Dear PenTest Readers,
This month we would like to focus on the critical infrastructure aspect of penetration testing. Whereas this is the area which should be particularly protected, we are under an impression that there wasn’t enough space for a discussion on it within the cybersecurity field. It has to be emphasized that critical infrastructure and its security is crucial, and has a great impact on the security of whole societies. Even the most protected facilities are vulnerable to cybersecurity attacks. We would like to draw more attention to this sphere with this magazine issue. However, we will are not quite finished analyzing it yet, so the next month we will be particularly focused on SCADA systems. Moreover, we are very happy to present three articles written by our wonderful betatesters – David Kosorok (as the co-author), Robert Fling, and Aditya Srivastava. Each of them provides innovative insight into pentesting practices, also in connection to this month’s theme. You should definitely give them a read!
Without further ado, we kindly invite you to dive in the reading.
PenTest Magazine’s Editorial Team.
Table of Contents
Deterministic Unidirectional Devices: Protecting OT Networks with Data Diodes
by Marlene Ladendorff, PhD
The Ukraine power grid compromise offers an example of the consequences that can result from a cyber-attack. A deterministic unidirectional device (data diode) would have circumvented the attack via the wired network cyber threat vector. Once the diode is installed, confirmation of unidirectional communication should be performed via penetration testing. Other possible circumventions of IT/OT network separation include data diode bypasses, improper data diode configuration, primary and backup diode composition, and incident response plans in the event of diode failure.
Industrial Control Systems Cyber Security Tests
by Eduardo Honorato
Many, however, may not be aware that a penetration test may have the potential to destabilize the system. In certain cases, the impact on the system is irreversible, so that it can no longer be restored back to its original state. In some other situation, the impact of destabilization may even propagate the upstream or downstream effect, affecting other interconnected systems. In industrial control systems, this impact has a very high risk of destabilizing processes potentially resulting from a volatile chemical reaction that poses a danger to human safety and also to the environment.
CTFs For Corporates
by Rohit Nambiar and David Kosorok
While external bug bounties are a great way to PenTest your application, what if you could achieve something similar by harnessing internal talent and maybe even develop new ones? The process would be slower but possibly more fruitful in the long run. While this cannot replace the regulatory required external PenTests, there could be a gradual substitute for many of the bi-annual or more frequent PenTests that don’t require external auditing. In the long haul, not only do your applications get tested but you have also created an army of security experts, each with unique mindsets gained from solving diverse types of challenges as part of the CTF.
I Am The One Who DOESN’T Knock
by Robert Fling
These are just a few techniques that should be added to your arsenal. As previously stated, I could go on forever about different types of locks and how to bypass them. These simple techniques will allow you to gain access to interior rooms of a building to either gain access to a room for you to work in or to explore areas that general employees are not granted access to. It is worth mentioning that if you are to try any of these techniques during an actual pentest that it should be EXPLICITLY written in your contract with the client that you will attempt to bypass physical security. If you do not and gain access to a building without permission, you are breaking the law and that is something we do not want to be doing.
Protecting Critical Infrastructure From Attack: Janus Thinking
by Bruce Williams
I think that Janus thinking is needed. The person who can have a view of the assets must have an understanding of the value of these assets. Nowadays Industrial Control Systems talk the same language as web servers. The Janus framework is how I try to teach cybersecurity trainees to understand that pentesting is just not using Kali but selecting the correct tools to tell you your position with the protection of critical infrastructure. Buffer overflow was a favourite in Unix system, so strange to see old friends again.
Janus Thinking In Practice
by Bruce Williams
The three different concepts explained here are not exclusive of each other, but rather complement each other. In many information security programs, vulnerability assessments are the first step – they are used to perform wide sweeps of a network to find missing patches or misconfigured software. From there, one can either perform a penetration test to see how exploitable the vulnerability is or a risk analysis to ascertain the cost/benefit of fixing the penetration test to see how exploitable the vulnerability is or a risk analysis to ascertain the cost/benefit of fixing the vulnerability. Of course, you don’t need either to perform a risk analysis. Risk can be determined anywhere a threat and an asset is present. It can be data center in a hurricane zone or confidential papers sitting in a wastebasket.
Identity Assurance by Our Own Volition and Memory
by Hitoshi Kokumai
Identity verification, which has been represented by seals and handwritten signatures in the past, is not just one of the many factors for information security, but is the very foundation of the social infrastructure without which no social life can exist. This relation between the society and the identity verification will not change so long as humans live social lives. EPS will be a legitimate successor to the timehonored seals and handwritten signatures.
Abusing The Spring-boot Actuator End-points In REST API
by Mithun Smith Dias
While it’s the choice of a developer to use these end-points with a purpose, although Spring Security provides you with a very flexible security features to configure in your applications such as authentication and authorization requirements, Spring Security also supports LDAP server and OAuth which could be used for authentication and authorization. But the security of an application should be taken care of during the start of a development phase.
by Aditya Srivastava
The way to solve these problems is to change the way we look at security incidents and respond. Until now we have been following a reactive approach that is to conduct incident response after the intrusion has been made but that is becoming less responsive in today’s world. So it’s time to shift from reactive to proactive approach security controls.
z/OS Code Scanning Is Essential to System z® Security
by Ray Overby
Security professionals understand how to mitigate the risks caused by configuration-based vulnerabilities. They have robust tools to monitor network traffic, scan applications, and monitor security configurations for documented vulnerabilities. Unfortunately, these tools are incapable of detecting zero day codebased vulnerabilities at the OS layer, and in practice OS layer vulnerability assessments uncover serious exposures unrelated to “drifting” configurations and excessive access. How is this possible when integrity and security are so integral to System z that the operating system will not start unless an ESM has been specified in the system configuration?