Cyber Security Institute

Friday, August 25, 2006

Review: ‘Hacker-in-a-Box’ Tool Tests Attack Scenarios

Few “ethical” hackers can provide simulated attacks with the level of sophistication that Cenzic offers in its Hailstorm “hacker-in-a-box” penetration tester.  Hailstorm’s unique non-signature-based technology interprets results during real-time attacks without comparing them against signature databases. The tool’s interpreting engine eliminates false positives by providing generic solutions to attacks.

Today, most hacking is financially driven and well-organized, with attacks launched to steal information from banks, financial services firms and online retailers.  With banks, for instance, hackers working with inside employees or identifying weak application exploits have been known to set up temporary offshore accounts to siphon tiny amounts from many accounts.  Stealing customer information is the most common attack, since it can be done with simple SQL-injection scripts to retrieve complete database tables.

With the arrival of Web 2.0 and Ajax, new vulnerabilities are popping up at the client level.  To close these holes, developers must re-validate, at the server level, every value that Ajax code submits before finalizing a transaction; checks performed in the browser can be bypassed.  Essentially, Ajax creates the same types of vulnerabilities as server-based Web applications, but they’re more magnified because more code is exposed at the client side, with less validation done at the server side.
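The server-side re-validation the paragraph calls for, as an added example written for this review (not Cenzic’s or Hailstorm’s code): a Node.js function that re-checks a funds-transfer request submitted by an Ajax front end, treating every field as untrusted. The function name, field names, account-id format and transfer limit are assumptions made for the example.

```javascript
// Added example: server-side re-validation of an Ajax transfer request.
// The browser may have already validated the form, but anyone can edit the
// request before it is sent, so the server enforces every rule itself.
// Field names, the account-id format and the limit are assumptions.

const ACCOUNT_ID = /^[0-9]{8,12}$/;    // constructed account-id format
const MAX_TRANSFER_CENTS = 1000000;    // assumed per-transaction limit ($10,000)

// Returns { ok: true, value } for an acceptable request, otherwise
// { ok: false, errors } listing every rule the request violates.
function validateTransfer(body, sessionAccounts) {
  const errors = [];
  const src = typeof body.from === 'string' ? body.from : '';
  const dst = typeof body.to === 'string' ? body.to : '';

  if (!ACCOUNT_ID.test(src)) errors.push('from: bad account id');
  if (!ACCOUNT_ID.test(dst)) errors.push('to: bad account id');
  // Authorization is re-checked here: the source account must belong to the
  // logged-in session, regardless of what the front end displayed.
  if (!sessionAccounts.includes(src)) errors.push('from: not owned by session');
  if (src === dst) errors.push('to: same as from');

  // Amount must arrive as an integer number of cents; strings such as "2500",
  // floats, negatives and values over the limit are all rejected.
  const cents = body.amountCents;
  if (!Number.isInteger(cents) || cents <= 0) {
    errors.push('amountCents: not a positive integer');
  } else if (cents > MAX_TRANSFER_CENTS) {
    errors.push('amountCents: over limit');
  }

  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { from: src, to: dst, amountCents: cents } };
}

// Constructed sample requests: what the page's form would send, and the same
// request after someone edited the Ajax call to debit another account.
const session = ['123456789012'];
const honest = { from: '123456789012', to: '210987654321', amountCents: 2500 };
const tampered = { from: '999999999999', to: '210987654321', amountCents: -2500 };

console.log(validateTransfer(honest, session));    // ok: true
console.log(validateTransfer(tampered, session));  // ok: false, two errors
```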

Cenzic promotes a “divide and conquer” methodology, in which security administrators make critical decisions on how to test applications during development and QA testing.  The only security strategy promoted by ASPs and ISPs deals with providing firewall and SSL support to applications, leaving application logic completely out of their security infrastructure.

In addition to Hailstorm, Cenzic offers two ASP models to simplify remote testing and QA for customers that don’t have the resources in-house.
