cutting edge for industry and academia.

You have a strong engineering background, please tell us how that is helping you in your career.

LR: My strong engineering background helps me every day: first, it allows me to understand the issues engineers face daily and to interpret them towards management. Second, it is the foundation for secure designs and architectures. And, foremost, it supports the conception of processes and organizational structures that fit the need of business as well as operation. When it comes to reviewing solutions it is /the/ crucial point to deliver the required insights as well as the appropriate assessment to our customers.

Tell us more about your consulting firm, its size and its technical strengths.

LR: We are a strong team of experts that, as a team, covers an extremely wide range of technologies. Based on a group of friends that did their PhDs together at ETH, we have been able to grow to, currently, eight consultants and one administrative support person.

Our effective strength consists in the pool of experts that are, first, open for criticism, and second, strong in method. We all benefit from our ETH background that laid the technological foundations on which we built our current offering: we combine organization with technology.

Where does the EU stand in terms of preventing cybercrime compared to the rest of the world?

LR: As a security consultant supporting customers internationally, the EU faces exactly the same problems as any other region. In general, however, the EU is positioned better to counteract attacks effectively than others due to a good level of education and, hence, awareness of threats and daily mitigation measures.

The EU is known for its strict cyber privacy. What are your thoughts on privacy laws in the EU?
LR: Laws are on the right track. From my point of view, the protection of users’ rights should be extended to protect also the unknowing, common user: I have great concerns when it comes to the willingness of people to post any private fluffy triviality that, if combined correctly, provides a very detailed profile of the user. People must be protective of their self display – they do not know what they are currently doing.

Similarly, all kinds of user tracking by cookies with ‘like-it’ buttons must be prohibited by law. It must not be possible for any – private or governmental – institution to screen any activity of the people. ‘1984’ is not far from where we are today.

When you are consulting, how do you ensure that your client is educated on various security risks and issues related to their environment?

LR: I tell them. :)

What are some of the security threats companies in the EU are worried about?

LR: Fraud. Based on identity theft, fraud is committed every second. The protection of identities is crucial to

Cloud computing is gaining tremendous popularity in the US, what is its status in the EU?

LR: Cloud computing is gaining popularity in the EU tremendously as well. A big challenge – for good – is the strict interpretation of laws on privacy when it comes to customer identifying data in health care or similar. The problem there is that users of cloud computing often neglect the laws focusing just on commercial benefit. I hope that EU-wide initiatives strengthen the right of end-users there too.

Consecom AG is involved in SEBPS – The Secure Browsing Platform for Switzerland? Please tell us more about that initiative.

