IT Security: is your data safe from both external and internal attack?

SoftHack™ is an Internet penetration testing operation that we conduct for organizations upon approval and written consent. Penetration testing, in which professional, “white hat” hackers attempt to break through an organization’s security defenses, has become a key defense weapon in today’s information systems security arsenal.

Through thorough and regular penetration testing, IT and security professionals like ourselves can take action to prevent true “black hat” hackers from compromising systems and exploiting proprietary information. A regular electronic intruder has to find only one hole into an organization’s computers, but a pen tester has to find them all. This is not only somewhat tedious and even boring at times; it also makes it very important for the Bank IT team to render all the help required. A malicious intruder probably does not care about such things as accidentally damaging systems, or wiping log files to hide his presence. The pen tester, by contrast, is trying to avoid disrupting normal business and to preserve records and logs, while still moving about unnoticed. That is why we must not only command the full range of intruder techniques, but also understand system administration and corporate life in general.

System Vulnerability Detection

SYMBIOTIC offers organizations a fully detailed, exhaustive and comprehensive report listing all the network services, their vulnerabilities and recommended fixes. In layman’s terms we “show you how hackable your network is” from internal and external attackers. 80% of all security breaches occur from inside a network, 15% from outside the network with internal help and 5% are done by outsiders.

The importance of Internet security in an organization can never be overemphasized. The worst awakening for IT personnel, management or clients is the day they find the last five or so years of their data gone.

At SYMBIOTIC we preempt such mishaps and give clients consultancy services to prevent them from occurring. We scan your network based on what you authorize after a briefing from us. Based on the authorized tests, we give the client a summary detailing the intelligence on their working methodologies, as a hacker would collect it.

Intended Audit Scope

The proposed eSoftHack™ audit will cover the following areas of network concerns:

  • Primary OSes

The primary rule of security is to run the most up-to-date and stable (not necessarily the latest) operating systems and/or firmware. The operating systems and firmware running on critical network equipment, e.g. routers and servers, will be audited. We will test the devices for insecure default configurations, service packs and patch levels.

  • IDS / IPS

If one is in place, we will test the IDS on its effectiveness to detect and/or protect when the network is under attack, either externally or internally. Any existing IDS will be put to the test against spoofed and legitimate SYN, FIN, RST, XMAS and ACK packets from UDP or TCP connections.
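To show what an IDS is expected to catch during the SYN/FIN/RST/XMAS/ACK test above, here is an added example (not code from the SoftHack audit or the Symbiotic page) that classifies TCP flag bytes from constructed packet records and alerts when one source sends a run of abnormal probes:

```python
# Added example: a minimal flag-combination detector of the kind an IDS runs.
# The packet records at the bottom are constructed sample data, not client captures.
from collections import Counter, defaultdict

# TCP flag bits as laid out in the 8-bit flags field of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags: int) -> str:
    """Name the probe type a given TCP flag byte most likely represents."""
    if flags == 0:
        return "NULL"                                  # no flags at all: NULL scan
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "XMAS"                                  # FIN+PSH+URG, "lit up like a tree"
    if flags == FIN:
        return "FIN"                                   # lone FIN never opens a connection
    if flags == SYN:
        return "SYN"                                   # handshake start, or a SYN probe
    if flags == ACK:
        return "ACK"                                   # pure ACK: normal, or a rule-set probe
    if flags & RST:
        return "RST"
    return "OTHER"

# Pure ACKs are common in legitimate traffic; judging an ACK scan needs connection
# state, so only stateless-obvious probes count as abnormal here.
ABNORMAL = ("NULL", "XMAS", "FIN")

def scan_alerts(packets, threshold=5):
    """packets: iterable of (src_ip, dst_port, flags).
    Returns {src_ip: Counter of probe types} for sources whose abnormal
    probe count reaches the threshold."""
    per_src = defaultdict(Counter)
    for src, _port, flags in packets:
        per_src[src][classify_flags(flags)] += 1
    return {src: c for src, c in per_src.items()
            if sum(c[k] for k in ABNORMAL) >= threshold}

# Constructed traffic: one host sweeping ports with XMAS/NULL/FIN probes,
# one ordinary client completing a handshake and sending data.
SAMPLE_PACKETS = (
    [("10.0.0.9", p, FIN | PSH | URG) for p in (21, 22, 25, 80)]   # XMAS probes
    + [("10.0.0.9", p, 0) for p in (110, 143)]                     # NULL probes
    + [("10.0.0.9", 443, FIN)]                                     # FIN probe
    + [("10.0.0.20", 80, SYN), ("10.0.0.20", 80, ACK), ("10.0.0.20", 80, PSH | ACK)]
)

if __name__ == "__main__":
    for src, counts in scan_alerts(SAMPLE_PACKETS).items():
        print(f"ALERT {src}: {dict(counts)}")
```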

  • Internal Firewalls

Any existing access control firewalls or stateful packet inspection firewalls will be subjected to firewalk, hping, netcat, cryptcat and other firewall evasion techniques. The firewall tests will also include the ability of the firewall to detect and stop SYN floods, teardrop attacks, ping of death, smurf amplification, DoS, DDoS, DrDoS and fDoS.

  • Network Computers

We will check that the network complies with the rule that users access information on a need-to-know basis only. Machines will be checked for viruses, Trojans (especially RATs, Remote Access Trojans like Sub7 or DeepThroat), malware and adware.

  • Web Services and Applications

We will test your web servers (internal and corporate website servers) for security concerns. Internal machines will be tested for browser types and versions. Machines connected to the Internet will also be checked.

  • Network Cabling and architecture

The network topology, ports and connectivity will be tested. The network will be checked against a number of security issues related to DHCP, transparent proxying, non-stateful packet inspection etc. The network will be checked for the minimum access rights given on guest connections and also for the availability of a DMZ.
Network devices like wireless access points, network switches etc. will be tested for basic related hacks.

  • Social Engineering

Complete network harmony in any organization is achieved when the IT staff and security policies complement each other. Hackers use the “Art of Deception” to get privileged information or get some tasks done unwittingly by receptionists, Junior IT staff and/or other staff.

  • Internal Security policies

Policies for processes like server room access, IT staff termination, DHCP, proxying, LAN access etc. will be placed under scrutiny. Processes like office stationery disposal, quotas and email scanning will also be checked.

Anatomy of the Hack

A degree of success in one or more of the methods above will either lead to remote network access or bring the tester a step closer to a hack. For the success of this process, no unscheduled network changes should be made before or during the pen testing.
The whole idea of pen testing is to answer the following questions:

  • How much data about CLIENT-X can a hacker get from external non-CLIENT-X sources?
  • How much data about CLIENT-X can a hacker get from Internal IT sources?
  • How much data about CLIENT-X can a hacker get from Internal non-IT sources?
  • What internal network devices/resources are available to external users?
  • What internal network devices/resources are available to internal guest users?
  • What internal network devices/resources are available to internal legit users?
  • What is the RAV of a hack?

This is very important for management and stakeholders and helps answer a very sleep-depriving question: “how safe is the network?”. A very big percentage of ISPs, companies and corporate firms in Kenya, Uganda and Tanzania, whose networks we have scanned randomly, live under “security through obscurity”. They are in business because no one is bothering to hack them.
The anatomy of a standard non-destructive hack is:

Information gathering

  • Getting as much network information as possible. This is done using social engineering attacks against staff, port scanning, AFRINIC records, dumpster diving etc.
  • Using the information gathered to get more information.

Gaining Access

  • At a minimum, a would-be hacker needs guest access to network equipment to be able to ‘look around’ the network.

Privilege Escalation

  • Once some form of access is obtained, a would-be hacker needs to be able to promote their account to a more privileged one or obtain another, higher-privileged account.

The Hack

The hack itself is the ‘reason’ or ‘goal’ of the whole exercise. It could be:

  1. Get access to DB server.
  2. Get access to Storage server.
  3. Get access to the email server to perform a man-in-the-middle attack (MitMA) or eavesdrop on emails.
  4. Deface the organization’s corporate website.

Covering tracks

A hacker will do the following after a successful hack:

  • Make sure there is a back-door in the network to allow access even if the initial hack account is changed or disabled.
  • Patch the hacked server to make sure that another hacker does not get in using the same method, for trophy purposes.
  • Alter and/or Delete all log files to avoid detection.
