Tech Guides - Security

Connected physical devices, home automation appliances, and wearable devices are all part of Internet of Things (IoT). All of these have two major things in common that is seamless connectivity and massive data transfer. This also brings with it, plenty of opportunities for massive data breaches and allied cyber security threats. The motive of digital forensics is to identify, collect, analyse, and present digital evidence collected from various mediums in a cybercrime incident. The multiplication of IoT devices and the increased number of cyber security incidents has given birth to IoT forensics. IoT forensics is a branch of digital forensics which deals with IoT-related cybercrimes and includes investigation of connected devices, sensors and the data stored on all possible platforms. If you look at the bigger picture, IoT forensics is a lot more complex, multifaceted and multidisciplinary in approach than traditional forensics. With versatile IoT devices, there is no specific method of IoT forensics that can be broadly used.So identifying valuable sources is a major challenge. The entire investigation will depend on the nature of the connected or smart device in place. For example, evidence could be collected from fixed home automation sensors, or moving automobile sensors, wearable devices or data store on Cloud. When compared to the standard digital forensic techniques, IoT forensics portrays multiple challenges depending on the versatility and complexity of the IoT devices. Following are some challenges that one may face in an investigation: Variance of the IoT devices Proprietary Hardware and Software Data present across multiple devices and platforms Data can be updated, modified, or lost Proprietary jurisdictions for data is stored on cloud or a different geography As such, IoT Forensics requires a multi-faceted approach where evidence can be collected from various sources. We can categorize sources of evidence into three broad groups: Smart devices and sensors; Gadgets present at the crime scene (Smartwatch, home automation appliances, weather control devices, and more) Hardware and Software; the communication link between smart devices and the external world (computers, mobile, IPS, and firewalls) External resources; areas outside the network unders investigation (Cloud, social networks, ISPs and mobile network providers) Once the evidence is successfully collected from an IoT device no matter the file system, operating system, or the platform it is based on, it should be logged and monitored. The main reason behind this is IoT devices data storage are majorly on Cloud due to its scalability and accessibility. There are high possibilities the data on Cloud can be altered which would result to an investigation failure. No doubt Cloud forensics can equally play an important role here but strengthening cyber security best practices should be the ideal motive. With ever evolving IoT devices there will always be a need for unique practice methods and techniques to break through the investigation. Cybercrime keeps evolving and getting bolder by the day. Forensics experts will have to develop skill sets to deal with the variety and complexity of IoT devices to keep up with this evolution. No matter the challenges one faces there is always a unique solution to complex problems. There will always be a need for unique, intelligent, and adaptable techniques to investigate IoT-related crimes and an even greater need for those displaying these capabilities. To learn more on IoT security, you can get you hands on a few of our books; IoT Penetration Testing Cookbook and Practical Internet of Things Security. Why Metadata is so important for IoT Why the Industrial Internet of Things (IIoT) needs Architects 5 reasons to choose AWS IoT Core for your next IoT project  

Software systems are vulnerable. That's down to a range of things, from the constant changes our software systems undergo, to the extent of the opportunities for criminals to take advantage of the gaps and vulnerabilities within these systems. Fortunately, penetration testers - or ethical hackers - are a vital line of defence. Yes, you need to properly understand the nature of cyber security threats before you take steps to tackle them, but penetration testing tools are the next step towards securing your software. There's famous saying from Stephane Nappo that sums up cyber security today: It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it. So, make sure you have the right people with the right penetration testing tools to protect not only your software but your reputation too.  The most popular penetration testing tools Kali Linux Kali linux is a Linux distro designed for digital forensics and penetration testing. The predecessor of BackTrack, it has grown in adoption to become one of the most widely used penetration testing tools. Kali Linux is  based on debian - most of its packages are imported from Debian repositories. Kali includes more than 500 preinstalled penetration testing programs that makes it possible to exploit wired, wireless, and ARM devices. The recent release of Kali Linux 2018.1 supports Cloud penetration testing. Kali has collaborated with some of the planet's leading cloud platforms such as AWS and Azure, helping to change the way we approach cloud security. Metasploit Metasploit is another popular penetration testing framework. It was created in 2003 using Perl and was acquired by Rapid7 in 2009 by which time it was completely rewritten in Ruby. It is a collaboration of the open source community and Rapid 7 with the outcome being the Metasploit Project well known for its anti-forensic and evasion tools. Metasploit is a concept of ‘exploit’ which is a code that is capable of surpassing any security measures entering vulnerable systems. Once through the security firewalls, it runs as a ‘payload’, a code that performs operations on a target machine, as a result creating the ideal framework for penetration testing. Wireshark WireShark is one of the world’s primary network protocol analyzers also popular as a packet analyzer. It was initially released as Ethereal back in 1998 and due to some trademark issues was renamed to WireShark in 2006. Users usually use WireShark for network analysis, troubleshooting, and software and communication protocol development. Wireshark basically functions in the second to seventh layer of network protocols, and the analysis made is presented in a human readable form. Security Operations Center analysts and network forensics investigators use this protocol analysis technique to analyze the amount of bits and bytes flowing through a network. The easy to use functionalities and the fact that it is open source makes Wireshark one of the most popular packet analyzers for security professionals and network administrators who want to quickly earn money as freelancers. Burp Suite Threats to web applications have grown in recent years. Ransomware and cryptojacking have become increased techniques used by cybercriminals to attack users in the browser. Burp or Burp Suite is one widely used graphical tool for testing web application security. Since it's about application security there are two versions to this tool: a paid version that include all the functionalities and the free version that comes with few important functionalities. This tool comes preinstalled with basic functionalities that will help you with web application security checks. If you are looking at getting into web penetration testing this should definitely be your first choice as it works with Linux, Mac and Windows as well. Nmap Nmap also known as Network Mapper is a security scanner. As the name suggests it builds a map of the network to discover hosts and services on a computer network. Nmap follows a set of protocols to function where it sends a crafted packet to the target host and then analyses the responses. It was initially released in 1997 and since then it has provided a variety of features to detect vulnerabilities and network glitches. The major reason why one should opt for Nmap is that it is capable of adapting to network conditions like network delay and network congestion during a scan. To keep your environment protected from security threats you should take necessary measures. There are n number of penetration testing tools out there with exceptional capabilities. The most important thing would be to choose the necessary tool based on your environment’s requirement. You can pick and choose from the above mentioned tools as they are shortlisted taking into consideration the fact that they are effective, well supported and easy to understand and most importantly they are open-source. Learn some of the most important penetration testing tools in cyber security Kali Linux - An Ethical Hacker's Cookbook, Metasploit Penetration Testing Cookbook - Third Edition Network Analysis using Wireshark 2 Cookbook - Second Edition For a complete list of books and videos on this topic, check out our penetration testing products.