LR: You can download SEBPS from www.sebps.net for free. SEBPS is our contribution to the public to protect their web-activities against fraud while being usable. Our goal has been to provide a drastic increase in web-browsing security for ‘my grand-mother’, i.e. the 99% of users in the world that need not know how to configure a linux kernel such that they can be safe against most of the cyber attacks that affect common users. We have accomplished this goal by providing a VM-based, hardened Firefox on Linux platform that renders the
ecommerce and egovernment – as well as private life. process-persistent installation of malware impossible.
Please share with us some of your Switzerland is a beautiful country. How do
experiences in Identity and Access you make the best use of it’s natural beauty?
Management. LR: I enjoy spending as much time as possible outdoor
LR: Being very active also in IdM and IAM, I came with friends and family. In Switzerland, I enjoy hiking as
to the conclusion that all business face an endless well as skiing. When at the sea, I have been enjoying
endeavor if they do not follow a correct and strong windsurfing for the past thirty years.
method to introduce to IAM. Important is that the
concept is sound and meets the requirement of
business. If IAM is an initiative carried out by operation
only, it rarely meets the effective requirements other
than administration.
You have some experience in security
architecture, what are some of the challenges
in security architecture of large scale web
applications? ABY RAO
LR: I have had the opportunity to support various Aby Rao has several years experience in IT industry nad has
customers with developing the security architecture working knowledge in applying various security controls and
of web-portals based on JSR 168 and JSR 286. implementing countermeasures related to Web Applications
There, I had to learn that engineering must not follow and Database. He is skilled at planning and leading all phases
basic concepts without reflection of the specific target of Software Development Life Cycle, Project Management and
solution. For large scale web application, performance Agile Software Development. Aby has a Bachelor Engineering
is always an issue to deal with the huge amount of data in Computer Science, Master of Science in Information Science,
such that today’s end-customers do not klick away – Master of Science in Television Management and various IT
while guaranteeing the appropriate level of protection certi�cations including CISSP, Security+, ITIL, ISO/IEC 20000
for the company as well as for the end-customer. etc. He is also an independent �lmmaker and currently resides
with his wife in Durham, North Carolina, USA.
02/2012(2) Page 22 http://pentestmag.com
23.
CLOUD COMPUTING
Securing Clouds
The most common objections for holding back SaaS (Software as
a Service) adoption as reported from end customers, are named as
‘security’ and ‘reliability’. This is interesting when you consider that SaaS
Security is consistently reported as the fastest growth area of SaaS.
This 'security' objection usually stems from the customers' perspective; they are concerned about the security of their data held outside their perimeter by the cloud provider.
Yet despite these concerns there has been a thunderstorm of growing noise surrounding cloud computing in the past 24 months. Vendors, analysts, journalists and membership groups have all rushed to cover the cloud medium, although everyone seems to have their own opinion and differing definition of cloud computing. Similar to many new sectors of technology, the key is to separate the truth from the hype before making educated decisions on the right time to participate.
While still evolving and changing, cloud computing is here to stay. It promises a transformation – a move from capital intensive, high-cost, complex IT delivery methods to a simplified, resilient, predictable and cost-efficient form factor. As an end user organisation, whatever your size, you need to consider where and when cloud may offer benefit and a positive edge to your business.
Cloud computing is a new concept of delivering computing resources, not a new technology. Services ranging from full business applications, security, data storage and processing through to Platforms as a Service (PaaS) are now available instantly in an on-demand commercial model. In this time of belt-tightening, this new economic model for computing is achieving rapid interest and adoption.
Cloud represents an IT service utility that enables organisations to deliver agile services at the right cost and the right service level; cloud computing offers the potential for efficiency, cost savings and innovation gains to governments, businesses and individual users alike. Wide-scale adoption and the full potential of cloud will come by giving users the confidence and by demonstrating the solid information security that it promises to deliver.
Computing is experiencing a powerful transformation across the world. Driven by innovations in software, hardware and network capacity, the traditional model of computing, where users operate software and hardware locally under their ownership, is being replaced by zero local infrastructure. You can leverage a simple browser access point through to powerful applications and large amounts of data and information from anywhere at any time, and in a cost effective manner.
Cloud computing offers substantial benefits including efficiencies, innovation acceleration, cost savings and greater computing power. No more 12-18 month upgrade cycles; huge IT burdens like system or software updates are now delivered automatically with cloud computing, and both small and large organisations can now afford to get access to cutting-edge innovative solutions. Cloud computing also brings green benefits such as reducing carbon footprint and promoting sustainability by utilising computing power more efficiently.
Cloud computing can refer to several different service types, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is generally regarded as well suited to the delivery of standardised software applications and platforms, like email, CRM, accounting and payroll. The development of the SaaS business model has been rapid and it is now being used to provide high performance, resilient and secure applications across a range of company sizes and industries.
However, as already mentioned, in end user survey after survey the top two issues that surface are security (data being the typical lead in this) and reliability (being availability and accessibility). A good reference point for this is the Cloud Industry Forum's 2011 survey extract below.

Table 1. What are your most significant concerns, if any, about the adoption of cloud in your business? (Only asked of respondents who either currently use cloud or will do at some point in the future.)

Concern                                                                 | Total | Fewer than 20 employees | 20-200 employees | More than 200 employees
Data security                                                           | 64%   | 62%                     | 61%              | 68%
Data privacy                                                            | 62%   | 68%                     | 61%              | 60%
Dependency upon internet access                                         | 50%   | 53%                     | 58%              | 42%
Confidence in the reliability of the vendors                            | 38%   | 32%                     | 38%              | 41%
Contract lock-in                                                        | 35%   | 30%                     | 43%              | 30%
Cost of change/migration                                                | 32%   | 27%                     | 35%              | 33%
Contractual liability for services if SLAs are missed                   | 31%   | 16%                     | 38%              | 33%
Confidence in knowing who to choose to supply service                   | 28%   | 27%                     | 29%              | 28%
Confidence in the vendors' business capability                          | 24%   | 16%                     | 25%              | 26%
Confidence in the clarity of charges (i.e. will they be cheap on-prem)  | 22%   | 16%                     | 26%              | 21%
Lack of business case to need cloud service                             | 21%   | 11%                     | 27%              | 22%
Base                                                                    | 323   | 73                      | 112              | 95

