SECFORCE is now CREST certified

Monday, July 25th, 2011

As part of the SECFORCE commitment to ensuring the provision of high quality services, SECFORCE has now achieved CREST certification. This will further complement the strong existing methodology and work of ethics.

SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe with the ability to demonstrate expertise and professionalism to ensure clients are totally satisfied.

CREST Penetration Testing

“CREST is a not for profit organisation which brings a demonstrable level of expertise and professionalism to security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST and those that do, like SECFORCE, have had to demonstrated the processes they utilise for testing are sound, they have adopted industry best practice in their approach to testing and they handle sensitive client information in an appropriate manner.”

Ian Glover, President of CREST

The addition of CREST certification will provide further reassurance and confidence to the many clients where SECFORCE has already built a strong working relationship.

“We are really pleased that CREST certification has been achieved and view this as an important step forward in the continue enhancement of our service delivery”

Rodrigo Marcos, Technical Services Director

For more information about our CREST assessments and discover how we can benefit your organization, please visit our CREST penetration testing page.

Tags: CREST, CREST security, penetration test, Penetration Testing, SECFORCE
Posted in CREST, Penetration Testing, SECFORCE | No Comments »

SECFORCE has co-authored the book “SQL Injection Attacks and Defense”

Tuesday, March 31st, 2009

SECFORCE has co-authored a book fully dedicated to SQL injection attacks and published by Syngess. This book targets developers, penetration testers and security professionals. It is entirely dedicated to SQL injection attacks and defense, and it is a standalone resource with all the necessary information about the topic.

SQL injection is one of the most devastating vulnerabilities affecting web applications. This book provides penetration testing professionals with all the necessary information to discover and exploit this kind of vulnerabilities.

Tags: book, penetration test, Penetration Testing, sql injection, SQL injection Attacks and Defense
Posted in Penetration Testing, SECFORCE, Security Books | No Comments »

Penetration testing - service or commodity

Monday, February 23rd, 2009

We face this kind of issue everyday. There are two different approaches to web application penetration tests:

• An increasingly number of companies are buying automatic web scanners, run them, generate some results and put them in a report-shaped tin, ready to go to the client. No human interaction with the application is needed.
• Some other companies allocate X numbers of days of a highly skilled consultant to assess the security of your web application. Among many other tests the consultant will also run automatic web scanners, but that is only scratching the surface of a real penetration test. The consultant will use all his/her experience to analyse many other factors of the application.

Penetration testing is all about assurance. In the first case the client will get some useful results, no doubt about it, but what level of assurance is it going to get? The report will cover the vulnerabilities discovered by XYZ software. Is that enough? I don’t think so, but that is for the client to decide. There is no question that the report will be incomplete and many issues will be missed.

In the second scenario the client can get the assurance that the results obtained were the work of a motivated attacker focused on the application security for X numbers of days. Is that enough? Again, it is up to the client to decide but in my opinion it gets so much closer to an acceptable assurance level.

It all depends on what do you want to be protected against. The decision in yours.

Tags: information security assurance, penetest, penetration test, Penetration Testing
Posted in Penetration Testing, Risk Management | 1 Comment »

Advantages of penetration testing

Wednesday, January 7th, 2009

Many times we are asked, what are the advantages of penetration testing? why should I conduct a penetration test in my business?

If you find yourself wondering whether or not you should conduct a penetration test, then you should try to answer these questions:

1. Is my system secure?

2. How do I know it is secure?

3. What are the consequences if someone breaks into it?

We often hear people answering these questions saying “Yes, it is secure because it was designed with security in mind”. However one can argue that penetration testing doesn’t test the design of your solution, but the real implementation of it.

We have found many good designs poorly implemented. Too many times the theory is too distant to the real thing.

You may also answer “I don’t know if it is secure or not, but I guess no one is going to attempt breaking into it”. There are many different motivations for attacking a system and the only way of ensuring that the security of your system is not going to be compromised is by securing it.

The advantage of penetration testing is that it gives you very accurate information about the real security posture of your system.

Only if you answered “None” to the third question you should not consider investing your resources in a penetration test.