A history of cybercrime As computer systems have now become integral to the daily functioning of businesses, organizations, governments, and individuals we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown, that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building, sifting through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts would most likely never meet retribution. Cybercrime in the 70s and 80s In the 70s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking, where the attacker reverse-engineered the tones used by the telephone companies to make long distance calls. In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00. 1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data, until a small ransom is paid, which will result in the issuance of a cryptographic unlock key. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries, and claimed the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk however contained a malware program that when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years with the healthcare field still being a very large target. The birth of the web and a new dawn for cybercrime The 90s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up till this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet in these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait you stood to make a lot of money as a cybercriminal. The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personal identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world. This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others. Cybercrime in a fast-paced technology landscape Today we see that cybercriminal activity has only gotten worse. As computer systems have gotten faster and more complex we see that the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, which are a network of private computers that are infected with malicious software and allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals: We see constant ransomware attacks across all sectors of the economy People are constantly on the lookout for identity theft and financial fraud Continuous news reports regarding the latest point of sale attack against major retailers and hospitality organizations This is an extract from Information Security Handbook by Darren Death. Follow Darren on Twitter: @DarrenDeath. 

It is estimated that hacks and flaws in security have cost the US over $445B every year. It is clear at this point that the cost of hacking attacks and ransomware has increased and will continue to increase year by year. Therefore, industries—especially those that require large amounts of important data—will need to invest in technologies to continue to be more secure. By design, Blockchain is theoretically a secure means of storing data. Each transaction is detailed on an immutable ledger, which serves to prevent and detect any form of tampering. Besides this, Blockchain also eliminates the need for verification from trusted third parties, which can come at high costs. But is this a promise that the technology has yet to fulfill, or is it part of the security revolution of the future we so desperately need? How Blockchain is resolving security issues One security issue that can be resolved by Blockchain relates to the fact that many industries rely heavily on “cloud and on-demand services, where our data is accessed and processed by untrusted third parties.” There are also many situations where they may want to jointly work on data without revealing our portion to untrusted entities. Blockchain can be used to create a system where users can jointly store data and also remain anonymous. In this case, Blockchain can be used to record time-stamped events that can’t be removed—so in the case of a cyber attack, it is easy to see where it came from. The Enigma Project, originally developed at MIT, is a good example of this use case. Another issue that Blockchain can improve is data tampering. There have been a number of cyber attacks where the attackers don’t delete or steal data, but alter it. One infamous example of this is the Stuxnet malware, which severely and physically damaged Iran's nuclear program. If this data were altered on the Blockchain, the transactions will be marked and will not be able to be altered or covered, and therefore hackers will not be able to hide their tracks. Blockchain's security vulnerabilities The inalterability of Blockchain and its decentralization clearly has many advantages, however, it does not entirely remove the possibility of data being altered. It is possible to introduce data unrelated to transactions to the Blockchain, and therefore this Blockchain data could be exposed to malware. The extent to which malware could impact the entire Blockchain and all its data is not yet known, however, there have been some instances of proven vulnerabilities. One such proven vulnerability includes Vitaly Kamluk’s proof of concept software that could take information from a hacker’s Bitcoin address and essentially pull malicious data and store it on the Blockchain. Private vs. public Blockchain implementations When understanding security risks in Blockchain technology, it is also important to understand the difference between private and public implementations. On public Blockchains, anyone can read or write transactions and anyone can aggregate those transactions and publish them if they are able to solve a cryptographic puzzle. Solving these puzzles takes a lot of computer power, and therefore a high amount of energy is required to solve many of these problems. This leads to a market where most of the transactions and puzzle solving is done in countries where energy is cheapest. This, in turn, leads to centralization and potential collusion. Private Blockchains, in comparison, give the network operator control over who can read and write to the ledger. In the case of Bitcoin in particular, ownership is proven through a private key linked to a transaction and just like physical money, these can easily be lost or stolen. One estimate puts the value of lost Bitcoins at $950M. There are many pros and cons which should be considered when deciding whether or not to use Blockchain. It is important to note here that the most important thing Blockchain provides us is with the ability to track who committed a particular transaction—for good or for bad—and when. There are some security measures with which it certainly would help a great deal—especially when it comes to tracking what information was breached, altered, or stolen. However, it is not an end-all-be-all when it comes to keeping data secured. If Blockchain is to be used to store important data, such as financial information, or client health records, it should be a wrapped in a layer of other cyber security software. Lauren Stephanian is a software developer by training and an analyst for the structured notes trading desk at Bank of America Merrill Lynch. She is passionate about staying on top of the latest technologies and understanding their place in society. When she is not working, programming, or writing, she is playing tennis, traveling, or hanging out with her good friends in Manhattan or Brooklyn. You can follow her on Twitter or Medium at @lstephanian or via her website.