Is this so different when you consider the traditional network form factor? Consider the increasing number of recent and well publicised data breaches and reliability issues from the likes of Sony, BlackBerry and TK Maxx. Often these are tarred with the cloud brush; however, these are breaches where the company was hosting its own solution as a provider and yet was hacked from outside. These are sizeable targets with larger IT teams and budgets than the average size business in the market today.
Look at end user surveys on IT challenges in general and managing the complexity of security appears high if not top of those lists, with other contributors around lack of IT expertise or not enough IT staff. Increasingly businesses are concerned about protection of the organisation's information assets from external as well as internal threats. In a time of financial challenge, protecting against the disgruntled employee is also to be taken seriously.
There is no doubt cloud is bringing change. With the Internet and technology, we have a generation of users demanding access to their applications from their iPhone, iPad, BlackBerry or Android devices. We have entered an era where infinite IT power and information is available to a user on the smallest of devices, on the move and at an affordable price. As devices get more powerful and the Internet faster, the demand and supply of cloud applications will skyrocket and the power in the hands of the user will be greater than we have ever delivered before. Expect the marriage between mobility and the cloud to continue to grow.
So as you extend your footprint into utilising an increasing number of cloud based services, you need to consider the security aspects from an access control perspective, i.e. who can access what, from where and on what device, and what are the additional risks, if any, of this. For example, can a user store their login details on their personal iPad, and is that device secured enough that if they lost it your cloud systems' access would not be breached?
Cloud or SaaS does not provide one-size-fits-all solutions, and not every application in the cloud will be right for your business. You should consider in what areas it makes sense to utilise the cloud. Where can your organisation gain improvement in areas of business efficiency, resilience and cost reduction? Look to others in your sector and what they have done, and look for simplicity and obvious choices in your first cloud solution adoptions.
Review your shortlisted vendors carefully and compare them across multiple areas, not just price. With cloud computing you need to ensure that you validate who you are dealing with, what their reputation is and the quality of service you will receive.

Example things to check before signing up with a cloud service provider, that a reputable cloud provider will be happy to answer, include:

• What are the terms and conditions in the service level agreement (SLA)?
• Are there penalties if a supplier fails to deliver?
• What has the provider's success rate been over a certain period?
• Can they provide customer testimonials? Can you speak to the customers directly?
• Who is going to support the services? Will it be their own supporting staff or a third party? Where are the support staff?
• Do they provide out of hours support? If so, what kind of support do you get?
• Where are the supplier's data centres? Which will you be utilising?
• Where is your data stored? Is it in the UK, Europe, or the US?
• Who has access to your data?
• What security certifications does the vendor hold for their data centre operations?
• How often has the vendor updated its service in the past 12 months?
• Will you be getting ongoing value for money from the enhancements?
• Can you see the service roadmap the vendor delivered in the past year?

There is nothing to fear inherently about the cloud. Companies simply have to perform their diligence as they would when buying any other solution, as long as they know the right questions to ask.
In addition to considering the security aspects that may change in utilising cloud solutions, such as mobility, access control and the security of the chosen vendor itself, you should also consider the cloud education inherent in your own IT staff. Whilst the fundamental technology being utilised is not new, the architectures, security methods and mobility aspects do require adoption of new skills and mind-sets, and you will likely also be engaging with vendors you may not have dealt with or even have heard of prior.
Cloud offers opportunities for those that embrace the new form factor and self-educate and certify themselves for the needs of employers today and tomorrow. More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology to its advantage.
CompTIA's Cloud Essentials certification is an example option that enables employees of varying roles to validate their cloud knowledge, take online training and exam condition testing, and differentiate themselves in the competitive job market. John McGlinchey, Vice President, Europe & Middle East, CompTIA commented "We have had a demand from the user market for a training curriculum with testing to support this rapidly growing new form factor. The demand and adoption is outstripping the skill base and it is key that individuals and businesses recognise and address this shortfall, before it becomes a serious issue for all concerned."
More education is needed in cloud across all sectors to enable businesses to understand and utilize this important new technology option to its advantage, and this need for understanding stretches past simply the border of the IT department. Expect to see more cloud courses and exams providing the market with the required validations in this new cloudy world.
The IT department in this form factor may not be deploying the hardware and software any longer, but they will play a key role in ensuring the integrity of your systems and security controls that you have in place for your cloud operations.
Ignoring the cloud or moving everything to it in a race to be 'all cloud' are both perilous positions. Taking educated steps to the cloud will ensure you gain the benefits that it can bring in a secure manner and that you don't end up in a technological storm.

IAN MOYSE
Ian Moyse is Workbooks.com Sales Director, Eurocloud UK Board Member and Cloud Industry Forum Governance Board Member. He has over 25 years of experience in the IT Sector, with nine of these specialising in security and over 23 years of channel experience. Starting as a Systems Programmer at IBM in the mainframe environment, he has held senior positions in both large and smaller organisations including Senior Vice President for EMEA at CA and Managing Director of several UK companies. For the last 7 years he has been focused on Security in Cloud Computing and has become a thought leader in this arena.