Penetration Testing in IT/ Security Assurance Projects

There are various cases when during an IT/ security assurance projects there are specific requirements to rely on penetration testing projects/ reports completed by a third party.

However, not always, the IT security auditors have the necessary information to assess the quality of the penetration testing projects (focusing on planning, projects delivery and reporting).

And I address here the IT security assurance projects having in scope IT systems and finalizing with an Independent Auditor Report (IT Audit Opinion) and not audits focused on processes (like ISO audits) or on specific IT controls relevant for specific objectives (like ISAE 3402 IT/ Security assurance projects).

IT/ Security auditing standards

In order to have a consistent and objective assessment of third party reports, an IT security auditor must refer to the auditing standards he is using for performing his engagement.

And if we consider the IT audit standards available on the it-audit-activitymarket, we must look at ISACA framework. There are also other standards applicable to various industries or specific objectives, focused on management systems, like ISO standards, but ISACA’s are the only ones of general nature which can be used cross-platforms, industries, etc. And as support for this, I performed some quick Internet searches and found mostly the same views.

For example, in one of its papers, NIST recognizes the entities enumerated below as addressing the IT auditing within their standards, further states that all of them taken essentially the same position concerning audits involving information systems and continues focusing on ISACA’s CobIT.

  • The American Institute of Certified Public Accountants (AICPA) in several Statements on Auditing Standards (SASs);
  • Institute of Internal Auditors Association (IIA) in its Standards for the Professional Practice of Internal Auditing;
  • Information Systems Audit and Control Association (ISACA) in its “ITAF™: A Professional Practices Framework for IS Audit/Assurance”
  • S. General Accounting Office (GAO) in its Government Auditing Standards and Title 2, Accounting.

Continue reading

My experience with the OSCP certification

Offensive Security review - Try harder!

Hi there,

Probably you’re here because you’re interested in obtaining the OSCP certification. Smart decision, good for you! Or maybe you are interested in obtaining a certification in info-sec, but you are still looking for the right one? Even if you are just looking for a way to boost your technical skills, you may be interested in becoming an Offensive Security Certified Professional.

I recently went through the course (Penetration testing with Kali Linux) and certification exam, so here is some of my experience and a few thoughts, you might find them useful.

Requirements

There is no secret that in order to obtain this certification, you need to dedicate a great amount of time and ambition and I completely agree with this.

Also, rumour has it that you already need to have Godlike skills in everything there is to know, or else you won’t understand the materials. I can honestly say that the rumours aren’t true. A strong background in info-sec is preferred, however the course materials are very well explained, there are plenty resources for learning your way through this course, all you need is the determination to try harder and read more, until you fill all knowledge gaps that might appear.

Continue reading

Defcamp 2015

Defcamp 2015At the end of November, between 19 and 20, we will be present at Defcamp 2015 Information Security conference. Adrian Furtuna, Technical Manager at KPMG Romania and Ionut Ambrosie, Security Consultant at KPMG Romania will deliver a hands-on workshop on web security.

 

At DefCamp 2015 you will learn how easy your online data can be stolen, how your privacy is violated and what are the techniques used to break critical systems security

Defcamp history

The Internet is perhaps the greatest invention of the twentieth century and made possible, since 2000, the rise in popularity for smart devices such as smartphones and social networks like Facebook, Twitter or LinkedIn. Besides all the benefits it brings, such as instant communication, faster access to services and access to information, privacy and data security are two issues that should concern more and more users.

Continue reading

OWASP Bucharest EEE

OWASP Bucharest EEEOWASP Bucharest is happy to announce the next local event, part of OWASP EEE (Eastern European Event), a one day Security and Hacking Conference. It will take place on 9th of October, 2015 – Bucharest, Romania. The OWASP Bucharest Event’s objective is to raise awareness about application security, to make web applications safe and to educate users, developers, governments, and business leaders on how to protect vulnerable information and avoid dangerous hacks that can have a high cost to fix.

  • The conference is free however, you need to register.
  • The workshop has an entrance fee and limited seats.
  • The event will be in English, with cutting-edge topics presented by renowned security professionals: Bogdan Matache, Daniel Tomescu, Alexander Antukh, Teodor Cimpoesu, Cosmin Anghel, Razvan Deaconescu, Adrian Ifrim, Adrian Furtuna and Ionut Ambrosie.

Continue reading

NetRipper – Smart traffic sniffing for penetration testers

Ionut

Ionut Popescu, Senior Security Consultant @ KPMG Romania has been accepted as speaker at the prestigious DEFCON conference. He will present one of his projects: NetRipper tool, developed especially to be used in penetration testing projects.

The conference will be held in Las Vegas, Nevada, between 6-9 August 2015.

NetRipper – Short description

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is the tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Popescu

And we will be waiting to share  his experience at the conference in the next article.