Today’s enterprise is effectively borderless, because customers and suppliers transact from anywhere in the world, and previously siloed systems are converging on the core network. The shift of services (and data) into the cloud, or many clouds, adds further complexity to the security model. Organizations that continue to invest in traditional information security approaches either fall prey to cyber threats or find themselves unprepared to deal with cyber crimes.  I think it is about time for organizations to move their cyber security efforts away from traditional defensive approaches to a proactive approach aligned with the organization’s business objectives.  To illustrate and simplify, let’s classify traditional information security approaches into three types. IT infrastructure-centric approach In this traditional model, organizations tend to augment their infrastructure with products of a particular vendor, which form building blocks for their infrastructure. As the IT infrastructure vendors extend their reach into security, they introduce their security portfolio to solve the problems their product generally introduces. Microsoft, IBM, and Oracle are some examples who have complete a range of products in IT Infrastructure space. In most such cases the decision maker would be the CIO or Infrastructure Manger with little involvement from the CISO and Business representatives. Security-centric approach This is another traditional model whereby security products and services are selected based upon discrete needs and budgets. Generally, only research reports are referred and products with high rating are considered, with a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro fall in this category. Generally, the CISO or security team is involved with little to no involvement from the CIO or Business representatives. Business-centric approach This is an emerging approach, wherein decisions affecting cybersecurity of an organization are made jointly by corporate boards, CIOs, and CISOs. This new approach helps organizations to plan for an effective security program which is driven by business requirements with a holistic scope including all business representatives, CIO, CISO, 3rd parties, suppliers& partners; this improves the cybersecurity effectiveness, operational efficiency and helps to align enterprise goals and objectives.  The traditional approaches to cybersecurity are no longer working, as the critical link between the business and cybersecurity are missing. These approaches are generally governed by enterprise boundaries which no longer exist with the advent of cloud computing, mobile & social networking. Another limitation with traditional approaches, they are very audit-centric and compliance driven, which means the controls are limited by audit domain and driven largely by regulatory requirements. Business-centric approach to security Add in new breeds of threat that infiltrate corporate networks and it is clear that CIOs should be adopting a more business-centric security model. Security should be a business priority, not just an IT responsibility.  So, what are the key components of a business-centric security approach? Culture Organizations must foster a security conscious culture whereby every employee is aware of potential risks, such as malware propagated via email or saving corporate data to personal cloud services, such as Dropbox. This is particularly relevant for organizations that have a BYOD policy (and even more so for those that don’t and are therefore more likely to beat risk of shadow IT). According to a recent Deloitte survey, 70 per cent of organizations rate their employees’ lack of security awareness as an ‘average’ or ‘high’ vulnerability. Today’s tech-savvy employees are accessing the corporate network from all sorts of devices, so educating them around the potential risks is critical. Policy and procedures As we learned from the Target data breach, the best technologies are worthless without incident response processes in place. The key outcome of effective policy and procedures is the ability to adapt to evolving threats; that is, to incorporate changes to the threat landscape in a cost-effective manner. Controls Security controls deliver policy enforcement and provide hooks for delivering security information to visibility and response platforms. In today’s environment, business occurs across, inside and outside the office footprint, and infrastructure connectivity is increasing. As a result, controls for the environment need to extend to where the business operates. Key emergent security controls include: Uniform application security controls (on mobile, corporate and infrastructure platforms) Integrated systems for patch management Scalable environment segmentation (such as for PCI compliance) Enterprise Mobility Application Management for consumer devices Network architectures with Edge-to-Edge Encryption Monitoring and management A 24×7 monitoring and response capability is critical. While larger enterprises tend to build their own Security Operations Centers, the high cost of having staff around the clock and the need to find and retain skilled security resources is too costly for the medium enterprise. Moreover, according to Verizon Enterprise Solutions, companies only discover breaches through their own monitoring in 31 per cent of cases. An outsourced solution is the best option, as it enables organisations to employ sophisticated technologies and processes to detect security incidents, but in a cost-effective manner. A shift in focus It’s never been more critical for organizations to have a robust security strategy. But despite the growing number of high-profile data breaches, too much information security spending is dedicated to the prevention of attacks, and not enough is going into improving (or establishing) policies and procedures, controls and monitoring capabilities. A new approach to security is needed, where the focus is on securing information from the inside out, rather than protecting information from the outside in. There is still value in implementing endpoint security software as a preventative measure, but those steps now need to be part of a larger strategy that must address the fact that so much information is outside the corporate network.  The bottom line is, planning Cybersecurity with a business-centric approach can lead to concrete gains in productivity, revenue, and customer retention. If your organization is among the majority of firms that don’t, now would be a great time to start.  About the Author  Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades. 

