Archive for 18.3.2010

Hacking: Tools

I had a network test lately and was using some newer tools….

Ncrack:

http://nmap.org/ncrack/man.html

Medusa (a new version after two years):

http://www.foofus.net/jmk/medusa/medusa.html

Nsploit (nmap with metasploit)

http://trac.happypacket.net/

Happy hacking everyone…

Security: Audit

In case you need some peace from the client, just send some questions in their direction….


Network / Operating System Questionnaire

 

 

1)      Physical Security

a.      Who has access?

b.      How is access regulated?

2)      Password Security

a.      Password history?

b.      Password complexity?

c.       Lockout?
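The three password questions above are easiest to discuss with the client when you can point at a concrete mechanism. The following is an added example written for this page, not code from the original post: a minimal account model that enforces password history, complexity and lockout. Every threshold in it (12 characters, 3 character classes, 5 remembered passwords, 5 failures within 15 minutes, 30-minute lockout, PBKDF2 iteration count) is an assumption chosen for the example, not a value from the page.

```python
"""Added example: password history, complexity and lockout in one small model.
All thresholds below are example values, not values from the questionnaire."""
import hashlib
import hmac
import os
import re
import time
from collections import deque

MIN_LENGTH = 12            # example policy values
MIN_CLASSES = 3
HISTORY_DEPTH = 5          # current password plus the previous four
LOCKOUT_THRESHOLD = 5      # failures ...
LOCKOUT_WINDOW = 15 * 60   # ... within this many seconds ...
LOCKOUT_DURATION = 30 * 60 # ... lock the account for this long

def _hash(password, salt):
    # Salted PBKDF2 so stored history entries cannot be reversed into old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_violations(password):
    """Return a list of complexity problems; empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append("uses %d character classes, need %d" % (classes, MIN_CLASSES))
    return problems

class Account:
    def __init__(self, password):
        # The initial password is assumed to have been vetted when the account was provisioned.
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest) of recent passwords
        self.failures = deque()                      # timestamps of recent failed logins
        self.locked_until = 0.0
        self._set(password)

    def _set(self, password):
        salt = os.urandom(16)
        self.salt, self.digest = salt, _hash(password, salt)
        self.history.append((salt, self.digest))

    def change_password(self, new):
        """History + complexity check. Returns the list of violations (empty on success)."""
        problems = complexity_violations(new)
        for salt, digest in self.history:
            if hmac.compare_digest(_hash(new, salt), digest):
                problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
                break
        if problems:
            return problems
        self._set(new)
        return []

    def login(self, password, now=None):
        """Returns 'ok', 'failed' or 'locked'. `now` is injectable so the lockout window is testable."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        # Forget failures that fell out of the sliding window.
        while self.failures and now - self.failures[0] > LOCKOUT_WINDOW:
            self.failures.popleft()
        if hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures.clear()
            return "locked"
        return "failed"
```

The lockout counter is exactly what a brute-force tool like the ones in the post above runs into, so the answer to 2c also tells you how gently a network test has to run against the target.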

3)      Backup Security

a.      Redundant?

b.      Log files?

4)      Users / Access Security

a.      Who has access to the system?

b.      From where is access granted?

c.       Who are the application’s end users?

d.      How do the end users interact with the application?

e.       What security expectations do the end users have?

f.       Which third parties supply data to the application?

g.      Which third parties receive data from the applications?

h.      Which third parties process the application’s data?

i.        What mechanisms are used to share data with third parties besides the application itself?

j.        What security requirements do the partners impose?

k.      Who has administrative capabilities in the application?

l.        What administrative capabilities does the application offer?

m.    What security related regulations apply?

n.      What auditing and compliance regulations apply?

o.      What user privilege levels does the application support?

p.      What user identification and authentication requirements have been defined?

q.      What session management requirements have been defined?

r.       What application performance monitoring requirements have been defined?

s.       What application security monitoring requirements have been defined?

t.        What application error handling and logging requirements have been defined?

u.      How many logical tiers group the application’s components?

v.      What access requirements have been defined for URI and Service calls?

w.    What user authorization requirements have been defined?

x.      How are user identities maintained throughout transaction calls?

5)      Network Security

a.      What details regarding routing, switching, firewalling, and load balancing have been defined?

b.      What network design supports the application?

c.       What core network devices support the application?

d.      What network performance requirements exist?

e.       What private and public network links support the application?

f.       Which security devices are in place to enforce access control?

g.      Which networks are attached?

h.      Which systems are connected on the same network segment?

i.        How is the network segregated?

j.        Are administrative traffic and data traffic separated?
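Questions h through j are the ones where the client's answer is best checked against an address inventory rather than taken on trust. The following is an added example for this page, not part of the original questionnaire: given a host inventory and a segment plan, it lists the neighbours of a host and flags segments that carry both administrative and non-administrative systems. The inventory, the segment plan and the role labels ("data", "admin", "corporate") are all constructed for the example.

```python
"""Added example: evidence for the segmentation questions from an address inventory.
The inventory and segment plan are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed inventory: (host, address, role). A jump host sits in the data segment on purpose.
INVENTORY = [
    ("db01",      "10.10.1.10", "data"),
    ("app01",     "10.10.1.20", "data"),
    ("jump01",    "10.10.1.30", "admin"),     # misplaced: admin box on the data segment
    ("ilo-db01",  "10.10.9.10", "admin"),
    ("ilo-app01", "10.10.9.11", "admin"),
    ("corp-pc42", "10.20.5.42", "corporate"),
]

# Constructed segment plan (what the client says the network looks like).
SEGMENTS = {
    "prod-data": ipaddress.ip_network("10.10.1.0/24"),
    "prod-mgmt": ipaddress.ip_network("10.10.9.0/24"),
    "corp-lan":  ipaddress.ip_network("10.20.0.0/16"),
}

def segment_of(addr):
    """Name of the planned segment containing `addr`; None if the address is unplanned."""
    ip = ipaddress.ip_address(addr)
    matches = [name for name, net in SEGMENTS.items() if ip in net]
    # Longest prefix wins if the plan contains nested networks.
    return max(matches, key=lambda n: SEGMENTS[n].prefixlen) if matches else None

def hosts_by_segment(inventory=INVENTORY):
    out = defaultdict(list)
    for host, addr, role in inventory:
        out[segment_of(addr)].append((host, role))
    return dict(out)

def mixed_segments(inventory=INVENTORY):
    """Segments carrying admin systems next to non-admin ones (question j)."""
    result = {}
    for seg, hosts in hosts_by_segment(inventory).items():
        roles = {role for _, role in hosts}
        if "admin" in roles and roles - {"admin"}:
            result[seg] = sorted(h for h, _ in hosts)
    return result

def neighbours(host, inventory=INVENTORY):
    """Systems sharing a segment with `host` (question h)."""
    addr = {h: a for h, a, _ in inventory}[host]
    seg = segment_of(addr)
    return sorted(h for h, a, _ in inventory if h != host and segment_of(a) == seg)

if __name__ == "__main__":
    print("mixed segments:", mixed_segments())
    print("neighbours of db01:", neighbours("db01"))
```

Feed it the real inventory (CMDB export, DHCP leases, or a host discovery sweep) and the plan the client hands you; disagreements between the two are usually the interesting findings.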

6)      Data

a.      What data does the application receive, produce, and process?

b.      How can the data be classified into categories according to its sensitivity?

c.       How might an attacker benefit from capturing or modifying the data?

d.      What data backup and retention requirements have been defined for the application?

e.       What data entry paths does the application support?

f.       What data output paths does the application support?

g.      How does data flow across the application’s internal components?

h.      What data input validation requirements have been defined?

i.        What data does the application store and how?

j.        What data is or may need to be encrypted and what key management requirements have been defined?

k.      What capabilities exist to detect the leakage of sensitive data?

l.        What encryption requirements have been defined for data in transit over WAN and LAN links?

7)      Systems

a.      What operating systems support the application?

b.      What hardware requirements have been defined?

c.       What details regarding required OS components and lock down needs have been defined?

d.      What infrastructure monitoring is in place?

e.       What network and system performance monitoring requirements have been defined?

f.       What mechanisms exist to detect malicious code or compromised application components?

g.      What network and system security monitoring requirements have been defined?

8)      Monitoring

a.      What application auditing requirements have been defined?

b.      What application performance monitoring requirements have been defined?

c.       What application security monitoring requirements have been defined?

d.      What application error handling and logging requirements have been defined?

e.       How are audit and debug logs accessed, stored, and secured?

9)      Operations

a.      What physical controls restrict access to the application’s components and data?

b.      What is the process for granting access to the environment hosting the application?

c.       What is the process for identifying and addressing vulnerabilities in the application?

d.      What is the process for identifying and addressing vulnerabilities in network and system components?

e.       What access do system and network administrators have to the application’s sensitive data?

f.       What security incident requirements have been defined?

g.      How do administrators access production infrastructure to manage it?

h.      What controls exist to prevent a compromise in the corporate environment from affecting production?

i.        What security governance requirements have been defined?

j.        What corporate security program requirements have been defined?

k.      What security training do developers and administrators undergo?

l.        Which personnel oversee security processes and requirements related to the application?

m.    What employee initiation and termination procedures have been defined?

n.      What application requirements impose the need to enforce the principle of separation of duties?

10)   Change Management

a.      How are changes to the code/application controlled?

b.      How are changes to the infrastructure controlled?

c.       How are code/applications deployed to production?

d.      What mechanisms exist to detect violations of change management practices?

11)  Virtualization and Externalization

a.      What aspects of the application lend themselves to virtualization?

b.      What virtualization requirements have been defined for the application?

c.       What aspects of the product may or may not be hosted via the cloud computing model?

 

 

 

 

Security: BCP DR

Short overview of BCP and DR….

BCP

 

The development of a BCP manual can have five main phases:

 

  1. Analysis

  2. Solution design

  3. Implementation

  4. Testing and organization acceptance

  5. Maintenance

1a) Impact analysis (Business Impact Analysis, BIA)

 

RTO = The Recovery Time Objective is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

 

RPO = The Recovery Point Objective is the point in time to which you must be able to recover data, as defined by your organization. In effect it states what the organization considers an “acceptable loss” of data in a disaster. It is independent of how long the recovery itself takes: if the RPO of a company is 2 hours and getting the data back into production takes 5 hours, the RPO is still 2 hours (the 5 hours are measured against the RTO, not the RPO). Based on this RPO, the restored data must be no older than 2 hours before the disaster, so backups or replication have to run at least that often.

 

MTPD = Maximum Tolerable Period of Disruption (also written MTPoD)

 

The Recovery Point Objective must ensure that the Maximum Tolerable Data Loss for each activity is not exceeded. The Recovery Time Objective must ensure that the Maximum Tolerable Period of Disruption (MTPD) for each activity is not exceeded.
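The distinction between the two objectives is easiest to see with numbers. The following is an added example for this page, not from the original post: it takes a constructed incident timeline (backup schedule, time of the disaster, time data is back in production) and checks the actual data loss against the RPO and the actual outage against the RTO and MTPD. The 2-hour RPO and 5-hour restore come from the RPO definition above; the 4-hour RTO, 8-hour MTPD, backup times and dates are assumptions made for the example.

```python
"""Added example: check an incident timeline against RPO, RTO and MTPD.
The timeline below is constructed; only the 2 h RPO / 5 h restore come from the text."""
from datetime import datetime, timedelta

def actual_loss(disaster, backups):
    """Data lost = time from the last backup completed before the disaster to the disaster."""
    done = [b for b in backups if b <= disaster]
    if not done:
        return None          # nothing to restore from: loss is total
    return disaster - max(done)

def worst_case_loss(backups):
    """Largest gap in the backup schedule; this is what RPO really has to cover."""
    times = sorted(backups)
    if len(times) < 2:
        return None
    return max(b - a for a, b in zip(times, times[1:]))

def actual_outage(disaster, restored):
    """Disruption = time from the disaster until the service is back in production."""
    return restored - disaster

def evaluate(disaster, backups, restored, rpo, rto, mtpd):
    loss = actual_loss(disaster, backups)
    outage = actual_outage(disaster, restored)
    return {
        "data_loss": loss,
        "outage": outage,
        "rpo_met": loss is not None and loss <= rpo,   # data side
        "rto_met": outage <= rto,                       # time side
        "mtpd_exceeded": outage > mtpd,                 # the hard limit behind the RTO
    }

# Constructed scenario: backups every 2 hours, disaster at 10:30,
# data back in production at 15:30 (the 5 hours from the text).
DISASTER = datetime(2010, 3, 18, 10, 30)
BACKUPS = [datetime(2010, 3, 18, h, 0) for h in (0, 2, 4, 6, 8, 10)]
RESTORED = datetime(2010, 3, 18, 15, 30)

def example():
    # RPO from the text; RTO and MTPD are assumed values for the example.
    return evaluate(DISASTER, BACKUPS, RESTORED,
                    rpo=timedelta(hours=2), rto=timedelta(hours=4), mtpd=timedelta(hours=8))

if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

In this scenario the RPO is met (30 minutes of data lost, worst case 2 hours with the 2-hour schedule) while the 5-hour restore misses a 4-hour RTO, which is exactly the point of the definition above: the slow restore is an RTO problem, not an RPO problem. Note that a backup schedule whose interval equals the RPO has no margin; one skipped run pushes the loss over the objective.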

 

1b) Threat analysis

* Disease

* Earthquake

* Fire

* Flood

* Cyber attack

* Sabotage

* Hurricane

* Utility outage

* Terrorism

2) Solution design

 

The goal of the solution design phase is to identify the most cost effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as:

 

The minimum application and application data requirements

The time frame in which the minimum application and application data must be available

3) Implementation

 

The implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution; however, work package testing does not take the place of organizational testing.

4) Testing and organizational acceptance

 

The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies the organization’s recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include:

 

* Crisis command team call-out testing

* Technical swing test from primary to secondary work locations

* Technical swing test from secondary to primary work locations

* Application test

* Business process test

 

At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.

5) Maintenance

 

Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual, roll out to ALL staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical.

 

DR

 

Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.

 

General steps to follow while creating BCP/DRP

 

  1. Identify the scope and boundaries of the business continuity plan. This first step defines the scope of the BCP and makes the plan’s limitations and boundaries explicit. It also takes in the audit and risk analysis reports for the institution’s assets.

  2. Conduct a business impact analysis (BIA). The BIA is the study and assessment of the effects on the organization of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial, or less tangible but nevertheless essential (e.g. human resources, shareholder liaison).

  3. Sell the concept of BCP to upper management and obtain organizational and financial commitment. Convincing senior management to approve the BCP/DRP is a key task: without that approval the plan cannot be brought into effect.

  4. Each department needs to understand its role in the plan and support its maintenance. In a disaster, each department has to be prepared to act; to recover and protect the critical functions, it has to understand the plan and follow it. Each department should also help create and maintain its own portion of the plan.

  5. The BCP project team must implement the plan. After approval from upper management the plan has to be implemented and maintained, and the implementation team should follow the guidelines and procedures in the plan.

  6. The NIST tool set can be used for doing BCP. The National Institute of Standards and Technology has published guidance and tools that help in creating a BCP.

 

The following is a list of the most common strategies for data protection.

 

  • Backups made to tape and sent off-site at regular intervals (preferably daily)

  • Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk

  • Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of storage area network (SAN) technology

  • High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data

 

In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.

 

In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:

 

  • Local mirrors of systems and/or data and use of disk protection technology such as RAID

  • Surge protectors — to minimize the effect of power surges on delicate electronic equipment

  • Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure

  • Fire prevention and suppression — alarms, fire extinguishers

  • Anti-virus software and other security measures

Security: ISMS

I have kind of developed a 13-step program to an ISMS….

ISMS - An information security management system

 

 

13 Steps Program:

 

 

  1. Purchase a copy of the ISO/IEC standards

  2. Obtain Management Support

  3. Determine the Scope of the ISMS

  4. Identify Applicable Legislation

  5. Define a Method of Risk Assessment

  6. Create an Inventory of Information Assets to Protect

  7. Identify Risks

  8. Assess the Risks

  9. Identify Applicable Objectives and Controls

  10. Set up Policy and Procedures to Control Risks

  11. Allocate Resources and train the Staff

  12. Monitor the Implementation of the ISMS

  13. Prepare for Certification Audit
