Managing Editor: Anna Kondzierska
anna.kondzierska@pentestmag.com

Proofreaders & Betatesters: Lee McKenzie, Avi Benchimol, Da Co, David Kosorok, John Webb, Sagar Rahalkar.

Special thanks to the Betatesters & Proofreaders who helped with this issue. Without their assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher: Pawel Marciniak

CEO: Joanna Kretowicz
joanna.kretowicz@pentestmag.com

DTP: Anna Kondzierska

Publisher: Hakin9 Media Sp. z o.o. SK, ul. Postepu 17D, 02-676 Warsaw, Poland
Phone: 1 917 338 3631 www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Table of contents
Zoomeye - search engine for cyberspace, by Jorge González Milla (p. 4)
SAP Security. Today’s state, future trends and predictions, by Darya Maenkova (p. 9)
Present and future of cyber security - What’s in store to become a cyber warrior?, by Samrat Das (p. 14)
An IoT landscape for 2017, by Jason Bernier (p. 17)
The Evolution of MicroEncryption® Type Technology, by Steven Russo (p. 18)
Threat Modeling Template for Beginners, by Dr. Narendiran Chandrasekaran (p. 23)
Watching the Watchers using Deception Techniques, by Muruganandam (p. 26)
Cybersecurity and penetration testing. Trends in 2017. Approaches by:
Ali Tabish (p. 35)
Mihai Raneti (p. 38)
Amar Wakharkar and Mary Nowottnick (p. 41)
Celal Cagri (p. 43)
Ahmed Atef Selim (p. 45)
Washington Umpierres de Almeida Junior (p. 49)
Dear PenTest Readers,
We would like to proudly present you the newest issue of PenTest Open, which is free to download for
everyone interested in the topic. We hope that you will find many interesting articles inside the
magazine and that you will have time to read all of them.
We’re approaching the end of the year, so it’s time to sum up the past year and think about the future. During 2016 we could read about dozens of data breaches. The biggest companies in the world suffered from them: Snapchat, LinkedIn, Oracle, Dropbox, Yahoo and Cisco. What’s even more alarming is that the number of attacks on public institutions is rising. In 2016 we could observe attacks on the University of Central Florida, the U.S. Department of Justice, the Philippine Commission on Elections, and a couple of hospitals and power stations. Furthermore, cybercriminals are using more advanced and complicated methods. We were overwhelmed by the amount of information about malware, phishing attacks, ransomware, and data leaks.
The good thing is that companies are dealing better and better with attacks and data breaches, but it is still more about incident response than regular pentesting and constantly upgrading the company’s security posture.
So what can we expect next year? Are there going to be more or fewer attacks and data breaches? And who is going to be a target?
In this OPEN issue you will read different opinions about the future of cybersecurity and penetration testing given by specialists from all around the world. You can read about the MicroEncryption methodology and its features. We’ll cover topics like: business disruption, threat intelligence & management, the IoT landscape, and the cybersecurity market. There is also an article about Zoomeye, a search engine for cyberspace, and how to use it. We’ll dive into topics like MiTB and SSL/TLS protocol attacks and deception techniques. We’ll show you a threat modeling template for beginners, where the features and components of this process will be broadly explained to you.
We would also like to thank you for all your support. We appreciate it a lot. If you like this publication you can share it and tell your friends about it! Every comment means a lot to us.
As always, special thanks to the Beta testers and Proofreaders who helped with this issue. Without your assistance there would be no PenTest Magazine.
Also we want to take this opportunity to wish you a Happy New Year!
Enjoy your reading,
PenTest Magazine’s Editorial Team
Zoomeye - search engine for cyberspace
When internet connectivity is pushed into devices where it is basically useless or of very little use and, moreover, ISPs do not help much, chaos takes over those devices. A simple search in any given “dark engine” is enough to realize how many devices keep their default settings or come with no default configuration at all.
ZoomEye is the cyberspace search engine you never heard of…
Everyone knows about the beloved Shodan and the new valid alternative Censys for searching IoT devices, but are you sure you aren’t missing anything?
ZoomEye is a search engine for cyberspace, created especially for hunting the demons in cyberspace. It was developed by Knownsec Inc, a Chinese security firm based in Beijing. The first version of ZoomEye was released on 1st July 2013 and it has undergone continuous development since then, reaching version 3.
ZoomEye uses Xmap and Wmap at its core to grab data from publicly exposed devices and web services and to perform fingerprint analysis.
ZoomEye is simpler and more intuitive than Shodan, and it allows pagination without prior registration.
We can use filters to search for devices. This is not illegal, because it simply collects devices that are visible on the Internet. It can also search for banners or make requests to some common ports, and then it stores the information returned in the headers provided by the server. This information is stored and often used to indicate or identify the software serving the response.
ISPs should take their routers’ security seriously, whereas companies should do the same with their devices’ safety. Otherwise, everyday consumers will be unprotected. These days, any user with an average knowledge in the field could take control of devices to carry out unconstrained attacks. Many people already know Shodan, that engine for devices connected to the Internet, but today may I present to you… ZoomEye.
by Jorge González Milla
Services, ports, countries, cities, default settings and many more possibilities are within a mouse click’s reach, thanks to the potential of “dorks”.
It is widely known that Windows XP lost Microsoft’s support long ago.
We can easily discover devices running Windows XP with a simple “dork” in ZoomEye.
We can also discover services, servers, ports and many more…
Even printing systems…
Surprisingly, some printers provide too much information when we try to access them (without any credentials). These are all hints for cybercriminals.
Web servers running under Windows OS in Spain:
If we move to the top mobile OS, we can find a huge number of devices.
When opening the main page, we can already see Android-based operating systems running that we can investigate, and we have noticed the following:
Just by using our imagination, we can get loads of information.
The Raspberry Pi is another widely used, inexpensive and easily accessible device.
Biometric systems, coffee makers, light bulbs… all these devices, connected and configured by an inexpert user or running the default settings... it can be scary.
ISPs should take action, as they cannot expect the everyday user to configure their device correctly.
Remember, what we have shown you here is just the tip of the iceberg…
Why take action?
Simply by applying the filter “Anonymous access allowed”, we will see the services that we can access anonymously. And this is only in ZoomEye... Imagine the problems if someone with malicious intent tries to wreak havoc by uploading malware (as we saw above) or doing other things they have devised.
If we do not take steps to prevent cyber attacks, the Internet could die.
Thousands of attacks per second, infected people attacking without consent, etc. The Internet could become chaos.
My name is Jorge, I am from Jaén, Andalucía, Spain. I am currently an analyst programmer and security analyst. I also do pentesting.
Since 2006 I have dedicated myself to computer science and since 2014 I have been in cybersecurity. Aside from ethical hacking, I like reading, sport and my work. I would like to work solely as a security analyst / pentester as it is my passion.
I have worked in several companies to become a programmer analyst and I have also worked as a pentester, although I do not have much experience, so I would like to work as a pentester, because it is what I really love.
Author: Jorge González Milla
SAP Security. Today’s state, future trends and predictions.
Interest in SAP security is growing. Within the last 10 years, experts have delivered a lot of talks on SAP cybersecurity. Studies related to this topic were featured in the top international media (e.g., Forbes, The Guardian, Wired, Financial Times, etc.). So, nowadays, it’s hard to believe that SAP Security used to be terra incognita in the past. All these warnings were for a reason, as within the last three years several highly significant incidents related to SAP cybersecurity occurred (the NVIDIA breach in 2014, the OPM breach in 2015, and the US-CERT alert on an SAP vulnerability).
To make accurate predictions, we should first get to know what the state of SAP Cybersecurity is today and what emerging use cases we can observe now.
State of SAP Security
To give a full picture of SAP Cybersecurity, we focused on two aspects: SAP Product Security and SAP Implementation Security.
Product Security
This part relates to vulnerability statistics.
The average number of security patches for SAP products (aka SAP Security Notes) per year has slightly decreased. Surprisingly, this doesn’t mean that the number of issues has dropped, too. The vendor now may fix multiple vulnerabilities in one patch, while three years ago each patch addressed a particular one. Actually, the number of patches is still quite high.
The article describes the state of SAP cybersecurity with a special focus on SAP
Product Security (statistics according to released patches) and SAP
Implementation Security. In light of all the facts, we forecast which topics will
attract researchers’ attention in the near future.
by Darya Maenkova
Chart: Number of SAP Security Notes per year
In total, 3794 SAP Security Notes and Support Package Implementation Notes had been published as of November 2016. Most of the issues (69%) were rated high priority and hot news, i.e., about 2/3 of the fixes must be applied as soon as possible.
The most common vulnerability types remain XSS, missing authorization check, and directory traversal.
Figure 1. SAP Security Notes by type
The list of vulnerable SAP platforms has extended and now includes modern cloud and mobile technologies, such as HANA. The new platforms are more exposed to the Internet, which facilitates an attack.
There are vulnerabilities in almost every SAP module: CRM takes the leading position among them, followed by EP and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules (like the ones mentioned before) were introduced about two dozen years ago, but the first vulnerabilities were discovered just several years ago; SAP HANA and SAP Mobile apps, in contrast, attracted researchers’ (and, unfortunately, hackers’) attention quicker than the traditional ones.
Figure 2. SAP Vulnerabilities by application area
The number of security issues in industry-specific solutions has grown significantly and now totals 160. The most vulnerable ones are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.

Industry Solution                                                     Number of vulnerabilities
Banking                                                               33
Retail                                                                21
Advertising Management (including Classified Advertising Management)  27
Automotive                                                            14
Utilities                                                             14
Healthcare                                                            13
Campus Management                                                     12
Oil and Gas                                                           10
Defense Forces and Public Security                                    6
Aerospace and Defense                                                 4
SAP Implementation Security
This part describes how securely SAP Systems are implemented on a global scale.
The statistics related to exposed SAP web applications can be gathered with well-known Google search requests or Shodan, but this approach gives several false positive results. Because of that, we used our own scanning method to gather information about SAP system types.
As a result of the scan, more than 11000 unique servers with different SAP web servers were identified. Further research reveals that most of the legitimate SAP application services exposed to the Internet are located in the USA (2332), India (1003), and Germany (895).
The most interesting and complex research was performed for services that should not be accessible from the Internet; SAP has a set of modules that should not be accessible from the Internet, as they are designed only for internal use or require additional network filtration before being directly exposed to the Internet.
Almost 25000 such web-exposed SAP systems were found (namely, SAP Gateway, SAP Message Server, SAP HostControl, SAP Visual Admin P4, SAPRouter, SAP MC, SAP Afaria). Not only do they pose a potential risk, but they have real vulnerabilities and misconfigurations that are well-known and described in public sources.
In detail, it was found that:
• 78% of ABAP systems (3177 systems in total) on the Internet have the WebRFC service enabled. This service allows executing RFC functions (read data from SAP tables, execute OS commands, make financial transactions, etc.) using HTTP requests to the NetWeaver ABAP ports and URLs. By default, any user can access this interface and execute the RFC_PING command by sending an XML packet. Other functions require additional authorizations. So there are two main risks:
- If there is a default username and password in the system, an attacker can execute numerous dangerous RFC functions because default users have dangerous rights.
- If a remote attacker obtains any existing user credentials, he/she can execute a denial-of-service attack on the server by sending the RFC_PING request with a malformed XML packet.
• 10% (533) of J2EE systems on the Internet have the CTC service enabled. The service is intended for managing the J2EE engine remotely. The Verb Tampering vulnerability in CTC allows bypassing authorization checks for remote access to the service. The non-intrusive scan cannot determine whether the identified services are vulnerable, but the probability is rather high.
• 1209 Message Server HTTP services (the HTTP part of the Message Server) are exposed to the Internet. One of the issues of SAP Message Server HTTP is the possibility to get the values of the SAP system’s configuration parameters remotely without authentication. This information can be used for further attacks.
• 3465 SAP Management Console services are exposed to the Internet, which are potentially vulnerable to unauthorized access to log files.
• 859 SAP Visual Admin P4 services are exposed to the Internet. The service provides administrative functionality to manage SAP J2EE applications remotely.
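The verb tampering class named in the CTC bullet above is a configuration weakness in declarative access control: a J2EE security constraint that lists the HTTP methods it protects leaves every unlisted method uncovered. The toy router below is an added illustration written for this page (not SAP's or ERPScan's code) and shows the weak constraint beside the deny-by-default form; the /ctc/ prefix and the role name are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ADMIN_ROLE = "Administrator"   # hypothetical role name
CTC_PREFIX = "/ctc/"           # hypothetical path prefix of the administrative servlet


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    roles: FrozenSet[str] = frozenset()   # roles of the caller; empty means anonymous


@dataclass(frozen=True)
class SecurityConstraint:
    """Mirrors a web.xml <security-constraint>: a URL pattern, the role it needs,
    and an optional <http-method> list.  As in the servlet spec, when the list is
    present the constraint applies ONLY to those methods; others stay uncovered."""
    url_pattern: str
    required_role: str
    http_methods: Optional[FrozenSet[str]] = None   # None = every method is covered


def is_authorized(constraints: List[SecurityConstraint], req: Request) -> bool:
    """Container-side decision: False as soon as a covering constraint is unmet."""
    for c in constraints:
        if not req.path.startswith(c.url_pattern):
            continue
        if c.http_methods is not None and req.method not in c.http_methods:
            continue        # uncovered method: the constraint silently does not apply
        if c.required_role not in req.roles:
            return False
    return True


def dispatch(constraints: List[SecurityConstraint], req: Request) -> str:
    """Authorization first, then the servlet.  Returns what happened so the effect
    of the constraint choice is visible to the caller."""
    if not is_authorized(constraints, req):
        return "403 denied"
    # Like HttpServlet.doHead(), HEAD is served by the GET code path with the body
    # suppressed, so the administrative action still runs.
    if req.method in ("GET", "HEAD", "POST"):
        return "200 admin action executed"
    return "405 method not allowed"


# Weak: only GET and POST are covered, so HEAD bypasses the role check.
VULNERABLE = [SecurityConstraint(CTC_PREFIX, ADMIN_ROLE, frozenset({"GET", "POST"}))]
# Hardened: no <http-method> list, so the role is required for every method.
HARDENED = [SecurityConstraint(CTC_PREFIX, ADMIN_ROLE, None)]


def demo() -> dict:
    anon_get = Request("GET", "/ctc/admin")
    anon_head = Request("HEAD", "/ctc/admin")
    admin_get = Request("GET", "/ctc/admin", frozenset({ADMIN_ROLE}))
    return {
        "vuln_anon_get": dispatch(VULNERABLE, anon_get),
        "vuln_anon_head": dispatch(VULNERABLE, anon_head),
        "hard_anon_head": dispatch(HARDENED, anon_head),
        "hard_admin_get": dispatch(HARDENED, admin_get),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The same deny-by-default effect is what a container's "deny uncovered HTTP methods" setting provides; an exposure review should flag any constraint that enumerates methods.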
Near future
Now, when we have drawn a picture of the SAP threat landscape, we can try to forecast what will be on
the horizon for 2017.
In short, as SAP Cybersecurity is a part of Cybersecurity, SAP Cybersecurity experts can expect in the
coming year to encounter the same trends as the industry in general.
Future trends and predictions about IT security are connected with such things as:
- Cloud solutions. Enterprises are not thinking about migrating applications and data to the
cloud, they are doing it. Threats posed by cloud solutions are rather well-known: data breaches,
compromised credentials because of broken or missing authentication, exploited system vulnerabilities,
to name a few.
As for SAP in particular, SAP states that its SAP HANA in-memory technology has 110 million cloud
subscribers around the world, so attack surface is potentially rather wide.
- Internet of things – Vulnerabilities identified in different wearable devices hit the headlines of the major media a myriad of times in 2016. But what really represents a threat is industrial IoT, or IIoT. It includes sensor data, machine-to-machine communication and automation technologies. Such technologies have the potential to drastically change the future of the whole vertical. Nonetheless, one shouldn’t forget that IIoT security is a challenge. Any device connected to the plant floor and at the same time exposed to the Internet is susceptible to being hacked.
In its portfolio, SAP has a set of solutions for the IoT that includes a platform, applications, and underlying and technical services. Moreover, researchers from ERPScan have already identified several vulnerabilities in modules responsible for plant floor integration (SAP Plant Connectivity, SAP xMII).
- Industry-specific attack vectors – Cybercrime is on the rise, and no vertical is immune to it. Several highly targeted attacks happened this year; for example, the hotel industry fell victim to the Oracle MICROS data breach. We have identified a special attack vector against an oil and gas company. In particular, the researchers have discovered vulnerabilities in the SAP xMII system, SAP Plant Connectivity, SAP HANA, the Oracle E-Business Suite platform and some widely used OPC servers, such as Matrikon OPC. Configuration issues and these vulnerabilities can be used to conduct a multi-stage attack and get access to connected systems.
Taking into account the huge number of vulnerabilities in industry solutions from SAP (160 as of mid-2016), one can suppose that different kinds of cybercriminals may pay attention to these software vulnerabilities, especially in such industries as Oil & Gas, Automotive, and Banking.
Author: Darya Maenkova
Darya is Sr. Analyst at Department of Security Evangelism,
ERPScan. Her main fields of interest are statistical and
analytical studies, as well as trend analysis. She participates in
ERPScan’s research works, including monthly analysis of SAP
Security Notes, quarterly overview of Oracle CPU, and annual
SAP Security Reports.
Present and future of cyber security - What’s in store to become a cyber warrior?
If we take a look at the most important sources of business today, they range from Financial Systems, Telecommunications, Aviation, Consumer Devices and Automobiles to the Internet of Things. Imagine all these systems generating revenue, along with people using all their services worldwide.
All these systems are serious in both their usage and their impact. At this stage, if an external attacker, or better say an insider, leaks the data, or exposes the system by hacking in and corrupting and manipulating data, it will become a huge loss along with loss of reputation and financial damage.
Serious financial damage has been caused by security breaches. The most recent of these include security consulting firms producing estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. These range anywhere from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks).
Just in 2016, the following were some much talked about hacks:
1. AdultFriendFinder
AdultFriendFinder lost close to 412 million users with their personal information exposed. The information was published on online criminal marketplaces for purchase. The information included e-mails and passwords, among others.
2. LinkedIn
In May of 2016, 117 email addresses and passwords were published online. LinkedIn still has no idea who was behind the hack.
3. World Anti-Doping Agency
Cyber security in itself is a broad and diverse field. Its growing importance, due to the increasing reliance on computer systems and the Internet in today’s society coupled with the “Internet of Things”, is unparalleled.
by Samrat Das
With the Olympics in full swing in 2016, Russian hackers leaked the medical data of athletes like Simone Biles and Serena Williams.
4. SnapChat
On March 3rd of this year, 700 current and former employees had their private data stolen in a phishing
scam that posed as chief executive Evan Spiegel.
5. Yahoo!
Yahoo lost 500 million usernames, passwords, telephone numbers, dates of birth in late 2014 itself. The
revelation came finally in 2016.
6. Cisco
Cisco was notified of a significant privacy vulnerability on their careers page, leaving job-seekers open
to potential hacks.
All this proved a single moral, the world needed hard core cyber security geeks and professionals who
can test the systems and organizations to detect, patch and prevent all such attacks and vulnerabilities
to a large extent.
7. Verizon
A hack in the Verizon Enterprise Solutions division, a section of the company dedicated to IT services
and data breach assistance to companies and government bodies alike. Hackers stole information from
1.5 million users.
8. Democratic Party
Democratic Party experienced plenty of hacks to go around in 2016.
9. BitCoin
One of the bitcoin exchanges, BitFinex in Hong Kong, was hacked, losing $65 million plus by still
untraced hackers.
10. DropBox
Data revealed in 2016 showed that 68 million users were at risk for stolen passwords and usernames.
Security measures against such attacks may include:
• Vulnerability Management
• Secure Coding
• Penetration Testing
• Physical Security
• Security Compliance and Audits
Going by the recent trends, according to Forbes, the global cybersecurity market reached $75 billion
for 2015 and is expected to hit $170 billion in 2020.
According to sources, cyber security is the most in demand profession one can look forward to in the
coming future. As of this writing, the top seven skills you can master for looking forward to a bright
career in cyber security are:
• Security Analysis (Penetration Testing and Vulnerability Assessment)
The most in-demand and booming profession, where demand exceeds supply: you are a person who is paid to legally break into networks, find loopholes in websites and discover attack vectors in mobile and rich clients, not to forget wireless networks and IoT devices. This is one field that is deeply rooted in the present and the future, with a promising cyber security career option.
According to the US Bureau of Labor Statistics, the number of jobs for information security analysts is
projected to increase 18% between 2014 and 2024.
• Secure Software Development
This involves finding exploits and vulnerable software code and patching them; your role as a secure developer / source code reviewer will be to identify and patch the vulnerabilities.
• Cloud Security
Cloud security is the area where organizations report their biggest security skills deficit. Demand is high as large businesses generate jobs for cloud security architects.
There are several threats particular to the cloud, such as data breaches, system vulnerability exploits, and hijacked accounts, among others. This is a field for the present and for a much more widespread future, where tons of things need to be done and the required skills are rarely found.
• Intrusion Detection
Intrusion detection involves discovering potentially harmful activity that could compromise the
confidentiality, integrity, or availability of information, a field where you are in charge of assessing
networks and infrastructure to find and detect/ block malicious attackers from penetrating into your
network.
• Network Security
Combined with incident management, organizations also need professionals who secure and lock
down firewalls, monitor systems and detect and analyze suspicious behavior.
• Risk Mitigation/ Threat Modelling
A field where you need to identify and discover risks, create mitigation plans and create blueprints for a secure infrastructure; the demand now and in the coming time can’t be ruled out.
In a nutshell, cyber security is an ambitious, highly rewarding and promising career option for people worldwide. This is one field free from the lack of opportunities, recessions, over-supply and limited opportunities. For young people, out of college and interns, this is one really good field in which to grow by leaps and bounds and make a mark for yourself!
Samrat is a security researcher currently working for Deloitte India as a Security Consultant. His interests involve: Network and Web Penetration Testing, Reverse Engineering & Malware Analysis and Secure Code Review. He can be reached on sam9318@gmail.com and twitter: @Samrat_Das93 or his LinkedIn profile: https://in.linkedin.com/in/samrat18
Author: Samrat Das
An IoT landscape for 2017
2016 was quite a year for cyber security. We saw a lot of new vulnerabilities and exploits published. It seems to be a never-ending cycle: a researcher finds a vulnerability, and then the software developer publishes a patch, for the most part.
One of the predictions for 2017 is more security incidents involving Internet of Things (IoT) devices. Something that occurred in October 2016, that I suspect few expected, was a massive Denial of Service attack by a massive botnet dubbed the “Mirai” botnet. The Mirai botnet was made up of thousands of compromised IoT devices. How is it that a simple device like a thermostat or home security camera could effectively aid in performing a successful cyber-attack that denied thousands of users access to a large number of websites?
Vendors of IoT devices need to employ better and more sophisticated security measures. Vendors need to take a more aggressive stance on creating a better cyber security posture for their consumers. Currently, vendors and manufacturers do not have any real incentive to add additional security measures other than potential legal issues.
A potential solution to this would be to have legal regulation of any device that has the potential to connect to the internet. This would be plenty of incentive for manufacturers and vendors to at least take security more seriously and add additional security measures to their products. Another way to help improve security on IoT devices would be to have developers open source their code. This would allow more people to help contribute and report critical findings.
I suspect that incidents involving IoT devices will only increase in 2017, from DoS attacks to full-on cyber invasions and intrusions hosted by IoT botnets. I am hopeful that researchers will find new ways to add additional security, and create further avenues to help combat such cyber-attacks.
Author: Jason Bernier
A full-time red team member on the US Army Red Team, performing computer exploitation at Sotera Defense Solutions, and a part-time penetration tester at Lunarline Inc. He started his career in the military, working as a general IT admin/engineer. After serving in the military, he continued his IT career within the defense industry. He eventually made his way into security after earning a BS in IT/Security and an MS in IT/Cyber Security. He has over 20 years of experience, including penetration testing, vulnerability assessment, and insider threat detection.
The Evolution of MicroEncryption® Type Technology
The New Reality
Secure and reliable encryption schemes are essential to protect sensitive information held by
individuals, entities, organizations and governments. However, encryption combined with firewalls is no
longer strong enough to stop malicious actors from acquiring sensitive data that is being protected. We
must deploy new ways to essentially guarantee we are protected against potential cyber threats, both
externally as well as internally. Today, if you were to ask most cyber experts, you might hear that there
is no system that is 100% un-hackable.
The Pioneers - How Change Came About
Between 2006-2008, two individuals (David Schoenberger and Timothy Reynolds) were working within
the payment card industry, protecting systems that connected into the back end of the Federal
Reserve. While working with clients and protecting transactions to very high levels, requests continued
to come asking why “Tokenization” could not be applied to both databases and files. After this
continued to occur, David and Tim decided to develop this capability. After several years, they were
successful in doing just that.
As the capability was being designed and architected, additional enhancements were made to the
Tokenization process they created. For example, their “DigiTokens”, unlike standard tokens, do not
contain any part or piece of the data that is being protected. In other words, the DigiTokens are
agnostic. Additionally, depending on client specific needs, within a given system architecture, the
DigiTokens are not reused or repeated to protect other pieces of data in the future.
A new data security paradigm is required to secure sensitive data in the event of
a perimeter defense breach. This new paradigm must ensure that only the right
people get access to the right information at the right time. The MicroEncrypted
Digital Vault capabilities ensure that data at rest and data in motion remain
unavailable to exploitation even in the event of traditional network defense
breach.
by Steven Russo
A New Approach To Data Security
Firewalls and encryption are not strong enough to hold back the banks of supercomputers used by foreign actors; almost all agree that they can penetrate and access most any system they so desire. Where the twist comes in is what they can get once inside. This is where additional security measures can thwart their efforts. With the advent of a new approach to cyber security on the back end, involving AES encryption combined with a uniquely modified form of Tokenization, a technology known as MicroEncryption®, once a bad actor successfully penetrates firewalls and encryption, there is nothing sensitive within that system to steal.
One of the most significant challenges while considering protection schemas is not only the level of security. The data that is most sensitive is also the same data that must remain accessible to those authorized to access it. MicroEncryption accomplishes this while meeting these requirements. Also important to note is the fact that not all data contained within a database or file structure is sensitive. For example, if within a database a record had no known association with an account number, a first/last name, a social security number, or a city and state, there would be no correlation to the sensitive data, therefore making the remainder of the fields contained virtually useless to the hacker.
These advancements work off an entirely different premise and methodology relative to current cyber security processes. While it has been repeatedly proven that “Bulk Encryption” is not efficacious in securing data, by MicroEncrypting the information, sensitive data is protected individually, down to the byte level if that is what is desired within the system design. This also means that not all data within a system requires encryption. Since the sensitive data is being protected on an individualized basis, it can be returned very rapidly when called upon. While custom solutions and a variety of APIs are available, in most cases a developer only requires access to a MicroEncryption API and they are ready to protect data.
This methodology, while only recently available for commercial use, mitigates the effects of latency on user experience while securing most all forms of data like never before. Tokenization has existed for a long time within the digital arena. Substitution or surrogate key values, or “tokens”, have been used to isolate sensitive data elements from exposure to exploitation (16-character maximum) by replacing them with placeholders.
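The two properties the DigiToken paragraph above claims, tokens that contain no part of the protected value and tokens that are never reused, are what separate a vault from the older surrogate-key tokenization just described. The following is an added example written for this page, not the vendor's or Neuron ESB's code: a field-level vault with random tokens beside a deterministic (value-derived) baseline, showing that only the vault keeps two records with the same SSN unlinkable in a stolen application database. The per-field role policy and the sample customers are constructed; encrypting the vault store with AES is assumed and not implemented here.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Fields the system design marks as sensitive; everything else stays in clear.
SENSITIVE_FIELDS = {"last_name", "ssn", "account_number"}
# Hypothetical per-field access policy: which role may detokenize each field.
FIELD_POLICY = {"last_name": "support", "ssn": "hr", "account_number": "payments"}


def derived_token(value: str) -> str:
    """Weak baseline: a surrogate derived from the value itself.  The value is
    hidden, but equal inputs give equal tokens, so records stay linkable."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


class TokenVault:
    """Random-token vault kept apart from the application database.
    Assumption: in a real deployment the store is itself AES-encrypted; here it
    is a plain dict so the example runs stand-alone."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, str]] = {}   # token -> (field, plaintext)

    def tokenize(self, field: str, value: str) -> str:
        while True:
            token = secrets.token_urlsafe(16)   # agnostic: carries no byte of `value`
            if token not in self._store:        # never reused, even for equal values
                self._store[token] = (field, value)
                return token

    def detokenize(self, token: str, field: str, roles: frozenset) -> str:
        """Release the plaintext only to a caller holding the role for that field,
        and only for the field the token was issued for."""
        if FIELD_POLICY.get(field) not in roles:
            raise PermissionError(f"role '{FIELD_POLICY.get(field)}' required for {field}")
        stored_field, value = self._store[token]
        if stored_field != field:
            raise PermissionError("token was issued for a different field")
        return value


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Field-level protection: tokenize only the sensitive fields."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def protect_record_derived(record: dict) -> dict:
    """Same record under the deterministic baseline, for comparison."""
    return {k: derived_token(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def linkable_on(records: List[dict], field: str) -> bool:
    """True if two records share a token for `field`: someone holding only the
    application database can tell they refer to the same person."""
    tokens = [r[field] for r in records]
    return len(tokens) != len(set(tokens))


# Constructed sample data; the repeated SSN models two profiles of one person.
CUSTOMERS = [
    {"customer_id": 1, "last_name": "Doe", "ssn": "123-45-6789",
     "account_number": "4111111111111111", "city": "Austin"},
    {"customer_id": 2, "last_name": "Roe", "ssn": "123-45-6789",
     "account_number": "4222222222222", "city": "Denver"},
]


def demo() -> dict:
    vault = TokenVault()
    vaulted = [protect_record(vault, r) for r in CUSTOMERS]
    derived = [protect_record_derived(r) for r in CUSTOMERS]
    dump = str(vaulted)                       # what a thief of the app DB would see
    plaintext_in_dump = any(r[f] in dump for r in CUSTOMERS
                            for f in ("ssn", "account_number"))
    try:
        vault.detokenize(vaulted[0]["ssn"], "ssn", frozenset({"support"}))
        support_reads_ssn = True
    except PermissionError:
        support_reads_ssn = False
    return {
        "plaintext_in_dump": plaintext_in_dump,
        "vault_linkable_on_ssn": linkable_on(vaulted, "ssn"),
        "derived_linkable_on_ssn": linkable_on(derived, "ssn"),
        "clear_fields_kept": vaulted[0]["city"] == "Austin",
        "hr_reads_ssn": vault.detokenize(vaulted[0]["ssn"], "ssn", frozenset({"hr"})),
        "support_reads_ssn": support_reads_ssn,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:26} {val}")
```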
MicroEncryption-like concepts are now providing a security mechanism for both small and larger scale
data protection, exceeding 2 GB in size - a feat previously unavailable within the Tokenization
protection schemas. Now, through access via an SDK, developers of all sizes can adopt and utilize the
schema for projects of all sizes. This includes not only files of all types, but databases, payments,
payment processing, information around transactions and more. Its attraction is not only its scalability,
but its simplicity to deploy. Depending on the complexity of a system, and what items developers
determine require protection, connections have been made in as little as a few hours through published
APIs. This service through the SDK is both PCI DSS Level 1 compliant as well as HIPAA compliant,
allowing for the compliant storage of credit card information and healthcare data.
ESB providers, such as Neuron ESB, have seen the benefits of MicroEncryption and taken it to the next
level by creating a simplified pathway for MicroEncryption to be deployed into many industry standard
applications. This reduces programming efforts in more than 40 commercial applications (including
Microsoft and Oracle) by more than 80 percent. You can see why this technology is rapidly becoming a
schema of choice.
As MicroEncryption technology has evolved and adoption continues, certain entities requiring data
protection have expressed the desire to maintain the MicroEncrypted data within their own environment.
Banks, financial institutions, large enterprises and governments are classic examples. To meet that
demand, MicroEncryption is now available as a private hosted solution that can be deployed in a
variety of ways, including a client’s own data center or private cloud. Lately, managed services
providers, as well as data centers themselves, are taking advantage of this new form of hybrid security
architecture. MicroEncryption-like technology is rapidly becoming a vital tool in their toolbox of options
and capabilities.
Taking it to the next step, flexible adaptor based systems were developed that allow any data to
transact with any other third-party system, as well as a recurring process scheduling engine that allows
an organization to manage business rules that determine when, how often, and what kind of data
processing to schedule and generate. These systems include, but are not limited to, payment
processing, identity verification, bank systems, account systems, or any data transformation.
Information and registration for a free trial of the recently released CertainSafe MicroTokenization SDK
can be found at https://certainsafe.com/custom-solutions.
The CertainSafe Digital Vault is not limited to fields of a database. Another unique feature of the
architecture allows files up to 2GB to be secured in the Digital Vault. CertainSafe has developed a
browser based app named the Digital Safety Deposit Box and Client Portal to manage secure storage
and sharing of files and private messages. This gives users the ability to secure any data type,
including simple text, Word Docs, Excel, x-ray files, video, voice, pictures, top secret documents and
more.
As the evolution continued, taking industry demands a step further, a Virtual Safety Deposit Box was
developed for use by individuals, without requiring any additional programming whatsoever. It utilizes
the complete MicroEncryption technology suite to protect the information contained within the
CertainSafe Digital Vault. Its purpose is to allow for the storage of files, in an ultra-secure vault,
providing a mechanism that enables the storage, ability to share, and the ability to control folders
containing files, with ease, speed and efficiency. As an added feature set, individuals can communicate
through an Instant Secure Chat, that too uses MicroEncryption to protect the instant chat messaging
contained. This platform is called the CertainSafe Digital Safety Deposit Box.
MicroEncryption as a service, whether through an SDK, or a private instance, due to its ease of use, as
well as pricing structure, is quickly becoming a favorite of managed service providers of all sizes. As the
evolution of data security continues forward, it is believed that MicroEncryption type schemas will be
the top choice for those developers requiring the highest levels of security.
“The MicroEncryption technology is truly innovative with its ability to scale to future needs and evolve
with the new best practices in the security world,” said Dan Furman, former CIO of the Federal
Improvement Team. By tokenizing data and storing it fully encrypted, the data becomes usable
directly from the secure datacenter while simultaneously meeting and exceeding industry standards and
regulations. In addition, value can be gained from processing the data onsite, avoiding the potential
security failure point created when data must move to an analysis server. From Personally Identifiable
Information (PII) and Health Insurance Portability and Accountability Act (HIPAA) [http://www.hhs.gov/ocr/privacy/]
mandated data restrictions to user password tokenization, the need for usable and secure data has
never been so great. Companies of all sizes who store any information about their customers,
employees, patients or partners must be conscious of how to protect this information.
Unlike other security solutions, MicroEncryption technology is lightning fast and is currently being
scaled to enable over 58 billion secure actions per second in a test portal environment. “Thanks to this
new breakthrough in technology, MicroEncryption offers everyone access to the same speed and
security as the billion-dollar giants,” said Mr. Fioto, Chairperson and CEO of RACE.
Industry Recognition
"CertainSafe, with the invention of MicroEncryption, has cracked the code on how to properly
secure data that's both at rest and at motion." Richard Marshall, former director of Global
Cybersecurity Management for the US Department of Homeland Security
“I've closely investigated the MicroEncryption technology and am confident it is the most secure
method for sharing and storing data, bar none.” Rep. Pete Hoekstra, former Chairman of the
House Intelligence Committee
"The CertainSafe approach to cloud security may be the most brilliant and effective that I've seen
to date, in an area that is critical if Net-based commerce, applications, and transactions are to go
forward." Mark Anderson, FiRe chair and CEO of the Strategic News Service
Summary
A new data security paradigm is required to secure sensitive data in the event of a perimeter defense
breach. This new paradigm must ensure that only the right people get access to the right information at
the right time. The MicroEncrypted Digital Vault capabilities ensure that data at rest and data in motion
remain unavailable to exploitation even in the event of traditional network defense breach. These types
of technology solutions are applicable on a global basis across dozens of industries including
healthcare, financial services, hospitality, retail, energy/smart grid, supply chain management and
government service sectors. The innovative processes make data stored fully usable and accessible
while maintaining the highest levels of security. With MicroEncryption-like technology deployed, users
can store HIPAA, PCI, PFI, PHI, PII as well as other types of sensitive data requiring compliance.
Steven R. Russo launched his career as an entrepreneur at the age of 18. He later went on to become a highly
recognized leader in HVAC distribution, where he made considerable sales and management
contributions.
In 2011, Steven and his business partner, John Nachef, acquired a groundbreaking cybersecurity
technology. Steven and his partner formed Secure Cloud Systems (SCS), raising more than $10M from
private investors to fund operations to date. For the past five years, Steven has managed day-to-day
operations while working closely with the SCS technology team to prepare their cyber-platform for
market. Steven has been instrumental in developing the CertainSafe® product line, which includes the
game-changing CertainSafe Digital Safety Deposit Vault, which in turn allowed for the creation of the
CertainSafe Digital Safety Deposit Box.
Author: Steven R. Russo
Watching the Watchers using Deception Techniques
by Muruganandam
We need to ensure we maintain both the attacker’s interest as well as their acceptance that they are
attacking real targets. Honeypots have often been criticized for their lack of believability, causing many
attackers to recognize the system as fake and avoid interaction. If we allow this to happen, the
Labyrinth could provide no additional intelligence on the attackers, or on their tactics and techniques,
and wouldn't allow for any additional timesaving afforded to the security team. So to begin, what is a
Honeypot? A Honeypot is a non-production system, typically housed within a virtual environment,
whose sole purpose is to be a target. The Honeypot is a decoy system that provides a deceptive layer,
shifting the focus of attackers away from production systems.
The objective of a Honeypot is to provide security teams with information about its every function, so
the team can determine the tactics and techniques of those actors who interact with the system. To
convince the attacker that the decoy system is genuine, "we need to be aware that he will be trying to
fingerprint the decoy and its applications." It is critical that Honeypots do not stick out and cause an
attacker to move in a different direction.
Within an entire network of honeypots, even if an attacker does move in a different direction, it will likely
be towards another honeypot. But, the goal of the Labyrinth is to be as believable as possible, to
ensure we keep the attackers focused on what we want them to focus on, and not allowing them to
question their actions. To assist with the believability of the Labyrinth, it should behave like a real
network. Each system within the internal network should have representation within the Labyrinth, and
the topological layout of the Labyrinth should essentially mimic that of the real network.
To ensure the acceptance of the Labyrinth, a logical combination of honeypot systems within each
subnet should resemble what the internal network would use. For example, within the DMZ section of
the Labyrinth, the legitimate types of DMZ systems should be present: a fake Web Server, an
external Domain Name Server (DNS), a Mail Server, and perhaps a File Server (FTP) or even a Voice
over IP (VoIP) server. However, if there were also unpatched Windows XP systems with large quantities
of internal information, it may cause an advanced attacker to question their situation. This doesn’t
mean you cannot have an unpatched Windows XP system in the Labyrinth. You should use a variety of
OS's as long as they represent the types of systems within the real environment. Place these systems
within subnets that resemble a functional network.
Having a network within the Labyrinth that resembles an actual subnet of endpoint specific systems,
e.g. user laptops, desktops, and printers, simply makes the Labyrinth more believable and facilitates
the attacker to wander deeper into the Labyrinth, in turn, allowing the security team to develop a much
more comprehensive listing of the TTPs on the attackers. The entire point is to make the attackers
waste as much time as possible to allow your teams to counter their potential attacks.
With the effort of designing and configuring the Labyrinth to be as believable as possible, there is
another level of configuration that can make the Labyrinth resemble the real thing, administrative
actions within the Labyrinth. "Day-to-day changes in the environment may include adding, upgrading
and removing applications, networks, operating systems, endpoints, and devices." Creating network
traffic within the Labyrinth and by essentially treating the Labyrinth like a real environment provides yet
another layer of deception. To achieve this deception, we have several scripted actions within the
Labyrinth simulating user actions, like requesting DNS lookups, Web Traffic, file transfers, and
generating events that trigger log population on the systems. Creating what appears to be legitimate
noise within the Labyrinth aids in the believability of the Labyrinth's functionality. In turn, this can
allow the attacker to interpret the network as normal and continue to probe and test the Labyrinth as
they would any other network. The beneficial security information gleaned from a honeypot is without a
doubt the primary motivation for their use. However, there are limits and restrictions under which a
Labyrinth environment should operate.
"A primary concern for honeypot designers is that of an attacker getting control over it. If this happens,
the attacker can initiate attacks from the honeypot, which is regarded by the network as a secure
environment." While the primary purpose of the Labyrinth is to record and use the tactics and
techniques of an attacker to better secure the legitimate network, the risk of having the attacker use the
Labyrinth for malicious purposes against other sites is grounds for significant legal concern.
The monitoring of suspected malicious actions within the Labyrinth is the primary goal of the Labyrinth.
While ultimately protecting the legitimate network is the objective, protecting outside organizations from
attacks based within the Labyrinth is equally as important. Should all identified malicious actions be
stopped immediately? Within the Honeypot community it is loosely understood, that "it is sometimes
better to observe the attack through to completion and then identify the stolen goods after the deed
has been done." By keeping the attacker focused on what you want them to focus on, you gather
information.
You are also keeping the attacker from actively focusing on something, or someone, else. Since
the Labyrinth can be wiped clean at a moment's notice, in the event of a critical action or an action
targeting an outside entity, the malicious action can be stopped in its tracks by resetting the Labyrinth
to a clean version. The defenders could fail to gain a complete picture of the attacker’s TTPs, but the
information gathered from these actions still allows the security team to bolster their defenses.
Muruganandam is a Principal Security QA working with Oracle India Pvt Ltd. He has expertise in
security testing of web applications and network products, and is involved in many industry security
certifications, such as PCI and Common Criteria.
Author: Muruganandam
Threat Modeling Template for Beginners
Table of Contents
1. THREAT MODELING PROCESS
1.1. DEFINE AN ARCHITECTURE OVERVIEW
1.2. GATHER A LIST OF EXTERNAL DEPENDENCIES
1.3. IDENTIFY THE ASSETS AND SECURITY OBJECTIVES
1.4. DATA FLOW DIAGRAMS
1.4.1 TRUST BOUNDARIES
1.4.2 DATA FLOW
1.4.3 ENTRY POINTS
1.4.4 PRIVILEGED CODE
1.4.5 DFD ELEMENTS
1.5. DETERMINE AND INVESTIGATE THE THREATS
1.5.1. USE STRIDE-PER-ELEMENT FRAMEWORK
1.5.2. THREAT RATING [OPTIONAL]
1.6. PROPOSE THE RESPECTIVE COUNTERMEASURE SOLUTIONS
1.7. VALIDATE THE COUNTERMEASURES
2. REFERENCES
1. Threat Modeling Process
There are various threat modeling techniques that are defined by NIST, FIPS, Common Criteria and
Microsoft. Particularly, for the application security, network security and embedded system security, the
Microsoft defined STRIDE model is the recognized and approved technique by the various reputed
secure R&D organizations including MSR (Microsoft Research Lab), Software Engineering Research
Institute (SERI), Carnegie Mellon University, Global Security Research Forum and RSA Lab [1].
The scope and objective of this paper is to regulate the threat modeling process and provide needed
guidance for developers, testers, and beginners to understand how to create a Threat Model for any
embedded systems software before beginning the design and implementation phases in the Secure
Software Development Life Cycle (S-SDLC).
by Dr. Narendiran Chandrasekaran
Before starting the threat modeling process, an architect, business analyst, developer and test lead
meet together to identify the security objectives and goals. An architect begins by defining the
architecture and walkthrough to ensure that all attendees understand the architecture from the same
perspective. The following subsections describe the process of the Microsoft STRIDE Threat Modeling
Technique [2,3,4].
Threat Modeling is an iterative process that starts during early phases of design of the system and
continues throughout the system life cycle. Because it is impossible to identify all of the possible
threats in a single pass, this process needs to be repeated as the system evolves, as shown in Figure 1.
The following are the steps for the Threat Modeling Process:
a) Define an Architecture Overview
b) Gather a List of External Dependencies
c) Identify Security Objectives
d) Decompose and draw a Data Flow Diagram (DFD) for the identified Components
e) Investigate the Threats: Use STRIDE Model to Identify/Define the Threats
f) Threat Rating, Threat Table, Calculate the Risks and Quantitative Comparison
g) Propose the respective Countermeasure Solutions
h) Validate the Countermeasure
Figure 1. Threat Modeling Process
1.1. Define an Architecture Overview
As a first step, create a high-level architecture that describes the composition and structure of the
system/sub-systems as well as its physical deployment characteristics. Also, depending on the
complexity of the system, it is the responsibility of the security developer/analyst/architect to create the
additional diagrams that focus on different areas.
Then, enhance the diagrams by adding details about the trust boundaries, data flow, authentication,
authorization, etc. During DFD process, those details will be identified and documented. In addition,
document the technologies to be used and what the software does, as shown in Table 1.
Sl.No. Technology/Platform Implementation Details
Table 1. Template for Technologies/Platform Details
1.2. Gather a List of External Dependencies
Table 2 shows how to list out and document the external dependencies/entities that a system may use,
for example, a database or server.
Sl.No Dependencies Purpose
Table 2. Template for External Dependencies
1.3. Identify the Assets and Security Objectives
Understand the security objective and assets that need to be protected and achieved. This could range
from confidentiality, integrity, authentication, authorization, non-repudiation, secret keys, availability,
etc.
1.4. Data Flow Diagrams
DFD is a graphical representation of data flows, data stores, and relationships between data sources
and destinations. In threat modeling, DFD helps to identify trust boundaries, data flow, entry points, and
privileged code of the proposed system.
1.4.1 Trust Boundaries
Identify the trust boundaries that surround each of the noticeable components/assets of the system.
1.4.2 Data Flow
Data flow is completed by analyzing the data flow between individual components and subsystems.
Data flow across trust boundaries is particularly important because code that is passed data from
outside its own trust boundary should assume that the data is malicious and perform thorough
validation of the data.
1.4.3 Entry Points
In DFD, there are two types of entry points, namely internal and external. External entry point requests
are from front-end application/external dependencies and internal entry points exposed by
subcomponents across the levels of the system may only exist to support internal communication with
other components. However, it is mandatory to know where these are, and what types of input they
receive in case an attacker manages to bypass the front door of the system and directly attack an
internal entry point.
1.4.4 Privileged Code
Privileged code accesses specific types of secure resources and performs other sensitive operations.
1.4.5 DFD Elements
A DFD contains four types of elements. Table 3 shows the elements are external entities, data flow,
data store, and processes. When the DFD is used for threat modeling, there is one more element to
keep track of, which is the trust boundary. The trust boundary represents data moving from a high trust
to low trust, or vice versa.
Process
External Interactor
Data Store
Data Flow
Trust Boundary
Table 3. DFD Elements	
Mostly the diagrams are used to evaluate the threats by hand or with the help of automated tools.
Figure 2 exhibits a simple example of how the data is flowing between an Electronic Control Unit (ECU)
and Cloud Infrastructure Components for the authentication process via wireless connection.
Figure 2. Simple DFD Model
1.5. Determine and Investigate the Threats
This section deals with how to investigate and analyze the DFDs to capture and record the possible
security gaps, attacks, bugs, and flaws in internal & external design components, infrastructure,
interface, external communication, etc.
1.5.1. Use STRIDE-per-Element Framework
STRIDE is named after the six categories that the threats are divided into, namely Spoofing, Tampering,
Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Table 4 shows the
different threat types of the STRIDE Framework [4].
Threat Type            | Security Attribute | Meaning
Spoofing               | Authentication     | Pretending to be something or someone other than yourself.
Tampering              | Integrity          | Modifying something on disk, on a network, or in memory.
Repudiation            | Non-Repudiation    | Claiming that you didn't do something, or are not responsible. Repudiation can be honest or false, and the key question for system designers is: what evidence do you have?
Information Disclosure | Confidentiality    | Providing information to someone not authorized to see it.
Denial of Service      | Availability       | Absorbing resources needed to provide service.
Elevation of Privilege | Authorization      | Allowing someone to do something they're not authorized to do.
Table 4. STRIDE Threat Types
STRIDE-per-Element model evaluates every element in the DFDs. Table 5 shows different elements of
the DFD and the different categories in STRIDE [3,5].
Element Type    | S | T | R | I | D | E
External Entity | X |   | X |   |   |
Data Flow       |   | X |   | X | X |
Data Store      |   | X | X | X | X |
Process         | X | X | X | X | X | X
Table 5. Mapping of STRIDE to DFD element type
After the DFD model of the system has been created, a list of all elements in the diagram has to be
created. Table 6 shows the list of elements created from DFD in Figure 2.
Element Type    | Item Numbers
External Entity | Infrastructure Server (1.0)
Data Flow       | Server Command & response (1.0 <-> 2.0)
Data Store      | Transform a Session Key (3.0)
Process         | ECU (2.0)
Table 6. Elements from DFD in Figure 2.
Once the list of DFD elements is done, STRIDE will be applied to each element in the list. However, not
all types of threats have to be applied to all types of elements. Table 7 shows the result of STRIDE-per-
Element analysis.
Threat Type            | DFD Item Numbers
Spoofing               | External entities: (1.0); Processes: (2.0)
Tampering              | Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
Repudiation            | External entities: (1.0); Processes: (2.0); Data Stores: (3.0)
Information Disclosure | Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
DoS                    | Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
EoP                    | Processes: (2.0)
Table 7. Threats to the Model in Figure 2.
The threats have been grouped after the STRIDE categories, refer to Appendix A to understand
precisely. After STRIDE has been applied to the list of elements, it is time to calculate the risk attached
to each threat. The advantage of STRIDE-per-element is that it is prescriptive; it helps to identify what
to look for without having a checklist. When STRIDE-per-element is used by an experienced user, it can
be useful for finding new types of weaknesses and common issues in system components [6].
1.5.2. Threat Rating [Optional]
Threat rating is rating the threats based on the level of the risks. This process allows the architect/
developer/customer to address the threats that present the most risk first, and then resolve the other
threats. In fact, it may not be economically viable to address all of the identified threats, and one may
decide to ignore some because the chance of them occurring is small and the damage that would
result if they did is minimal. Microsoft has standardized the DREAD model, which is used to help rate
the threats/risks[2]. The procedure to rate the threats using the DREAD model is described in the
attached Excel sheet.
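The STRIDE-per-element enumeration of section 1.5.1 and the optional DREAD rating of 1.5.2, as an added Python example that is not from the article or its attached Excel sheet: the element list follows Table 6, the category mapping follows Table 5, and the DREAD scores are constructed values for illustration.

```python
"""STRIDE-per-element enumeration for the Figure 2 DFD, with optional DREAD rating.

Added example, not part of the original article. Element list from Table 6,
STRIDE mapping from Table 5; the DREAD scores below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE categories in column order S T R I D E.
STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")

# Table 5: which STRIDE categories apply to which DFD element type.
STRIDE_PER_ELEMENT: Dict[str, Tuple[str, ...]] = {
    "External Entity": ("Spoofing", "Repudiation"),
    "Data Flow": ("Tampering", "Information Disclosure", "Denial of Service"),
    "Data Store": ("Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"),
    "Process": STRIDE,
}


@dataclass(frozen=True)
class Element:
    kind: str   # one of the keys of STRIDE_PER_ELEMENT
    name: str
    item: str   # DFD item number(s), as written in Table 6


@dataclass
class Threat:
    category: str
    element: Element
    dread: Dict[str, int] = field(default_factory=dict)  # empty until rated

    def risk(self) -> float:
        """DREAD risk = mean of the five 1..10 scores (0.0 while unrated)."""
        return sum(self.dread.values()) / len(self.dread) if self.dread else 0.0


# Elements of the Figure 2 DFD (Table 6), plus the ECU <-> session-key-store
# flow that Table 7 lists as (2.0 <-> 3.0).
ELEMENTS = [
    Element("External Entity", "Infrastructure Server", "1.0"),
    Element("Process", "ECU", "2.0"),
    Element("Data Store", "Transform a Session Key", "3.0"),
    Element("Data Flow", "Server Command & response", "1.0 <-> 2.0"),
    Element("Data Flow", "ECU <-> Session Key store", "2.0 <-> 3.0"),
]


def enumerate_threats(elements) -> List[Threat]:
    """Apply STRIDE-per-element: one candidate threat for every (category,
    element) pair allowed by Table 5. An unknown element kind raises instead
    of silently dropping threats from the model."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        threats.extend(Threat(c, el) for c in STRIDE_PER_ELEMENT[el.kind])
    return threats


def threat_table(threats) -> Dict[str, Dict[str, List[str]]]:
    """Group threats as Table 7 does: category -> element kind -> item numbers."""
    table: Dict[str, Dict[str, List[str]]] = {c: {} for c in STRIDE}
    for t in threats:
        table[t.category].setdefault(t.element.kind, []).append(t.element.item)
    return table


DREAD_FIELDS = ("Damage", "Reproducibility", "Exploitability",
                "Affected users", "Discoverability")


def rate(threat: Threat, scores: Tuple[int, int, int, int, int]) -> Threat:
    """Attach DREAD scores (each 1..10) to a threat and return it."""
    if len(scores) != 5 or any(not 1 <= s <= 10 for s in scores):
        raise ValueError("DREAD needs exactly five scores in the range 1..10")
    threat.dread = dict(zip(DREAD_FIELDS, scores))
    return threat


def prioritised(threats) -> List[Threat]:
    """Highest DREAD risk first; unrated threats sink to the bottom."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS)
    for cat, by_kind in threat_table(found).items():
        print(cat)
        for kind, items in by_kind.items():
            print(f"  {kind}: " + ", ".join(f"({i})" for i in items))
    # Constructed DREAD scores for two threats, to show prioritisation.
    spoof_server = next(t for t in found
                        if t.category == "Spoofing" and t.element.item == "1.0")
    dos_ecu = next(t for t in found
                   if t.category == "Denial of Service" and t.element.item == "2.0")
    rate(spoof_server, (8, 7, 6, 9, 5))
    rate(dos_ecu, (5, 8, 7, 4, 6))
    for t in prioritised(found)[:2]:
        print(f"{t.risk():.1f}  {t.category} on {t.element.name} ({t.element.item})")
```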
1.6. Propose the respective Countermeasure Solutions
The mitigation process mainly addresses each threat and proposes the respective solutions. There are
four standard ways to address the threats.
i. Redesign the architecture to eliminate the threat
ii. Apply Standard Mitigations, given in Table 8
iii. Invent New Mitigations (Riskier)
iv. Accept Vulnerabilities in Design
Threat Type            | Security Attribute | Standard Mitigations
Spoofing               | Authentication     | Cookie Authentication; Kerberos Authentication; PKI systems such as SSL/TLS and certificates to authenticate code or data; Digital Signatures
Tampering              | Integrity          | Mandatory Integrity Controls; HMAC; Digital Signatures
Repudiation            | Non-Repudiation    | Secure Logging and Auditing; Digital Signatures
Information Disclosure | Confidentiality    | Encryption; ACLs
Denial of Service      | Availability       | ACLs; Filtering; Quota
Elevation of Privilege | Authorization      | Input Validation; ACLs; Privilege Ownership
Table 8. Standard Mitigation Techniques
1.7. Validate the Countermeasures
Validation is the on-going and manual process in the Secure Software Development Life-Cycle. It
validates all the threat models that are created during the DFD process.
The following questions need to be answered:
a. Does DFD match final code?
b. Are threats enumerated?
c. Has test/QA reviewed the model?
d. Is each threat mitigated?
e. Are mitigations done right?
2. References
[1] A. Shostack, Threat Modeling: Designing for Security. US: John Wiley & Sons Ltd, 2014.
[2] https://msdn.microsoft.com/en-us/library/ff648644.aspx
[3] Common Criteria, Common Criteria for Information Technology Security Evaluation, Part 1:
Introduction and General Model, 2012.
[4] M. Howard and S. Lipner, The Security Development Lifecycle: SDL: A Process for Developing
Demonstrably More Secure Software (Developer Best Practices). Microsoft Press, 2006.
[5] CHU Ying, HAO Lin. STRIDE Critical Threat Modeling Using in Designing Certificate Authority.
Journal of Yunnan University (Natural Science). 2004, 26 (supplement): 54-57 (in Chinese).
[6] A. Weimerskirch, C. Paar, and M. Wolf, “Cryptographic component identification: enabler for secure
vehicles”, in Proceedings of the 69th IEEE Vehicular Technology Conference (VTC ‘15), pp. 1227-1231,
Dallas, Texas, USA, September 2015.
Author: Dr. Narendiran Chandrasekaran
Dr. Narendiran Chandrasekaran brings 13+ years of experience in the software industry. He
has been working on various security and cryptography technologies, including mobile
security, platform security, network security, HDCP content protection, OMA/Google
Widevine DRM frameworks, vulnerability/threat assessment, fuzzing, penetration
testing tools and techniques, crypto acceleration, RFC security standards, PKI and ARM
TrustZone - Trusted Execution Environment (TEE). He participates in and interacts with various
security standards bodies (NIST/FIPS/Common Criteria/EMVCo/MPFI) and certification processes
for secure products (Global Platform/PCI DSS).
He has published and presented more than 13 technical papers in leading IEEE/ACM
security conferences and journals in India, the US and China, and has also filed a Grade "A" patent in India.
He is currently working as a Principal Architect at the Cyber Security Product and Engineering
Service (P&ES) Lab, Capgemini India.
Approach by: Ali Tabish
2016 is about to wind down and multiple industries are beginning to fine-tune their business strategies for
the upcoming year. Cyber criminals are making exactly the same kind of strategies so they can work smarter.
Criminals are getting smarter by exploring new practices, building organizations, and bringing in human
expertise for more sophisticated and specialized cyber attacks. It is an action-and-reaction cycle:
enterprise organizations are planning or implementing security measures so they can be more attentive
in their reactions. Flash back through the 2016 statistics and you will find devastating data breaches,
spanning multiple large and small industries.
A few recent cyber attacks in 2016:
• DDoS Attack against Liberia Using Mirai Botnet.
• Hundreds Of Operations Canceled After Malware Hacks Hospitals Systems.
• Shadow Brokers reveals list of Servers Hacked by the NSA.
• Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices.
According to the ITRC (Identity Theft Resource Center), as of November 1st of this year, there were 845
reported breaches, exposing 29,765,131 records (keep in mind that this does not include the majority of
breaches in which companies usually did not report the number of records affected). These breaches
are targeting high-value data (includes confidential data like health information, classified information
related to governments, phishing, etc).
So… what will 2017 bring? We expect to see the following security threats and trends:
BYOD – Smart Phones Having Smart Malware
People who are unaware of technology and security might assume that malware is relatively
unchanging, but that assumption is largely wrong. Malware designs are continuously improving.
Those improvements mean the ability to bypass security controls and to exfiltrate data through advanced
deception methods.
As a result, we can expect to see high-value data breaches that originate on bring-your-own devices
(smartphones / mobiles). Nowadays, newer application versions consume less computing power,
causing less lag, and they are good at remaining fully undetected; late discovery could result in more
files being stolen, which is becoming a major corporate security concern. As the recent
state-sponsored attacks on journalists’ smartphones showed, these attack methods are now in the wild,
and we should expect to see more organized crime using them.
Ransomware Threat Prevention
Ransomware is the most pervasive cyber threat since 2005. According to publicly available information,
ransomware infections have outnumbered data breaches by more than 7,000 over the past 11 years. Since
then, ransomware has become a tool of choice for many cyber criminals. Ransom attacks are expected to
increase 20-fold over the next year. Given this success, their increase in frequency is somewhat
expected.
Ransomware prevention has become a cost of doing business for an enterprise; ransomware is as prevalent as
distributed denial of service attacks. Given the success rate, enterprises will have to deploy a multi-faceted
prevention strategy, such as advanced sandboxing and threat extraction, for effective enterprise
infrastructure protection. We are expecting to see more targeted attacks intended to influence an
organization, with “legitimate” actors launching such attacks.
Internet of Things (IoT)
The Internet of Things (IoT) is quickly becoming a way of life; unfortunately, this shift comes with
additional risk. IoT will continue to create never-ending shocking stories because these devices are not
very secure. In the coming year, we expect to see further research, an increase in data-harvesting attacks,
and proofs of concept (PoCs) demonstrating vulnerabilities in these devices as well. The
convergence of information technology and operational technology is making environments more
vulnerable. The security concerns around the IoT will become similar to the set of security concerns
around SCADA: such environments often run legacy systems that are obsolete or for which patches are not
available. The industry should look towards best practices such as those NIST and others have formulated.
Cloud Computing
Using IT as a service to cut capital costs gives an enterprise the opportunity to build its infrastructure
in the cloud, so enterprises are continuously putting more data there. This opens a backdoor for
hackers to reach enterprise systems, and disrupting or taking down a major cloud provider will affect
all of its clients' businesses. There will also be a rise in ransomware attacks impacting cloud-based
data centers. These attacks will start finding their way in by spreading encrypted files from cloud to
cloud.
Market Manipulation
Cyber criminals are thinking well beyond that. These perpetrators are well prepared and have their eyes
set on insider trading and market manipulation. For the past few years, we have seen widely publicized
breaches carried out by different groups. Sometimes hackers obtained credentials through sophisticated
spear phishing attacks in order to compromise confidentiality by accessing classified information about
upcoming mergers; sometimes hackers gained access to news media outlets to obtain non-public corporate
information such as financial restatements, and traded on that information prior to its public release,
making billions. Given these opportunities for large payouts, such frauds will increase.
Summary
In the future, enterprise organizations will see an increase in cyber attacks and intrusions that are
sophisticated in design. Cyber criminals will continue to build on their success and venture into larger
money-making schemes via market manipulation.
Mid-size and enterprise organizations can protect themselves by implementing stronger controls and
awareness programs, such as employee training and proper reporting procedures. It is best to couple
these controls with well-tailored cyber insurance policies.
Author: Ali Tabish
• Independent Security Researcher
• CCISO, CHFI, CEH, CEI, ECSA, MCSE, STS
• Ethical Hacker of the Year 2016 – Finalist
https://www.linkedin.com/in/alitabishofficial
https://twitter.com/atabishofficial
Approach by:
Mihai Raneti
Every year, you read yet another set of articles trying to predict what is going to happen in the
cybersecurity field the following year. The sad thing is that in spite of that, breaches still take
organizations by surprise.
You do not need to be a close observer to realize there are some recurrent patterns. By definition,
hackers are curious people who innovate and show proof of unstoppable creativity time after time.
They are expected to continuously increase the complexity of their attacks and the sophistication of
their techniques and tools. They are always one step ahead, thinking of tomorrow, while the majority of
cybersecurity solutions are designed thinking of what happened yesterday. There is this big imbalance
between cybercriminals and those trying to secure cyberspace, which keeps getting bigger and bigger.
Clearly, we are not able to slow them down, let alone stop them.
Even key security people in a company are easily tricked, because most of the time they do not have a
hacker's mindset. When we hear the word hacker, we immediately think negatively. But a hacker is
someone who dissects things. If you check Pinterest, it is full of life hacks, Photoshop hacks, parenting
hacks, all kinds of hacks. It doesn't mean they are teaching you how to steal something, they are
teaching you alternative ways of getting to the same result.
Cybercriminals do have some advantages over cybersecurity specialists, though. They have time,
resources, drive and skills. Let us take them one by one. One of the main traits of an attacker is
determination. They will not give up until they are inside the network or get the information they are
looking for. They have plenty of time to apply any strategy, to change their approach, to try again and
again, and they do it with such finesse that most of the time they get away with it for months. They also
benefit from plenty of material and financial resources. Sometimes they are backed by companies or even
nation states looking to have the upper hand over their competitors. The most important feature of all is
their passion for this kind of work. There is no special school for hackers; they are simply self-taught
people continuously looking to improve their performance, not because someone from the outside tells
them to, but because they want it.
The same applies to cybersecurity specialists. Everyone is complaining that there are not enough
people on the right side, and we cannot see that changing anytime soon. We have been making
massive efforts regarding HR, and we saw for ourselves how difficult it is to find someone who
combines programming skills with a cybersecurity background. Things are especially hard when you
are a startup. There is a handful of specialists, but they already belong to large enterprises, and you
have to be ingenious enough to approach them and bring them to your team. That is if they are not
motivated only by the money they can earn, because in that case, your startup is no match for the likes
of Google or Microsoft.
The cybersecurity job market is the reverse of almost all others: there are plenty of positions to fill and
very few people with the right qualifications and the right mindset. Universities are not aligned with the
job market, and that is one big drawback. Cybersecurity degrees are still quite rare and they stand no
chance of meeting the demands of the market. Cybersecurity is critical for the survival of almost any
business, since almost everything is happening online. It is essential to have people covering this
aspect. Also, the military is the biggest traditional employer in this field, since intelligence is highly
valued. A study from the Bureau of Labor Statistics estimates the growth rate of jobs in information
security at 37% between 2012 and 2022. Needless to say, that is a much faster pace than the average for
all other occupations. In the study "Mitigating the Cybersecurity Skills Shortage", Cisco estimates that
the number of current cybersecurity job openings has reached 1 million. Symantec projects a demand of
6 million positions that need to be filled globally by 2019, and foresees a shortfall of 1.5 million.
Since cybersecurity is a very dynamic field, there is a need for continuous professional development to
keep up with the ever changing threats. Stopping intruders is ultimately a thing that depends on
humans, no matter the amount of computing power involved. As we have said many times before, man
and machine can achieve great things together. Machine learning is increasingly used, and someday in
the future, it will probably be 99% in charge of security, leaving 1% to humans.
Another key problem in cybersecurity is awareness. Although it is on the rise, and has been for a while,
that is not reflected in real-life situations. Breaches still occur because companies cannot possibly
foresee the way they will be attacked. Some are surprised that they have been attacked at all; they
underestimate themselves and think they have nothing of value. The main concern of cybersecurity
specialists should be helping organizations understand that a breach will certainly take place sooner or
later. They should have an idea of who would likely target them, the reasons behind the attack and what
valuable pieces of information the attackers are after.
There are three main risk factors for organizations. One is the BYOD policy. Assuming an employee has
no hidden agenda, bringing personal wearable (IoT) technology to work can mean opening the door to
vulnerabilities. Device security is the least of a person's worries, and a recent study from Microsoft
shows that personal computers are two times more exposed to threats than enterprise computers. The
same applies to other gadgets. Another risk factor, somehow related to BYOD policies, is working
remotely. In this day and age, employees can work from anywhere, but there is no guarantee that the
device, which apparently connects to the network, is legitimate or that the person at the other end of
the device is really who they claim to be.
We tend to perceive cybercrime as something coming from the outside, so we take the inside out of the
equation. This leads to the third and greatest risk factor: malicious insiders. More than 50% of attacks
are caused by insiders, who can be divided into two categories. On the one hand, there are those with
poor knowledge or adoption of proper security practices. No matter how strong the cybersecurity
policies inside an organization are, there will always be a person falling for spear phishing. They will
most likely open the Word document, Excel spreadsheet or PDF attached to the email. Trojans are still on
the rise, tricking people into clicking fake links with catchy titles, lowering their security settings or
installing malware.
On the other hand, there are those who aim for a big data theft. It can be quite difficult to detect them,
because they have plenty of experience at hiding their traces and no one would suspect them. They are
most often the model employees. Social engineering is the foundation for a large number of attacks
and breaches, and as such it should be the main choice for pentesters.
Lately, cyber attacks have started targeting infrastructure, and in the future, our basic commodities,
such as food, water, electricity, fuel and the ability to communicate will probably also be in jeopardy. As
long as the internet is at the core of any modern society, it will always be a target. The past has shown
a tendency of attacks to follow geopolitical criteria. That is especially true for countries like the US,
Russia, China and North Korea. That will certainly go on in the future, probably resulting in greater
disruptions.
We have also seen attacks in the last months that leveraged a huge number of IoT devices. It is very
difficult to keep track of entry points and data flow. We hear more and more about the Internet of
Insecure Things, and while that was supposed to be ironic, it is starting to be 100% true.
Cybercriminals are taking full advantage of this opportunity and reaping the benefits of poor security.
Most of their work is already done for them; they only have to make a little effort to take control of the
devices. While this is relatively new, it has been expected for a while now and it will most likely reach
even larger proportions in the future.
This could be an effect of the low prices of crimeware. For as little as $50, one can buy a USB stick that
can destroy any device that has a USB port. Cybercriminals gain time because they can buy their tools,
as opposed to having to create and develop them. Parts of botnets can be rented and used to target a
specific geographical area. Not to mention how easy it is to buy anything on the dark web. A good deal
of breaches come from vulnerabilities that have been known for at least one year. That is a
consequence of the use or refurbishing of open source code.
Attacks targeting the healthcare sector are starting to become commonplace. Unlike IoT devices, which
can be set aside, implantable devices cannot be removed from the person. We also see further
development in ransomware, and when it comes to implants, people's lives could be at risk.
The cybersecurity market is slowly moving towards a new wave of solutions based on deception. A
Gartner study estimates that by 2018 one in ten enterprises will be using tools and tactics based on
deception to protect themselves against cyberattackers. The passage from cloud to cyber fog is also a
sign of the increasing power of deception used as a cybersecurity strategy. Fog computing could be
the solution everyone has been waiting for: fragmenting data into tiny pieces that make no apparent
sense will render it useless to hackers.
Author: Mihai Raneti
Mihai has a degree in Psychology and various certifications in the field of IT and cybersecurity. He is
passionate about quantum physics, math, history and technology. He is a critical thinker, always sees
the bigger picture and is keen on problem solving. He is the brain behind

a pioneering cybersecurity technology.
Approach by:
Amar Wakharkar and Mary Nowottnick
Cyber security will be seen as one of the most pressing national security issues of 2017 due to
sophisticated and highly publicized cyber-attacks, such as the reports by various media channels during
the US Presidential election that the Russians hacked the Democratic National Committee's computer
systems. In the wake of those attacks on Democratic organizations, cyber security will be increasingly
framed as a strategic and national prestige issue. As a result, much attention will be directed at the
high probability of large-scale cyber-attacks on government and national critical infrastructure. Cyber
operations will be a significant component of future warfare.
2017 will be a pivotal year for governments, financial firms, the auto industry and IoT (Internet of Things)
vendors as they try to stay ahead of the IT security curve. The current trends showcase that cyber
security today is not just about securing your data, but about maintaining and managing the overall
assets for your country, as well as your organization.
With each day, it is important that the government, as well as other entities, know how cyber security
threats are impacting their business and consumers, and how the cyber security solution industry is
meeting these concerns. Entities need to be more vigilant, financially prepared and rapid to meet the
security requirements and expectations from their customers, shareholders, and regulators.
Some of the other key trends for 2017 will be:
• 2017 will see increased spending on National Critical Cyber Infrastructure and increased
regulatory monitoring. Regulatory guidelines will be far more stringent and strictly enforced,
backed by the government agenda to secure national critical cyber infrastructure.
• The growth of mobile technology adoption has driven a growth in corporate and end user
security vulnerabilities and data breaches. Now, many applications ask for permission to
access the user's contact list, personal information and location. In some scenarios, users
are not even aware of such data or location sharing and have no clue about the proper
security hygiene to follow. This has resulted in a huge gap that may lead to far larger and
more impactful mobile security issues. Enterprise mobile security and BYOD solutions that
concentrate on policy management, device security, content security, mobile application
security and identity and access management will help organizations and individuals set
up an effective mobile security road map and ensure that the end user is secured.
• We will see a significant increase in national political leadership targeting. Senior political
leaders, diplomats and their online social presence will be the main target of attackers,
resulting in the loss of confidence and prestige. Government and senior political leaders
should assume that hackers already have a complete profile of them and are waiting for the
right opportunity to strike.
• IoT and IoT payment risk will emerge as a global risk. As many IoT vendors, banks and
investment firms continue on the path to IoT, they will become increasingly inter-connected.
A security breach at one firm can create negative effects that may greatly impact the
adoption of IoT technology, and so, technology risks will continue to rise.
• Zero-day exploits and insider threats and organized attacks will continue to increase.
In addition to technology risks, skill set development and staff augmentation will present greater
challenges to organizations. The current industry trend shows a discrepancy between demand and supply
for certified, experienced and knowledgeable cyber security professionals. The existing workforce is
struggling to keep up with the increasing workload and the growing number of attacks on organizational
infrastructure. The demand for skilled cyber security professionals will increase exponentially in 2017.
Currently, very few cyber security experts link the business and the security practice and make C-Suite
decisions that shape the business environment. Companies will need many more experts in their C-Suite
who can make the case for cybersecurity aligned to business challenges and business expansion.
Authors:
Amar Wakharkar is a cyber security expert at Capgemini USA based out of Houston, TX. Amar has more
than nine years of global cyber security consulting experience across Nigeria, Kenya, India, Hong Kong,
Singapore, Malaysia, Qatar, the United Arab Emirates and the USA with Fortune 500 clients in the areas
of application security, SSDLC, mobile security, ITGC, penetration testing and vulnerability assessment.
Amar has published numerous articles in print media and has been a speaker at cyber security forums.
He is reachable at AMARSUHAS@HOTMAIL.COM
Mary Nowottnick has six years of IT security experience, including work at
the Goddard Space Flight Center in the Deep Space Science Missions
Field. Currently she is working at a Fortune 500 company and can be
reached at mcnowottnick@gmail.com
Approach by:
Celal Cagri
Nowadays, we have witnessed so much that people refer to past times by asking "how did people who
did not have our opportunities manage their lives?" It is impossible not to relate to this question,
because computers, smartphones, intelligent home systems, intelligent cars, Internet of Things products
and the Internet itself are part of our lives now and we can't imagine life without them. However, all of
these things bring their own security problems. Pentesting is one of the offensive ways to deal with
these security issues. A pentest is a solution, a service. A pentest is a different approach that lets
individuals, corporations and countries look at their cyber security and privacy levels through the eyes
of the hackers. Pentesting is a system that is constantly improving, like other systems with such a large
usage volume. Just like every complex system, making its process as automated as possible is one of the
goals of pentesting. To solve this part of the problem, machine learning and software engineering must
be used effectively. Besides this, however, pentesting has its own agenda, such as developing new
methodologies, using new techniques and exploring new attack surfaces in cyberspace. This leads us to
new trends in cyber security and pentesting. When we look at 2017, we expect a different, beautiful year
with new approaches.
Among the trends of 2017, we must first consider the web pentest. The reason for this is obvious. All
over the world, companies are developing their products to be served over the web. Many people may say
that "web pentesting is already known and is continuously performed". However, this kind of web pentest
is a little more specialized. JavaScript platforms and their libraries are being used more and more all
over the world. Applications run Node.js on the back end. Backbone.js, Ember.js and now mostly
Angular.js libraries are used every day on the front end. This trend in application development has led
attackers to find new vulnerabilities in these JavaScript libraries and platforms and exploit them.
Therefore, to provide better security, it seems that pentesters will be spending a lot of time on
JavaScript-based web applications in 2017.
In social engineering, ransomware and web browser attacks, especially man in the browser (MiTB), have
been very popular with attackers recently. Traditional precautions, such as SSL, CSRF tokens or two-step
verification to prevent sensitive data theft, unauthorized transactions etc., have no impact on a MiTB
attack because they can all be bypassed very easily. Runtime Application Self-Protection (RASP) is a new
technology and is recommended for preventing MiTB attacks. Although RASP is a good solution for SQL
injection or XSS attacks, it is still inadequate to stop MiTB attacks. When we consider everything, it is
obvious that the most important purpose of social engineering attacks in a pentest is to raise the
awareness of users, so simulating the real attack in the same way is the best solution. Therefore, for
the pentester, using malicious web browser plugins/add-ons in social engineering attacks to compromise
the target system with MiTB attacks, or showing clients what hackers can do in real life by deploying fake
ransomware on client systems, will be one of the most common trends for 2017.
One of the other important topics of 2017 is mobile pentesting. What I mean by mobile pentest is not just
the pentest of mobile applications. It should be understood as attacks that target phones and mobile
operating systems directly. While new vulnerabilities are discovered even in the most recent iOS and
Android versions, the importance of this kind of mobile pentest is better understood if you realize that
many people do not update their phones regularly. Advanced Persistent Threat (APT) attacks have been
much talked about in recent years, and it would not be wrong to say that attacking critical employees'
mobile phones directly will be a new trend in target-oriented pentest projects that simulate APT
attacks.
It is worth briefly mentioning the cyber security trends as well. There is an old concept that we have
been hearing a lot lately: web malware. Looking at the solutions offered so far, we see that there are
popular products that fight web malware and products that find classic web vulnerabilities. However, we
don't see a solution dealing with both together. For 2017 and after, products that address both web
malware and web vulnerabilities will be a new trend. Products especially focused on browser security
will also be a new trend for 2017.
Every year, we expect some new features in new car models, such as an automatic parking system, but we
don't expect the basic components of the car, such as wheels or tires, to change. Likewise, the core
components of the pentest (network attacks, wireless assessments, classic web application pentests,
etc., and the way they are performed) will continue in 2017, as they must. In addition, JavaScript-based
web application pentests, social engineering attacks that target browsers, fake ransomware attacks and
mobile attacks that target the phone itself will have a special place in 2017.
Approach by:
Ahmed Atef Selim
As 2016 ends, many security incidents, research, conferences and discussions have taken place during
the last 365 days. It is time to have a look at the rising trends for 2017 and at the security controls
suggested as lessons learned from that research, those incidents, etc.
Security specialists need to pay attention to new trends in both the defensive and offensive worlds, and
to new techniques that will help defenders protect their assets more effectively. The bad guys have their
own trends too.
In this article, we will try to cover the fastest-rising trends in the security world (defensive and
offensive), including the new trend of deceiving the attacker, the move toward threat-intelligence-driven
operations, and business disruption attacks.
Rise of Game Theory (Deception & Decoy)
Imagine for a moment, that once an attack is detected in an end user’s environment, the user’s system
had the ability to begin to lie and trick the attacker, giving false responses. This is now a reality and it’s
called deception techniques.
For the past 20 years, most active security control responses built into network security have remained
fairly constant, offering only a limited number of response actions, such as log, reject, drop and
quarantine. Such responses are visible to a skilled adversary, especially APT actors, who can accordingly
work around them and change their attack strategy.
On the contrary, deception by definition moves beyond detection to diversion and offers detection and
disruption of the attack process, resulting in the delay of an attacker’s activities or failing the whole
breach progression.
Although the idea may seem nascent, deception techniques have been widely used to enhance threat
detection and threat response strategy. For years, most security practitioners have used honeypots to
gather threat intelligence, and in some cases during incident investigation, deception techniques are
used to intercept and disrupt command-and-control communications. However, recent technology offers
more than information gathering (as honeypots do); recent technology is capable of automated decoying.
Today, deception technologies are being employed within security products and include the use of both
emulated/virtualized and real endpoint decoy systems, as well as network services, protocols,
applications or fake data elements, with technology providers trying to cover four levels (Network,
Endpoint, Application and Data).
One important thing to consider is how far the technology provider can trick the attacker, and this can
be achieved by adopting deception on all steps of the kill chain. Figure 1 shows the deception
strategies that can be used for each step of the kill chain.
Figure 1 Deception facing Kill Chain Steps
Finally, you need to know that deception techniques and technologies already exist and are being
adopted in the market; such technology is gaining more fans within the financial services and healthcare
domains. Meanwhile, technology providers can certainly do more to articulate their threat deception
capabilities and enhance older products (such as firewalls, IPS, etc.) to leverage deception techniques
to thwart attackers and enhance detection.
Rise of Threat Intelligence & Management (Analytics & Visualization)
It is no secret that organizational spending is directed toward solutions that promise to close the
"breach monitoring" gap; however much organizations spend, though, the problem isn't solved, since
attackers are always evolving and getting new ideas. Although this observation confirms the common
saying "there is no silver bullet", it also shows the need for threat management over vulnerability
management.
Analytics and visualization are terms that are entering the security domain and gaining ground; this
trend gives security teams the opportunity to shift operations towards threat management. Instead of
focusing on a well-known vulnerability, threat management teams need to focus on all scenarios, even if
a vulnerability doesn't "currently" exist.
For proper threat management, a huge amount of data needs to be collected and then analyzed
accordingly to make the right decisions. Therefore, Analytics and Visualization have become game-
changers in the security domains and this trend will continue rising for a while as it impacts a security
process, not just a routine operation.
For simplicity, figure 2 shows the main function of analytics and how this serves the decision maker. On
the other hand, visualization is important to show the decision maker how the analysis is done to
support the decision. Next we will check two rising trends that need to be adopted or planned to evolve
your operations.
Figure 2 Security Analytics Function
User and Entity Behavior Analytics: UEBA is the natural next step for user behavior analytics; as
mentioned before, the analytics domain will keep evolving and growing. UEBA is an extension of user
behavior analytics with additional analytics, so instead of analyzing data only to catch fraudulent
activity or an insider, you can also catch misbehavior of the organization's assets and, most
importantly, data exfiltration.
Red Teaming Automation: Most organizations invest in penetration testing and vulnerability analysis to
keep their organization secure; however, these exercises are not a replica of real-world attacks (due to
the limitations imposed so as not to impact availability, and because false positives are involved as long
as some vulnerabilities are not actually tested). Accordingly, analytics and visualization come into the
picture to support these activities with more powerful exercises, since they have huge amounts of data
that give them deeper penetration, and tools to help visualize that data and simulate attacks that can't
be performed by traditional methods.
On the Offensive Side (Business Disruption)
Despite everything seen in 2016, from the spread of ransomware to all the attention it received from
manufacturers and end users, that may not be what the year will be remembered for. Business disruption
attacks became a trend, and it seems the signs started early with an attack on KSA governmental
entities. Ransomware is not the only way to disrupt a business, however; more ways are emerging.
Business disruption is rising to the surface, specifically attacks on data integrity. The rise of this trend
may be due to the big economics and profit coming from it, specifically because it targets businesses.
The trend is expected to expand further to include not only organizations but strategic governmental
entities, and to be used for political disruption.
Final Words
In conclusion, security specialists need to pay attention to new trends in both defensive and offensive
worlds, and new techniques that will help defenders protect their assets. One of them is deception
where the security specialist will not only detect and prevent, they will also have the ability to disrupt
the attacking process, the same as playing chess.
CISO/CSOs must start thinking about a threat intelligence-driven process instead of the ordinary ways
for driving the security process (such as current practices, penetration testing, vulnerability
assessment, etc.).
On the other hand, the bad guys are still evolving and they have their own trends; one of the trends that
keeps evolving and will be targeting much bigger entities is the business disruption attacks.
Finally, alongside the rising trends, some of the older trends keep evolving and will keep evolving, such
as:
• Governance, Risk & Compliance (GRC): Every day we find a new breach, and organizations and
governments are issuing regulations and standards that keep getting tougher.
• Identity and Access Management (IAM): This is a dream for every big organization to achieve; as the
number of employees increases and their authentication-related security issues become uncontrollable,
the dream will become a must-have.
I wish everyone an effective 2017 security plan and a happy 2017.
Author: Ahmed A. Selim
Professional Service Head at SecurityMeter, a Security Managed Service Provider in North Africa, the
Middle East and East Asia. He has conducted a wide range of security services and deployments for major
entities in the MENA Region, including consultancy, strategic planning and organizational shift-over. His
early career in IT gave him exposure to a wide range of IT domains and qualified him to focus on security
consultancy and lead a team of professional experts in security services and solutions.
Approach by: Washington Umpierres de Almeida Junior
Society has watched the forms of communication evolve throughout its history. There was a time when
the telegram was the fastest way to send a message to a person or company, and even then there
were people able to intercept this kind of information while it was in transit. In those days, however,
they needed physical access to the information, since the data travelled written on paper.
The forms of communication continued to evolve until the emergence of the Internet, which
revolutionized the way people and companies communicate with each other. Nowadays, the way things
are done has been changing dramatically. Today people use electronic transfers instead of exchanging
cheques, send e-mails instead of writing letters, share information on social networks instead of
meeting acquaintances and friends somewhere, and so on. From an industry point of view, the
evolution goes the same way. Companies have been implementing complex automated methods to
increase their production and, more recently, financial institutions are working to implement
blockchain-based technology, which indicates a movement to replace the traditional banking business
model.
The world, and the way people and companies do things, has been changing very quickly. This
evolution has brought both benefits and challenges to modern society, which today depends heavily on
Internet resources. Along with these changes come the threats attached to each technological
element around us. So what can we expect from incoming threats in 2017?
Incoming Threats
The incoming threats of the next few years will focus on the SSL/TLS¹ protocols, blockchain-based
technology and smartphones. Why? Let us look at each one in more detail.
Attacks on SSL/TLS protocols
Put simply, a protocol carried over an SSL/TLS implementation gets an "S" appended to its name. For
example, a web application protocol (http) implemented in a secure manner (over SSL/TLS) takes the
form "https", sometimes referred to as "http secure".
After Netscape² developed the Secure Sockets Layer, it seemed the information technology industry
had found a way to browse the Internet securely. For many years, the security provided by the
SSL/TLS protocols seemed to be the best way to guarantee privacy and security for online
transactions. Although still widely used across the Internet, the SSL/TLS protocols present serious
vulnerabilities, and attackers exploit numerous variations of these flaws to compromise systems and,
as a consequence, capture sensitive data such as personal information, credit card details, user IDs,
passwords and so on.
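As an added example, not code from the article or its author, the following Python checker parses a TLS ServerHello record (the message in which the server announces the negotiated protocol version and cipher suite) and flags deprecated versions, weak suites and TLS-level compression against a defender's policy. The policy tables and the constructed sample records are assumptions for illustration; the article itself names no specific versions or suites.

```python
"""Audit a TLS ServerHello for deprecated protocol versions and weak cipher suites.

Added example; the deprecation policy below is an assumption, not the article's.
Record and handshake layouts follow RFC 5246 sections 6.2 and 7.4.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_SERVER_HELLO = 2

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Policy assumption: anything older than TLS 1.2 is a finding.
DEPRECATED_VERSIONS = {(3, 0), (3, 1), (3, 2)}

# A small subset of IANA-registered cipher suite identifiers, for illustration.
CIPHER_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_CIPHERS = {0x0000, 0x0005, 0x000A}  # NULL encryption, RC4, 3DES


def parse_server_hello(record: bytes) -> dict:
    """Extract version, cipher suite and compression method from one TLS record.

    Raises ValueError on truncated or unexpected input instead of guessing.
    Note: a TLS 1.3 server puts 0x0303 in this field and signals 1.3 in the
    supported_versions extension, which this parser does not walk.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS header")
    ctype, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    version = (hello[0], hello[1])
    sid_len = hello[34]
    pos = 35 + sid_len
    if len(hello) < pos + 3:
        raise ValueError("ServerHello missing cipher suite or compression method")
    cipher = int.from_bytes(hello[pos:pos + 2], "big")
    compression = hello[pos + 2]
    return {"version": version, "cipher": cipher, "compression": compression}


def assess(record: bytes) -> list:
    """Return policy findings for a ServerHello record; an empty list means it passes."""
    info = parse_server_hello(record)
    findings = []
    ver = info["version"]
    if ver in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol version {VERSION_NAMES.get(ver, ver)}")
    if info["cipher"] in WEAK_CIPHERS:
        name = CIPHER_NAMES.get(info["cipher"], hex(info["cipher"]))
        findings.append(f"weak cipher suite {name}")
    if info["compression"] != 0:
        findings.append("TLS-level compression enabled")
    return findings


def is_valid_record(record: bytes) -> bool:
    """True when the bytes parse as a well-formed ServerHello record."""
    try:
        parse_server_hello(record)
        return True
    except ValueError:
        return False


def build_server_hello(version, cipher, compression=0, session_id=b"") -> bytes:
    """Construct a minimal ServerHello record (constructed sample data, zeroed random)."""
    hello = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += cipher.to_bytes(2, "big") + bytes([compression])
    hs = bytes([HANDSHAKE_TYPE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for rec in (build_server_hello((3, 1), 0x0005), build_server_hello((3, 3), 0xC02F)):
        print(parse_server_hello(rec), assess(rec) or "OK")
```

Captured records from a packet capture can be fed to `assess` the same way as the constructed ones; it reports the negotiation the server actually accepted, which is what a hardening review needs to know.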
Pentest trends 2017
Pentest trends 2017
Pentest trends 2017

Mais conteúdo relacionado

Mais procurados

Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 
Tree incident shows value of remote working
Tree incident shows value of remote workingTree incident shows value of remote working
Tree incident shows value of remote workingJohn Davis
 
Social media data leakage and data accountability risks
Social media   data leakage and data accountability risksSocial media   data leakage and data accountability risks
Social media data leakage and data accountability risksArrka Consulting
 
identifying malevolent facebook requests
identifying malevolent facebook requestsidentifying malevolent facebook requests
identifying malevolent facebook requestsINFOGAIN PUBLICATION
 
OSINT with Practical: Real Life Examples
OSINT with Practical: Real Life ExamplesOSINT with Practical: Real Life Examples
OSINT with Practical: Real Life ExamplesSyedAmoz
 
Combating RANSOMWare
Combating RANSOMWareCombating RANSOMWare
Combating RANSOMWareUmer Saeed
 
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Nicholas Tancredi
 

Mais procurados (8)

Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 
Tree incident shows value of remote working
Tree incident shows value of remote workingTree incident shows value of remote working
Tree incident shows value of remote working
 
Social media data leakage and data accountability risks
Social media   data leakage and data accountability risksSocial media   data leakage and data accountability risks
Social media data leakage and data accountability risks
 
identifying malevolent facebook requests
identifying malevolent facebook requestsidentifying malevolent facebook requests
identifying malevolent facebook requests
 
OSINT with Practical: Real Life Examples
OSINT with Practical: Real Life ExamplesOSINT with Practical: Real Life Examples
OSINT with Practical: Real Life Examples
 
Combating RANSOMWare
Combating RANSOMWareCombating RANSOMWare
Combating RANSOMWare
 
FOSS and Security
FOSS and SecurityFOSS and Security
FOSS and Security
 
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
 

Destaque

The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?SecuRing
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?Internet Security Auditors
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitShah Sheikh
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Mauro Risonho de Paula Assumpcao
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Eight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability AssessmentEight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability AssessmentSirius
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations FasterQuick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations FasterEugene Cheng
 
Email Marketing 101: The Welcome Email
Email Marketing 101: The Welcome EmailEmail Marketing 101: The Welcome Email
Email Marketing 101: The Welcome EmailSendGrid
 

Destaque (20)

The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of Things
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Eight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability AssessmentEight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability Assessment
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
 
Smart TV Insecurity
Smart TV InsecuritySmart TV Insecurity
Smart TV Insecurity
 
The Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonifyThe Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonify
 
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations FasterQuick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
 
Email Marketing 101: The Welcome Email
Email Marketing 101: The Welcome EmailEmail Marketing 101: The Welcome Email
Email Marketing 101: The Welcome Email
 

Semelhante a Pentest trends 2017

Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Bruce Wolfe
 
Cyber security-report-2017
Cyber security-report-2017Cyber security-report-2017
Cyber security-report-2017NRC
 
Security Minded - Ransomware Awareness
Security Minded - Ransomware AwarenessSecurity Minded - Ransomware Awareness
Security Minded - Ransomware AwarenessGreg Wartes, MCP
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost coldfire007
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Jesus Rances
 
The use of internet web 120
The use of internet web 120The use of internet web 120
The use of internet web 120jram2113
 
Possible cyber security threats of 2016
Possible cyber security threats of 2016Possible cyber security threats of 2016
Possible cyber security threats of 2016James_08
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet SecurityAshley Zimmerman
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...Dana Gardner
 
The dark side of cybersecurity: International Awareness Cybersecurity Month
The dark side of cybersecurity: International Awareness Cybersecurity MonthThe dark side of cybersecurity: International Awareness Cybersecurity Month
The dark side of cybersecurity: International Awareness Cybersecurity MonthITrust - Cybersecurity as a Service
 
Computer Security Guide to Pc Security
Computer Security Guide to Pc SecurityComputer Security Guide to Pc Security
Computer Security Guide to Pc SecurityMallTake
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
Research Paper Sentence OutlineResearch Question How e-commer.docx
Research Paper Sentence OutlineResearch Question How e-commer.docxResearch Paper Sentence OutlineResearch Question How e-commer.docx
Research Paper Sentence OutlineResearch Question How e-commer.docxaudeleypearl
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...Rishi Singh
 

Semelhante a Pentest trends 2017 (20)

Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Who's that knocking on my firewall door?
Who's that knocking on my firewall door?
 
Cyber security-report-2017
Cyber security-report-2017Cyber security-report-2017
Cyber security-report-2017
 
Security Minded - Ransomware Awareness
Security Minded - Ransomware AwarenessSecurity Minded - Ransomware Awareness
Security Minded - Ransomware Awareness
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost
 
Spyware
SpywareSpyware
Spyware
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
 
Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Empowerment Technologies - Module 2
Empowerment Technologies - Module 2
 
The use of internet web 120
The use of internet web 120The use of internet web 120
The use of internet web 120
 
Possible cyber security threats of 2016
Possible cyber security threats of 2016Possible cyber security threats of 2016
Possible cyber security threats of 2016
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
Cyber security macau
Cyber security macau Cyber security macau
Cyber security macau
 
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
When it Comes to API Security, Expect the Whole World to Be Testing Your Mett...
 
The dark side of cybersecurity: International Awareness Cybersecurity Month
The dark side of cybersecurity: International Awareness Cybersecurity MonthThe dark side of cybersecurity: International Awareness Cybersecurity Month
The dark side of cybersecurity: International Awareness Cybersecurity Month
 
Computer Security Guide to Pc Security
Computer Security Guide to Pc SecurityComputer Security Guide to Pc Security
Computer Security Guide to Pc Security
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Research Paper Sentence OutlineResearch Question How e-commer.docx
Research Paper Sentence OutlineResearch Question How e-commer.docxResearch Paper Sentence OutlineResearch Question How e-commer.docx
Research Paper Sentence OutlineResearch Question How e-commer.docx
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
 
Robust Software Solutions.pptx
Robust Software Solutions.pptxRobust Software Solutions.pptx
Robust Software Solutions.pptx
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 

Último (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Pentest trends 2017

Dear PenTest Readers,

We would like to proudly present the newest issue of PenTest Open, which is free to download for everyone interested in the topic. We hope that you will find many interesting articles inside and that you will have time to read all of them.

We are approaching the end of the year, so it is time to sum up the past year and think about the future. During 2016 we read about dozens of data breaches. The biggest companies in the world suffered from them: Snapchat, LinkedIn, Oracle, Dropbox, Yahoo and Cisco. What is even more alarming is that the number of attacks on public institutions is rising. In 2016 we observed attacks on the University of Central Florida, the U.S. Department of Justice, the Philippine Commission on Elections, and a couple of hospitals and power stations. Furthermore, cybercriminals are using more advanced and complicated methods. We were overwhelmed by the amount of information about malware, phishing attacks, ransomware and data leaks. The good news is that companies are dealing better and better with attacks and data breaches, but it is still more about incident response than about regular pentesting and constantly upgrading the company's security posture.

So what can we expect next year? Are there going to be more or fewer attacks and data breaches? And who is going to be a target? In this OPEN issue you will read different opinions about the future of cybersecurity and penetration testing, given by specialists from all around the world. You can read about the MicroEncryption methodology and its features. We will cover topics like business disruption, threat intelligence and management, the IoT landscape, and the cybersecurity market. There is also an article about ZoomEye, a search engine for cyberspace, and how to use it. We will dive into topics like MiTB and SSL/TLS protocol attacks and deception techniques. We will show you a threat modeling template for beginners, in which the features and components of this process are explained in detail.

We would also like to thank you for all your support. We appreciate it a lot. If you like this publication, share it and tell your friends about it! Every comment means a lot to us. As always, special thanks to the Betatesters and Proofreaders who helped with this issue. Without your assistance there would be no PenTest Magazine. We also want to take this opportunity to wish you a Happy New Year!

Enjoy your reading,
PenTest Magazine's Editorial Team
Zoomeye - search engine for cyberspace
by Jorge González Milla

Many people already know Shodan, the search engine for devices connected to the Internet, but today I present to you ZoomEye. ISPs should take their routers' security seriously, and companies should do the same with the safety of their devices; otherwise everyday consumers are left unprotected. These days any user with average knowledge in the field could take control of such devices to carry out unconstrained attacks.

When the Internet is pushed into places where it is basically useless or of very little use, and ISPs do not help much, chaos takes over devices. A simple search in any given "dark engine" is enough to realize how many devices keep their default settings or ship with no meaningful default configuration at all.

ZoomEye is the cyberspace search engine you never heard of. Everyone knows the beloved Shodan and its new, valid alternative Censys for searching IoT devices, but are you sure you are not missing anything? ZoomEye is a search engine for cyberspace, created especially for hunting the demons in cyberspace.

ZoomEye is developed by Knownsec Inc., a Chinese security firm based in Beijing. The first version was released on 1 July 2013, and it has been under continuous development since, reaching version 3. At its core ZoomEye uses Xmap and Wmap to grab data from publicly exposed devices and web services and to perform fingerprint analysis. ZoomEye is simpler and more intuitive than Shodan, and it allows paging through results without prior registration. We can use filters to search for devices. Using it is not illegal, because it simply collects information about devices that are already visible on the Internet. It grabs banners or makes requests to some common ports and stores the information returned in the headers provided by the server. This information is often enough to identify the software that is serving the response.
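The banner-grabbing and fingerprinting step described above is easy to see in code. The following is an added example, not ZoomEye's code or anything from the article: given raw banners grabbed from a port (constructed samples, not real hosts), it derives the fields an engine like ZoomEye indexes and searches with dorks: protocol, product, version, an OS hint and a few risk flags. The Server-header-to-OS table is a small hand-maintained lookup assumed for the example; the IIS 5.1 to Windows XP mapping is what makes the article's Windows XP dork possible, and the FTP 230 reply to an anonymous login attempt is how an "Anonymous access allowed" filter gets its data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fingerprint is what a cyberspace search engine indexes for one host:port after
// a banner grab: protocol, the software that answered, an OS hint and risk flags.
type Fingerprint struct {
	Protocol, Product, Version, OS string
	Flags                          []string
}

// Server headers tied by vendor bundling to an OS that is now end-of-life
// (IIS 5.1 shipped only with Windows XP, IIS 6.0 only with Server 2003).
var eolServers = map[string]string{
	"Microsoft-IIS/5.1": "Windows XP",
	"Microsoft-IIS/6.0": "Windows Server 2003",
}

var (
	sshRe     = regexp.MustCompile(`^SSH-(\d\.\d)-([^\s_]+)_?(\S*)\s*(.*)$`)
	ftpLineRe = regexp.MustCompile(`^(\d{3})[ -](.*)$`)
	productRe = regexp.MustCompile(`^([^/\s]+)/?(\S*)`)
	versionRe = regexp.MustCompile(`\d+(?:\.\d+)+[A-Za-z0-9]*`)
	distroRe  = regexp.MustCompile(`Raspbian|Ubuntu|Debian|FreeBSD`)
)

// Analyze dispatches on the first line of the grab, the way a fingerprinting
// engine picks a parser for whatever came back from a port.
func Analyze(banner string) Fingerprint {
	lines := strings.Split(strings.TrimSpace(strings.ReplaceAll(banner, "\r\n", "\n")), "\n")
	switch {
	case strings.HasPrefix(lines[0], "HTTP/"):
		return analyzeHTTP(lines[1:])
	case strings.HasPrefix(lines[0], "SSH-"):
		return analyzeSSH(lines[0])
	case ftpLineRe.MatchString(lines[0]):
		return analyzeFTP(lines)
	}
	return Fingerprint{Protocol: "unknown"}
}

func analyzeHTTP(headers []string) Fingerprint {
	fp := Fingerprint{Protocol: "http"}
	for _, h := range headers {
		kv := strings.SplitN(h, ":", 2)
		if len(kv) != 2 || !strings.EqualFold(strings.TrimSpace(kv[0]), "Server") {
			continue
		}
		server := strings.TrimSpace(kv[1])
		if m := productRe.FindStringSubmatch(server); m != nil {
			fp.Product, fp.Version = m[1], m[2]
		}
		if os, ok := eolServers[server]; ok {
			fp.OS = os
			fp.Flags = append(fp.Flags, "end-of-life OS")
		}
		if strings.HasPrefix(server, "HP-ChaiSOE") { // HP JetDirect embedded web server
			fp.Flags = append(fp.Flags, "printer web interface exposed")
		}
	}
	return fp
}

func analyzeSSH(line string) Fingerprint {
	fp := Fingerprint{Protocol: "ssh"}
	if m := sshRe.FindStringSubmatch(line); m != nil {
		// software_version, then an optional comment that often names the distro build
		fp.Product, fp.Version, fp.OS = m[2], m[3], distroRe.FindString(m[4])
	}
	return fp
}

func analyzeFTP(lines []string) Fingerprint {
	fp := Fingerprint{Protocol: "ftp"}
	for _, l := range lines {
		m := ftpLineRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		switch m[1] {
		case "220": // greeting, which usually names the daemon and its version
			if p := productRe.FindStringSubmatch(m[2]); p != nil {
				fp.Product, fp.Version = strings.Trim(p[1], "()"), versionRe.FindString(m[2])
			}
		case "230": // login accepted after the grabber offered user "anonymous"
			if strings.Contains(strings.ToLower(m[2]), "anonymous") {
				fp.Flags = append(fp.Flags, "anonymous access allowed")
			}
		}
	}
	return fp
}

// Constructed sample grabs (not real hosts).
var sampleBanners = []string{
	"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\nContent-Type: text/html\r\n",
	"HTTP/1.0 200 OK\r\nServer: HP-ChaiSOE/1.0\r\n",
	"SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3",
	"220 ProFTPD 1.3.3 Server (Debian) [::ffff:10.0.0.5]\r\n230 Anonymous access granted, restrictions apply\r\n",
}

func main() {
	for _, b := range sampleBanners {
		fmt.Printf("%+v\n", Analyze(b))
	}
}
```

Everything here is derived from what the server volunteered; no exploit is attempted, which is exactly why an engine can index it at scale and why a dork such as a Windows XP or "Anonymous access allowed" filter is just a query over these fields.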
Services, ports, countries, cities, default settings and many more possibilities are at a mouse click's reach, thanks to the power of "dorks". It is widely known that Microsoft ended support for Windows XP long ago. We can easily discover devices running Windows XP with a simple dork in ZoomEye, and we can just as easily discover services, servers, ports and much more.

Even printing systems. Surprisingly, some printers provide far too much information when we access them (without any credentials). These are all hints for cybercriminals.

Web servers running under Windows in Spain:

If we move to the top mobile OS, we can find a huge number of devices. On the main page we can already see Android-based systems that we can investigate. Just by using our imagination we can get loads of information. The Raspberry Pi is another widely used, inexpensive and easily accessible device.

Biometric systems, coffee makers, light bulbs... all these devices connected and configured by an inexpert user, or running their default settings, can be scary. ISPs should take action, as they cannot expect the everyday user to configure their device correctly. Remember, what we have shown here is just the tip of the iceberg.

Why take action? Simply by applying the filter "Anonymous access allowed", we will see the services that we can access anonymously. And this is only in ZoomEye. Imagine the problems if someone with malicious intent tries to wreak havoc by uploading malware (as we saw above) or by other means. If we do not take steps to prevent cyber attacks, the Internet could die: thousands of attacks per second, infected machines attacking without their owners' consent, and so on. The Internet could become chaos.

Author: Jorge González Milla
My name is Jorge, I am from Jaén, Andalucía, Spain. I am currently an analyst programmer and security analyst. I also do pentesting. Since 2006 I have dedicated myself to computer science, and since 2014 to cybersecurity. Aside from ethical hacking, I like reading, sport and my work. I would like to work solely as a security analyst / pentester, as it is my passion. I have worked in several companies as a programmer analyst and I have also worked as a pentester, although I do not have much experience, so I would like to work as a pentester, because it is what I really love.
SAP Security. Today's state, future trends and predictions.
by Darya Maenkova

The article describes the state of SAP cybersecurity with a special focus on SAP Product Security (statistics according to released patches) and SAP Implementation Security. In light of all the facts, we forecast which topics will attract researchers' attention in the near future.

Interest in SAP security is growing. Within the last 10 years experts have delivered a lot of talks on SAP cybersecurity, and studies on the topic have been featured in the top international media (e.g., Forbes, The Guardian, Wired, Financial Times). So nowadays it is hard to believe that SAP security used to be terra incognita. All these warnings were for a reason: within the last three years several highly significant incidents related to SAP cybersecurity occurred (the NVidia breach in 2014, the OPM breach in 2015, and the US-CERT alert on an SAP vulnerability). To make accurate predictions, we should first get to know what the state of SAP cybersecurity is today and what emerging use cases we can observe now.

State of SAP Security

To give a full picture of SAP cybersecurity, we focused on two aspects: SAP Product Security and SAP Implementation Security.

Product Security

This part relates to vulnerability statistics. The average number of security patches for SAP products (aka SAP Security Notes) per year has slightly decreased. Surprisingly, this does not mean that the number of issues has dropped too: the vendor now may fix multiple vulnerabilities in one patch, while three years ago each patch addressed a particular one. The number of patches is still quite high.

Figure: Number of SAP Security Notes per year

In total, 3794 SAP Security Notes and Support Package Implementation Notes have been published as of November 2016. Most of the issues (69%) were rated High Priority or HotNews, i.e., about two thirds of the fixes must be applied as soon as possible. The most common vulnerability types remain XSS, missing authorization check, and directory traversal.

Figure 1. SAP Security Notes by type

The list of vulnerable SAP platforms has extended and now includes modern cloud and mobile technologies, such as HANA. The new platforms are more exposed to the Internet, which facilitates an attack. There are vulnerabilities in almost every SAP module: CRM takes the leading position, followed by EP and SRM. However, one should not underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules (like the ones mentioned before) were introduced about two dozen years ago, yet their first vulnerabilities were discovered only several years ago; SAP HANA and SAP Mobile apps, by contrast, attracted researchers' (and, unfortunately, hackers') attention much more quickly after their release.

Figure 2. SAP Vulnerabilities by application area
The number of security issues in industry-specific solutions has grown significantly and now totals 160. The most affected are SAP for Banking, Advertising Management, Retail, Automotive, and Utilities.

Industry Solution                                                      Number of vulnerabilities
Banking                                                                33
Advertising Management (including Classified Advertising Management)   27
Retail                                                                 21
Automotive                                                             14
Utilities                                                              14
Healthcare                                                             13
Campus Management                                                      12
Oil and Gas                                                            10
Defense Forces and Public Security                                      6
Aerospace and Defense                                                   4

SAP Implementation Security

This part describes how securely SAP systems are implemented on a global scale. Statistics on exposed SAP web applications can be gathered with well-known Google search queries or Shodan, but this approach produces a number of false positives. Because of that, we used our own scanning method to gather information about SAP system types. As a result of the scan, more than 11,000 unique servers with different SAP web servers were identified. Further research reveals that most of the legitimate SAP application services exposed to the Internet are located in the USA (2332), India (1003), and Germany (895).

The most interesting and complex research was performed for services that should not be accessible from the Internet at all. SAP has a set of components that are designed only for internal use or require additional network filtering before being exposed directly to the Internet. Almost 25,000 such web-exposed SAP services were found (namely SAP Gateway, SAP Message Server, SAP HostControl, SAP Visual Admin P4, SAProuter, SAP MC, and SAP Afaria). Not only do they pose a potential risk, they also have real vulnerabilities and misconfigurations that are well known and described in public sources. In detail, it was found that:

• 78% of ABAP systems on the Internet (3177 systems in total) have the WebRFC service enabled. This service allows executing RFC functions (reading data from SAP tables, executing OS commands, making financial transactions, etc.) via HTTP requests to the NetWeaver ABAP ports and URLs. By default, any user can access this interface and execute the RFC_PING function by sending an XML packet; other functions require additional authorizations. So there are two main risks:
  - If a default username and password is present in the system, an attacker can execute numerous dangerous RFC functions, because default users have dangerous rights.
  - If a remote attacker obtains any existing user's credentials, he or she can execute a denial-of-service attack on the server by sending an RFC_PING request with a malformed XML packet.
• 10% (533) of J2EE systems on the Internet have the CTC service enabled. The service is intended for managing the J2EE engine remotely. The Verb Tampering vulnerability in CTC allows bypassing authorization checks for remote access to the service. A non-intrusive scan cannot determine whether the identified services are vulnerable, but the probability is rather high.
• 1209 Message Server HTTP services (the HTTP part of the Message Server) are exposed to the Internet. One of the issues of the SAP Message Server HTTP service is the possibility to obtain the values of the SAP system's configuration parameters remotely without authentication. This information can be used for further attacks.
• 3465 SAP Management Console services are exposed to the Internet; they are potentially vulnerable to unauthorized access to log files.
• 859 SAP Visual Admin P4 services are exposed to the Internet. The service provides administrative functionality to manage SAP J2EE applications remotely.

Near future

Now that we have drawn a picture of the SAP threat landscape, we can try to forecast what will be on the horizon for 2017. In short, as SAP cybersecurity is a part of cybersecurity, SAP cybersecurity experts can expect to encounter in the coming year the same trends as the industry in general. Future trends and predictions about IT security are connected with the following:

- Cloud solutions. Enterprises are no longer thinking about migrating applications and data to the cloud; they are doing it.
Threats posed by cloud solutions are rather well known: data breaches, compromised credentials because of broken or missing authentication, exploited system vulnerabilities, to name a few. As for SAP in particular, SAP states that its SAP HANA in-memory technology has 110 million cloud subscribers around the world, so the attack surface is potentially rather wide.

- Internet of Things. Vulnerabilities identified in various wearable devices hit the headlines of the major media many times in 2016. But what really represents a threat is the industrial IoT, or IIoT. It includes sensor data, machine-to-machine communication and automation technologies. Such technologies have the potential to drastically change the future of the whole vertical. Nonetheless, one should not forget that IIoT security is a challenge: any device connected to the plant floor and at the same time exposed to the Internet is susceptible to being hacked. In its portfolio SAP has a set of solutions for the IoT that includes a platform, applications, and underlying technical services. Moreover, researchers from ERPScan have already identified several vulnerabilities in modules responsible for plant floor integration (SAP Plant Connectivity, SAP xMII).

- Industry-specific attack vectors. Cybercrime is on the rise, and no vertical is immune to it. Several highly targeted attacks happened this year; for example, the hotel industry fell victim to the Oracle MICROS data breach. We have identified a special attack vector against an oil and gas company. In particular, the researchers discovered vulnerabilities in SAP xMII, SAP Plant Connectivity, SAP HANA, the Oracle E-Business Suite platform and some widely used OPC servers, such as Matrikon OPC. Configuration issues and these vulnerabilities can be used to conduct a multi-stage attack and get access to connected systems.

Taking into account the huge number of vulnerabilities in industry solutions from SAP (160 as of mid-2016), one can suppose that different kinds of cybercriminals may pay attention to these software vulnerabilities, especially in industries such as Oil & Gas, Automotive, and Banking.

Author: Darya Maenkova
Darya is Sr. Analyst at the Department of Security Evangelism, ERPScan. Her main fields of interest are statistical and analytical studies, as well as trend analysis. She participates in ERPScan's research work, including the monthly analysis of SAP Security Notes, the quarterly overview of Oracle CPU, and the annual SAP Security Reports.
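The implementation-security findings in this article are, at bottom, a port-exposure problem: Gateway, Message Server, HostControl, P4, SAProuter and the Management Console should not answer from the Internet at all. As an added example (not ERPScan's scanner or any code from the article), the following Go program classifies scan results against the SAP default port conventions (33NN Gateway, 36NN Message Server, 81NN Message Server HTTP, 5NN04 P4, 5NN13/5NN14 Management Console, 1128/1129 HostControl, 3299 SAProuter, and so on) and reports what should never have been reachable. The scan data is constructed (TEST-NET addresses); the port conventions are SAP's defaults, which a landscape may remap, and the notes only restate the article's findings, so a match is a lead to verify, not a confirmed vulnerability.

```go
package main

import (
	"fmt"
	"sort"
)

// Exposure is one scanned host:port mapped to the SAP service that by default
// listens there.
type Exposure struct {
	Host     string
	Port     int
	Service  string
	Instance int  // SAP instance number NN encoded in the port, or -1
	Internal bool // true for services the article says must not face the Internet
	Note     string
}

// portRule: port = base + NN*stride for instance number NN in 00..99.
// These are vendor defaults; a landscape may remap them.
type portRule struct {
	base, stride int
	service      string
	internal     bool
	note         string
}

var instanceRules = []portRule{
	{3200, 1, "Dispatcher (DIAG)", false, ""},
	{3300, 1, "Gateway", true, "RFC entry point; internal use only"},
	{3600, 1, "Message Server", true, "internal use only"},
	{4800, 1, "Gateway (SNC)", true, "RFC entry point; internal use only"},
	{8000, 1, "ICM HTTP (NetWeaver ABAP)", false, "check which ICF services (e.g. WebRFC) are active"},
	{8100, 1, "Message Server HTTP", true, "may disclose system parameters without authentication"},
	{44300, 1, "ICM HTTPS (NetWeaver ABAP)", false, "check which ICF services are active"},
	{50000, 100, "J2EE HTTP", false, "verify that the CTC service is disabled or protected"},
	{50004, 100, "P4 (Visual Admin)", true, "remote J2EE administration"},
	{50013, 100, "Management Console HTTP", true, "potential unauthorized access to log files"},
	{50014, 100, "Management Console HTTPS", true, "potential unauthorized access to log files"},
}

// Services on fixed ports that do not encode an instance number.
var fixedRules = map[int]portRule{
	1128: {service: "HostControl HTTP", internal: true, note: "internal use only"},
	1129: {service: "HostControl HTTPS", internal: true, note: "internal use only"},
	3299: {service: "SAProuter", internal: true, note: "listed by the article as not for Internet exposure"},
}

// ClassifyPort maps a port to the SAP service that owns it by default. Fixed
// ports are checked first (3299 would otherwise read as dispatcher instance 99).
func ClassifyPort(host string, port int) (Exposure, bool) {
	if r, ok := fixedRules[port]; ok {
		return Exposure{host, port, r.service, -1, r.internal, r.note}, true
	}
	for _, r := range instanceRules {
		off := port - r.base
		if off < 0 || off%r.stride != 0 || off/r.stride > 99 {
			continue
		}
		return Exposure{host, port, r.service, off / r.stride, r.internal, r.note}, true
	}
	return Exposure{}, false
}

// InternalOnlyExposures keeps the results that the article's policy says should
// never be reachable from the Internet, ordered by host and port.
func InternalOnlyExposures(scan map[string][]int) []Exposure {
	var out []Exposure
	for host, ports := range scan {
		for _, p := range ports {
			if e, ok := ClassifyPort(host, p); ok && e.Internal {
				out = append(out, e)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Port < out[j].Port
	})
	return out
}

// Constructed scan output (TEST-NET addresses, not real systems).
var sampleScan = map[string][]int{
	"203.0.113.10": {8000, 3300, 3600, 22},
	"203.0.113.20": {50000, 50104, 50113},
	"203.0.113.30": {3299, 1128, 443},
}

func main() {
	for _, e := range InternalOnlyExposures(sampleScan) {
		fmt.Printf("%s:%d  %-26s instance=%2d  %s\n", e.Host, e.Port, e.Service, e.Instance, e.Note)
	}
}
```

Feed it the open-port list from an external scan of your own address space and anything it prints is a firewall rule to write before any patching discussion starts; ports 80NN and 5NN00 are legitimately public for web applications, which is why they are classified but not flagged.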
Present and future of cyber security - What's in store to become a cyber warrior?
by Samrat Das

Cyber security in itself is a broad and diverse field. Its growing importance, due to the increasing dependence on computer systems and the Internet in today's society coupled with the "Internet of Things", is unparalleled.

If we take a look at the most important sources of business today, they range from financial systems and telecommunications to aviation, consumer devices, automobiles and the Internet of Things. Imagine all these systems generating revenue, with people worldwide using their services. At this stage, if an external attacker, or rather an insider, leaks the data, breaks into the system and corrupts or manipulates data, it becomes a huge loss along with loss of reputation and financial damage. Serious financial damage has already been caused by security breaches: security consulting firms have produced estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general ranging anywhere from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks).

Just in 2016, the following were some of the most talked about hacks:

1. AdultFriendFinder: close to 412 million users had their personal information exposed. The information, including e-mails and passwords, was published on online criminal marketplaces for purchase.
2. LinkedIn: in May 2016, 117 million email addresses and passwords were published online. LinkedIn still has no idea who was behind the hack.
3. World Anti-Doping Agency: with the Olympics in full swing in 2016, Russian hackers leaked the medical data of athletes such as Simone Biles and Serena Williams.
4. Snapchat: on March 3rd of this year, 700 current and former employees had their private data stolen in a phishing scam that posed as chief executive Evan Spiegel.
5. Yahoo!: Yahoo lost 500 million usernames, passwords, telephone numbers and dates of birth back in late 2014. The revelation finally came in 2016.
6. Cisco: Cisco was notified of a significant privacy vulnerability on its careers page, leaving job-seekers open to potential hacks.
7. Verizon: a hack in the Verizon Enterprise Solutions division, a section of the company dedicated to IT services and data breach assistance for companies and government bodies alike. Hackers stole information on 1.5 million users.
8. Democratic Party: the Democratic Party experienced plenty of hacks in 2016.
9. Bitcoin: one of the bitcoin exchanges, Bitfinex in Hong Kong, was hacked, losing $65 million plus to still untraced hackers.
10. Dropbox: data revealed in 2016 showed that 68 million users were at risk from stolen passwords and usernames.

All this proves a single moral: the world needs hard core cyber security geeks and professionals who can test systems and organizations to detect, patch and prevent such attacks and vulnerabilities to a large extent. Such security measures may include:

• Vulnerability Management
• Secure Coding
• Penetration Testing
• Physical Security
• Security Compliance and Audits

Going by recent trends, according to Forbes the global cybersecurity market reached $75 billion in 2015 and is expected to hit $170 billion in 2020. According to various sources, cyber security is the most in demand profession one can look forward to in the coming future.
As of this writing, the top skills you can master for a bright career in cyber security are:

• Security Analysis (Penetration Testing and Vulnerability Assessment). The most in demand and booming profession, where demand exceeds supply: you are paid to legally break into networks, find loopholes in websites and discover attack vectors in mobile and rich clients, not to forget wireless networks and IoT devices. This is one field that is deep rooted for the present and the future, with a promising cyber security career option. According to the US Bureau of Labor Statistics, the number of jobs for information security analysts is projected to increase 18% between 2014 and 2024.
• Secure Software Development. This involves finding exploitable and vulnerable software code and patching it; your role as a secure developer / source code reviewer will be to identify and patch the vulnerabilities.
• Cloud Security. Organizations identify cloud security as the area with their biggest security skills deficit. Demand is high as large businesses generate jobs for cloud security architects. There are several threats particular to the cloud, such as data breaches, system vulnerability exploits, and hijacked accounts, among others. This is a field for the present and a much more widespread future, where tons of things are to be done and the skills are rarely found.
• Intrusion Detection. Intrusion detection involves discovering potentially harmful activity that could compromise the confidentiality, integrity or availability of information; a field where you are in charge of assessing networks and infrastructure to find, detect and block malicious attackers penetrating your network.
• Network Security. Combined with incident management, organizations also need professionals who secure and lock down firewalls, monitor systems, and detect and analyze suspicious behavior.
• Risk Mitigation / Threat Modelling. A field where you need to identify and discover risks, create mitigation plans and create blueprints for a secure infrastructure; the demand now and in the coming time cannot be ruled out.

In a nutshell, cyber security is an ambitious, highly rewarding and promising career option for people worldwide. This is one field free from lack of opportunities, recessions and oversupply. For young people out of college, and for interns, this is one really good field in which to grow by leaps and bounds and make a mark for yourself!

Author: Samrat Das
Samrat is a security researcher currently working for Deloitte India as a Security Consultant. His interests include network and web penetration testing, reverse engineering and malware analysis, and secure code review. He can be reached at sam9318@gmail.com, on Twitter at @Samrat_Das93, or via his LinkedIn profile: https://in.linkedin.com/in/samrat18
An IoT landscape for 2017
by Jason Bernier

2016 was quite a year for cyber security. We saw a lot of new vulnerabilities and exploits published. For the most part, it seems to be a never-ending cycle of a researcher finding a vulnerability and the software developer publishing a patch. One of the predictions for 2017 is more security incidents involving Internet of Things (IoT) devices.

Something that occurred in October 2016 that I suspect few expected was a massive denial-of-service attack by a massive botnet dubbed "Mirai". The Mirai botnet was made up of thousands of compromised IoT devices. How is it that a simple device like a thermostat or a home security camera could effectively aid in a successful cyber-attack that denied thousands of users access to a large number of websites?

Vendors of IoT devices need to employ better and more sophisticated security measures, and take a more aggressive stance on creating a better cyber security posture for their consumers. Currently, vendors and manufacturers have no real incentive to add security measures other than potential legal issues. A potential solution would be legal regulation of any device that can connect to the Internet. This would be plenty of incentive for manufacturers and vendors to at least take security more seriously and add security measures to their products. Another way to improve security on IoT devices would be for developers to open-source their code, allowing more people to contribute and report critical findings.

I suspect that incidents involving IoT devices will only increase in 2017, from DoS attacks to full-on intrusions hosted by IoT botnets. I am hopeful that researchers will find new ways to add security and create further avenues to combat such cyber-attacks.

Author: Jason Bernier
A full time red team member on the US Army Red Team, performing computer exploitation at Sotera Defense Solutions, and a part time penetration tester at Lunarline Inc. He started his career in the military, working as a general IT admin/engineer. After serving in the military, he continued his IT career within the defense industry. He eventually made his way into security after earning a BS in IT/Security and an MS in IT/Cyber Security. He has over 20 years of experience, including penetration testing, vulnerability assessment, and insider threat detection.
The Evolution of MicroEncryption® Type Technology
by Steven Russo

A new data security paradigm is required to secure sensitive data in the event of a perimeter defense breach. This new paradigm must ensure that only the right people get access to the right information at the right time. The MicroEncrypted Digital Vault capabilities are designed to keep data at rest and data in motion unavailable to exploitation even in the event of a traditional network defense breach.

The New Reality

Secure and reliable encryption schemes are essential to protect sensitive information held by individuals, organizations and governments. However, encryption combined with firewalls is no longer strong enough to stop malicious actors from acquiring the sensitive data being protected. We must deploy new ways to protect ourselves against cyber threats, both external and internal. Today, if you were to ask most cyber experts, you would hear that no system is 100% un-hackable.

The Pioneers - How Change Came About

Between 2006 and 2008, two individuals (David Schoenberger and Timothy Reynolds) were working within the payment card industry, protecting systems that connected into the back end of the Federal Reserve. While working with clients and protecting transactions to very high levels, they kept receiving requests asking why "tokenization" could not be applied to both databases and files. After this continued to occur, David and Tim decided to develop this capability, and after several years they succeeded. As the capability was designed and architected, additional enhancements were made to the tokenization process they created. For example, their "DigiTokens", unlike standard tokens, do not contain any part or piece of the data being protected; in other words, the DigiTokens are agnostic to the data. Additionally, depending on client-specific needs within a given system architecture, DigiTokens are not reused or repeated to protect other pieces of data in the future.
A New Approach To Data Security

Firewalls and encryption alone are not strong enough to hold back the banks of supercomputers used by foreign actors; most agree that such actors can penetrate and access almost any system they desire. The twist is what they can get once inside. This is where additional security measures can thwart their efforts. With a new approach to cyber security on the back end, combining AES encryption with a uniquely modified form of tokenization (the technology known as MicroEncryption®), once a bad actor successfully penetrates firewalls and encryption, there is nothing sensitive within that system to steal.

One of the most significant challenges when considering protection schemes is not only the level of security: the most sensitive data is also the data that must remain accessible to those authorized to access it. MicroEncryption accomplishes this while meeting these requirements. It is also important to note that not all data contained within a database or file structure is sensitive. For example, if a record in a database had no known association with an account number, a first or last name, a social security number, or a city and state, there would be no correlation to the sensitive data, making the remaining fields virtually useless to the hacker.

These advancements work off an entirely different premise and methodology from current cyber security processes. While it has been repeatedly shown that "bulk encryption" is not effective in securing data, by MicroEncrypting the information, sensitive data is protected individually, down to the byte level if that is what the system design calls for. This also means that not all data within a system requires encryption. Since the sensitive data is protected on an individualized basis, it can be returned very rapidly when called upon.

While custom solutions and a variety of APIs are available, in most cases a developer only requires access to a MicroEncryption API to start protecting data. This methodology, only recently available for commercial use, mitigates the latency effects on the user experience while securing almost all forms of data.

Tokenization has existed for a long time in the digital arena. Substitution or surrogate key values, or "tokens", have been used to isolate sensitive data elements (16 characters maximum) from exposure to exploitation by replacing them with placeholders. MicroEncryption-like concepts now provide a security mechanism for both small and large-scale data protection, exceeding 2 GB in size, a feat previously unavailable within tokenization protection schemes. Through an SDK, developers of all sizes can now adopt the scheme for projects of all sizes, covering not only files of all types but databases, payments, payment processing, transaction information and more. Its attraction is not only its scalability but its simplicity of deployment: depending on the complexity of a system and what items developers determine require protection, integrations have been completed in as little as a few hours through the published APIs. The service offered through the SDK is both PCI DSS Level 1 and HIPAA compliant, allowing for compliant storage of credit card information and healthcare data. ESB providers such as Neuron ESB have seen the benefits of MicroEncryption and taken it a step further by creating a simplified pathway for deploying MicroEncryption into many industry-standard applications, reducing programming effort by more than 80 percent in more than 40 commercial applications (including Microsoft and Oracle). You can see why this technology is rapidly becoming a scheme of choice.
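The article describes MicroEncryption as AES encryption combined with surrogate tokens that contain no part of the protected data and are never reused, applied per field so that non-sensitive data stays where it is. The following is an added illustration of that generic vault-tokenization pattern in Go; it is not CertainSafe's implementation and makes no claim about how their product works internally. The record and field names are constructed. Note the caveat such a design carries: the token map and the AES key together become the new crown jewels, so the vault needs the strongest access control in the system. Binding the field name as GCM associated data is an assumption of this example, not something the article states; it is what stops a token lifted from one column being redeemed as another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault is the separate store for sensitive values. The application database
// keeps only tokens; the vault keeps token -> nonce||ciphertext.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte
}

// NewVault wraps a 16-, 24- or 32-byte AES key in AES-GCM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// NewRandomVault generates a 256-bit key; a deployment would load it from a KMS/HSM.
func NewRandomVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return NewVault(key)
}

// Tokenize stores value under a fresh random token and returns the token. The
// token is not derived from the value (no hash, no format preservation), so it
// carries no information about it, and a token is never handed out twice.
func (v *Vault) Tokenize(field, value string) (string, error) {
	for {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			return "", err
		}
		token := hex.EncodeToString(raw)
		if _, taken := v.store[token]; taken {
			continue // astronomically unlikely, but never reuse a token
		}
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		// Field name as associated data: a token minted for "ssn" cannot be
		// presented to detokenize as "account".
		ct := v.aead.Seal(nil, nonce, []byte(value), []byte(field))
		v.store[token] = append(nonce, ct...)
		return token, nil
	}
}

// Detokenize returns the value for a token, or an error for an unknown token,
// a field mismatch or a tampered vault entry.
func (v *Vault) Detokenize(field, token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TokenizeRecord replaces only the listed sensitive fields; everything else
// stays in the application database as is.
func TokenizeRecord(v *Vault, rec map[string]string, sensitive []string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, val := range rec {
		out[k] = val
	}
	for _, f := range sensitive {
		if val, ok := rec[f]; ok {
			tok, err := v.Tokenize(f, val)
			if err != nil {
				return nil, err
			}
			out[f] = tok
		}
	}
	return out, nil
}

// Constructed sample record (not a real person).
var sampleRecord = map[string]string{
	"account": "4000-1234", "name": "Jane Roe", "ssn": "123-45-6789", "city": "Denver", "plan": "gold",
}

func main() {
	v, err := NewRandomVault()
	if err != nil {
		panic(err)
	}
	row, err := TokenizeRecord(v, sampleRecord, []string{"account", "name", "ssn"})
	if err != nil {
		panic(err)
	}
	fmt.Println("application row:", row) // city and plan in clear, the rest are tokens
	ssn, err := v.Detokenize("ssn", row["ssn"])
	fmt.Println("detokenized ssn:", ssn, err)
}
```

An attacker who dumps the application database gets city, plan and three random hex strings; an attacker who dumps the vault without the key gets ciphertext. Only the combination, or an authorized call to Detokenize, yields data, which is why the authorization check in front of that call is where the real design effort belongs.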
As MicroEncryption technology evolved, and adoption continues, certain entities requiring data protection expressed the desire to maintain the MicroEncrypted data within their own environment. Banks, financial institutions, large enterprises and governments are classic examples. To meet that demand, MicroEncryption is now available as a privately hosted solution that can be deployed in a variety of ways, including a client's own data center or private cloud. Of late, managed services providers, as well as data centers themselves, are taking advantage of this new form of hybrid security architecture. MicroEncryption-like technology is rapidly becoming a vital tool in their toolbox of options and capabilities. Taking it to the next step, flexible adaptor-based systems were developed that allow any data to transact with any other third-party system, as well as a recurring process scheduling engine that allows an organization to manage business rules that determine when, how often, and what kind of data processing to schedule and generate. These systems include, but are not limited to, payment processing, identity verification, bank systems, account systems, or any data transformation. Information and registration for a free trial of the recently released CertainSafe MicroTokenization SDK can be found at https://certainsafe.com/custom-solutions.

The CertainSafe Digital Vault is not limited to fields of a database. Another unique feature of the architecture allows files up to 2GB to be secured in the Digital Vault. CertainSafe has developed a browser-based app named the Digital Safety Deposit Box and Client Portal to manage secure storage and sharing of files and private messages. This gives users the ability to secure any data type, including simple text, Word docs, Excel, x-ray files, video, voice, pictures, top secret documents and more.

As the evolution continued, taking industry demands a step further, a Virtual Safety Deposit Box was developed for use by individuals, without requiring any additional programming whatsoever. It utilizes the complete MicroEncryption technology suite to protect the information contained within the CertainSafe Digital Vault. Its purpose is to allow for the storage of files in an ultra-secure vault, providing a mechanism that enables the storage, sharing, and control of folders containing files, with ease, speed and efficiency. As an added feature set, individuals can communicate through an Instant Secure Chat, which also uses MicroEncryption to protect the instant chat messages it contains. This platform is called the CertainSafe Digital Safety Deposit Box. MicroEncryption as a service, whether through an SDK or a private instance, is quickly becoming a favorite of managed service providers of all sizes due to its ease of use as well as its pricing structure. As the evolution of data security continues forward, it is believed that MicroEncryption-type schemas will be the top choice for those developers requiring the highest levels of security.
"The MicroEncryption technology is truly innovative with its ability to scale to future needs and evolve with the new best practices in the security world," said Dan Furman, former CIO of the Federal Improvement Team. By tokenizing data and storing it fully encrypted, the data becomes usable directly from the secure datacenter and simultaneously meets and exceeds industry standards and regulations. In addition, value can be gained from processing the data onsite and avoiding the potential security failure point that arises when data must move to an analysis server. From Personally Identifiable Information (PII) and Health Insurance Portability and Accountability Act (HIPAA) [http://www.hhs.gov/ocr/privacy/] mandated data restrictions to user password tokenization, the need for usable and secure data has never been so great. Companies of all sizes that store any information about their customers, employees, patients or partners must be conscious of how to protect this information. Unlike other security solutions, MicroEncryption technology is lightning fast and is currently being scaled to enable over 58 billion secure actions per second in a test portal environment. "Thanks to this new breakthrough in technology, MicroEncryption offers everyone access to the same speed and security as the billion-dollar giants," said Mr. Fioto, Chairperson and CEO of RACE.

Industry Recognition

"CertainSafe, with the invention of MicroEncryption, has cracked the code on how to properly secure data that's both at rest and in motion." Richard Marshall, former director of Global Cybersecurity Management for the US Department of Homeland Security

"I've closely investigated the MicroEncryption technology and am confident it is the most secure method for sharing and storing data, bar none." Rep. Pete Hoekstra, former Chairman of the House Intelligence Committee

"The CertainSafe approach to cloud security may be the most brilliant and effective that I've seen to date, in an area that is critical if Net-based commerce, applications, and transactions are to go forward." Mark Anderson, FiRe chair and CEO of the Strategic News Service

Summary

A new data security paradigm is required to secure sensitive data in the event of a perimeter defense breach. This new paradigm must ensure that only the right people get access to the right information at the right time. The MicroEncrypted Digital Vault capabilities ensure that data at rest and data in motion remain unavailable to exploitation even in the event of a traditional network defense breach. These types of technology solutions are applicable on a global basis across dozens of industries including healthcare, financial services, hospitality, retail, energy/smart grid, supply chain management and government service sectors. The innovative processes make stored data fully usable and accessible while maintaining the highest levels of security. With MicroEncryption-like technology deployed, users can store HIPAA, PCI, PFI, PHI, PII as well as other types of sensitive data requiring compliance.

Author: Steven R. Russo

Steven R. Russo launched his career as an entrepreneur at the age of 18. He later went on to become a highly recognized leader in HVAC distribution, where he made considerable sales and management contributions. In 2011, Steven and his business partner, John Nachef, acquired a groundbreaking cybersecurity technology. Steven and his partner formed Secure Cloud Systems (SCS), raising more than $10M from private investors to fund operations to date. For the past five years, Steven has managed day-to-day operations while working closely with the SCS technology team to prepare their cyber-platform for market. Steven has been instrumental in developing the CertainSafe® product line, which includes the game-changing CertainSafe Digital Safety Deposit Vault, which in turn allowed for the creation of the CertainSafe Digital Safety Deposit Box.
Watching the Watchers using Deception Techniques
by Muruganandam

We need to ensure we maintain both the attacker's interest and their acceptance that they are attacking real targets. Honeypots have often been criticized for their lack of believability, causing many attackers to recognize the system as fake and avoid interaction. If we allow this to happen, the Labyrinth could provide no additional intelligence on the attackers, or on their tactics and techniques, and would not afford the security team any additional time savings.

So to begin, what is a Honeypot? A Honeypot is a non-production system, typically housed within a virtual environment, whose sole purpose is to be a target. The Honeypot is a decoy system that provides a deceptive layer, shifting the focus of attackers away from production systems. The objective of a Honeypot is to provide security teams with information about its every function, so the team can determine the tactics and techniques of those actors who interact with the system. To convince the attacker that the decoy system is genuine, "we need to be aware that he will be trying to fingerprint the decoy and its applications." It is critical that Honeypots do not stick out and cause an attacker to move in a different direction. Within an entire network of honeypots, even if an attacker does move in a different direction, it will likely be towards another honeypot. But the goal of the Labyrinth is to be as believable as possible, to ensure we keep the attackers focused on what we want them to focus on, without allowing them to question their actions.

To assist with the believability of the Labyrinth, it should behave like a real network. Each system within the internal network should have representation within the Labyrinth, and the topological layout of the Labyrinth should essentially mimic that of the real network. To ensure the acceptance of the Labyrinth, a logical combination of honeypot systems within each subnet should resemble what the internal network would use. For example, within the DMZ section of the Security Analyst, the legitimate types of DMZ systems should be present: a fake Web Server, an external Domain Name Server (DNS), a Mail Server, and perhaps a File Server (FTP) or even a Voice over IP (VoIP) server. However, if there were also unpatched Windows XP systems with large quantities of internal information, it may cause an advanced attacker to question their situation. This doesn't mean you cannot have an unpatched Windows XP system in the Labyrinth. You should use a variety of OSs as long as they represent the types of systems within the real environment. Place these systems within subnets that resemble a functional network. Having a network within the Labyrinth that resembles an actual subnet of endpoint-specific systems, e.g. user laptops, desktops, and printers, simply makes the Labyrinth more believable and encourages the attacker to wander deeper into the Labyrinth, in turn allowing the security team to develop a much more comprehensive listing of the attackers' TTPs. The entire point is to make the attackers waste as much time as possible to allow your teams to counter their potential attacks.

Beyond the effort of designing and configuring the Labyrinth to be as believable as possible, there is another level of configuration that can make the Labyrinth resemble the real thing: administrative actions within the Labyrinth. "Day-to-day changes in the environment may include adding, upgrading and removing applications, networks, operating systems, endpoints, and devices." Creating network traffic within the Labyrinth, and essentially treating the Labyrinth like a real environment, provides yet another layer of deception. To achieve this deception, we have several scripted actions within the Labyrinth simulating user actions, like requesting DNS lookups, Web traffic, file transfers, and generating events that trigger log population on the systems. Creating what appears to be legitimate noise within the Labyrinth aids the believability of the Labyrinth's functionality. In turn, this can allow the attacker to interpret the network as normal and continue to probe and test the Labyrinth as they would any other network.

The beneficial security information gleaned from a honeypot is without a doubt the primary motivation for their use. However, there are limits and restrictions under which a Labyrinth environment should operate. "A primary concern for honeypot designers is that of an attacker getting control over it. If this happens, the attacker can initiate attacks from the honeypot, which is regarded by the network as a secure environment." While the primary purpose of the Labyrinth is to record and use the tactics and techniques of an attacker to better secure the legitimate network, the risk of having the attacker use the Labyrinth for malicious purposes against other sites is grounds for significant legal concern. The monitoring of suspected malicious actions within the Labyrinth is the primary goal of the Labyrinth. While ultimately protecting the legitimate network is the objective, protecting outside organizations from attacks based within the Labyrinth is equally important. Should all identified malicious actions be stopped immediately? Within the Honeypot community it is loosely understood that "it is sometimes better to observe the attack through to completion and then identify the stolen goods after the deed has been done." By keeping the attacker focused on what you want them to focus on, you gather information. You are also keeping the attacker from actively focusing on something, or someone, else. Since the Labyrinth can be wiped clean at a moment's notice, a critical event or an action targeting an outside entity can be stopped in its tracks as the Labyrinth is reset to a clean version. The defenders could fail to gain a complete picture of the attacker's TTPs, but the information gathered from these actions still allows the security team to bolster their defenses.

Author: Muruganandam

Muruganandam is a Principal Security QA working with Oracle India Pvt Ltd. He has expertise in security testing of web applications and network products. He is involved in many industry security certifications, such as PCI and Common Criteria.
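The containment concern above, a decoy being used to reach outside sites, as an added example that is not the author's tooling: it sweeps constructed flow-sensor lines from the decoy network, separates attacker sessions entering decoys (worth recording) from decoys initiating contact with outside addresses, and returns whether the Labyrinth should be rolled back to its clean image. The address ranges, the collector address and the log line format are assumptions made for this illustration.

```python
"""Egress watch for a honeypot Labyrinth (added example, not the author's tooling).

Assumptions, all constructed for this illustration: the Labyrinth occupies 10.99.0.0/16,
its only legitimate outside contact is the log collector at 198.51.100.10, and the flow
sensor writes one line per connection as
'<iso-time> <src-ip>:<port> -> <dst-ip>:<port> <proto>'.
"""
import ipaddress
import re
from dataclasses import dataclass

LABYRINTH_NETS = [ipaddress.ip_network("10.99.0.0/16")]      # decoy address space
ALLOWED_EGRESS = {ipaddress.ip_address("198.51.100.10")}      # log collector only
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# Constructed sample of sensor output: an outside host probing two decoys, a decoy's
# DNS lookup and log shipping, then a decoy reaching out to an unrelated outside host.
SAMPLE_LOG = """\
2017-01-03T02:14:07Z 203.0.113.5:51514 -> 10.99.1.20:22 tcp
2017-01-03T02:14:31Z 10.99.1.20:53011 -> 10.99.1.53:53 udp
2017-01-03T02:15:02Z 10.99.1.20:40022 -> 198.51.100.10:514 udp
2017-01-03T02:16:45Z 10.99.1.20:45101 -> 192.0.2.77:445 tcp
sensor restart: partial record
2017-01-03T02:17:10Z 203.0.113.5:51620 -> 10.99.2.40:80 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line):
    """Parse one sensor line; malformed lines yield None instead of aborting the sweep."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    try:
        return Flow(ts, ipaddress.ip_address(src), int(sport),
                    ipaddress.ip_address(dst), int(dport), proto)
    except ValueError:   # e.g. a malformed address
        return None


def in_labyrinth(addr):
    return any(addr in net for net in LABYRINTH_NETS)


def classify(flow):
    """inbound: outside host entering a decoy (record TTPs); internal: movement between
    decoys; allowed: decoy talking to the collector; egress: a decoy initiating contact
    with an outside address, i.e. the containment failure the article warns about."""
    src_in, dst_in = in_labyrinth(flow.src), in_labyrinth(flow.dst)
    if src_in and dst_in:
        return "internal"
    if src_in and flow.dst not in ALLOWED_EGRESS:
        return "egress"
    if not src_in and dst_in:
        return "inbound"
    return "allowed"


def triage(lines):
    """Sweep sensor lines; returns (reset_required, egress_flows, inbound_sources)."""
    egress, inbound = [], set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict == "egress":
            egress.append(flow)
        elif verdict == "inbound":
            inbound.add(str(flow.src))
    # Any egress means the Labyrinth must be rolled back to its clean image now.
    return len(egress) > 0, egress, sorted(inbound)


if __name__ == "__main__":
    reset, egress, inbound = triage(SAMPLE_LOG.splitlines())
    for f in egress:
        print(f"EGRESS {f.ts} decoy {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print("attacker sources seen:", inbound)
    print("reset Labyrinth:", reset)
```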
Threat Modeling Template for Beginners
by Dr. Narendiran Chandrasekaran

The scope and objective of this paper is to regulate the threat modeling process and provide the needed guidance for developers, testers, and beginners to understand how to create a Threat Model for any embedded systems software before beginning the design and implementation phases in the Secure Software Development Life Cycle (S-SDLC).

Table of Contents
1. THREAT MODELING PROCESS
1.1. DEFINE AN ARCHITECTURE OVERVIEW
1.2. GATHER A LIST OF EXTERNAL DEPENDENCIES
1.3. IDENTIFY THE ASSETS AND SECURITY OBJECTIVES
1.4. DATA FLOW DIAGRAMS
1.4.1 TRUST BOUNDARIES
1.4.2 DATA FLOW
1.4.3 ENTRY POINTS
1.4.4 PRIVILEGED CODE
1.4.5 DFD ELEMENTS
1.5. DETERMINE AND INVESTIGATE THE THREATS
1.5.1. Use STRIDE-per-Element Framework
1.5.2. Threat Rating [Optional]
1.6. PROPOSE THE RESPECTIVE COUNTERMEASURE SOLUTIONS
1.7. VALIDATE THE COUNTERMEASURES
2. REFERENCES

1. Threat Modeling Process

There are various threat modeling techniques defined by NIST, FIPS, Common Criteria and Microsoft. Particularly for application security, network security and embedded system security, the Microsoft-defined STRIDE model is the technique recognized and approved by various reputed secure R&D organizations including MSR (Microsoft Research Lab), the Software Engineering Research Institute (SERI), Carnegie Mellon University, the Global Security Research Forum and RSA Lab [1].

Before starting the threat modeling process, an architect, business analyst, developer and test lead meet to identify the security objectives and goals. The architect begins by defining the architecture and walking through it to ensure that all attendees understand the architecture from the same perspective. The following subsections describe the process of the Microsoft STRIDE Threat Modeling Technique [2,3,4]. Threat Modeling is an iterative process that starts during the early phases of system design and continues throughout the system life cycle. Because it is impossible to identify all of the possible threats in a single pass, this process needs to be repeated as the system evolves, as shown in Figure 1. The following are the steps of the Threat Modeling Process:
a) Define an Architecture Overview
b) Gather a List of External Dependencies
c) Identify Security Objectives
d) Decompose and draw a Data Flow Diagram (DFD) for the identified Components
e) Investigate the Threats: Use the STRIDE Model to Identify/Define the Threats
f) Threat Rating, Threat Table, Calculate the Risks and Quantitative Comparison
g) Propose the respective Countermeasure Solutions
h) Validate the Countermeasures

Figure 1. Threat Modeling Process
1.1. Define an Architecture Overview

As a first step, create a high-level architecture that describes the composition and structure of the system/sub-systems as well as its physical deployment characteristics. Depending on the complexity of the system, it is the responsibility of the security developer/analyst/architect to create additional diagrams that focus on different areas. Then enhance the diagrams by adding details about trust boundaries, data flow, authentication, authorization, etc. During the DFD process, those details will be identified and documented. In addition, document the technologies to be used and what the software does, as shown in Table 1.

Sl.No.   Technology/Platform   Implementation Details
Table 1. Template for Technologies/Platform Details

1.2. Gather a List of External Dependencies

Table 2 shows how to list and document the external dependencies/entities that a system may use, for example a database or server.

Sl.No.   Dependencies   Purpose
Table 2. Template for Technologies/Platform Details

1.3. Identify the Assets and Security Objectives

Understand the security objectives and assets that need to be protected and achieved. These could range over confidentiality, integrity, authentication, authorization, non-repudiation, secret keys, availability, etc.

1.4. Data Flow Diagrams

A DFD is a graphical representation of data flows, data stores, and relationships between data sources and destinations. In threat modeling, the DFD helps to identify trust boundaries, data flow, entry points, and privileged code of the proposed system.

1.4.1 Trust Boundaries

Identify the trust boundaries that surround each of the noticeable components/assets of the system.

1.4.2 Data Flow

Data flow is completed by analyzing the data flow between individual components and subsystems. Data flow across trust boundaries is particularly important because code that is passed data from outside its own trust boundary should assume that the data is malicious and perform thorough validation of the data.
1.4.3 Entry Points

In a DFD, there are two types of entry points, namely internal and external. External entry point requests come from the front-end application/external dependencies, while internal entry points exposed by subcomponents across the levels of the system may only exist to support internal communication with other components. However, it is mandatory to know where these are, and what types of input they receive, in case an attacker manages to bypass the front door of the system and directly attack an internal entry point.

1.4.4 Privileged Code

Privileged code accesses specific types of secure resources and performs other sensitive operations.

1.4.5 DFD Elements

A DFD contains four types of elements. Table 3 shows the elements: external entities, data flow, data store, and processes. When the DFD is used for threat modeling, there is one more element to keep track of, which is the trust boundary. The trust boundary represents data moving from high trust to low trust, or vice versa.

Process
External Interactor
Data Store
Data Flow
Trust Boundary
Table 3. DFD Elements

Mostly the diagrams are used to evaluate the threats by hand or with the help of automated tools. Figure 2 exhibits a simple example of how data flows between an Electronic Control Unit (ECU) and Cloud Infrastructure Components for the authentication process via a wireless connection.

Figure 2. Simple DFD Model

1.5. Determine and Investigate the Threats

This section deals with how to investigate and analyze the DFDs to capture and record the possible security gaps, attacks, bugs, and flaws in internal and external design components, infrastructure, interfaces, external communication, etc.
1.5.1. Use STRIDE-per-Element Framework

STRIDE is named after the six categories that threats are divided into, namely Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Table 4 shows the different threat types of the STRIDE Framework [4].

Threat Type             Security Attribute   Meaning
Spoofing                Authentication       Pretending to be something or someone other than yourself.
Tampering               Integrity            Modifying something on disk, on a network, or in memory.
Repudiation             Non-Repudiation      Claiming that you didn't do something, or are not responsible. Repudiation can be honest or false, and the key question for system designers is: what evidence do you have?
Information Disclosure  Confidentiality      Providing information to someone not authorized to see it.
Denial of Service       Availability         Absorbing resources needed to provide service.
Elevation of Privilege  Authorization        Allowing someone to do something they're not authorized to do.
Table 4. STRIDE Threat Types

The STRIDE-per-Element model evaluates every element in the DFDs. Table 5 shows the different elements of the DFD and the STRIDE categories that apply to each [3,5].

Element Type      S   T   R   I   D   E
External Entity   X       X
Data Flow             X       X   X
Data Store            X   X   X   X
Process           X   X   X   X   X   X
Table 5. Mapping of STRIDE to DFD element type

After the DFD model of the system has been created, a list of all elements in the diagram has to be created. Table 6 shows the list of elements created from the DFD in Figure 2.

Element Type      Item Numbers
External Entity   Infrastructure Server (1.0)
Data Flow         Server Command & response (1.0 <-> 2.0)
Data Store        Transform a Session Key (3.0)
Process           ECU (2.0)
Table 6. Elements from DFD in Figure 2.

Once the list of DFD elements is done, STRIDE is applied to each element in the list. However, not all types of threats have to be applied to all types of elements. Table 7 shows the result of the STRIDE-per-Element analysis.
Threat Type             DFD Item Numbers
Spoofing                External entities: (1.0); Processes: (2.0)
Tampering               Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
Repudiation             External entities: (1.0); Processes: (2.0); Data Stores: (3.0)
Information Disclosure  Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
DoS                     Processes: (2.0); Data Stores: (3.0); Data Flows: (1.0 <-> 2.0), (2.0 <-> 3.0)
EoP                     Processes: (2.0)
Table 7. Threats to the Model in Figure 3.

The threats have been grouped by STRIDE category; refer to Appendix A for the precise details. After STRIDE has been applied to the list of elements, it is time to calculate the risk attached to each threat. The advantage of STRIDE-per-element is that it is prescriptive; it helps to identify what to look for without needing a checklist. When STRIDE-per-element is used by an experienced user, it can be useful for finding new types of weaknesses and common issues in system components [6].

1.5.2. Threat Rating [Optional]

Threat rating is rating the threats based on the level of the risks. This process allows the architect/developer/customer to address the threats that present the most risk first, and then resolve the other threats. In fact, it may not be economically viable to address all of the identified threats, and one may decide to ignore some because the chance of them occurring is small and the damage that would result if they did is minimal. Microsoft has standardized the DREAD model, which is used to help rate the threats/risks [2]. The procedure to rate the threats using the DREAD model is described in the attached Excel sheet.

1.6. Propose the respective Countermeasure Solutions

The mitigation process addresses each threat and proposes the respective solutions. There are four standard ways to address the threats:
i. Redesign the architecture to eliminate the threat
ii. Apply Standard Mitigations, given in Table 5
iii. Invent New Mitigations (Riskier)
iv. Accept Vulnerabilities in Design
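The STRIDE-per-element step of section 1.5.1 and the standard-mitigation lookup of step ii above, as an added worked example that is not code from the paper: it encodes the Table 5 element-type mapping, applies it to the DFD elements of Table 6 (plus the ECU to session-key-store flow that Table 7 lists), reproduces the Table 7 grouping, and pairs each resulting threat with the standard mitigations of Table 8. The element names for the extra flow are an assumption.

```python
"""STRIDE-per-element worked through on the Figure 2 DFD (added example, not the paper's code).

Encodes the Table 5 mapping of STRIDE categories to DFD element types, applies it to the
elements enumerated in Table 6 and groups the result as in Table 7; each threat is then
paired with the standard mitigations of Table 8 (step ii of section 1.6).
"""
from collections import OrderedDict
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")

# Table 5: which STRIDE categories apply to which DFD element type.
APPLICABLE = {
    "External Entity": {"Spoofing", "Repudiation"},
    "Data Flow": {"Tampering", "Information Disclosure", "Denial of Service"},
    "Data Store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
    "Process": set(STRIDE),
}
PLURAL = {"External Entity": "External entities", "Data Flow": "Data Flows",
          "Data Store": "Data Stores", "Process": "Processes"}

# Table 8: standard mitigations per STRIDE category.
MITIGATIONS = {
    "Spoofing": ["Cookie authentication", "Kerberos authentication",
                 "PKI (SSL/TLS, certificates)", "Digital signatures"],
    "Tampering": ["Mandatory integrity controls", "HMAC", "Digital signatures"],
    "Repudiation": ["Secure logging and auditing", "Digital signatures"],
    "Information Disclosure": ["Encryption", "ACLs"],
    "Denial of Service": ["ACLs", "Filtering", "Quota"],
    "Elevation of Privilege": ["Input validation", "ACLs", "Privilege ownership"],
}


@dataclass(frozen=True)
class Element:
    kind: str   # one of the Table 5 element types
    name: str   # label used in the DFD
    item: str   # item number(s) from the DFD


# Table 6: elements enumerated from the DFD in Figure 2. Table 7 additionally lists the
# flow between the ECU process and the session-key store, so it is included here
# (its name is assumed; the paper does not label it).
DFD_ELEMENTS = [
    Element("External Entity", "Infrastructure Server", "1.0"),
    Element("Data Flow", "Server command & response", "1.0 <-> 2.0"),
    Element("Data Flow", "ECU <-> session-key store", "2.0 <-> 3.0"),
    Element("Data Store", "Transform a Session Key", "3.0"),
    Element("Process", "ECU", "2.0"),
]


def stride_per_element(elements):
    """Apply Table 5 to every element; returns {category: [elements]} in STRIDE order."""
    threats = OrderedDict((cat, []) for cat in STRIDE)
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {el.kind}")
        for cat in STRIDE:
            if cat in APPLICABLE[el.kind]:
                threats[cat].append(el)
    return threats


def threat_table(elements):
    """Render the Table 7 layout: one line per category, items grouped by element type."""
    lines = []
    for cat, els in stride_per_element(elements).items():
        groups = OrderedDict()
        for el in els:
            groups.setdefault(el.kind, []).append(f"({el.item})")
        cells = "; ".join(f"{PLURAL[kind]}: {', '.join(items)}"
                          for kind, items in groups.items())
        lines.append(f"{cat:<22} {cells}")
    return "\n".join(lines)


def countermeasures(elements):
    """Section 1.6 step ii: pair each identified threat with the Table 8 mitigations."""
    return [(cat, el.name, el.item, MITIGATIONS[cat])
            for cat, els in stride_per_element(elements).items()
            for el in els]


if __name__ == "__main__":
    print(threat_table(DFD_ELEMENTS))
    print()
    for cat, name, item, mits in countermeasures(DFD_ELEMENTS):
        print(f"{cat}: {name} ({item}) -> {', '.join(mits)}")
```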
Threat Type             Security Attribute   Standard Mitigations
Spoofing                Authentication       Cookie Authentication; Kerberos Authentication; PKI systems such as SSL/TLS and certificates to authenticate code or data; Digital Signatures
Tampering               Integrity            Mandatory Integrity Controls; HMAC; Digital Signatures
Repudiation             Non-Repudiation      Secure Logging and Auditing; Digital Signatures
Information Disclosure  Confidentiality      Encryption; ACLs
Denial of Service       Availability         ACLs; Filtering; Quota
Elevation of Privilege  Authorization        Input Validation; ACLs; Privilege Ownership
Table 8. Standard Mitigation Techniques

1.7. Validate the Countermeasures

Validation is an on-going, manual process in the Secure Software Development Life-Cycle. It validates all the threat models that are created during the DFD process. The following questions need to be answered:
a. Does the DFD match the final code?
b. Are threats enumerated?
c. Has test/QA reviewed the model?
d. Is each threat mitigated?
e. Are mitigations done right?

2. References

[1] A. Shostack, Threat Modeling: Designing for Security. John Wiley & Sons, 2014.
[2] https://msdn.microsoft.com/en-us/library/ff648644.aspx
[3] Common Criteria, Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, 2012.
[4] M. Howard and S. Lipner, The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices). Microsoft Press, 2006.
[5] CHU Ying, HAO Lin, "STRIDE Critical Threat Modeling Using in Designing Certificate Authority," Journal of Yunnan University (Natural Science), 2004, 26 (supplement): 54-57 (in Chinese).
[6] A. Weimerskirch, C. Paar, and M. Wolf, "Cryptographic component identification: enabler for secure vehicles," in Proceedings of the 69th IEEE Vehicular Technology Conference (VTC '15), pp. 1227-1231, Dallas, Texas, USA, September 2015.

Author: Dr. Narendiran Chandrasekaran

Dr. Narendiran Chandrasekaran brings 13+ years of experience in the software industry. He has been working on various security and cryptography technologies including mobile security, platform security, network security, HDCP content protection, OMA/Google Widevine DRM frameworks, as well as vulnerability/threat assessment, fuzzing, penetration testing tools and techniques, crypto acceleration, RFC security standards, PKI, and ARM TrustZone Trusted Execution Environment (TEE). He participates in and interacts with various security standards bodies (NIST/FIPS/Common Criteria/EMVCo/MPFI) and certification processes for secure products (GlobalPlatform/PCI DSS). He has published and presented more than 13 technical papers in leading IEEE/ACM security conferences and journals in India, the US and China, and has also filed a Grade "A" patent in India. He is currently working as a Principal Architect at the Cyber Security Product and Engineering Service (P&ES) Lab, Capgemini India.
Approach by: Ali Tabish

2016 is about to wind down and multiple industries are commencing to fine-tune their business strategies for the upcoming year. Cyber criminals are making exactly the same kind of strategies so they can work smarter. Criminals are getting smarter by exploring new practices, building organizations, and bringing in human expertise for more sophisticated and specialized cyber attacks. It's like an action and reaction cycle: enterprise organizations are planning or implementing security measures, so they become attentive in their reactions. Flash back through the 2016 stats and you will find devastating data breaches spanning multiple large and small industries. A few recent cyber attacks in 2016:
• DDoS Attack against Liberia Using Mirai Botnet.
• Hundreds Of Operations Canceled After Malware Hacks Hospital Systems.
• Shadow Brokers reveals list of Servers Hacked by the NSA.
• Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices.

According to the ITRC (Identity Theft Resource Center), as of November 1st of this year, there were 845 reported breaches, exposing 29,765,131 records (keep in mind that this does not include the majority of breaches, in which companies did not report the number of records affected). These breaches target high-value data (including confidential data like health information, classified information related to governments, phishing, etc.). So... what will 2017 bring? We expect to see the following security threats and trends:

BYOD – Smart Phones Having Smart Malware

People who are unaware of technology and security might assume that malware is relatively unchanging, but that assumption is largely wrong. Smart application designs are continuously improving. Those improvements mean the ability to bypass security controls and exfiltrate data through advanced deception methods. As a result, we can expect to see high-value data breaches that originate on bring-your-own devices (smart phones / mobiles). Nowadays, newer application versions consume less computing power, cause less lag, and are good at remaining fully undetected; late discovery could result in more files being stolen, which is becoming a major corporate security concern. As you are aware from recent state-sponsored attacks on journalists' smart phones, these attack methods are now in the wild and we should expect to see more organized crime.
Ransomware Threat Prevention

It's the most pervasive cyber threat since 2005. According to publicly available information, ransomware infections have outnumbered data breaches by more than 7,000 over the past 11 years. Since then, ransomware has become a tool of choice for many cyber criminals. Ransom attacks are increasing 20-fold over the next year. With all this success, their increase in frequency is somewhat expected. Prevention of ransomware for an enterprise is like a cost of doing business; it is becoming as prevalent as distributed denial of service attacks. Given the success rate, enterprises will have to deploy a multi-faceted prevention strategy, like advanced sandboxing and threat extraction, for effective enterprise infrastructure protection. We are expecting to see more targeted attacks to influence an organization, with "legitimate" actors launching such attacks.

Internet of Things (IoT)

The Internet of Things (IoT) is quickly becoming a way of life; unfortunately, this shift comes with additional risk. IoT will continue to create never-ending shocking stories because these devices are not so secure. In the coming year, we expect to see further research, an increase in data-harvesting attacks, and proofs of concept (PoCs) demonstrating vulnerabilities in these devices as well. The convergence of information technology and operational technology is making environments more vulnerable. The security concerns around the IoT will become similar to the set of security concerns around SCADA. Such environments often run legacy systems that are obsolete or for which patches are not available. The industry should look towards best practices like those NIST and others have formulated.

Cloud Computing

Using IT as a service to cut down capital cost gives an enterprise the opportunity to build its infrastructure on the cloud, so enterprises are continuously putting more data on the cloud. This opens a back-door chance for hackers to access enterprise systems, and disrupting or taking down a major cloud provider will affect all of its clients' businesses. There will also be a rise in ransomware attacks impacting cloud-based data centers. These attacks will start finding their way by spreading encrypted files from cloud to cloud.

Market Manipulation

Cyber criminals are thinking way beyond that. These perpetrators are well prepared and have their eyes set on insider trading and market manipulation. For the past few years, we've seen widely publicized breaches carried out by different groups. Sometimes hackers obtained credentials through sophisticated spear-phishing attacks in order to breach confidentiality by accessing classified information regarding upcoming mergers; sometimes hackers gained access to news media outlets to obtain non-public corporate information like financial restatements and traded on that information prior to public release, making billions. Due to these opportunities for large payouts, such frauds will increase.

Summary

In the future, enterprise organizations will see an increase in sophisticatedly designed cyber attacks or intrusions. Cyber criminals will continue to exploit their success and venture into larger money-making schemes via market manipulation. Mid-size and enterprise organizations can protect themselves by implementing stronger controls and awareness programs, like employee training and proper reporting procedures. It is better to couple these controls with well-tailored cyber insurance policies.

Author: Ali Tabish
• Independent Security Researcher
• CCISO, CHFI, CEH, CEI, ECSA, MCSE, STS
• Ethical Hacker of the Year 2016 – Finalist
https://www.linkedin.com/in/alitabishofficial
https://twitter.com/atabishofficial
Approach by: Mihai Raneti

Every year, you read yet another set of articles trying to predict what is going to happen in the cybersecurity field the following year. The sad thing is that, in spite of that, breaches still take organizations by surprise. You do not need to be a close observer to realize there are some recurrent patterns. By definition, hackers are curious people who innovate and show unstoppable creativity time after time. They are expected to keep increasing the complexity of their attacks and the sophistication of their techniques and tools. They are always one step ahead, thinking of tomorrow, while the majority of cybersecurity solutions are designed around what happened yesterday. There is a big imbalance between cybercriminals and those trying to secure cyberspace, and it keeps growing. Clearly, we are not able to slow them down, let alone stop them. Even key security people in a company are easily tricked, because most of the time they do not have a hacker's mindset.

When we hear the word hacker, we immediately think negatively. But a hacker is someone who dissects things. Pinterest is full of life hacks, Photoshop hacks, parenting hacks, all kinds of hacks. That does not mean they are teaching you how to steal something; they are teaching you alternative ways of getting to the same result.

Cybercriminals do have some advantages over cybersecurity specialists, though: they have time, resources, drive and skills. Let us take them one by one. One of the main traits of an attacker is determination. They will not give up until they are inside the network or have the information they are looking for. They have plenty of time to apply any strategy, to change their approach, to try again and again, and they do it with such finesse that most of the time they get away with it for months. They also benefit from plenty of material and financial resources. Sometimes they are backed by companies or even nation states looking to have the upper hand over their competitors. The most important feature of all is their passion for this kind of work. There is no special school for hackers; they are self-taught people continuously looking to improve, not because someone tells them to but because they want to.

The same applies to cybersecurity specialists. Everyone complains that there are not enough people on the right side, and we cannot see that changing anytime soon. We have made massive efforts in recruiting and have seen for ourselves how difficult it is to find someone who combines programming skills with a cybersecurity background. Things are especially hard for a startup. There is a handful of specialists, but they already belong to large enterprises, and you have to be ingenious enough to approach them and bring them to your team. That is, if they are not motivated only by money, because in that case your startup is no match for the likes of Google or Microsoft. The cybersecurity job market is the reverse of almost all others: there are plenty of positions to fill and very few people with the right qualifications and the right mindset. Universities are not aligned with the job market, and that is one big drawback. Cybersecurity degrees are still quite rare and stand no chance of meeting the demands of the market. Cybersecurity is critical for the survival of almost any business, since almost everything happens online, so it is essential to have people covering it. The military is also the biggest traditional employer in this field, since intelligence is highly valued. A study from the Bureau of Labor Statistics projects a 37% growth rate for information security jobs between 2012 and 2022, a much faster pace than the average for all occupations. In the study "Mitigating the Cybersecurity Skills Shortage", Cisco estimates that current openings in cybersecurity have reached 1 million. Symantec projects a demand of 6 million positions globally by 2019 and foresees a shortfall of 1.5 million. Since cybersecurity is a very dynamic field, there is a need for continuous professional development to keep up with ever-changing threats. Stopping intruders ultimately depends on humans, no matter the amount of computing power involved. As we have said many times before, man and machine can achieve great things together. Machine learning is increasingly used, and someday in the future it will probably be 99% in charge of security, leaving 1% to humans.

Another key problem in cybersecurity is awareness. Although it has been on the rise for a while, that is not reflected in real-life situations. Breaches still occur because companies cannot foresee the way they will be attacked. Some are surprised that they have been attacked at all; they underestimate themselves and think they have nothing of value. The main concern of cybersecurity specialists should be helping organizations understand that a breach will certainly take place sooner or later. Organizations should have an idea of who would likely target them, the reasons behind the attack and what valuable pieces of information the attackers are after.

There are three main risk factors for organizations. One is BYOD policy. Even assuming an employee has no hidden agenda, bringing personal wearable (IoT) technology to work can open the door to vulnerabilities. Device security is the least of a person's worries, and a recent study from Microsoft shows that personal computers are twice as exposed to threats as enterprise computers. The same applies to other gadgets. Another risk factor, related to BYOD, is remote work. Employees can now work from anywhere, but there is no guarantee that the device connecting to the network is legitimate, or that the person on the other end is really who they claim to be. We tend to perceive cybercrime as something coming from the outside, so we take the inside out of the equation. That leads to the third and greatest risk factor: malicious insiders. More than 50% of attacks are caused by insiders, who can be divided into two categories. On the one hand, there are those with poor knowledge or adoption of security practices. No matter how strong an organization's policies are, there will always be someone falling for spear phishing. They will most likely open the Word document, Excel spreadsheet or PDF attached to the email. Trojans are still on the rise, tricking people into clicking fake links with catchy titles, lowering their security settings or installing malware. On the other hand, there are those who aim for a big data theft. They can be quite difficult to detect, because they have plenty of experience hiding their traces and no one would suspect them. They are most often the model employees. Social engineering is the foundation of a large number of attacks and breaches, and as such it should be a main choice for pentesters.

Lately, cyber attacks have started targeting infrastructure, and in the future our basic commodities, such as food, water, electricity, fuel and the ability to communicate, will probably also be in jeopardy. As long as the internet is at the core of any modern society, it will always be a target. The past has shown a tendency for attacks to follow geopolitical lines, especially for countries like the US, Russia, China and North Korea. That will certainly go on in the future, probably resulting in greater disruptions. We have also seen attacks in the last months that leveraged a huge number of IoT devices. It is very difficult to keep track of entry points and data flow. We hear more and more about the Internet of Insecure Things, and while that was meant ironically, it is starting to be 100% true. Cybercriminals are taking full advantage of this poor security. Most of their work is already done for them; they need only a little effort to take control of devices. While this is relatively new, it has been expected for a while and will most likely reach even larger proportions. Part of the reason is the low price of crimeware. For as little as $50, one can buy a USB stick that can destroy any device with a USB port. Cybercriminals gain time because they can buy their tools instead of developing them. Parts of botnets can be rented and used to target a specific geographical area, not to mention how easy it is to buy anything on the dark web. A good deal of breaches come from vulnerabilities that have been known for at least a year, a consequence of reusing or refurbishing open source code without patching it. Attacks targeting the healthcare sector are becoming commonplace. Unlike IoT devices, which can be set aside, implantable devices cannot be removed from the person. We also see further development in ransomware, and when it comes to implants, people's lives could be at risk.

The cybersecurity market is slowly moving towards a new wave of solutions based on deception. A Gartner study estimates that by 2018 one in ten enterprises will be using deception tools and tactics to protect themselves against attackers. The passage from cloud to cyber fog is also a sign of the increasing power of deception as a cybersecurity strategy. Fog computing could be the solution everyone has been waiting for: fragmenting data into tiny pieces that make no apparent sense renders it useless to hackers.

Author: Mihai Raneti
Mihai has a degree in Psychology and various certifications in IT and cybersecurity. He is passionate about quantum physics, math, history and technology. He is a critical thinker who always sees the bigger picture and is keen on problem solving. He is the brain behind a pioneering cybersecurity technology.
Approach by: Amar Wakharkar and Mary Nowottnick

Cyber security will be seen as one of the most pressing national security issues of 2017 due to sophisticated and highly publicized cyber-attacks, such as the hacking of the Democratic National Committee's computer systems by Russian actors, as reported by various media channels during the US Presidential election. Beyond attacks on political organizations, cyber security will be increasingly framed as a strategic and national prestige issue, and as a result a great deal of attention will focus on the probability of large-scale cyber-attacks against government and national critical infrastructure. Cyber operations will be a significant component of future warfare.

2017 will be a pivotal year for governments, financial firms, the auto industry and IoT (Internet of Things) vendors as they try to stay ahead of the IT security curve. Current trends show that cyber security today is not just about securing your data, but about maintaining and managing the overall assets of your country as well as your organization. Every day, it is important that governments and other entities know how cyber security threats are impacting their business and consumers, and how the security solution industry is meeting these concerns. Entities need to be more vigilant, financially prepared and quick to meet the security requirements and expectations of their customers, shareholders and regulators.

Some of the other key trends for 2017 will be:
• 2017 will see increased spending on national critical cyber infrastructure and increased regulatory monitoring. Regulatory guidelines will be far more stringent and strictly followed, backed by a government agenda to secure national critical cyber infrastructure.
• The growth of mobile technology adoption has driven a growth in corporate and end-user security vulnerabilities and data breaches. Many applications now ask for permission to access the user's contact list, personal information and location. In some scenarios, users are not even aware of such data or location sharing and have no idea what security hygiene to follow. This has created a huge gap that may lead to far larger and more impactful mobile security issues. Enterprise mobile security and BYOD solutions with a focus on policy management, device security, content security, mobile application security and identity and access management will help organizations and individuals set up an effective mobile security road map and ensure that the end user is secured.
• We will see a significant increase in the targeting of national political leadership. Senior political leaders, diplomats and their online social presence will be a main target of attackers, resulting in loss of confidence and prestige. Government and senior political leaders should assume that hackers already have a complete profile of them and are waiting for the right opportunity to strike.
• IoT and IoT payment risk will emerge as a global risk. As IoT vendors, banks and investment firms continue down the IoT path, they will become increasingly interconnected. A security breach at one firm can create negative effects that greatly impact the adoption of IoT technology, so technology risk will continue to rise.
• Zero-day exploits, insider threats and organized attacks will continue to increase.

In addition to technology risks, skill set development and staff augmentation will present greater challenges to organizations. The current industry trend shows a discrepancy between demand and supply for certified, experienced and knowledgeable cyber security professionals. The existing workforce is struggling to keep up with the increasing load of attacks on organizational infrastructure. The demand for skilled cyber security professionals will increase sharply in 2017. Currently, very few cyber security experts link the business and the security practice and make C-suite decisions that shape the business environment. Companies will need many more experts in their C-suite who can make the case for cybersecurity aligned to business challenges and business expansion.

Authors:
Amar Wakharkar is a cyber security expert at Capgemini USA based out of Houston, TX. Amar has more than nine years of global cyber security consulting experience across Nigeria, Kenya, India, Hong Kong, Singapore, Malaysia, Qatar, the United Arab Emirates and the USA with Fortune 500 clients in application security, SSDLC, mobile security, ITGC, penetration testing and vulnerability assessment. Amar has published numerous articles in print media and has spoken at cyber security forums. He is reachable at AMARSUHAS@HOTMAIL.COM
Mary Nowottnick has six years of IT security experience, including work at the Goddard Space Flight Center in the Deep Space Science Missions field. Currently she is working at a Fortune 500 company and can be reached at mcnowottnick@gmail.com
Approach by: Celal Cagri

Nowadays, we often hear people asking "how did people in the past, who did not have our opportunities, manage their lives?" It is impossible not to relate to this, because computers, smartphones, intelligent home systems, intelligent cars, Internet of Things products and the Internet itself are part of our lives now, and we cannot imagine life without them. However, all of these things bring their own security problems. Pentesting is one of the offensive ways to deal with these security issues. A pentest is a solution, a service; it is a way for individuals, corporations and countries to look at their cyber security and privacy levels through the eyes of the hackers. Pentesting is a discipline that is constantly improving, like every other discipline with such a large usage volume. Just like every complex process, making it as automated as possible is one of the goals of a pentest, and to solve that part of the problem, machine learning and software engineering must be used effectively. Besides that, pentesting has its own agenda: developing new methodologies, using new techniques, exploring new attack surfaces in cyberspace. That leads us to new trends in cyber security and pentesting. When we look at 2017, we expect a different, beautiful year with new approaches.

Among the trends of 2017, we must first consider web pentesting. The reason is obvious: all over the world, companies are developing their products to be served over the web. Many people may say that web pentesting is already well known and continuously performed. However, this web pentest is a little more specialized. JavaScript platforms and libraries are being used more and more all over the world. Applications are running Node.js in the back end, and Backbone.js, Ember.js and now mostly Angular.js are used every day in the front end. This trend in application development has led attackers to find and exploit new vulnerabilities in these JavaScript libraries and platforms. Therefore, to provide better security, it seems that pentesters will be spending a lot of time on JavaScript-based web applications in 2017.

In social engineering, ransomware and web browser attacks, especially man-in-the-browser (MiTB), have been very popular with attackers recently. Traditional precautions such as SSL/TLS, CSRF tokens or two-step verification, which do prevent sensitive data theft and unauthorized transactions against other attack classes, have no effect on a MiTB attack: the malicious code runs inside the victim's browser, after TLS has been terminated and with access to the authenticated session, so it can read or rewrite a transaction together with its token and one-time code. Run Time Application Self Protection (RASP) is a new technology that is sometimes recommended for preventing MiTB attacks, but although RASP is a good solution for SQL injection or XSS, it is still inadequate against MiTB, which takes place on the client rather than in the server application. Considering all this, it is obvious that the most important purpose of social engineering attacks in a pentest is to raise the awareness of users, and simulating the real attack as faithfully as possible is the best way to do that. Therefore, for the pentester, using malicious web browser plugins/add-ons in social engineering attacks to compromise the target system with MiTB techniques, or showing clients what hackers can do in real life by infecting client systems with harmless, simulated ransomware, will be one of the most common trends for 2017.
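The MiTB mechanism described above, as an added example rather than code from the article or from any real add-on: a wrapper around fetch() stands in for a malicious browser extension, rewrites a transfer after the page has already attached its CSRF token and the user's one-time code, and then rewrites the response so the user sees the transfer they intended. The bank URL, header name, account strings, token and OTP values, and the fetch() stand-in that plays the server are all constructed for the example; nothing touches a network.

```javascript
// Added example (not from the article): a simulated man-in-the-browser hook.
// Assumption: a banking page submits transfers with fetch(), carrying a CSRF
// token header and the one-time code the user typed from their 2FA device.
// Malicious extension code runs inside the page, after TLS has been terminated
// by the browser, so it sees and can rewrite the request the page itself built.

// Constructed stand-in for the browser's real fetch(): it records what the
// bank's server would receive and answers with the transfer it "booked".
// Synchronous for simplicity; a real fetch() returns a Promise.
const serverReceived = [];
function browserFetch(url, init) {
  serverReceived.push({
    url,
    csrfToken: init.headers['X-CSRF-Token'],
    body: JSON.parse(init.body),
  });
  const booked = serverReceived[serverReceived.length - 1].body;
  return { ok: true, json: () => ({ to: booked.to, amount: booked.amount }) };
}

// What the legitimate page does on "Confirm transfer" (constructed data).
// It attaches the CSRF token and the OTP exactly as the defences require.
function submitTransfer(fetchImpl, csrfToken, otp) {
  const response = fetchImpl('https://bank.example/api/transfer', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrfToken },
    body: JSON.stringify({ to: 'DE00 0000 0000 0000 0000 00', amount: 100, otp }),
  });
  // The page renders whatever the response says was booked.
  return response.json();
}

// The MiTB hook: wraps fetch() the way a malicious add-on would wrap
// window.fetch. It rewrites destination and amount but leaves the CSRF token
// and OTP untouched, which is why those controls do not stop it.
function installMitbHook(fetchImpl, attackerIban, attackerAmount) {
  return function hookedFetch(url, init) {
    if (!url.endsWith('/api/transfer')) return fetchImpl(url, init);
    const body = JSON.parse(init.body);
    const userIntended = { to: body.to, amount: body.amount };
    body.to = attackerIban;
    body.amount = attackerAmount;
    const response = fetchImpl(url, { ...init, body: JSON.stringify(body) });
    // Second half of the trick: show the user the transfer they intended,
    // not the one that was booked, so nothing looks wrong on screen.
    return { ...response, json: () => userIntended };
  };
}

// Runs the scenario and returns what the server booked and what the user saw.
function runScenario() {
  serverReceived.length = 0;
  const hooked = installMitbHook(browserFetch, 'XX99 ATTACKER 0000 0001', 5000);
  const userSaw = submitTransfer(hooked, 'csrf-token-abc123', '482913');
  return { userSaw, serverBooked: serverReceived[0] };
}

const result = runScenario();
console.log('user saw   :', result.userSaw);
console.log('server got :', result.serverBooked.body, 'token', result.serverBooked.csrfToken);
```

Run it with node. The token and OTP reach the server unchanged because the hook modifies a request the legitimate page had already authorized; TLS protects the bytes only after they leave the browser, and a server-side RASP never sees the client at all. The one control that does bite on this pattern, not covered by the article, is confirmation of the actual destination and amount on a second channel the browser cannot rewrite.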
One of the other important topics of 2017 is mobile pentesting. What I mean by mobile pentest is not just the pentest of mobile applications; it should be understood as attacks that target phones and mobile operating systems directly. New vulnerabilities keep being discovered even in the most recent iOS and Android versions, and the importance of this kind of mobile pentest is clearer once you realize that many people do not update their phones regularly. Advanced Persistent Threat (APT) attacks have been much discussed in recent years, and it would not be wrong to say that directly attacking critical employees' mobile phones will be a new trend in target-oriented pentest projects that simulate APT attacks.

It is worth briefly mentioning cyber security product trends as well. There is an old concept that we have been hearing a lot about lately: web malware. Looking at the solutions offered so far, we see popular products that fight web malware and products that find classic web vulnerabilities, but no solution dealing with both together. For 2017 and after, products that address both web malware and web vulnerabilities will be a new trend, as will products focused specifically on browser security.

Every year we expect new features in new car models, such as an automatic parking system, but we do not expect the basic components of the car, such as wheels or tires, to change. Likewise, the core components of the pentest (network attacks, wireless assessments, classic web application pentests, etc., and the way they are performed) will continue in 2017, and they must. In addition, JavaScript-based web application pentests, social engineering attacks that target browsers, simulated ransomware attacks and mobile attacks that target the phone itself will have a special place in 2017.
Approach by: Ahmed Atef Selim

As 2016 ends, many security incidents, research results, conferences and discussions have taken place during the last 365 days. It is time to look at the rising trends for 2017 and the security controls suggested as lessons learned from that research and those incidents. Security specialists need to pay attention to new trends in both the defensive and offensive worlds: new techniques that will help defenders protect their assets more effectively, and the trends the bad guys have of their own. In this article, we will try to cover the most important rising trends in the security world, defensive and offensive, including the new trend of deceiving the attacker, the move toward threat-intelligence-driven operations, and business disruption attacks.

Rise of Game Theory (Deception & Decoy)

Imagine for a moment that, once an attack is detected in an end user's environment, the user's system had the ability to begin to lie to the attacker and give false responses. This is now a reality, and it is called deception techniques. For the past 20 years, most active responses built into network security controls have remained fairly constant, offering only a limited number of actions, such as log, reject, drop and quarantine. Such responses are visible to a skilled adversary, especially APT actors, who can work around them and change their attack strategy. Deception, by contrast, moves beyond detection to diversion: it offers detection and disruption of the attack process, delaying the attacker's activities or derailing the whole breach progression.

Although the idea may seem nascent, deception techniques have been used widely to improve threat detection and threat response strategy. For years, most security practitioners have used honeypots to gather threat intelligence, and in some incident investigations deception techniques are used to intercept and disrupt command-and-control communications. Recent technology, however, offers more than the information gathering a honeypot provides: it is capable of automated decoying. Today, deception technologies are being built into security products and include emulated, virtualized and real endpoint decoy systems, as well as decoy network services, protocols, applications and fake data elements, with providers trying to cover four levels (network, endpoint, application and data). One important thing to consider is how far the technology can trick the attacker, which is achieved by applying deception at every step of the kill chain. Figure 1 shows the deception strategies that can be used at each step.

Figure 1: Deception facing kill chain steps

Finally, deception techniques and technologies already exist and are being adopted in the market; they are gaining fans within the financial services and healthcare domains. Meanwhile, technology providers can certainly do more to articulate their threat deception capabilities and to enhance older products (such as firewalls and IPS) to leverage deception techniques, thwart attackers and improve detection.
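One concrete form of the "fake data elements" level, as an added example that is not from the article or from any deception product: plant honeytokens (a dormant account, a fake cloud key, a decoy document), then alert the moment any log line references one, and pivot the hits by source address so an analyst sees one intruder rather than three unrelated events. The tokens, the log lines, the kill-chain stage labels and the detector itself are all constructed for the example; the AWS key id is the documented AWS placeholder, not a real credential.

```javascript
// Added example (not from the article): decoy data elements ("honeytokens")
// planted in the environment and a detector that alerts when any log line
// references them. All tokens and log lines are constructed for this example;
// the AWS key id is the documented AWS placeholder, not a real credential.
// Each token is tagged with the kill-chain step its use most likely reveals.

const HONEYTOKENS = [
  // A dormant account that no job or person should ever log in with.
  { kind: 'account', value: 'svc_backup_legacy', stage: 'lateral movement' },
  // A fake cloud key left in a config file on a workstation.
  { kind: 'aws_key', value: 'AKIAIOSFODNN7EXAMPLE', stage: 'credential use / exfiltration' },
  // A tempting document that nobody has a business reason to open.
  { kind: 'document', value: 'Q3_acquisition_targets.xlsx', stage: 'actions on objectives' },
];

// Constructed log lines in a syslog-like shape (assumed formats).
const SAMPLE_LOG = [
  '2017-01-03T09:12:44Z sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022',
  '2017-01-03T09:13:10Z sshd[2213]: Failed password for svc_backup_legacy from 10.0.3.17 port 40122',
  '2017-01-03T09:14:02Z smb-audit: user bob opened \\\\files\\finance\\Q3_acquisition_targets.xlsx from 10.0.3.17',
  '2017-01-03T09:15:30Z cloudtrail: GetCallerIdentity accessKeyId=AKIAIOSFODNN7EXAMPLE sourceIPAddress=198.51.100.7',
  '2017-01-03T09:16:01Z sshd[2220]: Accepted publickey for carol from 10.0.0.9 port 51030',
];

// First dotted-quad in a line; good enough for the constructed formats above.
const IPV4 = /\b(\d{1,3}(?:\.\d{1,3}){3})\b/;

// Returns one alert per (line, token) hit. A honeytoken has no legitimate
// use, so a single hit is enough; there is no threshold to tune.
function detectHoneytokenUse(lines, tokens = HONEYTOKENS) {
  const alerts = [];
  for (const line of lines) {
    for (const token of tokens) {
      if (!line.includes(token.value)) continue;
      const ip = line.match(IPV4);
      alerts.push({
        timestamp: line.slice(0, 20),
        token: token.value,
        kind: token.kind,
        stage: token.stage,
        source: ip ? ip[1] : 'unknown',
        line,
      });
    }
  }
  return alerts;
}

// Groups the kill-chain stages seen per source address, so two hits from the
// same host read as one intruder moving through the chain.
function pivotBySource(alerts) {
  const bySource = {};
  for (const a of alerts) {
    (bySource[a.source] = bySource[a.source] || []).push(a.stage);
  }
  return bySource;
}

const alerts = detectHoneytokenUse(SAMPLE_LOG);
console.log(alerts.map((a) => `${a.timestamp} ${a.source} ${a.kind}=${a.token} (${a.stage})`).join('\n'));
console.log(pivotBySource(alerts));
```

The point of the design is that the tokens carry no false-positive budget: nothing legitimate ever uses them, so the detector needs no baseline, and every hit already tells you which stage of the kill chain the adversary has reached.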
Rise of Threat Intelligence & Management (Analytics & Visualization)

It is no secret that organizations direct spending toward solutions that promise to close the "breach monitoring" gap; however much they spend, though, the problem is not solved, since attackers are always evolving and getting new ideas. Although this observation confirms the common saying "there is no silver bullet", it also shows the need for threat management over vulnerability management. Analytics and visualization are terms that are arriving in the security domain and gaining ground, and this trend gives security teams the opportunity to shift operations toward threat management. Instead of focusing on a well-known vulnerability, threat management teams need to focus on all scenarios, even where a vulnerability does not "currently" exist.

For proper threat management, a huge amount of data needs to be collected and then analyzed to make the right decisions. Therefore, analytics and visualization have become game changers in the security domain, and this trend will keep rising for a while, since it affects the security process rather than a routine operation. For simplicity, figure 2 shows the main function of analytics and how it serves the decision maker. Visualization, on the other hand, is important to show the decision maker how the analysis was done to support the decision. Next we will look at two rising trends that need to be adopted, or planned for, to evolve your operations.

Figure 2: Security analytics function

User and Entity Behavior Analytics: UEBA is the natural evolution of user behavior analytics; as mentioned before, the analytics domain will keep evolving and growing. UEBA is a convergence of user behavior analytics with further analytics over other entities (hosts, services, accounts), so instead of analyzing data only to capture fraudulent activity or an insider, you can capture misbehavior of the organization's assets and, most importantly, data exfiltration.

Red Teaming Automation: Most organizations invest in penetration testing and vulnerability analysis to keep the organization secure; however, these exercises are not a replica of a real-world attack, because of the limits imposed to avoid impacting availability, and because some vulnerabilities are never tested and so surface only as false positives. Accordingly, analytics and visualization came into the picture to support these activities with more powerful exercises: they have huge amounts of data that gives more penetration, and tools to visualize that data and simulate attacks that cannot be run by traditional methods.
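As an added example of the entity-level analytics described above (not from the article or from any UEBA product): each user and host is scored only against its own history of outbound bytes, which is what lets a 4 GB day from an account that normally sends 50 MB stand out while a build server that always pushes close to a gigabyte stays quiet. The records, entity names, thresholds and the standard-deviation floor are assumptions made up for the example.

```javascript
// Added example (not from the article): a minimal user-and-entity behaviour
// baseline for outbound data volume, the kind of analytic that surfaces
// exfiltration by an account or host whose daily egress jumps far above its
// own history. Records are constructed; entities and thresholds are assumptions.

const MB = 1e6;

// Seven days of egress per entity (bytes). An entity can be a user or a host;
// the same baseline logic applies to both. The last value is "today".
const EGRESS = {
  'user:alice':    [40, 43, 38, 45, 41, 39, 44].map((m) => m * MB),          // steady office use
  'user:bob':      [50, 52, 49, 51, 50, 48, 4100].map((m) => m * MB),        // today: 4.1 GB out
  'host:db-01':    [5, 5, 5, 5, 5, 5, 5].map((m) => m * MB),                 // flat history, no change
  'host:print-03': [1, 1, 1, 1, 1, 1, 60].map((m) => m * MB),                // flat history, then a jump
  'host:build-07': [900, 950, 880, 920, 910, 940, 960].map((m) => m * MB),   // large but normal for it
};

// Population mean and standard deviation of an entity's own history.
function baseline(history) {
  const n = history.length;
  const mean = history.reduce((s, v) => s + v, 0) / n;
  const variance = history.reduce((s, v) => s + (v - mean) ** 2, 0) / n;
  return { mean, std: Math.sqrt(variance) };
}

// Scores the latest observation of one entity against its own history.
// Edge case: a perfectly flat history has std 0, which would make any change
// look infinitely anomalous, so std is floored at 10% of the mean (and at one
// byte). A minimum absolute delta keeps tiny entities from alerting on noise.
function scoreEntity(series, { zThreshold = 3, minDeltaBytes = 25 * MB } = {}) {
  const history = series.slice(0, -1);
  const latest = series[series.length - 1];
  const { mean, std } = baseline(history);
  const flooredStd = Math.max(std, 0.1 * mean, 1);
  const delta = latest - mean;
  const z = delta / flooredStd;
  return { z, mean, latest, anomalous: z > zThreshold && delta > minDeltaBytes };
}

// Returns the entities whose latest day is anomalous, most extreme first.
function findExfiltrationCandidates(egress, opts) {
  return Object.entries(egress)
    .map(([entity, series]) => ({ entity, ...scoreEntity(series, opts) }))
    .filter((r) => r.anomalous)
    .sort((a, b) => b.z - a.z);
}

for (const hit of findExfiltrationCandidates(EGRESS)) {
  console.log(`${hit.entity}: ${(hit.latest / MB).toFixed(0)} MB today vs ${(hit.mean / MB).toFixed(1)} MB baseline (z=${hit.z.toFixed(1)})`);
}
```

Note what the absolute numbers do not decide: build-07 moves twenty times more data than bob ever did and is not flagged, while print-03's 60 MB is. That per-entity framing, rather than a global volume threshold, is the whole point of the "entity" in UEBA.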
On the Offensive Side (Business Disruption)

Despite what was seen in 2016, with ransomware spreading and all the attention it received from manufacturers and end users, that may not be what the year is remembered for. Business disruption attacks became a trend, and the signs appeared early with an attack on KSA governmental entities. Ransomware is not the only route to business disruption; more are emerging. Business disruption is rising to the surface, specifically attacks on data integrity. The rise of this trend may be due to the large economics and profit it yields, given that it targets businesses directly. The trend is expected to expand to include not only organizations but strategic governmental entities, and to be used for political disruption.

Final Words

In conclusion, security specialists need to pay attention to new trends in both the defensive and offensive worlds, and to new techniques that will help defenders protect their assets. One of them is deception, where the security specialist will not only detect and prevent but also disrupt the attack process, as in a game of chess. CISOs/CSOs must start thinking about a threat-intelligence-driven process instead of the ordinary ways of driving the security process (current practices, penetration testing, vulnerability assessment, etc.). On the other hand, the bad guys are still evolving and have their own trends; one that keeps evolving and will target much bigger entities is business disruption attacks. Finally, alongside the rising trends, some of the older ones keep evolving and will continue to, such as:
• Governance, Risk & Compliance (GRC): every day we find a new breach, and organizations and governments are issuing regulations and standards that keep getting tougher.
• Identity and Access Management (IAM): a dream for every big organization to achieve; as the number of employees grows and the authentication issues around them become uncontrollable, the dream becomes a must-have.

Wishing everyone an effective 2017 security plan and a happy 2017.

Author: Ahmed A. Selim
Professional Service Head at SecurityMeter, a Security Managed Service Provider in North Africa, the Middle East and East Asia. He has conducted a wide range of security services and deployments for major entities in the MENA region, including consultancy, strategic planning and organizational change. His early career in IT gave him exposure to a wide range of IT domains and qualified him to focus on security consultancy and to lead a team of professional experts in security services and solutions.
Approach by: Washington Umpierres de Almeida Junior

World society has watched the forms of communication evolve throughout its history. There were times when the telegram was known as the fastest way to send a message to a person or company, and even in that scenario there were people able to intercept this kind of information while it was in transit. However, in those times, these people needed physical access to the information, since the data was travelling written on paper. The forms of communication continued to evolve until the emergence of the Internet, where communication methods went through a process of evolution that revolutionized the way people and companies communicate with each other. Nowadays, the methods used to do things have been changing dramatically. Today people use electronic transfers instead of exchanging cheques, send e-mails instead of writing letters, share information on social networks instead of meeting acquaintances and friends somewhere, and so on. From an industry point of view, the evolution goes the same way. Companies have been implementing complex automated methods to increase their production, and more recently financial institutions are working to implement blockchain-based technology, which indicates a movement to replace the traditional banking business model. The world, and the way people and companies do things, has been changing very quickly. This evolution has brought both benefits and challenges to modern society, which today depends heavily on Internet resources. Along with these changes arise the threats involved in each technological element around us. So what can we expect from incoming threats in 2017?

Incoming Threats

The incoming threats for the next years will focus on the SSL/TLS protocols [1], blockchain-based technology and smartphones. Why? Let us have a look at each one in more detail.
Attacks on SSL/TLS protocols

In a simplified way, an application protocol carried over an SSL/TLS implementation gets an "S" added to the end of its name. Thus, for example, the web protocol (HTTP) implemented in a secure manner (over SSL/TLS) takes the form "HTTPS", sometimes referred to as "HTTP Secure". After the development of the Secure Socket Layer by Netscape [2], it seemed the information technology industry had found a way to navigate the Internet securely. For many years, the security provided by the SSL/TLS protocols seemed to be the best way to guarantee privacy and security for on-line transactions. Although still widely used over the Internet, SSL, the older TLS versions and weak deployments of them present serious vulnerabilities that allow attackers to exploit numerous variations of these flaws to compromise systems and, as a consequence, capture sensitive data such as personal information, credit card details, user IDs, passwords and so on.