Dear PenTest Readers,
As we announced last month, the current issue maintains our main focus on the crucial and wide topic of critical infrastructure cybersecurity. This time we intend to be more specific, as our major subject of examination is Supervisory Control And Data Acquisition - SCADA. Due to growing concerns about such systems’ vulnerabilities, we would like to introduce you to the fascinating world of Operational Technology pentesting, industrial control systems, and programmable logic controllers.
The perfect start is provided by the article written by Marlene Ladendorff, PhD, who is an eminent expert in the field of OT cybersecurity. If you want to learn about penetration testing of SCADA architecture, its peculiarities and the differences between the security of such environments and Enterprise IT systems, this article is the best possible option. We are extremely happy and grateful that such an expert publishes in our magazine for the second time in a row.
Furthermore, we would like to draw your attention to an excellent article by Cevn Vibert, which presents the landscape of ICS in a superbly thorough manner. The article invites the reader on a fascinating journey through the big picture of Industrial Control Systems, with very interesting scenarios included.
Eduardo Honorato, who also publishes his second article in a row, approaches the topic through the lens of risk assessment and the appropriate standards. His article is also focused on the undeniably vital context of automation. This is another ‘must read’ of this issue.
Bruce Williams had a huge influence on us in the creation of these two issues related to critical infrastructure - he helped us by publishing his third article on his concept of pentesting for protection, named “Janus Thinking”. The concept was introduced in our previous issue. Now, it is concluded with the third part, on thinking about threats and assets. We hope that this approach, symbolized by the Roman god Janus, will gain its well-deserved popularity in the industry.
One of our reviewers, Aditya Srivastava, has written a practical article on the enumeration of SCADA systems using an nmap script. He also presents the scope of the threat to Internet-facing PLCs. The piece is definitely worth reading. And speaking of the practical dimension of this edition, Girshel Chokhonelidze provides us with a lab on data exfiltration using the ICMP protocol. We are sure that this method will be very interesting to you, and we are delighted to present it in this issue.
Moreover, we are pleased to mention that our magazine is an encouraging publishing platform for young, ambitious talent as well. This time we have an article by Mohamed Kameela Begum Majeeth and Dikshika Naresh on cluster bomb storming and forestalling. Thus, if you have an interesting idea and you’re willing to publish - do not be intimidated, contact us!
Finally, Marcell Gogan presents two of his well-written articles on the newest trends in the cyber security world. If you wish to be up-to-date and relevant, you should definitely read his pieces on Edge Computing and Zero Login Technologies.
We are also excited to introduce to you the outstanding professionals from InfySec. Experts from this company have just recently started to cooperate with our magazine, and will be providing us with brilliant articles, labs, and tutorials on a regular basis.
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Pen Testing SCADA Architecture
by Marlene Ladendorff, PhD
Significant differences exist between Enterprise IT and OT SCADA system architecture and functionality. IT systems are upgraded on a much more frequent basis than SCADA systems, but the lifetime of SCADA systems is substantially longer than that of their IT counterparts. Penetration testing for IT systems can be performed on active networks, while SCADA penetration testing should be limited to test bed or development systems and executed in a passive manner so as not to disrupt operations. All personnel involved in or potentially affected by a penetration test should be included in a review of the test, an activity that some industries refer to as a pre-job brief.
Industrial Cyber Physical Security Enhancement
by Cevn Vibert
Industrial Cyber Security is now deeply into a form of arms race. Defenders need more defence tools and monitoring wizardry to detect and prevent attacks, but only if they can afford the resource time and expertise costs. They are usually seriously hampered by lack of budget and resources. Automation and Security Vendors are building more and more complex systems to help the defenders, but only if the defenders can afford the prices.
How to Assess Energy Infrastructure Cybersecurity
by Eduardo Honorato
As the report says, the dynamics of the energy industry could be creating an imminent cyber storm. As a first step, we need to understand how these companies use technology in the automation of their work and how we can improve safety.
Enumerating SCADA Systems
by Aditya Srivastava
The concern with Internet-facing PLCs is that they can be targeted by adversaries to breach the perimeter and get inside the network, so that they can try to achieve persistence, start scanning devices over the network, move laterally across it, and get the stuff done that they intend to do, like bringing down the plant or creating a natural disaster.
The Art of Staying Ahead of Trouble: Janus Thinking (Pentesting for Protection)
by Bruce Williams
The protection of computer assets is complex. This way of having a face scanning the assets with their vulnerabilities helps with teaching. There are two skills: convergent thinking (narrowing down the options) and divergent thinking (expanding the possibilities). A good analyst shifts between the two. The drill down from the first figure to the assets with their vulnerabilities is often hard. The first step was to see which assets were in the middle and, in particular, which ones were critical. If you can do it for critical, you can do it for major and minor later on.
Data Exfiltration Lab
by Girshel Chokhonelidze
The terms data exfiltration, data extrusion and data theft are used to describe the unauthorized transfer of data from a computer or other device. Data exfiltration can be conducted manually, by an individual with physical access to a device, but it can also be an automated process conducted through malicious programming over a network.
Top 4 Reasons For Moving Your Cloud Application To The Edge
by Marcell Gogan
The need for faster data processing is one of the main reasons why computing moves to the network edge. There are millions of devices running cloud-based applications and generating extremely large amounts of data that need to be stored and processed somewhere. Uploading all that data to the cloud, sending it to a centralized data center, processing the requests coming from end-users, and then sending the results back takes too much time and consumes too many network resources. Edge architectures allow data to be processed closer to its source, thus improving the efficiency of time-sensitive data processing.
Cluster Bomb Storming on Web Application and Forestalling using Logic Based CAPTCHA
by Mohamed Kameela Begum Majeeth and Dikshika Naresh
This paper presents an approach for disabling cluster bomb attacks on the student intranet of a reputed college website, therefore safeguarding students’ privacy and protecting against excess unwanted network traffic. This approach also enhances the security of the intranet against computer bots and automated attacks. We propose the usage of Logic Based CAPTCHA, a completely automated public test that tells humans and computer bots apart by making the user answer simple questions. They are effective in stopping automated abuse, including cluster bomb attacks.
Exploiting The Entity: XXE (XML External Entity Injection)
by Anand M
In recent years, major tech giants like Google, Facebook, Magento, Shopify, Uber, Twitter and Microsoft have undergone XML External Entity attacks on their major applications. One such vulnerability that has been around for many years is XML external entity injection, or XXE. For example, this vulnerability can be used to read arbitrary files from the server, including sensitive files such as the application configuration files. An XXE attack helped hackers gain read-only access to Google’s production servers themselves. So far, major vulnerabilities like SQL injection and command injection have been playing a major role in web application attacks. But XXE is also a major critical bug which helps the attacker gain access to the server itself. The OWASP Top Ten standard has also added XXE to its list of critical vulnerabilities. This vulnerability is an important one to understand because it exists by default for many popular XML parsers. To best explain and demonstrate the exploitation of XXE, we must first start with the basics of XML. So let’s dig in deeper.
Zero Login Technologies: Is Biometrics Safer Than Passwords?
by Marcell Gogan
This new authentication method acts as an alternative to the traditional two-factor authentication where you need to first enter a password and then prove the fact of possessing a particular device remembered by the system. With technologies similar to the one invented by TypingDNA, you are no longer dependent on particular devices for verifying your identity – your unique behavior patterns will do the job.