penetration - All Articles - CISO Platform
2024-03-29T12:51:41Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/penetration

Top 5 Big Data Vulnerability Classes
https://www.cisoplatform.com/profiles/blogs/top-5-big-data-vulnerability-classes-1
2014-09-15T15:00:00.000Z
Jitendra Chauhan (https://www.cisoplatform.com/members/JitendraChauhan697)
<div><p>Recently, we were pentesting a data mining and analytics company. The amount of data they talked about is phenomenal, and they are planning to move to Big Data. They invited me to write a blog on the state of the art in Big Data security concerns and challenges, and I happily accepted.</p><p><span class="font-size-3"><strong><span style="font-family:arial, helvetica, sans-serif;">Key Insights on Existing Big Data Architecture</span></strong></span></p><p>Big Data is fundamentally different from traditional relational databases in terms of requirements and architecture. Big Data is often characterized by the 3Vs: Volume, Velocity and Variety of data. Some of the fundamental differences in Big Data architecture are as follows:</p><ul><li><strong>Distributed Architecture:</strong> Big Data architecture is highly distributed, on the scale of thousands of data and processing nodes. Data is horizontally partitioned, replicated and distributed among the available data nodes. 
As a result, Big Data architecture is generally highly resilient and fault tolerant.</li><li><strong>Real-Time, Stream and Continuous Computations:</strong> Performing computation in real time and continuously is the next trend in Big Data, beyond the batch processing model supported by Hadoop.</li><li><strong>Ad-hoc Queries:</strong> Big Data enables knowledge workers to create and execute data analysis queries on the fly.</li><li><strong>Parallel and Powerful Programming Language:</strong> The computations performed in Big Data are far more complex, highly parallel and computationally intensive than traditional SQL / PL/SQL queries. For example, Hadoop uses the MapReduce framework to perform computations on the data processing nodes; MapReduce programs are typically written in Java.</li><li><strong>Move the code:</strong> In Big Data it is cheaper to move the code to where the data is than to move the data to the code.</li><li><strong>Non Relational Data:</strong> Departing sharply from traditional relational databases, the data stored in Big Data systems is non-relational. The main advantage of non-relational data is that it can accommodate a large volume and variety of data.</li><li><strong>Auto-tiering:</strong> In Big Data, the hottest data blocks are tiered onto higher performance media, while the coldest data is sent to lower cost, high capacity drives. As a result, it is extremely difficult to know precisely where a given piece of data is located among the available data nodes.</li><li><strong>Variety of Input Data Sources:</strong> Big Data requires collecting data from many sources such as logs, endpoint devices, social media etc.</li></ul><p>Finally, there is no silver bullet in Big Data in terms of data model. Hadoop's batch-oriented model is already outdated and unsuitable for many Big Data problems. 
Some of the emerging Big Data solutions are the following:</p><ul><li>For real-time analytics: Cloudscale, Storm</li><li>For graph computation: Giraph and Pregel (some examples of graph computation are shortest paths, degrees of separation etc.)</li><li>For low latency queries over very large data sets: Dremel and so on.</li></ul><p><span class="font-size-3"><strong>Top 5 Big Data Vulnerability Classes</strong></span></p><p><strong>1. Insecure Computation</strong></p><p>Because user-submitted jobs (for example MapReduce programs) execute directly on the nodes that hold the data, there are many ways an insecure program can create big security challenges for a Big Data solution, including:</p><ul><li>An insecure program can access sensitive data such as personal profiles, age, credit cards etc.</li><li>An insecure program can corrupt the data, leading to incorrect results.</li><li>An insecure program can perform Denial of Service against your Big Data solution, leading to financial loss.</li></ul><p><strong>2. End-point input validation/filtering</strong></p><p>Big Data collects data from a variety of sources. There are two fundamental challenges in the data collection process:</p><ul><li>Input Validation: How can we trust the data? What kind of data is untrusted? What are the untrusted data sources?</li><li>Data Filtering: Filter out rogue or malicious data.</li></ul><p>The sheer amount of data collected in Big Data makes it difficult to validate and filter data on the fly.</p><p>The behavioural aspect of data poses additional challenges in input validation and filtering. Traditional signature-based data filtering may not solve the input validation and data filtering problem completely: a record can be well-formed and still wrong.</p><p>
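The two-layer approach described above, as an added example that is not part of the original post: each record is first checked against a schema and plausibility bounds (the signature-style check), and then each source's batch is compared with that source's own history, so that a source sending well-formed readings at many times its normal volume, or with a value distribution that has shifted, is quarantined rather than fed to the model. The schema, field names, sensor baselines and the batch itself are all constructed for the example.

```python
"""Ingestion-side validation and filtering for untrusted data sources: a per-record
schema/plausibility check, then a per-source behavioural check against that
source's own history. Field names, bounds, baselines and data are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median, pstdev

# Accepted schema: field -> (type, min, max). Assumed for the example.
SCHEMA = {"source": (str, None, None),
          "ts": (str, None, None),          # ISO-8601, parsed below
          "temp_c": (float, -60.0, 70.0)}   # physical plausibility bounds


def validate_record(rec: dict) -> list[str]:
    """Return the list of problems with a record; an empty list means accept."""
    problems = []
    for name, (typ, lo, hi) in SCHEMA.items():
        if name not in rec:
            problems.append(f"missing {name}")
            continue
        val = rec[name]
        if typ is float:  # accept ints as numbers, but never bools
            ok = isinstance(val, (int, float)) and not isinstance(val, bool)
        else:
            ok = isinstance(val, typ)
        if not ok:
            problems.append(f"bad type for {name}")
        elif lo is not None and not lo <= val <= hi:
            problems.append(f"{name}={val} outside [{lo}, {hi}]")
    if isinstance(rec.get("ts"), str):
        try:
            datetime.fromisoformat(rec["ts"])
        except ValueError:
            problems.append("ts is not ISO-8601")
    extra = sorted(set(rec) - set(SCHEMA))
    if extra:
        problems.append(f"unexpected fields {extra}")
    return problems


@dataclass
class SourceBaseline:
    daily_counts: list[int]  # records per day seen historically
    values: list[float]      # historical temp_c readings


def check_source(name: str, base: SourceBaseline, recs: list[dict],
                 z_limit: float = 3.0, max_shift: float = 5.0) -> list[str]:
    """Behavioural alerts for one source's batch of already-valid records."""
    alerts = []
    sd = pstdev(base.daily_counts) or 1.0
    z = (len(recs) - mean(base.daily_counts)) / sd
    if z > z_limit:  # far more records than this source ever sends
        alerts.append(f"{name}: volume z={z:.1f} exceeds {z_limit}")
    shift = abs(median(r["temp_c"] for r in recs) - median(base.values))
    if shift > max_shift:  # individually plausible values, implausible for this source
        alerts.append(f"{name}: median shifted by {shift:.1f}")
    return alerts


def filter_batch(batch: list[dict], baselines: dict[str, SourceBaseline]):
    """Return (accepted records, rejected (record, reasons) pairs, source alerts).
    A source that trips an alert has its whole batch quarantined."""
    accepted, rejected, alerts, by_source = [], [], [], {}
    for rec in batch:
        problems = validate_record(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            by_source.setdefault(rec["source"], []).append(rec)
    for src, recs in by_source.items():
        base = baselines.get(src)
        src_alerts = check_source(src, base, recs) if base else [f"{src}: unknown source"]
        if src_alerts:
            alerts.extend(src_alerts)
            rejected.extend((r, src_alerts) for r in recs)
        else:
            accepted.extend(recs)
    return accepted, rejected, alerts


# Constructed history: both sensors normally send about 100 readings a day.
BASELINES = {
    "sensor-a": SourceBaseline([98, 101, 100, 99, 102], [19.5, 20.0, 20.5, 21.0, 19.0]),
    "sensor-b": SourceBaseline([100, 97, 103, 99, 101], [15.0, 14.5, 15.5, 16.0, 14.0]),
}


def sample_batch() -> list[dict]:
    """Constructed batch: a normal day from sensor-a, a flood of well-formed but
    wrong readings from sensor-b, and a few malformed or unknown records."""
    good = [{"source": "sensor-a", "ts": f"2024-01-01T10:{i:02d}:00", "temp_c": 20.0 + i % 3}
            for i in range(50)]
    flood = [{"source": "sensor-b", "ts": "2024-01-01T10:00:00", "temp_c": 35.0}] * 400
    bad = [{"source": "sensor-a", "ts": "2024-01-01T10:00:00"},                   # missing temp_c
           {"source": "sensor-a", "ts": "2024-01-01T10:00:00", "temp_c": 500.0},  # out of range
           {"source": "sensor-a", "ts": "yesterday", "temp_c": 20.0},             # bad timestamp
           {"source": "sensor-c", "ts": "2024-01-01T10:00:00", "temp_c": 20.0}]   # unknown source
    return good + flood + bad
```

On the constructed batch, `filter_batch(sample_batch(), BASELINES)` accepts the 50 sensor-a readings, rejects the 400 flood records plus the four bad ones, and raises three alerts: sensor-b's volume and median shift, and sensor-c being unknown. The per-record layer alone would have passed every one of the 400 flood records, which is the point the post makes about signature-based filtering.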
A rogue or malicious data source can, for instance, insert a large volume of legitimate-looking but incorrect data into the system to skew prediction results.</p><p><strong>3. Granular access control</strong></p><p>Existing Big Data solutions are designed for performance and scalability, with almost no security in mind. Traditional relational databases have fairly comprehensive access control features at the level of users, tables and rows, and even at cell level. However, several fundamental challenges prevent Big Data solutions from providing comprehensive access control:</p><ul><li>Security of Big Data is still an area of ongoing research.</li><li>The non-relational nature of the data breaks the traditional paradigm of table, row or cell level access control. Current NoSQL databases depend on third-party solutions or application middleware to provide access control.</li><li>Ad-hoc queries pose an additional challenge for access control: the query itself is arbitrary user input, much as if end users could submit their own SQL queries directly to a relational database.</li><li>Where access control exists at all, it is typically disabled by default.</li></ul><p><strong>4. Insecure data storage and Communication</strong></p><p>There are multiple challenges related to data storage and communication in Big Data:</p><ul><li>Data is stored on many distributed data nodes. 
Authentication, authorization and encryption of data are a challenge at each node.</li><li>Auto-tiering: automatic partitioning and movement of data can land sensitive data on a lower cost, less protected medium.</li><li>Real-time analytics and continuous computation require low query latency, so the overhead of encryption and decryption is hard to afford.</li><li>Secure communication among nodes, middleware and end users is another area of concern.</li><li>The transaction logs of a Big Data system are themselves Big Data and must be protected in the same way as the data.</li></ul><p><strong>5. Privacy Preserving Data Mining and Analytics</strong></p><p>Monetization of Big Data generally involves data mining and analytics. However, there are many security concerns pertaining to monetizing and sharing Big Data analytics, in terms of invasion of privacy, invasive marketing and unintentional disclosure of sensitive information, which must be addressed.</p><p>For example, AOL released anonymized search logs for academic purposes, but users were easily identified from their searches. 
Netflix faced a similar problem when users in its anonymized ratings data set were identified by correlating their Netflix movie ratings with public IMDb ratings.</p><p>Original post is on the <a href="http://www.ivizsecurity.com" target="_blank"><strong>iViZ</strong></a> Security <a href="http://www.ivizsecurity.com/blog/penetration-testing/top-5-big-data-vulnerability-classes/" target="_blank"><strong>Blog</strong></a>.</p></div>

Penetration Testing E-commerce Applications
https://www.cisoplatform.com/profiles/blogs/penetration-testing-e-commerce-applications
2014-09-15T15:00:00.000Z
Jitendra Chauhan (https://www.cisoplatform.com/members/JitendraChauhan697)
<div><p>Over the past decade, e-commerce applications have grown both in number and in complexity. Currently, e-commerce applications are becoming more personalized, more mobile friendly and richer in functionality. Complicated recommendation algorithms run constantly at the back end to make content search as personalized as possible.</p><p><span class="font-size-3"><strong>Why is conventional application penetration testing not enough for e-commerce applications?</strong></span></p><p>E-commerce applications are growing in complexity; as a result, conventional application penetration testing is simply not enough. 
Conventional application penetration testing focuses on the vulnerability classes described in the OWASP or WASC standards, such as SQL injection, XSS, CSRF etc. Business logic flaws, which are specific to each application, fall outside them.</p><p>A specialized penetration testing framework tailored to e-commerce applications is required, with the following features:</p><ul><li>Comprehensive coverage of business logic vulnerabilities in the various functional modules of an e-commerce application.</li><li>Comprehensive coverage of flaws in the integrations with various third-party products.</li></ul><p><span class="font-size-3"><strong>Key Vulnerability Classes Covered:</strong></span></p><p>Some of the vulnerability classes covered as part of e-commerce penetration testing are listed below.</p><p><strong>Order Management Flaws</strong></p><p>Order management flaws primarily consist of misusing the place-an-order functionality. The exact vulnerabilities depend on the kind of application; some examples are listed below:</p><ul><li>Price manipulation during order placement.</li><li>Manipulating the shipping address after order placement.</li><li>Absence of mobile verification for cash-on-delivery orders.</li><li>Obtaining cash-back or refunds even after order cancellation.</li><li>Discounts offered not being reversed after order cancellation.</li><li>Illegitimately blocking tickets or seats for a period of time using automation, denying them to other customers.</li><li>Client-side validation bypass of the maximum seat limit on a single order.</li><li>Bookings or reservations using fake account information.</li><li>Use of burner (disposable) phones for verification.</li></ul><p><strong>Coupon and Reward Management Flaws</strong></p><p>Coupon and reward management flaws are extremely complex in nature.</p><p>
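The order-management flaws listed above and the payment-gateway flaws described under the PG heading further down share one root cause: the server trusts client-supplied prices, quantities and payment results. The code below is an added example, not from the original post or from any real gateway, of the server-side checks that close them: totals are recomputed from the catalog, quantities are range-checked, and the gateway's callback is verified against an HMAC and against the stored order before the order is marked paid. The catalog, the callback field names, the HMAC scheme and the shared secret are assumptions; a real gateway documents its own signature format.

```python
"""Server-side order and payment-callback checks. Added example: the catalog,
callback field names, HMAC scheme and secret are assumptions, not any real
gateway's API."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

# Constructed catalog: the only prices that count, in minor units (cents).
CATALOG = {"PIZZA-L": 1299, "COKE-2L": 249}
MAX_QTY_PER_LINE = 10
GATEWAY_SECRET = b"shared-secret-from-gateway-dashboard"  # assumed shared HMAC key
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")


class OrderError(ValueError):
    """Raised for any request the server refuses to act on."""


@dataclass
class Order:
    order_id: str
    lines: dict[str, int]  # sku -> qty, validated
    total: int             # minor units, computed server-side
    currency: str = "USD"
    status: str = "pending"


def create_order(order_id: str, cart: list[dict]) -> Order:
    """Build an order from client-supplied {sku, qty} pairs. Any 'price' the
    client sends is ignored; quantities must be positive integers within limit."""
    lines: dict[str, int] = {}
    for item in cart:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderError(f"invalid qty {qty!r} for {sku}")
        lines[sku] = lines.get(sku, 0) + qty
    total = sum(CATALOG[sku] * qty for sku, qty in lines.items())
    return Order(order_id, lines, total)


def gateway_signature(fields: dict[str, str], secret: bytes = GATEWAY_SECRET) -> str:
    """HMAC-SHA256 over the callback fields in a fixed order (assumed scheme).
    Signing a canonical string stops an attacker signing only a subset of fields."""
    canonical = "|".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def handle_gateway_callback(orders: dict[str, Order], cb: dict[str, str]) -> str:
    """Process a payment callback and return the order's resulting status.

    Closes checksum bypass (signature verified, constant-time compare), callback
    manipulation (amount/currency compared with the stored order, not trusted
    from the callback) and replay (an already-paid order is not processed twice)."""
    if any(k not in cb for k in SIGNED_FIELDS + ("signature",)):
        raise OrderError("malformed callback")
    expected = gateway_signature({k: cb[k] for k in SIGNED_FIELDS})
    if not hmac.compare_digest(expected, cb["signature"]):
        raise OrderError("bad signature")
    order = orders.get(cb["order_id"])
    if order is None:
        raise OrderError("unknown order")
    if order.status == "paid":
        return order.status  # idempotent: a replayed callback changes nothing
    if cb["status"] != "success":
        order.status = "failed"
        return order.status
    if not cb["amount"].isdigit() or int(cb["amount"]) != order.total or cb["currency"] != order.currency:
        order.status = "amount_mismatch"  # the $1 pizza: gateway says paid, but not enough
        raise OrderError(f"paid {cb['amount']} {cb['currency']}, expected {order.total} {order.currency}")
    order.status = "paid"
    return order.status


def simulate_gateway(order: Order, paid_amount: int | None = None) -> dict[str, str]:
    """Constructed stand-in for the gateway's success callback. `paid_amount` models
    an attacker who altered the amount sent to the gateway and paid less; the
    gateway honestly signs what was actually paid."""
    fields = {"order_id": order.order_id, "currency": order.currency, "status": "success",
              "amount": str(order.total if paid_amount is None else paid_amount)}
    fields["signature"] = gateway_signature(fields)
    return fields


def outcome(fn, *args) -> str:
    """Run fn and report its result or the reason it was refused."""
    try:
        return str(fn(*args))
    except OrderError as exc:
        return f"rejected: {exc}"
```

The three attacks from the lists map onto three refusals: a cart with `"qty": -1` or a client-supplied `"price"` never reaches the total (recomputed from `CATALOG`), a callback whose amount was edited after signing fails `compare_digest`, and a genuinely signed callback for a smaller amount than the order total is parked as `amount_mismatch` instead of being marked paid. Calling the handler twice for the same paid order is a no-op, which is what makes a replayed callback harmless.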
Some examples of coupon and reward flaws are listed below:</p><ul><li>Coupon redemption still possible after order cancellation.</li><li>Bypass of a coupon's terms &amp; conditions.</li><li>Bypass of a coupon's validity restrictions.</li><li>Use of multiple coupons for the same transaction.</li><li>Predictable coupon codes.</li><li>Failure to recompute the coupon value after partial order cancellation.</li><li>Bypass of a coupon's expiry date.</li><li>Illegitimate use of coupons with products they were not issued for.</li></ul><p><strong>Payment Gateway Integration (PG) Flaws</strong></p><p>Many of the classical attacks on e-commerce applications stem from payment gateway integrations. Buying a pizza for $1 is the classic example of an attacker misusing a PG integration: the amount sent to the gateway is altered on the client side, and the merchant never compares what was paid with what was ordered.</p><ul><li>Price modification at the client side with zero or negative values.</li><li>Price modification at the client side with varying price values.</li><li>Callback URL manipulation (a forged "payment successful" response posted to the merchant's callback endpoint).</li><li>Checksum bypass (the gateway's signature over the callback is not verified, or does not cover the amount).</li><li>Price manipulation at run time, between order creation and payment.</li></ul><p><strong>Content Management System (CMS) Flaws</strong></p><p>Most e-commerce applications have a back-end content management system to upload and update content. In most cases the CMS is integrated with resellers, content providers and partners. For example, a hotel e-commerce application will be integrated with individual hotels or with multiple partners. 
As a result of the increased complexity, there are multiple sub-classes of vulnerability that need to be tested; some of them are listed below:</p><ul><li>File management logic flaws</li><li>RBAC flaws</li><li>Notification system flaws</li><li>Misuse of rich editor functionality</li><li>Third-party API flaws</li><li>Flaws in integration with PoS (Point of Sale) devices</li></ul><p><strong>Conventional Vulnerabilities</strong></p><p>Apart from business logic vulnerabilities, conventional vulnerabilities are also part of the penetration testing framework. Examples of conventional vulnerabilities are SQL injection, Cross Site Scripting (XSS), CSRF and the other vulnerabilities defined by OWASP.</p><p>Original post is on the <a href="http://www.ivizsecurity.com" target="_blank"><strong>iViZ</strong></a> Security <a href="http://www.ivizsecurity.com/blog/penetration-testing/penetration-testing-e-commerce-applications/" target="_blank"><strong>Blog</strong></a>.</p></div>

4 Areas where Artificial Intelligence Fails in Automated Penetration Testing
https://www.cisoplatform.com/profiles/blogs/4-areas-where-artificial-intelligence-fails-in-automated-pentest
2016-02-20T09:00:00.000Z
23j0c848tmyvu (https://www.cisoplatform.com/members/23j0c848tmyvu)
<div><p>Formal modeling and automation is one of the things I love. I try to model everything, and sometimes modeling helps and sometimes it lands me in trouble. 
It helped me when I tried to model penetration testing and worked with my co-founder to design our first version of an automated penetration testing tool at iViZ. Where it did not help is in dancing. I think I am a poor dancer since my mind thinks in models. By the time I model the step in my mind, I miss the beat. I believe there are a few things which we need to do from the heart and not from the mind.</p><p>I was thinking why, in the context of today's maturity of Artificial Intelligence (AI), we cannot fully automate penetration testing (or "maybe" we will never be able to). Here are the top reasons that come to my mind.</p><p><strong style="font-size:1.5em;">Penetration Testing: Multi Stage Attack Planning is a PSPACE Complete Problem</strong></p><p>In <strong>Penetration Testing</strong>, attack chaining is a critical element both in strategizing and in executing some brilliant hacks. The human mind can sometimes compute a brilliant attack plan in a jiffy. However, when we try to model this as a standard "AI planning" problem, we get into a mess. Every exploit/attack can be modeled as an action with a precondition and a postcondition, so the standard solution is to use planning algorithms to build the entire attack graph. The challenge is state explosion: the number of distinct reachable states grows exponentially with the number of hosts and exploits, and deciding whether a plan exists at all for this kind of precondition/effect planning (once exploits can also remove facts, for example by crashing a service) is PSPACE-complete in general. Though approximations can help, a planner can never find all the possible attack paths once the number of nodes grows beyond a threshold. 
On coverage, on the other hand, an automated planner will usually do better than humans, who get bored and skip paths.</p><h2><strong>Modeling Creativity is a Hard Problem</strong></h2><p>There has been some work on artificial creativity. We do have AI programs writing poems (<a href="http://nodebox.net/code/index.php/Flowerewolf" target="_blank">Flowerewolf</a>). However, we are quite far from creating automation that can match human creativity. There are potential ways to model creativity: as an example, you can take the knowledge from one field and apply it in a completely different field, and in some cases you may end up with a "creative model". However, not much work has been done to model human creativity in the field of ethical hacking.</p><p><strong style="font-size:1.5em;">Programs cannot Question the Assumptions</strong></p><p>Human minds can question fundamental assumptions, whereas a program runs on its fundamental assumptions. Einstein challenged the assumptions of Newton, Heisenberg challenged the assumptions of Einstein, and the game goes on. Any good pen tester/hacker challenges the assumptions. When we broke Microsoft BitLocker encryption we challenged the coders' assumption that BIOS memory cannot be accessed from user land. A program does not have the capability to challenge assumptions, and that is a severe limitation when it comes to automating penetration testing.</p><h2><strong>"Artificial Intuition" is still in its early days</strong></h2><p>Humans have intuition. As per Wikipedia, "<strong>Intuition</strong> is the ability to acquire knowledge without inference and/or the use of reason. 
Intuition provides us with beliefs that we cannot justify in every case." We can sometimes solve a brilliant problem without the use of any reasoning. Artificial intuition is there to model this, but we are still in quite a primitive state compared to what our brains can do.</p><p>I am a big believer in AI and a bigger believer in the human mind. We did use a decent bit of AI to automate penetration testing during our iViZ days. While doing that I learnt more about what we cannot do than what we can do. I am sure that with time AI will get better, but will we ever be able to do penetration testing without the humans?</p></div>

Making your System Impenetrable with Penetration Testing
https://www.cisoplatform.com/profiles/blogs/making-your-system-impenetrable-with-penetration-testing
2020-05-28T07:26:44.000Z
Ray Parker (https://www.cisoplatform.com/members/RayParker)
<div><p><span style="font-weight:400;">It cannot be denied that as the global march of digitization continues unchecked, it has brought organizations greater convenience, shorter delivery times, cost-effectiveness and unprecedented access to their customer base. However, this myriad of benefits is also accompanied by the curse of privacy and security breaches that companies invariably encounter. The distressing increase in the number of cyber-attacks against companies has had a tremendous negative effect on their reputation and customer retention. 
Owing to this, security and vulnerability testing is fast becoming a boardroom agenda item for organizations, and it is acknowledged that one of the most effective ways to evaluate a security system is from the perspective of the attacker rather than an insider.</span></p><p><span style="font-size:12pt;"><strong>How does It work?</strong></span></p><p><span style="font-weight:400;">A</span> penetration testing company <span style="font-weight:400;">puts itself in the shoes of the threat actors and breaks into the system from the outside to assess the vulnerabilities and weak spots in the network. The fundamental aim of penetration testing is to simulate a real-world malicious attack in order to detect any risks and threats that could impact the integrity, confidentiality and availability of data. The simulated attack on business systems, financial assets and databases not only checks for vulnerable attack vectors, it also evaluates the ability of the IT system to identify and respond to an attack in real time. 
By identifying the security weaknesses that may have been overlooked in routine testing, the <a href="https://softwaretestinglead.com/best-penetration-testing-companies/" target="_blank">penetration testing company</a></span><span style="font-weight:400;"> helps the organization to comply with current regulations.</span></p><p><span style="font-size:12pt;"><strong>Why Should Organizations Opt for Penetration Testing?</strong></span></p><p><span style="font-weight:400;">A network penetration test consists of an information collection and vulnerability detection phase, in which the testers understand the scope of the organization and identify potential vulnerabilities; an exploitation phase, in which the weak points are actively attacked to gauge the capabilities of the IT system; and finally a reporting phase, in which the derived insights are reported back to the organization in a comprehensive manner.</span></p><p><span style="font-weight:400;">Some of the primary advantages of a network penetration test include:</span></p><ul><li><span style="font-weight:400;">Verification of scanner findings through testing, weeding out false positives</span></li><li><span style="font-weight:400;">Early detection of weak points and potential threats in the security system through a hacker's-eye view</span></li><li><span style="font-weight:400;">Enhancement of the security controls through detailed testing</span></li><li><span style="font-weight:400;">Reduced system downtime and financial loss, by responding to threats proactively</span></li><li><span style="font-weight:400;">Help in meeting compliance regulations and avoiding penalties</span></li></ul><p><span style="font-size:12pt;"><strong>Conclusion</strong></span></p><p><span style="font-weight:400;">Organizations often presume that frequently updating their passwords or having the Windows firewall in place is sufficient to 
safeguard them against malicious attacks. However, there are many weak attack vectors in the system that the company may not even be aware of, and which therefore go undetected in regular security testing. A thorough security and vulnerability assessment of the network is therefore necessary to fend off malicious infiltrations and data breaches and to build a robust security system.</span></p><p><span style="font-weight:400;">Author Bio:</span></p><p><span style="font-weight:400;">Scott Andery is a Technical Writer and Marketing Consultant at <a href="https://softdevlead.com/" target="_blank">Software Development Lead</a>. He has 8+ years of experience in marketing and has worked with different IT companies.</span></p></div>