Consider this: in the past year cyber thieves have stolen $81m from the central bank of Bangladesh, derailed Verizon's $4.8 billion takeover of Yahoo, and even allegedly interfered in the U.S. presidential election. Away from the headlines, a black market in computerized extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse, especially as computers become increasingly entwined with physical objects and vulnerable human bodies thanks to the Internet of Things and the innovations of embedded systems. A recent survey has once again highlighted the urgent need for UK business to take cyber security more seriously. The survey found that 65% of companies don’t have any security solutions deployed onto their mobile devices, and 68% of companies do not have an awareness program aimed at employees of all levels to ensure they are cyber aware. In addition to this, the survey found that 76% of companies still don’t have controls in place to detect and prevent zero-day/unknown malware entering their organizations, and 74% don’t have an incident management process established to respond to cyber incidents and prevent reoccurrences. What are the most common types of data breaches? The most common attack is still a structured query language (SQL) injection. SQL injections feature heavily in breaches of entire systems because when there is a SQL injection vulnerability, it provides the attacker with access to the entire database. Why is it common for large companies to have these types of errors?  There are a number of factors. One is that companies are always very cost conscious, so they’re always trying to do things on a budget in terms of the development cost. What that often means is that they’re getting under-skilled people. It doesn’t really cost anything more to build code that’s resilient to SQL injection. The developers building it have got to know how it works. For example, if you’re offshoring to the cheapest possible rates in another country, you’re probably going to get inexperienced people of very minimal security prowess.  Companies generally don’t tend to take it seriously until after they’ve had a bad incident. You can’t miss it. It’s all over the news every single day about different security incidents, but until it actually happens to an organization, the penny just doesn’t seem to drop. Leaving the windows open  This is not a counsel of despair. The risk from fraud, car accidents, and the weather can never be eliminated completely either. But societies have developed ways of managing such risk — from government regulation to the use of legal liability and insurance to create incentives for safer behavior.  Start with regulation. Government’s first priority is to refrain from making the situation worse. Terrorist attacks, like the ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guard bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.  The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that Internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it. What are the best ways for businesses to prevent cyber attacks?  There are a number of different ways of looking at it. Arguably, the most fundamental thing that makes a big difference for security is the training of technology professionals. If you’re a business owner, ensuring that and you’ve got people working for you who are building these systems, making sure they’re adequately trained and equipped is essential.  Data breaches are often related to coding errors. A perfect example is an Indian pathology lab, which had 43,000 pathology reports on individuals leaked publically. The individual who built the lab’s security system was entirely unequipped. Though it may not be the only solution, a good start in improving cyber security is ensuring that there is investment in the development of the people creating the code.Let us know where you’d start!  About the Author  Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

The term “security” often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty and roadblocks to fast development and release cycles. To secure software, developers must follow numerous guidelines that; while intended to satisfy some regulation or other, can be very restrictive and hard to understand. As a result, a lot of fear, uncertaintyand doubt can surround software security.  First, let’s consider the survey conducted by SpiceWorks, in which IT pros were asked to rank a set of threats in order of risk to IT security. According to the report, the respondents ranked the following threats as their organization’s three biggest risks to IT security as follows:  Human error Lack of process External threats  DevOps can positively impact all three of these major risk factors, without negatively impacting stability or reliability of the core business network. Let’s discuss how security in DevOps attempts to combat the toxic environment surrounding software security; by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems. Human error We’ve all fat-fingered configurations and code before. Usually we catch them, but once in a while they sneak into production and wreak havoc on security. A number of “big names” have been caught in this situation, where a simple typo introduced a security risk. Often these occur because we’re so familiar with what we’re typing that we see what we expect to see, rather than what we actually typed.  To reduce risk from human error via DevOps you can: Use templates to standardize common service configurations Automate common tasks to avoid simple typographical errors Read twice, execute once Lack of process First, there’s the fact that there’s almost no review of the scripts that folks already use to configure, change, shutdown, and start up services across the production network. Don’t let anyone tell you they don’t use scripts to eliminate the yak shaving that exists in networking and infrastructure, too. They do. But they aren’t necessarily reviewed and they certainly aren’t versioned like the code artifacts they are;they rarely are reused. The other problem is simply there’s no governed process. It’s tribal knowledge.  To reduce risk from a lack of process via DevOps: Define the deployment processclearly. Understand prerequisites, dependencies and eliminate redundancies or unnecessary steps. Move toward the use of orchestration as the ultimate executor of the deployment process, employing manual steps only when necessary. Review and manage any scripts used to assist in the process. External threats At first glance, this one seems to be the least likely candidate for being addressed with DevOps. Given that malware and multi-layered DDoS attacks are the most existential threats to businesses today, that’s understandable. There are entire classes of vulnerabilities that can only be detected manually by developers or experts reviewing the code. But it doesn’t really extend to production, where risks becomes reality when it’s exploited. One way that DevOps can reduce potential risk is, more extensive testing and development of web app security policies during development that can then be deployed in production.  Adopting a DevOps approach to developing those policies — and treating them like code too — provides a faster and a more likely, thorough policy that does a better job overall of preventing the existential threats from being all-too-real nightmares.  