The Importance of Security Requirements in the Design of SCADA Systems
by Pierluigi Paganini
Over the last several years, countries have discovered that their critical infrastructures are too vulnerable to cyber-attacks, due to the increasing attention to cyber security matters and successful attacks on SCADA systems worldwide. Events such as the spread of the Stuxnet virus have alerted the international security community to the risks related to cyber-attacks and their potentially disastrous consequences; we have learned how powerful a cyber weapon can truly be, and how deeply governments are involved in cyber warfare.
SCADA Security for Critical Infrastructure
by Daniel Wood
The first step towards securing SCADA systems (aside from JFK’s 1963 memorandum establishing the National Communications System (NCS)), was Reagan’s 1984 Executive Order 12472, Assignment of National Security and Emergency Preparedness (NS/EP) Telecommunications Functions. In short, some of the more important NS/EP requirements include: enhanced priority treatment for voice and data services, secure networks, restorability, international connectivity, interoperability, mobility, nationwide coverage, survivability, voice band service in support of presidential communications, and scalable bandwidth.
The Box Holes. Pen Testing a SCADA Platform
by Stefano Maccaglia
In the last decade SCADA systems have moved from proprietary, closed networks to open source solutions and TCP/IP-enabled networks. Their original "security through obscurity" approach to protection against unauthorized access has fallen, together with their interconnection limits. This has made them open to communicate with the rest of the world, but vulnerable, like our traditional computer networks.
by Timothy Nolan
I had heard a story told and retold in security circles for many years about a vulnerability scan in a manufacturing production environment that caused loss and disruption. As a scan was conducted in an area where production control systems were network connected, some service on the equipment was intolerant of the vulnerability scan and normal production controls failed. Unfortunately, the client whose network was scanned was a manufacturer, a baker of cookies, and the production controls controlled the temperature of the ovens baking the cookies and the movement of cookies through the ovens.
Does Cybercrime Pay? The Economics of Hacking
by Doug Steelman
The world of cyber crime is awash in numbers. Pundits, professors and politicians alike often comment on the costs imposed by the ever-growing underground of cyber criminals, citing estimates from the millions to the billions. This number reached new heights in May 2009, when President Obama (quoting an industry figure) proclaimed that at least a trillion dollars was being sucked from economies worldwide by cyber attacks.
Email Spying – URL CRAZY
by Steven Wierckx
There are many ways that attackers can try to read your emails. One of them is rarely part of traditional penetration tests. This article will describe how to discover whether anyone is spying on a company by abusing the fact that someone might send an email to the company while making a typo in the domain name. We will demonstrate the URLCrazy tool and show how to use it to discover potential spying.
PenTesting From the Scratch
WordPress is the most widely used CMS (a web application for managing websites easily, mostly using drag-and-drop features and an easy-to-use web interface) for blogging. Every minute a new website is created, and if it is a blog then most probably it is WordPress.
Interview with Mike Loginov
by Aby Rao
Despite the attempts of government and national security organisations, it is still widely accepted and documented that Information and Cyber Security is not taken seriously enough by the majority of boards. This is coupled with the fact that there are still few corporate CISOs or Chief Security Officers (CSOs) across industry, with organisations seemingly still hesitant to create this role.