Richard Lee (r23lee) - Research Paper

PENETRATION TESTING AND ITS GROWING IMPORTANCE FOR MODERN BUSINESSES

BY RICHARD LEE
1.0 - Introduction

Systems security is growing increasingly important in our world today. An organization needs to ensure that its systems are functioning as required. One of the ways to do this is through penetration testing. This report will discuss what penetration testing is, some of the common tools and techniques used by testers, why it is important to businesses (from a business risk perspective, a system security perspective, an internal audit perspective, and a regulatory compliance perspective), and go through the basics of how to plan a penetration test.

2.0 Background

What Is Penetration Testing?

Penetration testing, as the name implies, is a series of activities undertaken to identify and exploit security vulnerabilities. [i] The basic idea of penetration testing is to simulate what a hacker would do to attack and compromise a system, and see how vulnerable the system is. It can be useful for testing systems in a new environment before actually going live with the system. [ii] The results of these tests help the organization evaluate its current level of security by showing holes in its security, as well as help the organization focus on system security improvements where they are needed the most. [iii]

It should be noted that penetration testing is often completed with finite resources, focused on a particular area, over a finite period of time, [iv] and is therefore not intended to identify all security vulnerabilities in a system, nor intended to guarantee that the information is secure; hackers tend to have more time and resources than an organization may be able to afford for security testing. [v] As well, since penetration tests are done at a point in time, they are incapable of anticipating security holes caused by new hacker tools, new technologies, or changes to the organization's system. [vi] Finally, penetration testing, by its very nature, focuses on security vulnerabilities that would enable unauthorized access, and is not necessarily focused on vulnerabilities that could result in the accidental loss or disclosure of the organization's information and information systems. [vii]

From the perspective of a company, there are several testing strategy considerations available, based on the objectives to be achieved. The first is determining whether external or internal testing (or both) is to be performed. External testing mimics attacks on the organization's network perimeter from outside the organization's network (e.g., through the Internet or an extranet). Testers would try to penetrate externally-visible systems, such as the Domain Name Server, email server, web server, or firewall. [viii] Internal testing is performed from within the organization's technology environment. It is meant to mimic attacks on the system by disgruntled employees, authorized visitors, or hackers who have successfully penetrated the perimeter of the system. [ix] Although results can differ, the techniques employed for internal and external testing are similar. [x]

Another strategy consideration is whether blind, double-blind, and/or targeted testing should be used. Blind testing basically means that the testers are provided with limited information about the organization's system, and therefore must use publicly available information to conduct their penetration tests. [xi] This type of testing may provide the users with valuable information about the system, but may also be more time-consuming and expensive, due to the extra work that the penetration testers have to do to find information about the system. [xii] Double-blind testing basically means that the organization's IT and security staff are unaware of the potential attacks by penetration testers. It is useful in that, on top of finding vulnerabilities in the system itself, it can provide information about the effectiveness of a company's security monitoring and response procedures. [xiii] Targeted testing basically means that both the testers and the security/IT staff are aware of the tests to be performed and how the system works. These tests may be useful in testing the design of the system, and are generally less time-consuming and more cost-efficient than either of the blind testing strategies. However, since the tests are only being performed on specific parts of the system, and the IT and security staff are notified beforehand, targeted testing does not test the organization's response procedures, nor does it provide as complete a picture of an organization's security vulnerabilities. [xiv]

2.1 Common Techniques & Tools

Penetration testing is often done using the same kinds of tools and techniques that a malicious hacker might use. [xv] Some of the common techniques for penetration testing, among others, are as follows:

- Application security testing [xvi] - evaluates controls over a web-based application and its process flow. The application's use of encryption, user-authentication process, use of cookies, and so forth are tested.

- Denial of Service (DoS) testing [xvii] - basically, attempting to exhaust the resources of a system so that legitimate user requests cannot be effectively executed (i.e., denying the user service). This is typically done by attempting to overload the system with requests/data (so that all memory or processing power is taken up) or by pushing certain processes to their internally-defined maximum limit so as to achieve the same effect for the legitimate user.

- Wireless network penetration testing [xviii] - finding improperly-secured wireless networks and identifying security gaps or flaws in the design that will allow outsiders to enter the corporate system through the wireless network. For example, many organizations leave their wireless connection unsecured, [xix] allowing the public to access their system without any need for authentication. Alternatively, they use wireless protocols such as WEP, which have well-known vulnerabilities that make the security negligible. [xx]

- Social engineering [xxi] - basically, using deceptive means (e.g., pretending to be a large company's IT department) or physical means (e.g., intercepting mail, searching through a company's trash) to gather enough information to penetrate a system. An example of this would be a tester posing as an employee to get into secured areas. Social engineering tests the ability of the organization's people to contribute to or prevent unauthorized access to information and information systems. [xxii]

- Spoofing - pretending that information is from a trusted source (by changing packet headers on the data sent to the system) and sending that information to the system. This is often used to test systems that have been set up to only accept information from or send information to a certain machine, and to see if invalid commands can be sent and/or confidential information can be received. [xxiii]

- Packet sniffing - capturing and analyzing data as it travels over a network. With the data, a tester may be able to do things such as find network problems, collect sensitive information sent over the network (if not properly encrypted), or reverse engineer proprietary protocols used on the network. [xxiv]

- Brute force attack - basically, trying out as many character combinations as possible as passwords for user accounts, in the hope of finding one that is correct (and thus allowing the tester to gain access to the system). [xxv]

- Vulnerability analysis - knowing what kind of system is being targeted, looking at the known vulnerabilities of those systems, and trying to exploit those vulnerabilities to see if the system has been properly patched. [xxvi]

- Code review - looking at publicly-accessible application code to ensure that it doesn't contain sensitive information (e.g., test comments, names, or clear-text passwords). [xxvii]

- Authorization testing - testing user authentication systems to see if invalid or unauthorized user information is accepted. This test is used to see if a system can be made to allow unauthorized access. [xxviii]

- Functionality testing - testing user functionality to see if it properly handles invalid input, and if it properly performs to specification. [xxix]

Some of the possible tools used in penetration testing, among others, are as follows:

- Port scanners - locate the ports (data connections) of a target that are available for connection from a remote location, so one can see whether the network can be entered through improperly configured ports. They are useful in testing port configurations, and in attempting to hide from network intrusion detection methods. [xxx]

- Vulnerability scanner - attempts to exercise known vulnerabilities in targeted systems. A vulnerability scanner looks for common configuration weaknesses in the system. [xxxi]

- Web Application Assessment Proxy - a tool that interposes itself between a tester's web browser and the target web server, and subsequently allows the tester to view and manipulate all information sent to/from the server. This potentially allows the tester to change information fields in data sent/stored, and see how the web server reacts (e.g., changing a user ID field in a stored cookie, and seeing if the system still authenticates under that new user ID). [xxxii]

Penetration testers need to select their tools wisely, and consider the differing needs of software developers and penetration testers. [xxxiii]
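The cookie-tampering test described for the assessment proxy above (and the authorization testing technique that it exercises) can be seen end to end in the following added example. It is not code from the paper: it contrasts a deliberately weak session cookie that stores the user ID in the clear with one whose contents are protected by an HMAC, and runs the same "rewrite the uid field" check that a tester would perform in a proxy against both. The secret, user names and helper names are all constructed for the example.

```python
"""
Cookie tampering check: the test a web application assessment proxy enables,
run against a deliberately weak session cookie and an HMAC-signed one.
Added example, not code from the paper; every name here is constructed.
"""
import base64
import hashlib
import hmac
from typing import Callable, Optional

# Constructed server-side secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


# --- Weak design: the cookie is just the user ID in the clear ---------------

def weak_issue_cookie(user_id: str) -> str:
    """Issue a session cookie that simply stores the user ID."""
    return f"uid={user_id}"


def weak_authenticate(cookie: str) -> Optional[str]:
    """Trust whatever user ID the client presents (the flaw under test)."""
    if cookie.startswith("uid="):
        return cookie[len("uid="):]
    return None


# --- Hardened design: the cookie carries an HMAC over its contents ----------

def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url-encoded so it is cookie-safe."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def signed_issue_cookie(user_id: str) -> str:
    """Issue 'uid=<id>|<signature>'; the signature binds the uid field."""
    payload = f"uid={user_id}".encode()
    return payload.decode() + "|" + _sign(payload)


def signed_authenticate(cookie: str) -> Optional[str]:
    """Accept the uid only if the signature over the payload verifies."""
    try:
        payload, sig = cookie.rsplit("|", 1)
    except ValueError:          # no separator: malformed cookie
        return None
    # Constant-time comparison so the check itself does not leak timing information.
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        return None
    return payload[len("uid="):] if payload.startswith("uid=") else None


# --- The proxy-style check --------------------------------------------------

def tamper_check(issue: Callable[[str], str],
                 authenticate: Callable[[str], Optional[str]],
                 legit_user: str, target_user: str) -> dict:
    """
    Log in as legit_user, rewrite the uid field of the cookie (what a tester
    does in an interception proxy), and report which identity the server
    accepts for the original and for the tampered cookie.
    """
    cookie = issue(legit_user)
    tampered = cookie.replace(f"uid={legit_user}", f"uid={target_user}", 1)
    return {
        "original_accepted_as": authenticate(cookie),
        "tampered_accepted_as": authenticate(tampered),
    }


if __name__ == "__main__":
    print("weak  :", tamper_check(weak_issue_cookie, weak_authenticate, "alice", "admin"))
    print("signed:", tamper_check(signed_issue_cookie, signed_authenticate, "alice", "admin"))
```

The weak design accepts the rewritten cookie as "admin", which is exactly the finding the proxy test is looking for; the signed design rejects it because the signature no longer matches the payload. Signing only authenticates the cookie's contents; it does not hide them, so a design that must also keep the payload confidential, or must survive a stolen cookie, needs server-side session storage or encryption in addition.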
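The brute force technique listed above, and the paper's later point that an intrusion detection system only catches what it has been programmed to identify, are illustrated from the defender's side by the following added example (not code from the paper). It runs a simple failed-login detector over constructed authentication log lines: the sshd-like log format, the account and address values, and the thresholds are all assumptions chosen for the example.

```python
"""
Failed-login burst detection over constructed authentication log lines.
Added example, not code from the paper; the log format, names, addresses
and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed log lines in an sshd-like format (not a real capture).
SAMPLE_LOG = """\
2009-05-25T10:00:01 auth: Failed password for bob from 203.0.113.7
2009-05-25T10:00:03 auth: Failed password for bob from 203.0.113.7
2009-05-25T10:00:04 auth: Failed password for bob from 203.0.113.7
2009-05-25T10:00:06 auth: Failed password for bob from 203.0.113.7
2009-05-25T10:00:09 auth: Failed password for bob from 203.0.113.7
2009-05-25T10:00:10 auth: Accepted password for bob from 203.0.113.7
2009-05-25T10:05:00 auth: Failed password for carol from 198.51.100.2
2009-05-25T10:20:00 auth: Failed password for carol from 198.51.100.2
2009-05-25T10:35:00 auth: Failed password for carol from 198.51.100.2
2009-05-25T10:50:00 auth: Failed password for carol from 198.51.100.2
2009-05-25T11:05:00 auth: Failed password for carol from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, source) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60) -> List[Dict]:
    """
    Raise one alert per (source, user) pair that accumulates `threshold`
    failed logins inside a sliding window of `window_seconds`. A later
    successful login for the same pair is recorded on the alert, because a
    success after a burst of failures is the case that needs a response.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: List[Dict] = []
    alerted = set()
    for ts, result, user, src in parse(log_text):
        key = (src, user)
        if result == "Failed":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"src": src, "user": user, "failures": len(q),
                               "first": q[0], "last": ts, "success_after": False})
        else:
            for alert in alerts:
                if (alert["src"], alert["user"]) == key:
                    alert["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
    print("with a two-hour window:")
    for alert in detect_bruteforce(SAMPLE_LOG, window_seconds=7200):
        print(alert)
```

With the default one-minute window only bob's burst is flagged (and marked as followed by a success); carol's attempts, spaced fifteen minutes apart, slip through, and are only caught when the window is widened to two hours. That is the point the paper makes about detection systems: the rule catches exactly what it was written to catch, and the window, the threshold and the choice to key on (source, user) rather than on the account alone all decide what gets missed.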
3.0 Why Should Businesses Consider Penetration Testing?

In 2004, a study by the Federal Trade Commission noted that $48 billion (USD) worth of damages was caused by identity theft. A research group noted that 50% of the security breaches that allowed for these identity thefts came from internal sources. A large part of the problem was due to insufficient security measures to keep customer information from being stolen. [xxxiv] From 2005 to 2008, 217 million customer records and financial data were compromised across the United States. Among the reasons for this was the lack of proper safeguards on systems storing such information. In fact, in 2008, several companies were charged by the FTC for failing to provide reasonable and appropriate security for sensitive consumer information, leading to identity theft. [xxxv]

At the beginning of 2008, the Systems Admin, Audit, Networking, and Security (SANS) Institute released a report saying that the government of China had successfully hacked into key U.S. government and industry databases. The issue was to find the perpetrators and to kick them out again. [xxxvi] In late 2008, a researcher reported a flaw in the email system that allowed email data to be intercepted and read without the knowledge of the sender or receiver. [xxxvii] For businesses, this meant that a hacker could intercept sensitive company emails and read them. In April of 2009, a researcher unveiled a possible exploit against many retail networks around the world, allowing somebody with a laptop and some special equipment to break into retail systems and ultimately gather customer data. It is an exploit in a system that was previously considered secure. [xxxviii]

Based on the above, one can see that damages caused by hackers can be significant; an unsecured system becomes a major business risk to the company. [xxxix] Not only will there be damages due to loss of data, but there is also going to be a major hit to the organization's reputation, which will hurt the company in the long run. [xl] On top of that, a crime involving network intrusion has historically been the most challenging computer crime to investigate, so the results of post-intrusion investigations are not very good either. [xli] As well, there is now evidence that a lot of money is being made from criminal hacking and identity theft. [xlii] So even if clients don't test their system security, there will be other people who will test it for them, to the company's detriment.

Companies faced with this information may wonder why not simply use firewalls and intrusion detection systems to prevent such attacks on their systems? The problem is that while these mechanisms are important, they aren't fool-proof. By its very nature, a firewall will allow through to the system what it has been programmed to allow through (e.g., allowed services), and hackers may be able to take advantage of that. An intrusion detection system can only detect what it has been programmed to identify, and will not be effective if the company doesn't monitor or respond to the alerts. [xliii] Therefore, penetration testing is still useful in that it can help find new holes not previously considered by management, and it validates and confirms the effective configuration of an organization's firewalls and its intrusion detection systems. [xliv]

3.1 Evolving Nature of Businesses - Bigger Online Presence and Move to E-Commerce

With the growing number of businesses setting up their systems with online access, and with a general move toward increased e-commerce, security testing is becoming ever more important. For example, with companies moving to replace their PSTN systems with VOIP telephone systems, research has shown that there are still information security threats, risks, and vulnerabilities that need to be addressed with VOIP before it can become a mission-critical business application. [xlv] An audit methodology using penetration testing for a security review of VOIP is also in development. [xlvi]

Another major use of online services has been the growing dependence on e-mail by businesses. Although e-mail is well-established and can generally be secured, there are still issues that may arise from it. For example, as organizations set up external, web-based access to email accounts, there are security concerns that need to be addressed (regarding proper encryption, etc.). As well, as previously mentioned, people are still discovering exploits in the email system. [xlvii] On top of that, e-mail is being used as an avenue for social engineering, with people taking advantage of the technology to pretend to be somebody they aren't. [xlviii]

Another area of increased use for businesses has been the advent of on-demand systems or software as a service (SaaS). With such systems, large amounts of company information are sent over the internet to a service provider. This could be open to attacks where a hacker becomes an invisible intermediary in the network, with both sides assuming that they're dealing with the other party, when in fact both sides are dealing with the hacker. Penetration testing can be used as a tool to help find vulnerabilities in such systems. A possible issue with penetration testing, however, is that since any penetration testing will be done on the service provider's system, there is a legal grey area as to whether or not such activity is allowed. [xlix]

The use of web-based applications is also growing in popularity. However, in the second half of 2008, web applications accounted for 80% of security breaches. [l] The problem is that security requirements are usually not taken into account when developing web applications. Being web-based, and lacking proper security, web applications have become popular targets for hackers, and have become the new battleground for computer security. [li] Penetration testing is important in this case to find an application's vulnerabilities before the hackers do.

Regarding e-commerce, there are still security concerns, with people unwilling to spend online. [lii] The credit card industry has tried to address these fears by introducing a security standard (PCI DSS) that ensures that merchants who store, process, and transmit cardholder data meet minimum levels of security. The requirements for merchants include a requirement to regularly monitor and test networks, with a specific requirement for penetration testing. [liii] Thus, for retail firms that accept credit cards, penetration testing is also a requirement. Therefore, one can see how the growing prevalence of doing things online is fostering the growing need for penetration testing.

3.2 Internal Audit and Systems Security Purposes

As part of systems security, many security experts have written about the requirements for maintaining a secure network. Although there are minor differences of opinion regarding what is required, the general guidelines tend to be the same. Gerhard Lindenmayer, in an article in Risk Management magazine, gives recommendations that are typical of many security experts. He gives a list of ten recommendations, which are: (1) develop a layered approach - rely on a comprehensive combination of technology, training, policy, and enforcement to maintain security; (2) encrypt data using proper encryption; (3) maintain a security-focused company-wide mindset (including training and enforcement); (4) implement strong password requirements; (5) maintain up-to-date, memory-resident antivirus software; (6) prevent data from being taken off the premises by employees (e.g., limit the ability to use USB keys, monitor emails, etc.); (7) limit access to the internet (e.g., filtering non-business-related sites and third-party email sites); (8) ensure software patches are applied regularly; (9) properly maintain firewalls and intrusion detection systems; and (10) provide regular penetration tests. [liv] Note that security experts consistently recommend providing regular penetration tests, not only to comply with PCI DSS, but also to maintain effective security overall.

From an internal audit perspective, penetration testing can also be useful. For example, consider the case of employee user IDs. At first glance, how user IDs are assigned may not seem like a big deal, but from a penetration testing perspective, user ID naming conventions can help determine which accounts may have administrative authority, and thus which accounts to focus attacks on. [lv] Doing penetration testing would assist internal auditors in developing policies that would lower the risk of penetration. Not only that, penetration testing can help identify more pervasive gaps and deficiencies in the organization's overall security processes, including, for example, its ability to identify, escalate and respond to potential security breaches and incidents. [lvi]

3.3 Sarbanes-Oxley Compliance

For companies that require compliance with Sarbanes-Oxley, penetration testing can also assist in meeting the requirements about internal controls and management assertions over them. [lvii] Indirectly, penetration testing can help with COBIT compliance (DS5 - Ensure system security), which in turn supports compliance with SOX. [lviii] ISACA has an audit procedure document (P8). The document provides some background to the standards, discusses preparing for a penetration test and the types of penetration testing and vulnerability assessment, and concludes with a list of suggested procedures throughout the various stages of pen testing. [lix]
Thus, one can see the importance of penetration testing to the business, from a business risk management perspective, an internal audit and systems security perspective, and a regulatory compliance perspective.

4.0 How to Approach Penetration Testing?

When considering penetration testing, organizations will have to consider many things. Penetration tests are usually run by the internal audit or IT department, or by outside firms that specialize in penetration testing. [lx] Penetration testing requires proper tools and expertise, which may not be easy to find.

4.1 The Need for Ethics & Competence

Penetration testing basically requires the tester to go and find vulnerabilities in the organization's system. Management is essentially giving the testers permission to attempt to break the system. As such, penetration testing can reveal sensitive information about an organization. Knowing this, it is therefore not a good idea to leave penetration testing to people who may not be trusted. After all, there is little difference between a malicious hacker and a penetration tester who can't be trusted. Having tests done by an incompetent team is also irresponsible.

To help organizations find people who are competent and ethical, various professional and government certifications are available that indicate a firm can be trusted. The International Council of E-Commerce Consultants (EC-Council) offers three certifications, being: (1) CEH (Certified Ethical Hacker) for ethical penetration testers; (2) CHFI (Computer Hacking Forensic Investigator) for detecting hacking in networks, dealing with conflicts such as disloyal employees, etc.; and (3) CNDA (Certified Network Defence Architect) for US government and military agencies. [lxi] The International Information Systems Security Certification Consortium (ISC2) also has the CISSP, or Certified Information Systems Security Professional. It is accredited by ANSI and ISO, and is globally recognized. CISSP holders may be experts in such topics as Access Control, Application Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security and Risk Management, Legal, Regulations, Compliance and Investigations, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security. [lxii] There are also various other designations from various agencies and professional organizations, including the CISA (Certified Information Systems Auditor) and CISM (Certified Information Systems Manager) from ISACA, [lxiv] the OPSA, which certifies expertise in the OSSTMM methodology (to be discussed below), [lxv] and the SANS Institute's various certifications for various topics. [lxiii] These certifications help organizations differentiate ethical hackers from malicious (black-hat) hackers.

4.2 Planning For Penetration Testing

When planning for penetration testing, there are many considerations that need to be made. First, one needs to consider the scope of the work to be performed. It is important because it defines the boundaries, objectives and the validation of procedures. [lxvi] Next, one also needs to ensure that the person doing the test is capable of doing the testing. This was previously discussed in section 4.1. After that, there should be an adequate set of tests to yield the best balance of costs and benefits. [lxvii] Both manual and automated tests are often considered. Next, the organization should ensure that a methodology is being followed. Everything needs to be planned, documented, and followed. [lxviii] One of the more common testing methodologies is the Open Source Security Testing Methodology Manual (OSSTMM). [lxix] It basically provides a methodology for a thorough security test (an "OSSTMM audit"). Basically, it involves tracking what you test, how you test the target, keeping track of what you did not test, and subsequently following a checklist to ensure that things have been tested. [lxx] Finally, the results should be properly documented, and recommendations and findings need to be made in a report (otherwise, the testing was done for no reason). [lxxi] It should be noted that personnel need to be properly trained in order to properly do penetration testing. [lxxii]

4.3 Hiring Externally

In addition to the above, there are certain things that need to be considered when hiring an external consulting firm. How does an organization know that they aren't hiring a group of malicious hackers? Again, there should be assurances that the workers all have designations that show ethical and competent behaviour (as per section 4.1). On top of that, one should look at the reputation of the firm. For example, many of the Big 4 accounting firms offer penetration testing services. [lxxiii] [lxxiv] After choosing the firm, the organization must also ensure that proper non-disclosure agreements are in place (to legally bind the testers from revealing any company information), ensure that the terms of the engagement are in writing, and define when the testing starts/ends. [lxxv]

5.0 Conclusion

In conclusion, one sees the importance of penetration testing for businesses. It helps to reduce business risk (especially in the changing environment) and ensure proper systems security (useful for internal audit and regulation compliance issues). As well, one sees the importance of ethics, proper planning, and designations when approaching an initial penetration test.

Notes

[i] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[ii] Van Wyk, Kenneth R. "Penetration Testing Tools." U.S. Department of Homeland Security. Carnegie Mellon University, 18 Jan. 2007. Web. May 2009. <https://buildsecurityin.uscert.gov/daisy/bsi/articles/tools/penetration/657-bsi.html>.
[iii] Mehta, Puneet. "Guide to penetration testing, Part 1: Reasons to perform a penetration test." Network Management: Covering today's Network topics. Techtarget.com, 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083683,00.html>.
[iv] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[v] Ibid.
[vi] Ibid.
[vii] Ibid.
[viii] Ibid.
[ix] Mehta, Puneet. "Guide to penetration testing, Part 3: Penetration testing strategies." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083715,00.html>.
[x] Ibid.
[xi] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[xii] Ibid.
[xiii] Ibid.
[xiv] Ibid.
[xv] Ibid.
[xvi] Ibid.
[xvii] Mehta, Puneet. "Guide to penetration testing, Part 4: Types of tests." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083719,00.html>.
[xviii] Ibid.
[xix] Kaplan, Jeremy. "Know Your Network." PC Magazine 2007: n. pag. Print.
[xx] Cheung, Humphrey. "The Feds can own your WLAN too." SmallNetBuilder - Small Network Help. N.p., 31 Mar. 2005. Web. 05 July 2009. <http://www.smallnetbuilder.com/index.php?option=com_content&task=view&id=251&itemid=100>.
[xxi] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[xxii] Ibid.
[xxiii] Mehta, Puneet. "Guide to penetration testing, Part 3: Penetration testing strategies." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083715,00.html>.
[xxiv] Ibid.
[xxv] Ibid.
[xxvi] Ibid.
[xxvii] Mehta, Puneet. "Guide to penetration testing, Part 4: Types of tests." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083719,00.html>.
[xxviii] Ibid.
[xxix] Ibid.
[xxx] Van Wyk, Kenneth R. "Penetration Testing Tools." U.S. Department of Homeland Security. Carnegie Mellon University, 18 Jan. 2007. Web. May 2009. <https://buildsecurityin.uscert.gov/daisy/bsi/articles/tools/penetration/657-bsi.html>.
[xxxi] Ibid.
[xxxii] Ibid.
[xxxiii] Ibid.
[xxxiv] Lawrence, Chris. "Protecting data from the enemies within." Electric Light and Power 2005: 58. Print.
[xxxv] Chan, Henfree, and Bruce Schaeffer. "Penetration Testing: Why Franchise Systems Need Information Security." Franchising World 2008: 44. Print.
[xxxvi] Rogers, Jack. "China has penetrated key U.S. databases: SANS director - SC Magazine US." Security News and Security Product Reviews - SC Magazine US. N.p., 18 Jan. 2008. Web. May 2009. <http://www.scmagazineus.com/china-has-penetrated-key-us-databases-sans-director/article/104338/>.
[xxxvii] "E-mail at risk from internet flaw." Computer Weekly 12 Aug. 2008: 7. Print.
[xxxviii] "Researcher Blows Lid of Retail Networks." Network Security Apr. 2009: 20. Print.
[xxxix] Leiman, Amin. "Presenting Penetration Test Results to Management." ISACA - Serving IT Governance Professionals. N.p., 2001. Web. May 2009. <http://www.isaca.org/content/contentgroups/journal1/20012/presenting_penetration_test_results_to_management.htm>.
[xl] Goodwin, Bill. "Lawyers warn on reporting e-crime." Computer Weekly Apr. 2007: 6. Print.
[xli] Casey, Eoghan. "Investigating Sophisticated Security Breaches." Communications of the ACM 2006: 48-54. Print.
[xlii] Northcutt, Stephen, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, and Steve Mancini. "Penetration Testing: Assessing Your Overall Security Before Attackers Do." Sans.org. N.p., 2006. Web. 25 May 2009. <www.sans.org/reading_room/analysts_program/penetrationtesting_june06.pdf>.
[xliii] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[xliv] Ibid.
[xlv] Tryfonas, Theodore, and Ian Sutherland. "Employing Penetration Testing As An Audit Methodology For The Security Review of VOIP." Internet Research 17.1 (2007): 61-87. ABI/Inform. Web. May 2009.
[xlvi] Ibid.
[xlvii] "E-mail at risk from internet flaw." Computer Weekly 12 Aug. 2008: 7. Print.
[xlviii] Wood, Peter. "The hacker's top five routes into the network (and how to block them)." Network Security 2006.2 (2006): 5. ABI/Inform. Web. May 2009.
[xlix] Richmond, Riva. "A New Battleground for Computer Security." Wall Street Journal 6 Mar. 2007, D.1 sec.: D.1. ABI/Inform. Web. May 2009.
[l] Moscaritolo, Angela. "Web apps account for 80 percent of internet vulnerabilities - SC Magazine US." Security News and Security Product Reviews - SC Magazine US. SC, 18 Mar. 2009. Web. May 2009. <http://www.scmagazineus.com/web-apps-account-for-80-percent-of-internet-vulnerabilities/article/129027/>.
[li] Richmond, Riva. "A New Battleground for Computer Security." Wall Street Journal 6 Mar. 2007, D.1 sec.: D.1. ABI/Inform. Web. May 2009.
[lii] Warwick, Ashford. "Online security is the biggest reason UK consumers do not shop online." Computer Weekly 19 May 2009: n. pag. Print.
[liii] "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures version 1.2." PCI DSS. N.p., 2008. Web. May 2009. <https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>.
[liv] Lindenmayer, Gerhard. "Information Security Standards: The 10 keys to Protecting Your Network." Risk Management Dec. 2007: 11. ABI/Inform. Web. May 2009.
[lv] Wood, Peter. "The hacker's top five routes into the network (and how to block them)." Network Security 2006.2 (2006): 5. ABI/Inform. Web. May 2009.
[lvi] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[lvii] "Sarbanes-Oxley Act." N.p., 2002. Web. 5 July 2009. <http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf>.
[lviii] Breward, Michael. "IT Control Frameworks." ACC 621 - System Reliability. Waterloo, ON. 2009. Lecture.
[lix] "IS Auditing Procedure: P8 Security Assessment - Penetration Testing and Vulnerability Analysis." ISACA - Serving IT Governance Professionals. N.p., 2004. Web. May 2009. <http://www.isaca.org/content/contentgroups/standards2/standards,_guidelines,_procedures_for_is_auditing/is_Auditing_Procedure_P8_Security_Assessment_-_Penetration_Testing_and_Vulnerability_Analysis1.htm>.
[lx] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
[lxi] "EC-Council Certification." EC-Council Security Certification. EC-Council, n.d. Web. May 2009. <http://www.eccouncil.org/certification.htm>.
[lxii] "CISSP Education & Certification." (ISC)2 Certified Information Security Education Professional Information Security Certifications. N.p., n.d. Web. May 2009. <http://www.isc2.org/cissp/default.aspx>.
[lxiii] "SANS Institute - Why Certify?" SANS Institute - Network, Security, Computer, Audit Information & Training. N.p., n.d. Web. May 2009. <http://www.sans.org/why_certify.php>.
[lxiv] "Certification Overview." ISACA - Serving IT Governance Professionals. N.p., n.d. Web. 05 July 2009. <http://www.isaca.org/template.cfm?section=certification&template=/contentmanagement/contentdisplay.cfm&ContentID=39617>.
[lxv] "OSSTMM PROFESSIONAL SECURITY ANALYST ACCREDITED CERTIFICATION (OPSA)." ISECOM - Making Sense of Security. N.p., n.d. Web. 05 July 2009. <http://www.isecom.org/certification/opsa.shtml>.
[lxvi] Mehta, Puneet. "Guide to penetration testing, Part 1: Reasons to perform a penetration test." Network Management: Covering today's Network topics. Techtarget.com, 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083683,00.html>.
[lxvii] Ibid.
[lxviii] Ibid.
[lxix] "OSSTMM3 Lite." ISECOM, 2008. Web. May 2009. <http://www.isecom.org/mirror/osstmm_3.0_lite.pdf>.
[lxx] Ibid.
[lxxi] Mehta, Puneet. "Guide to penetration testing, Part 1: Reasons to perform a penetration test." Network Management: Covering today's Network topics. Techtarget.com, 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083683,00.html>.
[lxxii] Van Wyk, Kenneth R. "Penetration Testing Tools." U.S. Department of Homeland Security. Carnegie Mellon University, 18 Jan. 2007. Web. May 2009. <https://buildsecurityin.uscert.gov/daisy/bsi/articles/tools/penetration/657-bsi.html>.
[lxxiii] "Infrastructure Security - Network - Application - Server - Architecture - Information Technology - Deloitte Touche Tohmatsu." Deloitte U.S. Audit, Tax, Consulting, Financial Advisory Services - Deloitte LLP. N.p., n.d. Web. 05 July 2009. <http://www.deloitte.com/dtt/article/0,1002,cid%253d25263,00.html>.
[lxxiv] "Security Assessment." PricewaterhouseCoopers. N.p., n.d. Web. 05 July 2009. <http://www.pwc.com/extweb/service.nsf/docid/e43eb2c08222cdb5ca25741d003dbe5e>.
[lxxv] Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
Works Cited

Breward, Michael. "IT Control Frameworks." ACC 621 - System Reliability. Waterloo, ON. 2009. Lecture.
Casey, Eoghan. "Investigating Sophisticated Security Breaches." Communications of the ACM 2006: 48-54. Print.
"Certification Overview." ISACA - Serving IT Governance Professionals. N.p., n.d. Web. 05 July 2009. <http://www.isaca.org/template.cfm?section=certification&template=/contentmanagement/contentdisplay.cfm&contentid=39617>.
Chan, Henfree, and Bruce Schaeffer. "Penetration Testing: Why Franchise Systems Need Information Security." Franchising World 2008: 44. Print.
Cheung, Humphrey. "The Feds can own your WLAN too." SmallNetBuilder - Small Network Help. N.p., 31 Mar. 2005. Web. 05 July 2009. <http://www.smallnetbuilder.com/index.php?option=com_content&task=view&id=251&Itemid=100>.
"CISSP Education & Certification." (ISC)2 Certified Information Security Education Professional Information Security Certifications. N.p., n.d. Web. May 2009. <http://www.isc2.org/cissp/default.aspx>.
"EC-Council Certification." EC-Council Security Certification. EC-Council, n.d. Web. May 2009. <http://www.eccouncil.org/certification.htm>.
"E-mail at risk from internet flaw." Computer Weekly 12 Aug. 2008: 7. Print.
Goodwin, Bill. "Lawyers warn on reporting e-crime." Computer Weekly Apr. 2007: 6. Print.
"Infrastructure Security - Network - Application - Server - Architecture - Information Technology - Deloitte Touche Tohmatsu." Deloitte U.S. Audit, Tax, Consulting, Financial Advisory Services - Deloitte LLP. N.p., n.d. Web. 05 July 2009. <http://www.deloitte.com/dtt/article/0,1002,cid%253d25263,00.html>.
"IS Auditing Procedure: P8 Security Assessment - Penetration Testing and Vulnerability Analysis." ISACA - Serving IT Governance Professionals. N.p., 2004. Web. May 2009. <http://www.isaca.org/content/contentgroups/standards2/standards,_guidelines,_procedures_for_is_auditing/is_auditing_procedure_p8_security_assessment_-_penetration_Testing_and_Vulnerability_Analysis1.htm>.
Kaplan, Jeremy. "Know Your Network." PC Magazine 2007: n. pag. Print.
Lawrence, Chris. "Protecting data from the enemies within." Electric Light and Power 2005: 58. Print.
Leiman, Amin. "Presenting Penetration Test Results to Management." ISACA - Serving IT Governance Professionals. N.p., 2001. Web. May 2009. <http://www.isaca.org/content/contentgroups/journal1/20012/presenting_penetration_test_results_to_management.htm>.
Lindenmayer, Gerhard. "Information Security Standards: The 10 keys to Protecting Your Network." Risk Management Dec. 2007: 11. ABI/Inform. Web. May 2009.
Mehta, Puneet. "Guide to penetration testing, Part 4: Types of tests." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083719,00.html>.
Mehta, Puneet. "Guide to penetration testing, Part 1: Reasons to perform a penetration test." Network Management: Covering today's Network topics. Techtarget.com, 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083683,00.html>.
Mehta, Puneet. "Guide to penetration testing, Part 3: Penetration testing strategies." Network Management: Covering today's Network topics. Techtarget.com, 27 Apr. 2005. Web. 25 May 2009. <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083715,00.html>.
Moscaritolo, Angela. "Web apps account for 80 percent of internet vulnerabilities - SC Magazine US." Security News and Security Product Reviews - SC Magazine US. SC, 18 Mar. 2009. Web. May 2009. <http://www.scmagazineus.com/web-apps-account-for-80-percent-of-internet-vulnerabilities/article/129027/>.
Northcutt, Stephen, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, and Steve Mancini. "Penetration Testing: Assessing Your Overall Security Before Attackers Do." Sans.org. N.p., 2006. Web. 25 May 2009. <www.sans.org/reading_room/analysts_program/penetrationtesting_june06.pdf>.
"OSSTMM PROFESSIONAL SECURITY ANALYST ACCREDITED CERTIFICATION (OPSA)." ISECOM - Making Sense of Security. N.p., n.d. Web. 05 July 2009. <http://www.isecom.org/certification/opsa.shtml>.
"OSSTMM3 Lite." ISECOM, n.d. Web. May 2009. <http://www.isecom.org/mirror/osstmm_3.0_lite.pdf>.
"Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures version 1.2." PCI DSS. N.p., 2008. Web. May 2009. <https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>.
"Researcher Blows Lid of Retail Networks." Network Security Apr. 2009: 20. Print.
Richmond, Riva. "A New Battleground for Computer Security." Wall Street Journal 6 Mar. 2007, D.1 sec.: D.1. ABI/Inform. Web. May 2009.
Rogers, Jack. "China has penetrated key U.S. databases: SANS director - SC Magazine US." Security News and Security Product Reviews - SC Magazine US. N.p., 18 Jan. 2008. Web. May 2009. <http://www.scmagazineus.com/china-has-penetrated-key-us-databases-sans-director/article/104338/>.
"SANS Institute - Why Certify?" SANS Institute - Network, Security, Computer, Audit Information & Training. N.p., n.d. Web. May 2009. <http://www.sans.org/why_certify.php>.
"Sarbanes-Oxley Act." N.p., 2002. Web. 5 July 2009. <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf>.
"Security Assessment." PricewaterhouseCoopers. N.p., n.d. Web. 05 July 2009. <http://www.pwc.com/extweb/service.nsf/docid/e43eb2c08222cdb5ca25741d003dbe5e>.
Tryfonas, Theodore, and Ian Sutherland. "Employing Penetration Testing As An Audit Methodology For The Security Review of VOIP." Internet Research 17.1 (2007): 61-87. ABI/Inform. Web. May 2009.
Using An Ethical Hacking Technique to Assess Information Security Risk. Rep. The Canadian Institute of Chartered Accountants / Information Technology Advisory Committee, June 2003. Web. May 2009. <http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html>.
Van Wyk, Kenneth R. "Penetration Testing Tools." U.S. Department of Homeland Security. Carnegie Mellon University, 18 Jan. 2007. Web. May 2009. <https://buildsecurityin.us-cert.gov/daisy/bsi/articles/tools/penetration/657-bsi.html>.
Warwick, Ashford. "Online security is the biggest reason UK consumers do not shop online." Computer Weekly 19 May 2009: n. pag. Print.
Wood, Peter. "The hacker's top five routes into the network (and how to block them)." Network Security 2006.2 (2006): 5. ABI/Inform. Web. May 2009.

Additional Sources Cited

Breward, Michael. "IT Control Frameworks." ACC 621 - System Reliability. Waterloo, ON. 2009. Lecture.
Cheung, Humphrey. "The Feds can own your WLAN too." SmallNetBuilder - Small Network Help. N.p., 31 Mar. 2005. Web. 05 July 2009. <http://www.smallnetbuilder.com/index.php?option=com_content&task=view&id=251&itemid=100>.
"Sarbanes-Oxley Act." N.p., 2002. Web. 5 July 2009. <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf>.
Annotated Bibliography Technology Tools Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Van Wyk, Kenneth Penetration Testing Tools US. Dept. of Homeland Security 2007 2009-05- https://buildsecurityin.uscert.gov/daisy/bsi/articles/tools/penetration/657-bsi.html This article provides an introduction to the more commonly-used tools for traditional penetration testing. Common tools include: Port scanners locating ports of a target from a remote location that are available for connection. Useful in testing port configurations, and attempting to hide from network intrusion detection methods. Vulnerability scanner attempts to exercise known vulnerabilities in targeted systems. Vulnerability scanner looks for common configuration weaknesses in the system. Application Scanners Probing and testing web apps (e.g., SQL injection, XSS, etc.). Web Application Assessment Proxy interpose between the browser and server, getting and analyzing everything in between. It continues to stated that most penetration companies these days don t do white-box testing, but rather black-box testing. Pen testing orgs use a variety of software to test, and maintain a large inventory of such software. Purpose of pen testing: detect unpatched flaws, testing new environments before going live. Penetration testers need to select their tools wisely, look at needs of software dev vs. pen testers. Features that may be useful to pen testers: visibility (of features), extensibility, configurability, documentation, license flexibility. States that penetration testing requires skill and lots of training. Espenschi ed, Jon Five Free Pen Testing Tools Computerworld 2008 2009-05- 25 http://www.computerworld.com/action/article.co?command=viewbasic&articleid=908743 Basically a list of pen testing tools. For scanning, Nmap and Nessus. For exploit analysis, Metasploit Framework. For network protocol capture and analysis, Wireshark. 
As well, some program call KisMAC. Herzog, Pete OSSTMM3 Lite Osstmm.org 2008 2009-05- http://www.isecom.org/mirror/osstmm_3.0_lite.pdf The Open Source Security Testing Methodology Manual provides a methodology for a thorough security test (an OSSTMM Audit). Basically, it involves tracking what you test, how you test the target, keeping track of what you did not test, and subsequently follow a checklist to ensure that things have been tested. The checklist includes: (1) Posture review [background, business policies, etc.]; (2) Logistics; (3) Active detection verification; (4) Visibility Audit; (5) Controls verification; (6) Trust verification; (7) Access verification; (8) Process verification; (9) Configuration/training verification; (10) Property Validation; (11) Segregation review; (12) Exposure verification; (13) Competitive intelligence scouting; (14) Quarantine verification; (15) Privileges Audit; (16) Survivability validation/service continuity; (17) Alert and log review/end survey. 17
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link The guide subsequently claims that to become an OSSTMM compliant security provider, more effort will still be required. Stephenson, Peter SC Magazine US 2009 2009-05- Core Security Technologies Core Impact Pro 8 http://www.scmagazineus.com/core-security- Technologies-Core-Impact-Pro-8/Review/2835/ This is a product review for a software tool for vulnerability assessment and penetration testing. The product is called Core Impact Pro 8. It has many features, including the ability to scan and exploit systems using multiple modules for information gathering, exploitation, local information gathering, privilege escalation, etc. They said that even though it costs a lot ($30k/year), it s totally worth it. Bauer, Mick Paranoid Penguin Seven Top Security Tools ACM.org Linux Journal 2004 12 2009-05- In a list of top seven security tools for a Linux system, the author includes Nmap, a port scanning tool; Nessus, a security scanner tool (scans ports and subsequently tries to connect and gather as much information as possible); Paros, a fuzzing tool for web applications (sends garbage data to see how the application reacts to invalid data); and F.I.R.E., for analyzing compromised systems. Using an Ethical Hacking Technique to Assess Information Security Risk Cica.ca 2003 2009-05- ACM http://www.cica.ca/index.cfm/ci_id/15758/la_id/1.html This is a joint report by the CICA and the Information Technology Advisory Committee. The report is meant to provide businesses with information about penetration testing. Penetration testing is a series of activities undertaken to identify and exploit security issues in a system. It typically involves a small team of people (hired by the organization) to simulate the role of a hacker trying to attack the system. The team typically comprises of people from internal audit, IT department, and/or consulting firms specializing in pen testing. 
The goal is to try and find vulnerabilities and fix them before some evildoer does. By doing this, organizations can gain insights regarding the effectiveness of the security controls in place for the system. It considers if firewalls or intrusion detection systems are enough. It then states that firewalls don t protect against what it allows through, and IDS can only detect based on a set of human-made rules. The primary objective of a pen test is to determine if a company s system can be exploited and compromised. Scope will depend on the engagement. 18
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Testing strategies include: (1) internal vs. external [amount of access already available]; (2) blind and double-blind vs. targeted testing [how much information about the systems known]. Types of testing include: (1) Application security testing [evaluate controls over the app and its process flow]; (2) DoS testing; (3) War dialing *attempting to find org s modem lines]; (4) Wireless pen testing [identify and attempt to exploit wireless networks]; (5) Social engineering [using social interactions to attempt to get company info, less technical than other tests, but still important]. To manage risk of testing, ensure testing team is qualified, ensure proper scope, objectives and terms of engagement in writing, define the role of the observer, ensure proper NDAs in place, and define when testing ends. Designation Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link ISC2 Certification Isc2.org 2009-05- http://www.isc2.org/credentials/default.aspx http://www.isc2.org/cissp/default.aspx Programs They say that certification matters because employers need a concrete proof that they re qualified people. They also say that ISC2 is recognized as the not-for-profit leader in certifying IS professionals. CISSP, or Certified Information Systems Security Professional, is accredited by ANSI and ISO. It is globally recognized. They may be experts in such topics as Access Control, Application Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security and Risk Management, Legal, Regulations, Compliance and Investigations, Operations Security, Physical (Environmental) Security CISSP, Security Architecture and Design, Telecommunications and Network Security. 
EC-Council Certification Eccouncil.org 2009-05- 19 http://www.eccouncil.org/certification.htm http://www.eccouncil.org/ceh.htm http://www.eccouncil.org/chfi.htm http://www.eccouncil.org/cnda.htm The EC-Council offers several security certifications in regard to it security professionals. They include the CEH (certified ethical hacker) [for ethical pen testers], CHFI (computer hacking forensic investigator) [for detecting hacking in networks, dealing with conflicts as disloyal employees, etc.], CNDA (certified network defence architects) *for US gov t and military agencies+, and others. GIAC Certifications Certification Global Information Assurance Certification 2009-05- http://www.giac.org/certifications/
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Information By the SANS institute, these certifications represent an individual s mastery in a certain topic. Regarding information security, they deal with audit, legal, management, security administration, and software security. Sans.org Why Certify? Sans.org 2009-05- http://www.sans.org/why_certify.php They say it s beneficial to certify because it boosts confidence, ensures proper ranking of risks, ensure that knowledge of professionals is kept current, companies require it, ensures competence, and provides experts with proper training. ISACA Elevate your Professional Stature Earn an ISACA Certification ISACA 2009-05- http://www.isaca.org/template.cfm?section=certification& Template=/ContentManagement/ContentDisplay.cfm&Cont entid=39617 ISACA provides three designation, CISA, CISM, and CGEIT. CISA is a certified information system auditor, and is for IS audit, control, assurance, and/or security. CISM is the certified information systems manager, and is for an individual who manages, designs, oversees, and assesses an enterprise s IS program. CGEIT is a certificate for certified in the governance of enterprise IT. It is meant to recognize a person s professional knowledge in the area of governing enterprise IT. OSSTMM PROFESSION AL SECURITY ANALYST ACCREDITED CERTIFICATIO N (OPSA) ISECOM 2009-05- 30 http://www.isecom.org/certification/opsa.shtml The OPSA is a certification, and is intended for professionals that show critical thinking, the scientific method, security metrics, and the OSSTMM methodology. The professional is intended to know the rules of engagement, and systems and information assessment, logistics, metrics, correlation, verification, application, and reporting. OSSTMM PROFESSION AL SECURITY TESTER ISECOM 2009-05- 30 http://www.isecom.org/certification/opst.shtml 20
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link ACCREDITED CERTIFICATIO N (OPST) The accreditation is meant to give people the knowledge required to proper test data networks using the OSSTMM. It requires a good knowledge as to how networks work, taking a course, and a 4-hour exam to get. Industry Information Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link How to protect four Deloitte 2003 2009-05- http://www.deloitte.com/dtt/article/0,1002,cid%253d2526 3,00.html key levels of infrastructur e Deloitte s Security Services group offers penetration testing as a service. They offer the testing of networks, servers, applications, and security architecture. Security Assessment PWC 2009-05- http://www.pwc.com/extweb/service.nsf/docid/e43eb2c08 222CDB5CA25741D003DBE5E PWC s Security Assessment service offers attack and penetration testing on the network, wireless, web applications, etc. They also offer vulnerability scanning, and a threat and vulnerability assessment. Washkuch Jr, Frank Core Security CEO Paget to Step Down SC Magazine US 2007 2009-05- 21 http://www.scmagazineus.com/core-security-ceo-pagetto-step-down/article/35257/ The CEO of Core Security stepped down from his position. They mention that Core, being a security testing firm, is currently on a high-growth trajectory. Paget will remain as the CEO until they find somebody else. Stephenson, Peter Penetration Testing: Core Security SC Magazine US 2008 2009-05- http://www.scmagazineus.com/penetration-testing-core- Security/article/121785/ The author basically talks about how awesome the software of Core Security is. The author claims that many engineers would rather have their own software tools that
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link hey built themselves. The author also claims that Core Security s software has a complete script library, and implements it extremely well. Stephenson, Peter Saint Saint Suite SC Magazine US 2009 2009-05- http://www.scmagazineus.com/saint-saint- Suite/Review/2843/ This is s a review for the SAINT Suite from Saint, which is a scanner and penetration testing software. The reviewer claimed it had a lot of features, but lacked documentation. It costs around $2700/license. Manning, A Look at Productivity Goal May 22 2007 2009-05- LexisNexis Carolyn Hackers Part 3 of 12 Adrian Lamo Adrian Lamo, known as the homeless hacker, basically found security holes in corporate software, exploited them, and told the companies about them. He has a lot of victims, including the New York Times, Microsoft, Yahoo!, Bank of America, Citigroup, and Cingular. For example, in the New York Times intranet, he placed his name in as a list of expert sources, which allowed him to access personal and confidential information on contributors. For that, he was fined 65k, put under 6 months house arrest, and two years of probation. He is now a student at the American River College. Impact on E-Commerce Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Leiman, Amin Presenting Penetration Test Results ISACA 5 2001 2008-05- http://www.isaca.org/content/contentgroups/journal1/20 012/Presenting_Penetration_Test_Results_to_Management.htm to Management Although a bit old, the advice is timeless. It gives recommendations as to how to present pen testing results to management. Basically, it recommends IT people translate IT risks into business risk, clarify what needs to be protected, show how to protect the assets, explain how the tests were conducted, and help to create a management action plan. 
Rogers, Jack China has penetrated key US databases: SANS SC Magazine US Jan 18 2008 2009-05- 22 http://www.scmagazineus.com/china-has-penetrated-key- US-databases-SANS-director/article/104338/
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Director In the news, SANS Institute director of research stated that China has attempted and successfully penetrated key government and industry databases in the US. The director then claims that the issue now is to find who the penetrators are and kick them out again. The director claims that it is an attack by the Chinese government, with involvement from the People s Liberation Army. The reason they found out about this is due to keystroke logs of the attacks. SANS had placed China on its list of its annual list of cybersecurity menaces. Moscaritolo, Angela Web apps account for 80 percent of internet vulnerabilitie s SC Magazine US Mar 18 2009 2009-05- http://www.scmagazineus.com/web-apps-account-for-80- percent-of-internet-vulnerabilities/article/129027/ Web apps account for 80 percent of internet vulnerabilities in the second half of 2008, per a report released by a web app security firm. The report was based on vulnerability disclosures of various software. There has been a steady growth in web app security problems over the years. He said that security requirements are usually not taken into account when developing web apps. Bassill, Peter The Human Side of Data Loss Prevention Computer Weekly Apr.21-27 2009 15 2009-05- ABI/Inform To avoid data prevention loss, the author recommends having very good awareness program, which leads to better data management. For example, having employees know better about risks involved with storing data on a laptop, and carrying it around town. They also recommend the use of internal penetration testing, which allows people to find processes that aren t working properly. Boyt, Susie The Six Stages of Stealing Financial Times 2009 1 2009-05- ABI/Inform Basically, to find out the weaknesses of a system, one needs to behave like a thief, in attempting to exploit systems. 
The six stages deal with a physical world penetration test on libraries (attempting to steal and damage books, etc.) Lindenmayer, Gerhard Information Security Standards: The 10 keys to Protecting Risk Management 54/12 2007 11 2009-05- ABI/Inform 23
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link Your Network Aside from having a layered approach, encryption, security policy, strong passwords, virus scanners, employee data removal, internet access restriction, regularly scheduled patches, and firewalls, they also recommend regular penetration tests. The penetration tests are useful in helping identify vulnerabilities in the systems. Wood, Peter The hacker s top five routes into the network (and how to block them) Network Security 2006/2 2006 5 2009-05- ABI/Inform Hackers usually use the following five ways to enter a network: (1) Helpful staff [i.e., through social engineering, phishing] (e.g., calling to find names and emails of IT staff, creating a website using company formatting, sending emails using spoof source (i.e., from the IT Security Chief, whose email we got from calling them) to the other staff to enter into system, steal passwords). (2) Stupid passwords on privileged accounts [find admin users through user id naming convention, use tools available to see password lockout times, and try passwords without breaching timeouts]; (3) Unprotected infrastructure [allow people to exploit known flaws]; (4) Unused and unpatched services [accessing network through services that people have long forgotten; (5) Unprotected laptops [stolen laptops with passwords can be broken using rainbow tables, VPN sometimes not required to access networks].to protect themselves, they basically recommend the same type of things as the Lindenmayer article above. Kaplan, Jeremy Know Your Network PC Magazine 26/15 2007 1 2009-05- ABI/Inform This is an interview with Gary Morse, a white-hat hacker. Among his insights, he says: (1) Wireless is as easy to penetrate as ever, because people don t bother to set them up properly. 
They worry about connecting first, and then security after (if at all); (2) hacker attacks will tend to be through open ports on firewalls already (e.g., port 80, 25, etc.), and generally not through ports that they know firewalls will block anyway. They have seen an increase in port 80 attacks in the past few years. Lawrence, Chris Protecting data from the enemies within Electric Light and Power 83/6 2005 58 2009-05- ABI/Inform Basically, it is about how to protect customer data form disgruntled employees. SANS recommends various layers of protection, including segregating who gets what access in the systems, having the customer database in a separate system, requiring log-in to access, encryption, etc. To solve this, they basically recommend the things in the Lindenmayer article. E-mail at risk from internet Computer Weekly Aug12-18 2008 7 2009-05- ABI/Inform
Author Title of Periodical/Website Vol./No./Edition Year Pages Date Location, database, website, link flaw At a Black Hat conference, a security researching unveiled a fundamental flaw which could allow man-in-the-middle attacks. Chan, Penetration Franchising World 40/8 2008 44 2009-05- ABI/Inform Henfree; Schaeffer, Bruce Testing: Why Franchise Systems Need Information Security Franchise organizations need information security, even if they don t think they do. It would be naïve to think otherwise. Over 217 millions have had their data compromised since 2005. There are risks that are often found in franchise organizations (e.g., card-swiping technology risks, web apps that expect multiple franchisees to connect to, etc.). Recommendations are similar to those in the Lindenmayer article above. They also recommend things like biometrics for improved security, and using l33t speak for stronger, but easier to remember, passwords. Wagley, John What are your weaknesses? Security Management 51/10 2007 62 2009-05- ABI/Inform To find out what your weaknesses are, a company should conduct a formal assessment of its IT infrastructure, including systems, applications, and policies. A formal assessment starts with vulnerability scans, penetration testing, and an assessment of personnel, policies, and procedures, culminating with an analysis of the findings, put in the context of the organization s risk management needs. Richmond, Riva A New Battleground for Computer Security WSJ March 6 2007 D.1 2009-05- ABI/Inform The new battleground for computer security is on web applications. There may be many problems with the apps, due to developers often simply trying to get the apps out the door as soon as possible. As well, with the open nature of the internet, one may not have to worry about firewalls or antivirus software. For example, a security firm found a serious bug with Google Desktop, which led to Google having to roll out fixes ASAP. 
The problem with web apps is also a legal one. In the olden days, security people would do penetration testing on software in-house, to find bugs and whatnot. With things like Google applications, part of the info is being sent back to the Google servers. Penetration testing will involve accessing Google s servers, which is a legal grey area. Thus, more people are afraid of doing penetration testing on web applications. The article then quotes a person who teaches hacking to security experts at the SANS Institute, saying that companies like Google will probably do the right thing anyway due to market forces requiring it to. 25
Annotated bibliography. For each source the original table recorded: author; title; periodical or website; volume, number or edition; year; pages; date accessed; and location (database, website or link). Each entry below is followed by a summary.

Bank, David. "Retailers Rush to Secure Data Against Theft." Wall Street Journal, Apr 15, 2005, p. B.1. ABI/Inform; accessed May 2009.
By June 30, 2005, retailers that handle credit cards were required to have their web sites and databases secured against breaches, a requirement set by a consortium of card associations including Visa and MasterCard. The problem is that many retailers lack experience in computer security. Security firms welcome the added revenue.

Moore, John. "Taking Charge." Baseline, March 7, 2007. LexisNexis; accessed May 2009.
Reinsurance company Scottish Re dropped its third-party penetration testing consultants and brought the work in house, which it found cheaper. Moving in house can make sense if the IT team is sufficiently trained, since staff know the system better than outside consultants. The disadvantage is that staff who are so used to the system may miss something in the bigger picture that an outside consultant would notice.

Ashford, Warwick. "Online security is the biggest reason UK consumers do not shop online." Computer Weekly, May 19, 2009. LexisNexis; accessed May 2009.
A UK poll of 2,000 respondents found that 23% of UK consumers do not shop online because of security concerns. A penetration testing firm quoted in the article argues that these concerns are misplaced: shopping online is now very safe because retailers are required to comply with PCI DSS, the security standard for firms that handle cards, set up by a consortium of credit card companies. Issues remain, though: a US company that was in compliance with PCI DSS still exposed the details of millions of cardholders. Online retailers have extra reason to comply with PCI DSS, since their reputation often depends on the security of their systems.

Moore, John. "New Security Survival Guide: How to Layer a Solid Defense." CIO Insight, May 14, 2007. LexisNexis; accessed May 2009.
The report describes a layered model of system defence: (1) Perimeter Security Layer (firewalls and the like); (2) Host Security Layer (virus scanners, host firewalls, white-listing instead of blacklisting, anomaly detection, and other software); (3) Identity and Access Management Layer (user identity and password management, levels of access); (4) Network Access Control Layer (NAC products that allow only approved people and machines to connect to the network); and (5) Vulnerability Management Layer (code scanning and testing, penetration testing). This approach may be needed because attacks on enterprise systems continue to grow more complex. The five layers also need to be integrated with one another to be effective.

Mehta, Puneet, CISSP. "Guide to Penetration Testing, Parts 1-5." TechTarget.com, 2005. Accessed 2009-05-25.
searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083683,00.html
searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083708,00.html
searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083715,00.html
searchnetworking.techtarget.com/generic/0,295582,sid7_gci1083719,00.html
searchnetworking.techtarget.com/generic/0,295582,sid7_gci10837,00.html
[Part I] Penetration testing has been used by the US Department of Defense since the 1970s to demonstrate weaknesses in computer systems. Reasons to do penetration testing today: (1) it helps an organization understand its current level of security by showing the holes in it; (2) it helps management justify a stronger security budget; (3) it helps the organization focus improvements where they are needed most; (4) regulatory requirements; (5) in an e-commerce environment it benefits the whole network of businesses, since all are so tightly linked; (6) it provides validation feedback on newly deployed security measures.
[Part II] Key factors in setting up a good pen test: (1) establish the parameters of the test; (2) hire skilled and experienced consultants; (3) choose an adequate level of testing; (4) follow a testing methodology; (5) document the results; (6) make useful recommendations. Pen testing is useful when setting up a new office, deploying new network infrastructure, changing existing infrastructure, deploying new applications or changing existing ones, and as repeated periodic testing.
[Part III] Discusses the pen testing strategies already covered in other articles (external, internal, blind, double-blind and targeted testing). Techniques used in a pen test include: (1) passive research (learning the basics of the target system); (2) open source monitoring (searching online to see whether confidential information has leaked); (3) network mapping and OS fingerprinting (visualising the network, port scanning, identifying the hosts on the network); (4) spoofing (pretending to be another machine on another network, or on another part of the same network); (5) network sniffing (capturing data as it travels across the network); (6) Trojan attack (a program that runs in stealth mode on the computer after a user launches it); (7) brute force attack (working through a list of all possible passwords to get into a system); (8) vulnerability scanning and analysis (an exhaustive examination of targeted areas of the organization's network to establish their current state; the scan itself does not fix the problems it finds, although the applications that perform scans often can); (9) scenario testing (actually exercising the weaknesses found, to rule out false positives).
[Part IV] Types of testing include: (1) DoS testing (resource or memory exhaustion, flood attacks, half-open SYN attacks); (2) out-of-band attacks (attempts to break the IP header standards); (3) application security testing. Components of application testing include: (1) code review; (2) authorization testing (input validation, cookie security, lockout testing), which checks whether login systems can be forced into allowing unauthorized access; (3) functionality testing (fuzz testing, transaction testing, etc.); (4) war dialling (trying to find and exploit modems over the phone network); (5) wireless network testing (finding unsecured wireless networks and attempting to compromise the whole network from there); (6) social engineering (exploiting human nature to gather information).
[Part V] The Open Source Security Testing Methodology Manual (OSSTMM) is the most common methodology for performing penetration tests and security testing. It covers the whole risk assessment process involved in pen testing, from initial requirements to report generation. Its six areas are: (1) information security; (2) process security; (3) Internet technology security; (4) communications security; (5) wireless security; (6) physical security. The OSSTMM focuses on the technical details of testing. Since consultants get access to nearly every aspect of the system, it is important to ensure that they are trustworthy and that non-disclosure agreements are signed. Other standards include: (1) ISACA's Standards for Information Systems Auditing; (2) CHECK (CESG); (3) OWASP.

Northcutt, Stephen; Shenk, Jerry; Shackleford, Dave; Rosenberg, Tim; Siles, Raul; Mancini, Steve. "Penetration Testing: Assessing Your Overall Security Before Attackers Do." SANS.org, 2006. Accessed 2009-05-25. www.sans.org/reading_room/analysts_program/penetrationtesting_june06.pdf
A report by the SANS Institute. There is now evidence that real money is being made from criminal hacking and identity theft. To truly know how secure you are, you need to test yourself, i.e. pen testing; the point is to find the holes before somebody else does. It looks at reconnaissance tools (Nmap, Nessus), password manipulation and cracking tools, and exploitation tools (Metasploit, SecurityForest, CORE IMPACT). Robust testing methodologies exist and high-quality commercial tools are available; the authors recommend CORE IMPACT, which they found stable and accurate. Reporting is also important, and a tester needs to know the audience, which is usually less technically advanced than the tester.

Schultz, Eugene. "Convergent Security Risks in Physical Security Systems and IT Infrastructures." ISACA, 2006. Accessed May 2009. http://www.isaca.org/content/contentgroups/other/convergentsecrisksphysicalsecsystems.pdf
This report was jointly commissioned by ASIS International, the Information Systems Security Association and ISACA. It examines the security risks that arise from the convergence of physical security systems and IT infrastructure. The security concerns noted are: (1) security risks to systems and devices designed to provide physical security and process control are growing because these systems are increasingly connected to organizations' networks; (2) such special systems and devices are increasingly deployed in a manner that exposes them to external access from the Internet, and perpetrators who gain unauthorized access to them may use them to launch attacks on other resources within the network, some of which may be business-critical; (3) special systems and devices are becoming more sophisticated and diverse, making security harder to control; (4) many vendors of these systems have not adequately considered security in the design, implementation and support of their products; (5) the systems are frequently deployed and managed outside the influence of information systems and security professionals; (6) there is confusion about which security standards apply; (7) auditing security controls in special systems is often difficult. The recommendations are: (1) develop a governance framework for managing such risks; (2) define the security requirements for physical security; (3) understand the technology better; (4) analyse and understand security cost-benefit trade-offs; (5) develop standards for physical security systems; (6) deploy special network security controls; (7) implement effective controls; (8) treat critical systems as critical; (9) recognise physical security systems as important sources of information in corporate investigations; (10) require more audit and logging in special systems; (11) training and awareness; (12) increase pressure on vendors to play a more active security role; (13) expand the audit function to cover special systems and devices.
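The "brute force attack" and "lockout testing" items in the Mehta guide summarised above are easiest to understand side by side. The following Python is an added example, not code from any of the cited sources: a toy login back end that can be configured with or without an account-lockout threshold, and the same wordlist attack run against each configuration. The account, the wordlist and the threshold of five failures are all constructed for the illustration.

```python
"""Brute-force attack versus account lockout.

Added illustration of the "brute force attack" and "lockout testing" items
in the pen-test guide. Every user, password, wordlist entry and threshold
below is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential table is not trivially
    # reversible. Iteration count kept low so the demonstration runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class LoginService:
    """Minimal login back end.

    lockout_threshold=None reproduces the weak configuration (unlimited
    guesses); an integer locks the account after that many consecutive
    failed attempts.
    """

    def __init__(self, lockout_threshold=None):
        self.lockout_threshold = lockout_threshold
        self.accounts = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _derive(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            # Same answer for unknown and locked users, so the response
            # does not reveal which usernames exist.
            return False
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if (self.lockout_threshold is not None
                and acct.failures >= self.lockout_threshold):
            acct.locked = True
        return False


# Constructed wordlist; "letmein" is deliberately past the 5th position so a
# threshold of 5 locks the account before the attack reaches it.
WORDLIST = ["123456", "password", "qwerty", "admin", "welcome",
            "letmein", "monkey", "dragon", "football", "iloveyou"]


def brute_force(service: LoginService, username: str, wordlist):
    """Online guessing attack. Returns (password_found_or_None, attempts)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if service.login(username, guess):
            return guess, attempts
    return None, len(wordlist)


def lockout_test(threshold):
    """Build a service with the given lockout threshold, seed one account
    with a weak password, run the attack, and report what happened."""
    svc = LoginService(lockout_threshold=threshold)
    svc.add_user("testuser", "letmein")  # constructed account
    found, attempts = brute_force(svc, "testuser", WORDLIST)
    return {"found": found, "attempts": attempts,
            "locked": svc.accounts["testuser"].locked}


if __name__ == "__main__":
    print("no lockout:", lockout_test(None))
    print("lockout at 5:", lockout_test(5))
```

Without a threshold the attack recovers the password on the sixth guess; with a threshold of five it never does, and the account ends up locked. The second result is also why the guide lists DoS testing separately: once an attacker knows a username, the same lockout logic lets them deny the legitimate user access by submitting a handful of bad passwords, so a real lockout test checks both that the limit cannot be bypassed and that the lockout policy itself is not an easy denial-of-service lever.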
Sethuraman, Sekar. "Framework For Measuring and Reporting Performance of Information Security Programs in Offshore Outsourcing." Information Systems Control Journal, vol. 6, 2006. Accessed May 2009. http://www.isaca.org/content/contentgroups/journal1/20067/jopdf0606-framework-for-measuring.pdf
In assessing the security of offshore outsourcing, the metrics (each with a target and a met/not met status) used to evaluate the security performance of the system include the percentage of critical assets covered by pen testing and the number of pen tests not completed. The author also says that the tactical parameters in the report should be verified through pen testing.

ISACA. "IS Audit Procedure: Security Assessment - Penetration Testing and Vulnerability Analysis." ISACA Document P8, 2004. Accessed May 2009. http://www.isaca.org/content/contentgroups/standards2/Standards,_Guidelines,_Procedures_for_IS_Auditing/IS_Auditing_procedure_p8_security_assessment_-_Penetration_Testing_and_Vulnerability_Analysis1.htm
This is ISACA's IS audit procedure document for penetration testing. It provides background to the standards, and discusses preparing for a penetration test, types of pen testing and vulnerability assessment, external and internal pen testing, physical access controls, social engineering testing, wireless technology background, and web applications, concluding with a list of suggested procedures for the various stages of a pen test.

Wack, John; Tracy, Miles; Souppaya, Murugiah. "Guideline on Network Security Testing." National Institute of Standards and Technology (NIST), 2003. Accessed May 2009. http://csrc.nist.gov/publications/nistpubs/800-42/nist-SP800-42.pdf
A NIST report providing guidance on network security testing. It covers security testing in the system development life cycle, security testing techniques, and deployment strategies for security testing, and includes a list of common testing tools.

PCI Security Standards Council. "Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, version 1.2." 2008. Accessed May 2009. https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
The payment card industry's security requirements for companies that handle payment cards, meant to enhance cardholder data security and to be adopted as a global standard. It sets out requirements for the different parts of the network, and the body of the document goes into the specifics of each requirement, including the testing procedures for each sub-requirement. It also includes additional requirements for shared hosting providers and discusses compensating controls.

Arvanitis, Nicholas. "Are You Addicted to Pen Testing?" SC Magazine US, 2009. Accessed May 2009. http://www.scmagazineus.com/are-you-addicted-to-pen-testing/article/128343/
Web application security is more relevant than ever because of highly publicised security failures in web apps. Companies must be careful in choosing pen testing consultants: a web app pen tester should have a well-defined methodology and a complete understanding of how applications are architected and developed. Companies should not over-rely on pen testing, however; if all one does is pen testing, no value is added. There needs to be a genuine remediation process to get findings fixed, and a proper cost-benefit analysis to know when to stop. Companies should also realise that some vendors sell unnecessary pen tests simply to drive up profits. The quality of the reported results and recommendations also matters; otherwise the pen test is useless, because nobody in the company knows what it means or what to do with it.

"Ethical Hacking Courses For Sale on eBay." SC Magazine US, 2007. Accessed May 2009. http://www.scmagazineus.com/ethical-hacking-courses-for-sale-on-ebay/article/35768/
Ethical hacking courses that usually cost several hundred dollars are being found on eBay for a fraction of the price, and piracy is suspected. Hacking tools are also available online, and eBay allows them because the tools themselves are not illegal.

Moscaritolo, Angela. "IT Professionals Confused about Web 2.0." SC Magazine US, May 20, 2009. Accessed May 2009. http://www.scmagazineus.com/it-professionals-confused-about-web-20/article/137103/
Even IT professionals are confused about what constitutes Web 2.0, according to a survey of 1,300 IT managers. IT departments are also under pressure from workers to enable more Web 2.0 sites.

Rogers, Jack. "NIST: Fed agencies should mount penetration attacks." SC Magazine US, Dec 27, 2007. Accessed May 2009. http://www.scmagazineus.com/nist-fed-agencies-should-mount-penetration-attacks/article/100210/
NIST recommends that federal agencies conduct regular penetration tests to determine whether their networks can be breached.

Masters, Greg. "The Pen Test Is Mightier." SC Magazine US, 2008. Accessed May 2009. http://www.scmagazineus.com/the-pen-test-is-mightier/article/115537/
Virginia Tech needed to assess security threats to its network and bring the university into compliance, the author reports, especially since a university IT team faces the same threats as a retail store. They recommend following PCI DSS, which calls for an annual pen test.

Thurston, Richard. "Trend Micro to Boycott Security Tests." SC Magazine US, 2008. Accessed May 2009. http://www.scmagazineus.com/trend-micro-to-boycott-security-tests/article/110992/
The company is boycotting VB100, a security test aimed at vendors of security products, claiming it is no longer relevant. Among other complaints, they say the standard only requires testing offline and does not look for real-life threats. VB (Virus Bulletin) responds that it is looking at a new standard.

"Researcher Blows Lid off Retail Networks." Network Security, 2009/4, 2009, p. 20. ABI/Inform; accessed May 2009.
A researcher unveils a hack that could provide backdoor access to thousands of US networks.

Oppliger, Rolf. "IT Security: In Search of the Holy Grail." Communications of the ACM, 50/2, 2007, pp. 96-98. ACM; accessed May 2009.
Suggests approaching IT security as an engineering and management problem, and discusses the problem of companies not wanting to spend time and money on IT security. The goal is a useful security architecture: without one, pen tests or tiger team analyses tend to be arbitrarily chosen and poorly administered.

Halderman, J. Alex; Schoen, Seth D.; Heninger, Nadia; Clarkson, William; Paul, William; Calandrino, Joseph A.; Feldman, Ariel; Appelbaum, Jacob; Felten, Edward. "Lest We Remember: Cold-Boot Attacks on Encryption Keys." Communications of the ACM, 52/5, 2009, pp. 91-98. ACM; accessed May 2009.
A detailed technical study of the risks posed by encryption keys held in DRAM, and of how to mitigate them.

Wadlow, Thomas; Gorelik, Vlad. "Security in the Browser." Communications of the ACM, 52/5, 2009, pp. 40-45. ACM; accessed May 2009.
A technical discussion of the problem of browser security; essentially, a balance between usability and security is required. The safest approach is total lockdown, but that makes the browser unusable. The safest computer is one sealed in a depleted uranium sphere at the bottom of the ocean.