To reduce the risk of threats becoming reality via DevOps: Shift web app security policy development and testing left, into the app development life cycle. Treat web app security policies like code. Review and standardize. Test often, even in production. Automate using technology such as dynamic application security testing (DAST) and when possible, integrate results into the development life cycle for faster remediation that reduces risk earlier. Best DevOps practices Below is a list of the top five DevOps practices and tooling that can help improve overall security when incorporated directly into your end-to-end continuous integration/continuous delivery (CI/CD) pipeline: Collaboration Security test automation Configuration and patch management Continuous monitoring Identity management Collaboration and understanding your security requirements Many of us are required to follow a security policy. It may be in the form of a corporate security policy, a customer security policy, and/or a set of compliance standards (ex. SOX, HIPAA, etc). Even if you are not mandated to use a specific policy or regulating standard, we all still want to ensure we follow the best practices in securing our systems and applications. The key is to identify your sources of information for security expertise, collaborate early, and understand your security requirements early so they can be incorporated into the overall solution. Security test automation Whether you’re building a brand new solution or upgrading an existing solution, there likely are several security considerations to incorporate. Due to the nature of quick and iterative agile development, tackling all security at once in a “big bang” approach likely will result in project delays. To ensure that projects keep moving, a layered approach often can be helpful to ensure you are continuously building additional security layers into your pipeline as you progress from development to a live product. Security test automation can ensure you have quality gates throughout your deployment pipeline giving immediate feedback to stakeholders on security posture and allowing for quick remediation early in the pipeline. Configuration management In traditional development, servers/instances are provisioned and developers are able to work on the systems. To ensure servers are provisioned and managed using consistent, repeatable and reliable patternsit’s critical to ensure you have a strategy for configuration management. The key is ensuring you can reliably guarantee and manage consistent settings across your environments. Patch management Similar to the concerns with configuration management, you need to ensure you have a method to quickly and reliably patch your systems. Missing patches is a common cause of exploited vulnerabilities including malware attacks. Being able to quickly deliver a patch across a large number of systems can drastically reduce your overall security exposures. Continuous monitoring Ensuring you have monitoring in place across all environments with transparent feedback is vital so it can alert you quickly of potential breaches or security issues. It’s important to identify your monitoring needs across the infrastructure and applicationand then take advantage of some of the tooling that exists to quickly identify, isolate, shut down, and remediate potential issues before they happen or before they become exploited. Part of your monitoring strategy also should include the ability to automatically collect and analyze logs. The analysis of running logs can help identify exposures quickly. Compliance activities can become extremely expensive if they are not automated early. Identity management DevOps practices help allow us to collaborate early with security experts, increase the level of security tests and automation to enforce quality gates for security and provide better mechanisms for ongoing security management and compliance activities. While painful to some, it has to be important to all if we don’t want to make headlines.  About the Author Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

Cybercriminals are continally developing new and more sophisticated ways to exploit software vulnerabilities, making it increasingly difficult to defend our systems. Today, then, we need to be proactive in how we protect our digital properties. That's why penetration testers are so in demand. Although risk analysis can easily be done by internal security teams, support from skilled penetration testers can be the difference between security and vulnerability. These highly trained professionals can “think like the enemy” and employ creative ways to identify problems before they occur, going beyond the use of automated tools. Pentesters can perform technological offensives, but also simulate spear phishing campaigns to identify weak links in the security posture of the companies and pinpoint training needs. The human element is essential to simulate a realistic attack and uncover all of the infrastructure’s critical weaknesses. Being a pen tester can be financially rewarding because trained and skilled ones can normally secure good wages. Employers are willing to pay top dollar to attract and retain talent. Most pen testers enjoy sizable salaries depending on where they live and their level of experience and training. According to a PayScale salary survey, the average salary is approximately $78K annually, ranging from $44K to $124K on the higher end. To be a better pen tester, you need to upgrade or master your art in certain aspects. The following skills will make you stand out in the crowd and will make you a better and more effective pen tester. I know what you’re thinking. This seems like an awful lot of work learning penetration testing, right? Wrong. You can still learn how to penetration test and become a penetration tester without these things, but learning all of these things will make it easier and help you understand both how and why things are done a certain way. Bad pen testers know that things are vulnerable. Good pen testers know how things are vulnerable. Great pen testers know why things are vulnerable. Mastering command-line If you notice that even in modern hacker films and series, the hackers always have a little black box on the screen with text going everywhere. It’s a cliché but it’s based in reality. Hackers and penetration testers alike use the command line a lot. Most of the tools are normally command line based. It’s not showing off, it’s just the most efficient way to do our jobs. If you want to become a penetration tester you need to be at the very least, comfortable with a DOS or PowerShell prompt or terminal. The best way to develop this sort of skillset is to learn how to write DOS Batch or PowerShell scripts. There are various command line tools that make the life of a pen-tester easy. So learning to use those tools and mastering them will enable you to pen-test your environment efficiently. Mastering OS concepts If you look at penetration testing or hacking sites and tutorials, there’s a strong tendency to use Linux. If you start with something like Ubuntu, Mint or Fedora or Kali as a main OS and try to spend some time tinkering under the hood, it’ll help you become more familiar with the environment. Setting up a VM to install and break into a Linux server is a great way to learn. You wouldn’t expect to be able to comfortably find and exploit file permission weaknesses if you don’t understand how Linux file permissions work, nor should you expect to be able to exploit the latest vulnerabilities comfortably and effectively without understanding how they affect a system. A basic understanding of Unix file permissions, processes, shell scripting, and sockets will go a long way. Mastering networking and protocols to the packet level TCP/IP seems really scary at first, but the basics can be learned in a day or two. While breaking in you can use a packet sniffing tool called Wireshark to see what’s really going on when they send traffic to a target instead of blindly accepting documented behavior without understanding what’s happening. You’ll also need to know not only how HTTP works over the wire, but also you’ll need to understand the Document Object Model (DOM) and enough knowledge about how backends work to then, further understand how web-based