ITIL-V3 Bookcase
Design Division

ITIL 2.7.6.1 PenTest Plan

Penetration Testing:
1. It could never be logical to have the external (black hat hacker) penetration test done at the same time and by the same consultants as the internal penetration test.
2. The nature, scope and objective of the external penetration test is clear with industry standards on how it should be ethically undertaken.
3. The nature, scope and objective of an internal penetration test is subjective and poorly defined - it does not build on or interact with a normal external penetration test in any way.

Independent Consultants:
The ASP is in a position to manage all IT costs that are part of our professional ITIL schedule of work, including regular penetration tests.
The ASP will cooperate in every way where a client chooses to pay for their own independent consultants to perform an external penetration test.
The ASP have NOT included, in their financial plans, any payment for independent consultants to conduct regular testing.
The financial stability of the whole supply chain, involving many companies, is at risk where one partner in the supply chain demands an independent consultant's report but is not willing to pay for it - that partner has excluded themselves from the supply chain and the supply chain must change partners.   The supply chain of partners is viable only while all partners collaborate and do not impose liabilities and costs on other partners. Rule 1: Partners can spend their own money but cannot spend other partners' money.

Sanction:
The ASP operate private Internet applications with data fragmented and shared between a supply chain of different companies with authorized users.
Where any criminal activity is detected, that authorized user is blacklisted and excluded from participating in the supply chain - each company will also take whatever disciplinary measures that they deem to be appropriate.
A blacklisted user is shown the home page and no matter what they enter, they will always be shown the home page without any error message.

Business Requirement
The external penetration test must be performed against both the infrastructure and the web application stack.   This activity must test all components of the system that are externally accessible / exposed and mimic the journey that an external hacker could perform.

Measurement
Vulnerabilities identified by the penetration test that pose a risk to the infrastructure shall be remedied in a timely manner, within the period given by exploit impact (rows) and exploit difficulty (columns):

                   Easy        Moderate    Difficult
    Critical       1 week      2 weeks     1 month
    High           2 weeks     1 month     2 months
    Medium         1 month     3 months    6 months
    Low            3 months    6 months    never
    Info           never       never       never

External Penetration Test:
These are carried out on a regular basis by the ASP team who undertake such work for hundreds of web sites using a common architecture and data center organization.   When any change is made to the hardware or system software, then an external penetration test is undertaken using a set of standard scanners and ethical hackers tools.
Data centers are attacked hundreds of times each day, so the threat, attack mode and significance of external penetrations test are well understood and part of the daily operation.
The ASP budget for external penetration tests is periodically supplemented with a technology transfer session with external consultants who can verify that our methods and techniques remain up to date and relevant.   In practice, we have more web sites and do more external penetration tests than most of the consultancies that we have paid to help us stay relevant.   The cost of this normal and essential operations work is included in all our business arrangements.
Where a security firm are brought in to help with a direct cost of £2000, then at least the same amount again must be spent with our internal team to prepare, work with the consultants and learn new tricks.   In a dynamic data center, an external penetration test may be scheduled every three months, with different parts of the test carried out each month.

Authentication:
The ASP have evolved more and more layers of sign-in security over many years to the point where criminal attacks will never be cost effective.
The assignment of (1) time-of-day, (2) day-of-week, (3) geo-location-country, (4) IP-address, (5) ISP-name, (6) computer-operating-system and (7) type-of-browser makes sign-in a comprehensive facility that is beyond the security found in most applications.
Limiting an attack on a password to a few attempts before the attacker is blacklisted means that automated guessing and brute force cracking tools will not work.
The only error message that a criminal is shown is the home page and they have no way to detect that they have been blacklisted and even if they then guessed the right password, they would still be shown the home page.
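The sign-in policy described above, as an added worked example that is not the ASP's own code: each user carries a profile of the seven permitted attributes, every unsuccessful attempt counts towards a small limit (the threshold of three and the password-hashing parameters are assumptions), and a blacklisted name is answered with the home page even when the password is right. The `SignInProfile`, `SignInContext` and `SignInGate` names are hypothetical; the IP ranges and user are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime

MAX_FAILURES = 3          # assumed threshold for "a few attempts"
PBKDF2_ROUNDS = 50_000    # assumed; any slow password hash will do


@dataclass(frozen=True)
class SignInProfile:
    """The seven attributes assigned to each user's sign-in (hypothetical shape)."""
    hours: range              # permitted hours of day, e.g. range(7, 20)
    weekdays: frozenset       # Monday=0 .. Sunday=6
    countries: frozenset
    networks: tuple           # ipaddress networks the user may sign in from
    isps: frozenset
    operating_systems: frozenset
    browsers: frozenset


@dataclass(frozen=True)
class SignInContext:
    """What the server can observe about one sign-in attempt."""
    when: datetime
    country: str
    ip: str
    isp: str
    os: str
    browser: str


def hash_password(password, salt=b"constructed-per-user-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def context_matches(profile, ctx):
    ip = ipaddress.ip_address(ctx.ip)
    return (ctx.when.hour in profile.hours
            and ctx.when.weekday() in profile.weekdays
            and ctx.country in profile.countries
            and any(ip in net for net in profile.networks)
            and ctx.isp in profile.isps
            and ctx.os in profile.operating_systems
            and ctx.browser in profile.browsers)


class SignInGate:
    """Every unsuccessful outcome, and every request from a blacklisted name,
    returns 'home': the caller renders the home page with no error message."""

    def __init__(self, users):
        self.users = users            # name -> (password_hash, SignInProfile); assumed store
        self.failures = {}
        self.blacklist = set()

    def sign_in(self, name, password, ctx):
        if name in self.blacklist:
            return "home"
        record = self.users.get(name)
        if record is None:
            return "home"             # unknown names look exactly like bad passwords
        stored_hash, profile = record
        password_ok = hmac.compare_digest(hash_password(password), stored_hash)
        if password_ok and context_matches(profile, ctx):
            self.failures.pop(name, None)
            return "application"
        # Any failed attempt counts, whether the password or the context was wrong.
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILURES:
            self.blacklist.add(name)
        return "home"


def demo():
    """Constructed scenario: one user with an office-hours profile, then guesses."""
    profile = SignInProfile(
        hours=range(7, 20), weekdays=frozenset({0, 1, 2, 3, 4}), countries=frozenset({"GB"}),
        networks=(ipaddress.ip_network("203.0.113.0/24"),),      # documentation range
        isps=frozenset({"ExampleNet"}), operating_systems=frozenset({"Windows"}),
        browsers=frozenset({"Firefox"}))
    gate = SignInGate({"alice": (hash_password("correct horse"), profile)})
    office = SignInContext(datetime(2024, 3, 6, 10, 0), "GB", "203.0.113.7",
                           "ExampleNet", "Windows", "Firefox")      # a Wednesday morning
    abroad = replace(office, country="US", ip="198.51.100.9")
    outcomes = [gate.sign_in("alice", "correct horse", office),      # application
                gate.sign_in("alice", "correct horse", abroad)]      # home: context mismatch
    for guess in ("letmein", "password1"):
        outcomes.append(gate.sign_in("alice", guess, office))        # home, home -> blacklisted
    outcomes.append(gate.sign_in("alice", "correct horse", office))  # home: blacklisted
    return outcomes, "alice" in gate.blacklist
```

The single return value for every failure is the point: the caller cannot leak whether the name existed, the password was wrong, the context did not match, or the account is already blacklisted. Whether a context mismatch with a correct password should count towards the limit is a policy choice; this example counts it.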

Multi Tenancy:
The ASP deliver multi-tenancy applications that involve any number of independent companies that (1) may cooperate with others in a supply chain or (2) may compete without knowing of others.   Multi-tenancy demands a matrix of data access control and functional access control - internal penetration tests are needed.
Each user may not be aware of any other user.

Multi Currency:
The ASP deliver multi-currency applications that involve any number of currencies that have base currencies as (1) Euro, (2) GBP and (3) USD.   Each financial transaction must be converted to a base currency with the exchange rate for the transaction date.   A set of financial transactions may be converted between base currencies on a conversion exchange date - typically a month end reconciliation for tax purposes.   Internal penetration tests are needed to verify that the flow of amounts leaves no room for fraud.
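The two conversions described above, as an added worked example that is not the ASP's own code: each transaction is converted to a base currency at the rate for its own date, the set is then re-based on one conversion date, and the per-line total is reconciled against a single bulk conversion so that rounding, the usual place where small amounts leak, is bounded and checked. The rate table and ledger are constructed sample data; the function names are hypothetical.

```python
from datetime import date
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
BASES = {"EUR", "GBP", "USD"}

# Constructed rate table: (date, from, to) -> units of `to` per one unit of `from`.
RATES = {
    (date(2024, 3, 4), "USD", "GBP"): Decimal("0.7910"),
    (date(2024, 3, 18), "USD", "GBP"): Decimal("0.7860"),
    (date(2024, 3, 25), "EUR", "GBP"): Decimal("0.8550"),
    (date(2024, 3, 31), "GBP", "EUR"): Decimal("1.1690"),
}


def rate(day, src, dst):
    """Rate for exactly `day`.  A missing rate is an error: silently falling back to
    a nearby date or a default rate is one of the gaps an internal test looks for."""
    if src == dst:
        return Decimal(1)
    if (day, src, dst) in RATES:
        return RATES[(day, src, dst)]
    if (day, dst, src) in RATES:
        return Decimal(1) / RATES[(day, dst, src)]
    raise KeyError(f"no {src}->{dst} rate for {day}")


def to_base(tx, base):
    """Convert one transaction (id, day, currency, amount) to `base` at its own date's rate."""
    if base not in BASES:
        raise ValueError(f"{base} is not a base currency")
    tx_id, day, ccy, amount = tx
    converted = (amount * rate(day, ccy, base)).quantize(CENT, ROUND_HALF_EVEN)
    return (tx_id, day, base, converted)


def reconcile(txs, base, target, conversion_day):
    """Month-end re-basing from `base` to `target` on one conversion date.  The sum of
    the per-line conversions is checked against converting the grand total in one
    step; the two may differ only by rounding, half a cent per rounding performed."""
    base_lines = [to_base(t, base) for t in txs]
    base_total = sum(line[3] for line in base_lines)
    r = rate(conversion_day, base, target)
    line_total = sum((line[3] * r).quantize(CENT, ROUND_HALF_EVEN) for line in base_lines)
    bulk_total = (base_total * r).quantize(CENT, ROUND_HALF_EVEN)
    tolerance = Decimal("0.005") * (len(txs) + 1)
    return {"base_total": base_total, "line_total": line_total,
            "bulk_total": bulk_total, "balanced": abs(line_total - bulk_total) <= tolerance}


LEDGER = [   # constructed sample transactions: (id, transaction date, currency, amount)
    ("T1", date(2024, 3, 4), "USD", Decimal("1000.00")),
    ("T2", date(2024, 3, 18), "USD", Decimal("250.50")),
    ("T3", date(2024, 3, 25), "EUR", Decimal("99.99")),
    ("T4", date(2024, 3, 18), "GBP", Decimal("40.00")),
]


def demo():
    """Re-base the March ledger from GBP to EUR at the month-end rate."""
    result = reconcile(LEDGER, "GBP", "EUR", date(2024, 3, 31))
    return {k: str(v) if isinstance(v, Decimal) else v for k, v in result.items()}
```

Amounts are `Decimal`, never floats, and every rounding is explicit and banker's-style, so the reconciliation tolerance is a known quantity rather than a guess. A ledger that fails `balanced`, or a rate lookup that has to be caught and defaulted, is exactly the kind of finding the internal test is meant to surface.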

Internal Test Objective:
The internal penetration test will treat each authorized user as a potential criminal who is intent on damaging the application and/or stealing data that they should not have access to.   Criminal attacks by an authorized user may be identified as:
1. URL Manipulation.
2. Field Injection.
3. Hidden Field Manipulation.

Internal Penetration Test:
Internal testing is carried out on a continual basis and the ASP team include such testing as a fundamental part of its on-going financial plan.
It is almost impossible for an independent security team to undertake an effective internal penetration test without weeks of one-on-one training.
The idea that an independent consultant can begin to guess what data can be accessed and what is protected is beyond any professional method of working.
After six months of User Acceptance Trials (UAT) with truly experienced and skilled people, the notion that independent consultants have something to contribute is hard to imagine.
Rule 2: Independent consultants have nothing to contribute to internal testing and this type of work will never be cost effective.

1. URL Manipulation:
The ASP have been delivering secure Internet applications for more than ten years and have evolved an architecture that detects URL manipulation.
The URL is shown as almost 200 characters to make it expensive for a criminal to understand and intelligently manipulate.   A honeytrap is encoded as a function name, so if that function name is changed in any way, the change can be detected and the criminal blacklisted.   With the majority of web pages, the URL address bar is not shown and where it is shown, it is generally too long to be viewed or understood.
A different URL will be used for the same web page, so knowing what the URL was does not mean that the same URL can be used again.
The only URL manipulation error message that the criminal is shown is the home page, and the user is blacklisted so they cannot try another hacking attack - one strike and you are out.

2. Field Injection:
The ASP built reusable field validation functions many years ago and this middleware is fundamental to every application.
Application development begins with a data dictionary where every field has a detailed purpose, life-cycle and permitted values.   Validation against these permitted values is dynamically built into every application without exception.
Where a criminal tries to inject "SELECT * FROM USERS" to get a list of user data, this kind of injection will be detected, recorded and the criminal blacklisted.   In the same way, injection of JavaScript or programming logic will be detected and the criminal blacklisted.   All server-side programming languages are disabled on each web server.
All the special symbols that are needed to make any injection work are either replaced or removed by common reusable routines that apply to every field.
The only field injection error message that the criminal is shown is the home page, and the user is blacklisted so they cannot try another hacking attack - one strike and you are out.
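Data-dictionary-driven validation of the kind this section describes, as an added worked example that is not the ASP's middleware: every field has a permitted-value rule, one shared routine strips the symbols injection relies on, and a value that looks like an injection attempt is treated differently from an ordinary user mistake (recorded, the user blacklisted, home page shown). The dictionary, field names and form submissions are constructed; `validate` and `process_form` are hypothetical names.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    kind: str                       # "enum", "integer" or "text"
    max_len: int = 0
    permitted: frozenset = frozenset()
    pattern: str = ""


# Constructed data dictionary: purpose and permitted values for every field.
DATA_DICTIONARY = {
    "title": FieldSpec("enum", permitted=frozenset({"Mr", "Mrs", "Ms", "Dr"})),
    "quantity": FieldSpec("integer", max_len=6),
    "postcode": FieldSpec("text", max_len=10, pattern=r"^[A-Z0-9 ]+$"),
    "notes": FieldSpec("text", max_len=200),
}

# Special symbols that injection payloads need; removed by one shared routine.
SPECIAL = str.maketrans({c: None for c in "<>\"';\\`(){}=|&$%"})

# Shapes that no legitimate field value has: an SQL statement or script tag.
INJECTION_SIGNS = re.compile(
    r"\b(?:select|union)\b.*\bfrom\b"
    r"|\b(?:insert|update|delete|drop)\b.*\b(?:into|table|from|set)\b"
    r"|<script|javascript:", re.I)


def sanitise(value):
    return value.translate(SPECIAL)


def validate(field, raw):
    """Return (verdict, value): 'ok', 'invalid' (plain user error, show the form
    again) or 'attack' (record it, blacklist the user, show the home page)."""
    spec = DATA_DICTIONARY.get(field)
    if spec is None:
        return ("attack", None)         # no legitimate form sends an unknown field
    if INJECTION_SIGNS.search(raw):     # checked before stripping, so the attempt is seen
        return ("attack", None)
    value = sanitise(raw).strip()
    if spec.max_len and len(value) > spec.max_len:
        return ("invalid", None)
    if spec.kind == "enum":
        return ("ok", value) if value in spec.permitted else ("invalid", None)
    if spec.kind == "integer":
        return ("ok", int(value)) if value.isdigit() else ("invalid", None)
    if spec.pattern and not re.match(spec.pattern, value):
        return ("invalid", None)
    return ("ok", value)


def process_form(user, form, blacklist, audit):
    """Validate every field of one submission.  A single detected attack is logged,
    blacklists the user and rejects the whole form with the home page."""
    if user in blacklist:
        return ("home", {})
    cleaned = {}
    for field, raw in form.items():
        verdict, value = validate(field, raw)
        if verdict == "attack":
            audit.append((user, field, raw))
            blacklist.add(user)
            return ("home", {})
        if verdict == "invalid":
            return ("form_error", {field: "not permitted"})
        cleaned[field] = value
    return ("accepted", cleaned)


def demo():
    """Constructed session: a good form, an injection attempt, then a blacklisted retry."""
    blacklist, audit = set(), []
    first = process_form("bob", {"title": "Ms", "quantity": "3"}, blacklist, audit)
    second = process_form("bob", {"notes": "SELECT * FROM USERS"}, blacklist, audit)
    third = process_form("bob", {"title": "Ms"}, blacklist, audit)
    return first, second, third, sorted(blacklist), len(audit)
```

The keyword patterns are a detection signal, not the defence: what stops the injected text reaching the database as SQL is that every value must match its dictionary rule and that queries are built with bound parameters rather than string concatenation. Keeping the two apart also keeps the false-positive rate visible, since a note containing the word "delete" must still be accepted.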

3. Hidden Field Manipulation:
Forms contain hidden fields and parameters that a criminal with applicable hacking tools may be able to show and change.
The normal flow of data from a browser to a web server is encrypted, but hackers' tools enable the data to be changed before it is encrypted by the user's browser.
A honeytrap is encoded into hidden fields so where an object key is changed, this change can be detected and the user blacklisted.   It is not possible for an independent consultant to properly recognise the object keys that an authorized user is permitted to view and those that they are not permitted to view.
The architectural design of the application includes traps and session variable checks that will detect criminal behaviour.
The only hidden field manipulation error message that the criminal is shown is the home page, and the user is blacklisted so they cannot try another hacking attack - one strike and you are out.
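The honeytrap mechanism that both the URL Manipulation section (a function name encoded so that any change is detected, with a different URL each time) and this Hidden Field Manipulation section (an object key whose change is detected, plus session variable checks) rely on, as one added worked example that is not the ASP's code: the server issues each function name or object key as a token carrying a random nonce and a keyed MAC bound to the session, so an edited value, a replayed token, or a token minted for another session all fail in the same silent way. The key, session ids and object keys are constructed; `issue_token`, `open_token`, `handle` and `forge` are hypothetical names, and a real deployment keeps the key in a key store rather than in source.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-server-secret"   # assumption: loaded from a key store in production
NONCE_LEN, TAG_LEN = 16, 32


@dataclass
class Session:
    id: str
    permitted: set                  # object keys and function names this user may reach
    used: set = field(default_factory=set)


def _encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _decode(token):
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def _tag(session_id, nonce, payload):
    msg = b"|".join([session_id.encode(), nonce, payload.encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(session_id, payload):
    """Encode a function name or object key for one session.  The random nonce makes
    every token for the same page different; the tag binds it to this session."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return _encode(nonce + _tag(session_id, nonce, payload) + payload.encode())


def open_token(session_id, token, permitted):
    """Return ('ok', payload) or ('attack', None).  Any edit to the token, a token
    minted for another session, or a key outside `permitted` is an attack."""
    try:
        raw = _decode(token)
        nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:NONCE_LEN + TAG_LEN]
        payload = raw[NONCE_LEN + TAG_LEN:].decode()
    except (ValueError, UnicodeDecodeError):
        return ("attack", None)
    if len(raw) <= NONCE_LEN + TAG_LEN:
        return ("attack", None)
    if not hmac.compare_digest(tag, _tag(session_id, nonce, payload)):
        return ("attack", None)
    if payload not in permitted:                   # the session variable check
        return ("attack", None)
    return ("ok", payload)


def handle(session, token, blacklist):
    """One request.  Success renders the page for the payload; every detected
    manipulation, replay included, blacklists the session and renders the home page."""
    if session.id in blacklist:
        return "home"
    verdict, payload = open_token(session.id, token, session.permitted)
    if verdict != "ok" or token in session.used:
        blacklist.add(session.id)
        return "home"
    session.used.add(token)
    return f"page:{payload}"


def forge(token, new_payload):
    """What a tampering client does: keep the nonce and tag, swap the object key."""
    return _encode(_decode(token)[:NONCE_LEN + TAG_LEN] + new_payload.encode())


def demo():
    """Constructed sessions exercising each detection path."""
    blacklist = set()
    alice = Session("sess-alice", {"order:42", "fn:show_invoice"})
    t1, t2 = issue_token(alice.id, "order:42"), issue_token(alice.id, "order:42")
    results = {"tokens_differ": t1 != t2,                          # same page, different URL
               "first_use": handle(alice, t1, blacklist),          # page:order:42
               "replay": handle(alice, t1, blacklist),             # home, alice blacklisted
               "after_blacklist": handle(alice, t2, blacklist)}    # home, even with a good token
    bob = Session("sess-bob", {"order:7"})
    results["forged"] = handle(bob, forge(issue_token(bob.id, "order:7"), "order:42"), blacklist)
    carol = Session("sess-carol", {"order:42"})
    results["other_session"] = handle(carol, t2, blacklist)        # minted for alice, not carol
    return results
```

The MAC makes tampering detectable; the `permitted` set is what enforces the multi-tenancy rule that a user can only reach their own objects, and it has to be checked server-side on every request regardless of what the hidden field carried. `forge` exists only to show what the server sees when a client edits the key before the page is encrypted in the browser.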