Security assessment - try to gain a hacker's perspective

Date: 09 November 2006
(ICT World)
Thinking like a cyber criminal to enhance protection of IT systems and infrastructure is a growing trend within the IT security market, says Clint Carrick, CEO of Carrick Holdings, a local provider of IT security solutions and services.

Decision-makers within companies are placing themselves in the shoes of the cyber criminal, and have found success in this approach in terms of reassessing their IT security policies and procedures, explains Carrick.
 
Carrick Holdings, the parent company of Cyber Detectives, Carrick Training and Carrick Consulting, was recently contracted by a local banking institution to perform a comprehensive security assessment. 
 
The service involved a discovery or external approach (black box) and an internal (white box) approach.
 
Carrick agents were instructed not to exploit any vulnerabilities, but determine external visibility and report on it.
 
The principle is not one of 'you cannot gain access, then the environment is secure', but rather security through obfuscation, explains Carrick. This principle addresses the risks associated with the commencement of the hacking life cycle.
 
Hugo van Niekerk, a technician at Carrick Holdings, explains the company's phased approach to the evaluation.
 
The first phase of the project involved reconnaissance. As the term implies, the process involves soliciting any information that is publicly available about the Target of Evaluation (TOE), which is the collective term used to describe the system that requires assessment.
 
DNS servers represent such a source of information. The DNS information directed the security agents to the firewall IP address and the pool of public IP addresses assigned to the specific bank. DNS further identified where the bank's Web sites were hosted and other static IP information, for example, e-mail and VPN services, says Van Niekerk.
 
The second phase involved analysis by scanning for vulnerabilities, he continues.

Whilst several shortcomings in the system were revealed, the analysis also showed that the institution had taken significant steps to protect its infrastructure, from regular modification of processes and procedures through to patch and vulnerability management and effective e-mail filtering.
 
On the bank's internal network, the junction devices were expertly configured and provided a balanced measure of security. The servers were patched and controls like anti-virus, Intrusion Prevention Systems (IPS), encryption and filtering at various levels, were installed, says Van Niekerk.
 
Most attacks against the environment are complex and are executed by highly motivated perpetrators. Banking institutions and financial houses face this challenge on a daily basis and there is certainly merit in approaching security from both sides of the parameter, so to speak, Carrick concludes.