vulnerabilities occur. You can become a penetration tester without learning a huge volume of things, but you’ll struggle and it’ll be a much less rewarding career. Mastering programming If you can’t program then you’re at risk of losing out to candidates who can. At best, you’re possibly going to lose money from that starting salary. Why? You would require sufficient knowledge in a programming language to understand the source code and find a vulnerability in it. For instance, only if you know PHP and how it interacts with a database, will you be able to exploit SQL injection. Your prospective employer is going to need to give you time to learn these things if they’re going to get the most out of you. So don’t steal money from your own career, learn to program. It’s not hard. Being able to program means you can write tools, automate activities, and be far more efficient. Aside from basic scripting you should ideally become at least semi-comfortable with one programming languageand cover the basics in another. Web people like Ruby. Python is popular amongst reverse engineers. Perl is particularly popular amongst hardcore Unix users. You don’t need to be a great programmer, but being able to program is worth its weight in goldand most languages have online tutorials to get you started. Final thoughts Employers will hire a bad junior tester if they have to, and a good junior tester if there’s no one better, but they’ll usually hire a potentially great junior pen tester in a heartbeat. If you don’t spend time learning the basics to make yourself a great pen tester, you’re stealing from your own potential salary. If you’re missing some or all of the things above, don’t be upset. You can still work towards getting a job in penetration testing and you don’t need to be an expert in any of these things. They’re simply technical qualities that make you a much better candidate for being (and probably better paid) hired from a hiring manager and supporting interviewer’s perspective. About the author Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

Security has been a problem for web developers since before the Internet existed. By this, I mean network security was a problem before the Internet—the network of networks—was created. Internet and network security has gotten a lot of play recently in the media, mostly due to some high-profile hacks that have taken place. From the personal security perspective, very little has changed. The prevalence of phishing attacks continues to increase as networks become more secure. This is because human beings remain a serious liability when securing a network. However, this type of security discussion is outside the scope of this blog.  Due to the vast breadth of this topic, I am going to focus on one specific area of web security; we will discuss securing websites and apps from the perspective of an open source developer, and I will focus on the tools that can be used to secure Node.js. This is not an exhaustive guide to secure web development. Consider this blog a quick overview of the current security tools available to Node.js developers.  A good starting point is a brief discussion on injection theory. This article provides a more in-depth discussion if you are interested. The fundamental strategy for injection attacks is figuring out a way to modify a command on the server by manipulating unsecured data. Aclassic example is the SQL injection, in which SQL is injected through a form into the server in order to compromise the server’s database. Luckily, injection is a well-known infiltration strategy and there are many tools that help defend against it.  One method of injection compromises HTTP headers. A quick way to secure your Node.js project from this attack is through the use of the helmet module. The following code snippet shows how easy it is to start using helmet with the default settings:  var express = require('express') var helmet = require('helmet') var app = express() app.use(helmet()) Just the standard helmet settings should go a long way toward a more secure web app. By default, helmet will prevent clickjacking, remove the X-Powered-By header, keep clients from sniffing the MIME type, add some small cross-site scripting protections (XSS), and add other protections. For further defense against XSS, use of the sanitizer module is probably a good idea. The sanitizer module is relatively simple. It helps remove syntax from HTML documents that could allow for easy XSS.   Another form of injection attacks is the SQL injection. This attack consists of injecting SQL into the backend as a means of entry or destruction. The sqlmap project offers a tool that can test an app for SQL injection vulnerabilities. There are many tools like sqlmap, and I would recommend weaving a variety of automated vulnerability testing into your development pattern. One easy way to avoid SQL injection is the use of parameterized queries. The PostgreSQL database module supports parameterized queries as a guard against SQL injection.  A fundamental part of any secure website or app is the use of secure transmission via HTTPS. Accomplishing encryption for your Node.js app can be fairly easy, depending on how much money you feel like spending. In my experience, if you are already using a deployment service, such as Heroku, it may be worth the extra money to pay the deployment service for HTTPS protection. If you are categorically opposed to spending extra money on web development projects, Let’s Encrypt is a free and open way to supply your web app with browser-trusted HTTPS protection. Furthermore, Let’s Encrypt automates the process of using an SSL certificate. Let’s Encrypt is a growing project and is definitely worth checking out, if you haven’t already.  Once you have created or purchased a security certificate, Node’s onboard https can do the rest of the work for you. The following code shows how simply HTTPS can be added to a Node server once a certificate is procured:  // curl -k https://localhost:8000/ const https = require('https'); const fs = require('fs'); const options = {   key: fs.readFileSync('/agent2-key.pem'),   cert: fs.readFileSync('/agent2-cert.pem') }; https.createServer(options, (req, res) => { res.writeHead(200); res.end('hello securityn'); }).listen(8000); If you are feeling adventurous, the crypto Node module offers a suite of OpenSSL functions that you could use to create your own security protocols. These include hashes, HMAC authentication, ciphers, and others.  Internet security is often overlooked by hobbyists or up-and-coming developers. Instead of taking a back seat, securing a web app should be one of your highest priorities, especially as threats on the Web become greater with each passing day. As far as the topic of the blog post, what’s new and what’s not, most of what I have discussed is not new. This is in part due to the proliferation of social engineering as a means to compromise networks instead of technological methods. Most of the newest methods for protecting networks revolve around educating and monitoring authorized network users, instead of more traditional security activities. What is absolutely new (and exciting) is the introduction of Let’s Encrypt. Having access to free security certificates that are easily deployed will benefit individual developers and Internet users as a whole. HTTPS should become ubiquitous as Let’s Encrypt and other similar projects continue to grow.  As I said at the beginning of this blog, security is a broad topic. This blog has merely scratched the surface of ways to secure a Node.js app. I do hope, however, some of the information leads you in the right, safe direction.  About the Author Erik Kappelman is a transportation modeler for the Montana Department of Transportation. He is also the CEO of Duplovici, a technology consulting and web design company. 