Tags: advantages, penetration test, Penetration Testing, system security
Posted in Penetration Testing | No Comments »

FTP bounce network scan - My printers are scanning my network

Wednesday, December 24th, 2008

Some time ago we were performing an internal penetration test an we identified a Canon iR C2880 printer within the IP range in the scope of testing. Printers is the kind of device that a penetration tester tend to dismiss as they don’t look very attractive from the attacker’s perspective.

It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.

It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.

The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by attacker to network scan other hosts on your network, as shown in the next diagram:

Why an attacker would want to do that? Well, there might be several reasons:

- The target host is not reachable from the network segment the attacker is connected but it is from the printer.
- The target host is reachable but there is a firewall filtering some of the traffic whereas the printer has full connectivity to it.
- The attacker wants to remain stealth and conduct the scans only using FTP connections to the printer without triggering any alarm from potential IDS systems.

This is an example of how the sniffed network traffic would look during an FTP bounce scan:

The network traffic screenshot shows that the attacker is using the printer as a bounce host and the only traffic exchanged is FTP based.

As you can see, IT security and penetration testing is about identifying every issue in your infrastructure and exploiting the weakest link.

Tags: FTP bounce scan, ftp port command, internal penetration test, internal penetration testing, network scan, penetration test, printer security
Posted in Penetration Testing | No Comments »

why penetration test? firewall is not secure enough?

Tuesday, December 9th, 2008

A few days ago someone visited our website after searching in Google “why penetration test? firewall is not secure enough?“. We are going to dedicate this post just to that topic.

A firewall is a device connected to two different networks and with a number of rules which determine what traffic goes from one network to the other and vice versa. That simple. For example, a recommended configuration for a firewall protecting a web server is to filter all inbound and outbound network traffic by default, allowing only inbound traffic to your web server port (TCP/80).

Firewall protecting web server at the network layer

No doubts this is a good configuration which will protect the web server from many attacks. The firewall will filter network access to many services, but the question is “why penetration test? firewall is not secure enough?”. Well, the answer is “no”, with just a firewall the above environment is not secure enough. A firewall is always going to allow some traffic, otherwise it would be better removing the firewall and having both networks disconnected.

In the configuration above the firewall allows connectivity to the web server, therefore an attacker targeting the website will have full network access to it. The firewall will do very little to protect the web application.

So back to the question, “why penetration testing?”. Penetration testing is a method of assessing the security of a system or network by emulating a real attack scenario whereby a security consultant assumes the role of a motivated but non destructive ‘hacker’. In the scenario above a penetration test will highlight any misconfiguration on the firewall and, what it’s more important in this case, will identify any vulnerability affecting your website which could be exploited by remote attackers.

In summary, a firewall is a great security tool which can protect your infrastructure from some threats, but they certainly can not protect you from everything. Additially, penetration testing can be beneficial to assure that your systems and applications are secure.

Tags: firewall, penetration test, Penetration Testing, web server security
Posted in Penetration Testing | No Comments »

Black box penetration testing vs white box penetration testing

Monday, November 3rd, 2008

One of the common questions that we get from our clients is about the differences between a black box penetration test and a white box penetration test.

White box testing, also known as clear box testing or glass box testing, is a penetration testing approach that uses the knowledge of the internals of the target system to elaborate the test cases. In application penetration tests the source code of the application is usually provided along with design information, interviews with developers/analysts, etc. In infrastructure penetration tests network maps, infrastructure details, etc. are provided. The goal of a white box penetration test is to provide as much information as possible to the penetration tester so that he/she can gain insight understanding of the system and elaborate the test based on it.

White box penetration testing has some clear benefits:

• Deep and thorough testing
• Maximizes testing time
• Extends the testing area where black box testing can not reach (such as quality of code, application design, etc.)

However, there are also some disadvantages:

• Non realistic attack, as the penetration tester is not in the same position as an non-informed potential attacker

A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system.

The benefits of this type of attack are:

• It simulates a very realistic scenario

The disadvantages of a black box penetration test are:

• Testing time can not be maximised in certain scenarios
• Some areas of the infrastructure might remain untested

When commissioning a penetration test, there is no right/wrong decision about white box or black box, it really depends on the scenario that needs to be tested.

Tags: black box, penetration test, Penetration Testing, white box
Posted in Penetration Testing | 1 Comment »