
Category Archives: Information Security

Those of you who have been working in the IT security field will at some point have come across terms which, at first glance (despite their apparent similarity), seem to imply the same thing.

Sometimes it is also the case that such terms are erroneously used interchangeably, which creates confusion about what exactly is required. Such confusion not only creates a communication barrier between different levels of management but also leaves people in a state of limbo as to where to begin tackling the problem.

I am talking about Risk Analysis and Risk Assessment, Vulnerability testing and Penetration testing.

[Image: www.risk.net]

One fine morning, everything seemed normal; however, once I reached the office, it was not quite so. The day had come when management realised that their trusty firewall might not be enough to protect the business assets, despite ongoing recommendations. Geared up for this day, I immediately set the plan in motion and proposed the way forward. Unfortunately risk confusion kicked in, and this is where terms such as Risk Analysis, Risk Assessment, Vulnerability and Penetration tests were thrown at me all in one sentence.

Management’s expectations were that all would be done by the end of the day (or two), which was far from the case. I immediately hit the brakes and ran an intervention with management to explain that all those terms actually mean different things and also pointed out that all would yield different results. It was therefore necessary to explain what is what and what comes before what to achieve the required objectives.

Risk Analysis comes before anything else. Risk analysis is a process performed to identify the threats, and the associated vulnerabilities, that your business assets are exposed to. This is a holistic process which yields a cost/benefit analysis. Risk analysis takes into consideration the type of business and the most and least probable threats such a business (whether financial, retail, manufacturing etc.) is exposed to.

Risk Assessment follows. A Risk Assessment is a method of focusing on where the business is with respect to the level of risk exposure and where the business wants to be in the future. During this process the business’ existing security controls are examined to ensure that they do provide the expected level of security.

To further provide a meaningful risk assessment strategy, vulnerability and penetration testing could take place, but which one? Once again, vulnerability test and penetration test are terms which are used interchangeably, but they do not necessarily imply the same thing. By performing a vulnerability test, one is assessing the probability that a threat agent can expose a weakness in the business’ security infrastructure. A penetration test goes a step further: it not only exposes such a weakness but takes advantage of it, attempting to uncover further vulnerabilities that were not identified by the initial vulnerability test. As an example, let us assume a website which is vulnerable to an SQL injection attack; once compromised by the attacker, the database contents are also successfully extracted and copied to a remote destination belonging to the said attacker.

However, while actually performing this attack during a penetration test, it emerged that in the process of performing the SQL injection and copying the database, the original database was left in an inconsistent state and had been corrupted. This not only proved that there had been an information breach, due to the unauthorised disclosure and duplication of the database, but also revealed that the original database had been left in an inconsistent state, which creates availability issues for the business. To summarise, the vulnerability test identified an SQL injection vulnerability, but the penetration test additionally revealed that a denial of service was also possible.
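The SQL injection weakness used as the example above, shown as an added illustration that is not part of the original post: a lookup whose statement is built by string concatenation beside the same lookup with a bound parameter. It runs against an in-memory SQLite database; the `users` table, its columns and the sample rows are constructed for the demonstration. The concatenated version both leaks every row on a classic always-true test input and errors out on a perfectly legitimate name containing an apostrophe, which is the same pairing of confidentiality and availability impact the post describes.

```python
"""Vulnerable query construction beside its hardened form.

Added example, not code from the original post. The 'users' table, its
columns and the sample rows are constructed for this demonstration.
"""
import sqlite3


def make_db():
    """Create an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],  # constructed data
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation.

    This is the weakness a vulnerability test flags: whatever the caller
    supplies becomes part of the SQL text, so a quote in the input changes
    the query instead of being matched as data.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, name):
    """Same lookup with a bound parameter; the input is only ever data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def breaks_on_legitimate_input(conn, name):
    """Return True if the concatenated query raises on a legitimate name.

    A name such as o'brien is valid data but produces malformed SQL, so the
    application errors out: the kind of availability impact the post saw
    alongside the confidentiality breach.
    """
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic test input: turns the WHERE clause into an always-true condition
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row is returned
    print("hardened:  ", lookup_hardened(db, tautology))    # nothing matches the literal string
    print("o'brien breaks vulnerable query:", breaks_on_legitimate_input(db, "o'brien"))
    print("o'brien on hardened query:", lookup_hardened(db, "o'brien"))  # [] and no error
```

The hardened form is the remediation a risk management programme would track to closure: the fix is structural (parameters instead of text assembly), so it removes both the disclosure path and the malformed-query failure at once rather than filtering individual inputs.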

Any weakness in the business’ existing security controls (or the lack of them) will emerge during a risk assessment, and such risks will then be remediated through the risk management program to achieve the level of risk acceptance desired by the business.

Although it may not be included as one of the buzzwords, Risk Management is the final but ongoing process required to bring the business risks down to an acceptable level. This means that if, for example, a technical security control is not present, a business policy might be issued as a corrective control to counteract the lack of a technical control through an administrative one. The process of ensuring constant policy compliance is also part of Risk Management, and it can be said that the Risk Management process is never ending, as long as there are assets to protect.


Have you ever wondered how mobile phones are capable of rendering websites so well on such small devices and, most importantly, whether it is as safe as browsing from your PC?

I decided to investigate this mobile browsing technique and user security (privacy).

My Test Environment

I currently have two phones in hand: my iPAQ running Windows Mobile 6.1 and a BlackBerry Bold. Both devices are connected to my internal WiFi with a public address (obtained by browsing to http://www.myipaddress.com).

[Image: public IP address reported by myipaddress.com over WiFi]

Once I set up both phones to connect to my internal WiFi, I opened the browser on each phone and browsed to the same site mentioned above.

Note: Since IE cannot render websites correctly on the iPAQ, I installed Skyfire as a browser (www.skyfire.com). On the other hand, the BlackBerry is a black box and its software is proprietary, meaning that such software has been produced specifically for BlackBerry and no further information is available.

The result:

HP iPAQ Windows Mobile 6.1 –  Skyfire

IP Address: 212.118.x.x

BlackBerry Bold

IP Address: 93.186.x.x

What in the hell are these IP Addresses?

Good question; a traceroute reveals more information.

Trace HP iPAQ (Skyfire) IP Address:

[Image: traceroute to the Skyfire IP address]

Trace BlackBerry IP Address:

[Image: traceroute to the BlackBerry IP address]

What does this mean?

This means that mobile phone browsers route all traffic through a proxy service, which converts the actual web page (designed for a regular PC screen) into a form suited to a mobile phone screen. Without this proxy service, it would not be possible for a common phone browser to handle such web pages, especially since websites have evolved from the days of basic HTML.

Does this mean that every web page I view is going through a third party?

Yes indeed. Hold your horses before you start to freak out. With Skyfire, you are told that there is this third party which handles the connection, but customers’ privacy is guaranteed. With BlackBerry I do not know. *Honestly* I happened to stumble across this test to clear my suspicion, and I was hoping that since Skyfire is freeware, such a workaround is acceptable; but for BlackBerry, I am not sure if I am pleased with this solution. Well, given that there seems to be no other method for such good website rendering (since BlackBerry also adopted this method), I guess we would have to lump it.

I did not bother browsing to the BlackBerry website to check if we are informed of this technique. I was expecting that the first time the browser is opened on the BlackBerry, the user is notified of the third party they are about to connect to. Once you accept this, you may proceed with your happy mobile internet browsing.

So next time you think of viewing any naughty things on your mobile phone, including Facebook or email, remember that there is a third party recording every move, but thanks to the Data Protection Act, you are safe! *For now*.

TrueCrypt is a wonderful piece of software which I recommend everyone make use of to protect every mobile workstation. This freeware provides full or dynamic hard disk encryption. By dynamic I mean that it can be used to encrypt flash drives, hard drives or partitions etc., depending on what you fancy. It makes use of the well-known AES cipher (128-bit block size, 256-bit key). It is relatively easy to use, it also offers a rescue disk, and the software administration feels solid. I tested it on XP and the Windows 7 beta and there were no issues. I think I will give it a go on Ubuntu too. I do suggest though that if you have a dual-boot workstation you test it out prior to installation, since I have to say I managed to mess up my XP boot-up after encrypting Windows 7.

[Image: TrueCrypt]

http://www.truecrypt.com

Last year I purchased AVG Network Edition but only recently have I set it up correctly. I find that AVG have improved very much over the years, although I have to admit that they are still not quite there when it comes to central management. I find the central management a little flaky: when the AV is pushed onto a Windows Server the installation cannot be any easier, but when I attempted to install it onto an XP machine, the nuisance of having to run the AVG agent beforehand is not very professional in my opinion, especially if you deploy this in a large environment.

Overall it is rather cheap, so I am pretty happy with this product.

[Image: AVG Network Edition]