Living in the digital age brings its own challenges. News of security breaches in well-known companies is becoming a normal thing. In the battle between those who want to secure the Internet and those who want to exploit its security vulnerabilities, here's a list of five significant security challenges that I think information security is/will be facing in 2017. Army of young developers Everyone's beloved celebrity is encouraging the population to learn how to code, and it's working. Learning to code is becoming easier every day. There are loads of apps and programs to help people learn to code. But not many of them care to teach how to write secure code. Security is usually left as an afterthought, an "advanced" topic to learn sometime in future. Even without the recent fame, software development is a lucrative career. It has attracted a lot of 9-to-5ers who just care about getting through the day and collecting their paycheck. This army of young developers who care little about the craft is most to blame when it comes to vulnerabilities in applications. It would astonish you to learn how many people simply don't care about the security of their applications. The pressure to ship and ever-slipping deadlines don't make it any better. Rise of the robots I mean IoT devices. Sorry, I couldn't resist the temptation. IoT devices are everywhere. "Internet of Things" they call it. As if Internet wasn't insecure enough already, it's on "things" now. Most of these things rarely have any concept of security. Your refrigerator can read your tweets, and so can your 13-year-old neighbor. We've already seen a lot of famous disclosures of cars getting hacked. It's one of the examples of how dangerous it can get. Routers and other such infrastructure devices are becoming smarter and smarter. The more power they get, the more lucrative they become for a hacker to attack them. Your computer may have a firewall and anti-virus and other fancy security software, but your router might not. Most people don't even change the default password for such devices. It's much easier for an attacker to simply control your means of connecting to the Internet than connecting to your device directly. On the other front, these devices can be (and have been) used as bots to launch attacks (like DDoS) elsewhere. Internet advertisements as malware The Internet economy is hugely dependent on advertisements. Advertisements is a big big business, but it is becoming uglier and uglier every day. As if tracking users all over the webs and breaching their privacy was not enough, advertisements are now used for spreading malware. Ads are very attractive to attackers as they can be used to distribute content on fully legitimate sites without actually compromising them. They've already been in the news for this very reason lately. So the Internet can potentially be used to do great damage. Mobile devices Mobile apps go everywhere you go. That cute little tap game you installed yesterday might result in the demise of your business. But that's just the tip of the iceberg. Android will hopefully add essential features to limit permissions granted to installed apps. New exploits are emerging everyday for vulnerabilities in mobile operating systems and even in the processor chips. Your company might have a secure network with every box checked, but what about the laptop and mobile device that Cindy brought in? Organizations need to be ever more careful about the electronic devices their employees bring into the premises, or use to connect to the company network. The house of security cards crumbles fast if attackers get access to the network through a legitimate medium. The weakest links If you follow the show Mr. Robot (you should, it's brilliant), you might remember a scene from the first Season when they plan to attack the "impenetrable" Steel Mountain. Quoting Elliot: Nothing is actually impenetrable. A place like this says it is, and it’s close, but people still built this place, and if you can hack the right person, all of a sudden you have a piece of powerful malware. People always make the best exploits. People are the weakest links in many technically secure setups. They're easiest to hack. Social engineering is the most common (and probably easiest) way to get access to an otherwise secure system. With the rise in advanced social engineering techniques, it is becoming crucial everyday to teach the employees how to detect and prevent such attacks. Even if your developers are writing secure code, it's doesn’t matter if the customer care representative just gives the password away or grants access to an attacker. Here's a video of how someone can break into your phone account with a simple call to your phone company. Once your phone account is gone, all your two-factor authentications (that depend on SMS-based OTPs) are worth nothing. About the author Charanjit Singh is a freelance JavaScript (React/Express) developer. Being an avid fan of functional programming, he’s on his way to take on Haskell/Purescript as his main professional languages.

We’re living in a world that’s more connected than we once ever thought possible. Even 10 years ago, the idea of our household appliances being connected to our Nokias was impossible to comprehend. But things have changed now and almost every week we seem to be seeing another day-to-day item now connected to the internet. Twitter accounts like @internetofShit are dedicated to pointing out every random item that is now connected to the internet; from smart wallets to video linked toothbrushes to DRM infused wine bottles, but the very real side to all the laughing and caution - For every connected device you connect to your network you’re giving attackers another potential hole to crawl through. This weekend, save 50% on some of our very best IoT titles - or, if ones not enough pick up any 5 features products for $50! Start exploring here. IoT security has simply not been given much attention by companies. Last year two security researchers managed to wirelessly hack into a Jeep Cherokee, first by taking control of the entertainment system and windshield wipers before moving on to disable the accelerator; just months earlier a security expert managed to take over and force a plane to fly sideways by making a single engine go into climb mode. In 2013 over 40 million credit card numbers were taken from US retailer Target after hackers managed to get into the network via the AC company that worked with the retailer. The reaction to these events was huge, along with the multitude of editorials wondering how this could happen… when security experts were wondering in turn how it took so long. The problem until recently was that the IoT was seen mostly as a curio – a phone apps that turns your light on or sets the kettle at the right time was seen as a quaint little toy to mess around with for a bit, it was hard for most to fully realize how it could tear a massive hole in your network security. Plus the speed of which these new gadgets are entering the market is becoming much faster, what used to take 3-4 years to reach the market is now taking a year or less to capitalize on the latest hype; Kickstarter projects by those new to business are being sent out into the world, homebrew is on the rise. To give an example of how this landscape could affect us the French technology institute Eurecom downloaded some 32,000 firmware images from potential IoT device manufacturers and discovered 38 vulnerabilities across 123 products. These products were found in at least 140K devices accessible over the internet. Now imagine what the total number of vulnerabilities across all IoT products on all networks is, the potential number is scarily huge. The wind is changing slowly. In October, the IoT Security Summit is taking place in Boston, with speakers from both the FBI and US Homeland Security playing prominent roles as Speakers. Experts are finally speaking up about the need to properly secure our interconnected devices. As the IoT becomes mainstream and interconnected devices become more affordable to the general public we need to do all we can to ensure that potential security cracks are filled as soon as possible; every new connection is a potential entrance for attackers to break in and many people simply have little to no knowledge of how to improve their computer security. While this will improve as time goes on companies and developers need to be proactive in their advancement of IoT security. Choosing not to do so will mean that the IoT will become less of a tech revolution and more of a failure left on the wayside.

