Engaging with Penetration Testing Firms

April 12th, 2011 by peter.bassill

Penetration testing has been a part of information security since the early 1990s, yet to this day security staff make the same mistakes over and over again. In this short piece I explore my personal views on selecting a penetration testing firm and how I go about engaging them in some real-world attack scopes.

I want a penetration testing firm that…

April 11th, 2011 by peter.bassill

I want a penetration testing firm that:

understands my employer's business is to make money
but my business is to protect my employer

understands that I find no value in a 300 page report
but a high-quality 3 page report in Queen's English is better than gold

understands that I take a risk-based approach to security
and knows that risk is a common business language, not CVSS criteria

understands when I say holistic, it means you find your own damn way in
and not “well, we can get in easier from your server lan”

understands that I don't give a damn about a particular standard
but knows the contents of NIST 800-53, PCI and ISO 2700x

understands that PCI-DSS is a base line level of security
and not something I think we aspire to

understands that I use all the tools available to me
and knows how to test manually, thinking outside the box

I want a penetration testing firm that listens!

APT? Another Pathetic Term

March 28th, 2011 by peter.bassill

If there is one thing in the security industry we are drowning in, it is acronyms dreamt up by overpaid and overplayed marketing teams. Not that I think ill of the marketing people; they do a brilliant job and I just wish we had some more of them in our business. APT, or Advanced Persistent Threat, is the latest fad of the marketeers and the box shippers. The amazing and crazy thing about an APT is that it does not exist. In fact, all the APT is is the human between the computer and the keyboard (pink fluffy computer is my preferred term).

As I was thinking about this following yet another phone call from a nameless vendor who has a box to resolve the APT issue, I read through Bill Brenner's article here, where he is commenting on a conversation between Josh Corman of the 451 Group and security, privacy and compliance expert David Mortman. As ever, worth a read.

Cloud Increases Risk?

March 11th, 2011 by peter.bassill

Andrew W Morse, Founder, Digital Tsunami "Communications Evolution", recently asked the following question on LinkedIn: "With the increased complexity of polymorphic malware and the increased use of social platforms, do you have concerns for increased network intrusion via ever-increasing corporate cloud computing?"

It gave a fair amount to think about so I thought I would share my opinions with you all.

What a great question, and thank you for asking it. Ok, do you have more or less security by renting a 1U server from a server farm in a datacenter? Do you have more or less security when, rather than rent that server from a server farm, you physically house it in your datacenter? There are a number of players out there in the market that would have you believe that a server in the "cloud" is vulnerable to attack, but the truth is that any server with a connection to a public-facing network is going to be attacked at some point in time.

From my point of view, the biggest security concern is one I am not hearing about much, and that is the disk. Say you rent a cloud server with 100 GB of disk and you then use this for some data processing; once you have finished, you close down your server and remove it from the system. That disk is still there.

It is possible to rent a single cloud server and get it up and running in only a few minutes. Once done, add a few cloud disks to it and run standard forensics recovery tools over the disks you have provisioned from the pool. What are the odds of successfully recovering someone's information? A number of cloud vendors put some form of protection in front of the physical layer, but when we are talking disk, how much work does it take to recover a previous tenant's data?

Still worried about network intrusion? Have your admins build and secure your cloud servers properly and maintain a good patching program alongside good security practises for access control.

Worried about a disk recovery attack? Encrypt your data in the cloud and then carry out a DoD standard 7 pass wipe of your data areas prior to deprovisioning your server.
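As an added illustration of that pre-deprovisioning step (this is example code, not from the original post), the following Python performs a multi-pass overwrite of a data area with a final zero pass, and includes a remanence check a tenant can also run over a freshly provisioned volume before trusting it. The scratch file, the sample records, the pass count and the chunk size are all constructed assumptions for the demo.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per write; assumed value for the demo


def wipe_region(path, passes=7, chunk=CHUNK):
    """Overwrite every byte of the file or block device at `path` `passes` times.
    Random data is written on every pass except the last, which writes zeros so
    that nonzero_ratio() can confirm the overwrite actually landed on disk.
    Returns the number of bytes overwritten per pass."""
    with open(path, "r+b", buffering=0) as f:
        f.seek(0, os.SEEK_END)   # works for block devices too, unlike os.path.getsize
        size = f.tell()
        for p in range(passes):
            final_zero_pass = (p == passes - 1)
            f.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                f.write(bytes(n) if final_zero_pass else secrets.token_bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass through the page cache
    return size


def nonzero_ratio(path, chunk=CHUNK):
    """Fraction of bytes in `path` that are not zero. A freshly provisioned
    volume that reads back mostly non-zero was not blanked by the provider;
    a wiped region should return 0.0 after the final zero pass."""
    total = nonzero = 0
    with open(path, "rb", buffering=0) as f:
        while buf := f.read(chunk):
            total += len(buf)
            nonzero += len(buf) - buf.count(0)
    return nonzero / total if total else 0.0


def demo(size=1 << 20):
    """Constructed scenario: a scratch file stands in for the data area,
    is filled with fake tenant records, measured, wiped and measured again."""
    record = b"customer_id=1042;account=demo-account;balance=100\n"  # constructed
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((record * (size // len(record) + 1))[:size])
        before = nonzero_ratio(path)
        wiped = wipe_region(path)
        after = nonzero_ratio(path)
        return before, after, wiped
    finally:
        os.unlink(path)
```

Overwrite passes only reach the blocks the virtual disk currently maps to your tenancy, so on SSD-backed, thin-provisioned or snapshotted storage some copies may survive; that is why encrypting the data from the start is the stronger of the two controls the post pairs together.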

Still worried about security? Think about risk and not particular technology points.

Security Detractors?

February 12th, 2011 by peter.bassill

Sensibility around security is something we as an industry can be lacking, and with the continual growth of compliance controls being imposed on businesses by a myriad of organisations and governmental bodies, compliance is becoming a significant security detractor. Two years ago I heard Josh Corman of the 451 Group state that many businesses "fear the auditor more than the attacker", and to this day I feel it remains true. As security professionals, we have in many aspects been reduced to mere box tickers and list checkers in an effort to make sure we meet the simplest of security standards. The very best example of this is the PCI-DSS.

When the Payment Card Industry Data Security Standard (PCI-DSS) version 2.0 was released in the last quarter of 2010, it seemed that every vendor under the sun once again started phoning claiming to have the solution to my PCI-DSS problems; if only they really did have a solution.

There is a common belief that in order to be secure you must have a checklist, something auditors love to see. While I am not averse to checklists, in fact I use a number of them on occasion to ensure we are carrying out our routine tasks correctly, they don't really help your security baseline. The trouble here is that this very simple task, of checking tasks off a checklist, ties up security professionals for excessive amounts of time in order to prove compliance.

Is there a light at the end of the tunnel? For the moment, I don’t see how there can be one. Many standards are evolving, some for the better, but with more requirements being sought to be proven in a single audit the life of the security professional is without doubt being reduced to box checking.

My suggestion for increased security is simple: fewer large single annual audits. Split the audits into three or four segments and eat them like an orange, one piece at a time.