What do Sys Admins and Security specialists need to get the best salary they can get in the world today? What skills are companies looking for their employees to have mastered? We interviewed over 2,000 sys admins and security specialists to see the latest trends so far this year for you to take advantage of. Which industries value admins the most hightly? Do Linux or Windows lead the way with superior tools? What role does Python have for the budding pentester in the community today? And what comes out on top – Puppet, Chef, Ansible, or Salt? With this animation on our Skill Up survey results you can get the answers you need and more! View the full report here: www.packtpub.com/skillup/sys-admin-salary-report

See the highlights from our comprehensive Skill Up IT industry salary reports, with data from over 20,000 IT professionals. Read on to discover which skills you should learn and which industry to get into to earn the big bucks! Download the full size infographic here.    

"The autopsy report details that the victim was wearing a Google Glass at the time of death." "So it looks like we're through the looking glass on this one!" "Be respectful detective, a man just died." CSI: Miami-esque exchange aside, the continual advancements made in wearable smart technologies, such as the Google Glass, smart watches, and other peripherals mean the expertise and versatility of professional analysts working in the digital forensics space will face ever greater challenges in the future. The original innovation of smartphones steepened the learning curve for forensic investigators and analysts, who have been required to adapt to the rapid development of mobile systems approaching the computing power and intelligence of desktop computers. Since then, this difficulty has only escalated with the constant iteration of new mobile hardware capabilities and updates to mobile operating systems. The velocity at which mobile technology updates makes it a nightmare for analysts to keep up to speed with system architectures (whether Android, iOS, Windows, or Blackberry) so they have the ability to forensically examine devices in a range of critical, sometimes criminal, investigations. That’s even before considering knock-off phones and those that may have been on the wrong end of a baseball bat. For forensic experts, the art of data extraction is an imperative one to master, as crucial evidence lies in the artefacts stored on devices, and encompasses common system files such as texts, emails, call logs, pictures, videos, web histories, passwords, PINs, and unlock patterns, but also less typical objects stored on third-party applications. Geolocation data, timestamps, and user accounts can all provide key evidence to working out the what, where, when, how, why for an investigation. "Perishable" or anonymous messaging services such as Snapchat and Whisper add another dimension to the discoverability of data that is intended to be temporary or anonymous (although Whisper has come under fire recently for storing confidential data, contrary to the application’s anonymity promise). In cases where app data has been "destroyed" or anonymised, forensic technicians need to extract deleted data through manual decoding and even piece together the evidence, Columbo-style, to unravel the perpetrators and the crime. The sophistication of numerous third-party applications and the types of data they are capable of storing adds a considerable degree of complexity and demands a lot in terms of forensic method and data analysis. Mobile forensics is a developing discipline, and with the rise of smart wearables, there is yet another dimension for analysts to get to grips with in the future. The smartwatch is still in the infancy stage of sophistication and adoption among consumers, but the impending release of the Apple Watch, along with the already available Samsung Gear and Pebble Steel ranges indicate that the market is going to expand in the next few years, and this makes it likely that smartwatches will become another addition in the digital (mobile) forensics space. The interesting kink in smartwatch technology is the paired interface they must share with phones, as the devices must effectively be synced in order to function, so that the watch receives notifications (texts, calls) pushed from the phone. The event logs stored on both devices when phone and watch interact may prove to be an important forensic artefact should they ever be the cause of investigation, and while right now, native apps on smartwatches are on the limited side (contacts, calendar, media, weather), greater sophistication in the realm of smartwatch apps cannot be far away. A hugely intriguing layer for mobile forensics is brought by the Google Glass and its array of functionalities, as once it eventually becomes globally available it will become an important device for analysts to understand how to image and pull apart. The Glass can be used for typical smartphone activities, such as sending messages, making calls, taking pictures, and social media interaction, but it's the ability to enable on-the-fly navigation and translation out in the real world, along with voice commanded Google search and access to real-time information updates through Google Now that make it particularly fascinating from a forensics standpoint. Even considering the familiarity experts will have with Android systems, the unique properties of the Glass in its use of voice commands and the search and geospatial information it collects will potentially provide crucial artefacts in investigations. Examiners will need to know how to pull voice command event logs and parse timeline data, recover deleted visual data, analyse GPS usage and locations, and even determine when in time a Glass was on or off. A student in digital forensics has even begun attempting to forensically examine the Glass. At this point in time, Glass wearers are those select few chosen for the Explorer beta program, but we should fully expect—when the device becomes completely publically available—for it to become popular enough for it to make another significant addition to the field of smart device forensics. Apparently Google Glass carriers are split into two camps—‘Explorers’ and ‘Glassholes’. Whatever the persuasion, forensic investigators may be required to look through a glass, darkly, sooner than they think.