Take control

over ERP with

Xpandion’s complete
suite of products
Rapid implementation process No SAP® expertise needed Simple web-based control

Installed externally to SAP and other monitored Optimize SAP licenses

systems, ProfileTailor Dynamics suite is up and Save up to 50% in license usage!
running within days, delivering immediate results
Manage all systems from centralized point
alongside ongoing monitoring and alerting support.
Save on valuable resources
Based on Xpandion’s unique behavioral-profiling
technology, ProfileTailor Dynamics learns Enhance SAP security
actual system consumption, providing maximum Save over 15% on total maintenance fees!
security and management efficiency while
Achieve 360° real-time view of authorizations
significantly reducing IT asset management costs.
Detect sensitive activities and react instantly

Control GRC
Cut GRC expenses by 30-50%!
Request Demo
Proactively prevent fraud

Minimize business risk

SAP® is a registered trademark of SAP AG info@xpandion.com

in Germany and in several other countries. www.xpandion.com
Tel +1-800-707-5144
 PRACTICAL PROTECTION IT SECURITY MAGAZINE

Dear Hakin9

team
Editor in Chief: Krzysztof Samborski
krzysztof.samborski@hakin9.org
Editorial Advisory Board: John Webb, Marco Hermans,
Gareth Watters
Proofreaders: Jeff Smith, Krzysztof Samborski
Special thanks to our Beta testers and Proofreaders who
helped us with this issue. Our magazine would not exist
without your assistance and expertise.
Publisher: Paweł Marciniak
T his edition of Hakin9 Open may be the last one as far as its
content is concerned. The following issues of Open will be
also free and accessible to everybody but, instead of publish-
ing one issue with a bunch of articles on various topics, we are
going to publish many Opens. With every forthcoming issue of
Hakin9 Magazine we will publish its Open which will consist in
a few articles from the paid edition of the issue under the same
topic. You had the chance to spot this method with Metasploit
Tutorials – A Compendium that had its Open published ear-
lier this month. We hope that these publications will contribute
to your interest in our expanded editions of a topic covered in
Opens.

CEO: Ewa Dudzic Hakin9 Open as you know, with many articles on various
ewa.dudzic.@hakin9.org
topics, will be published from time to time, as an additional
Production Director: Andrzej Kuca source of information.
andrzej.kuca@hakin9.org

Art. Director: Ireneusz Pogroszewski If you want to voice your opinion on our editions, please feel
ireneusz.pogroszewski@hakin9.org free to send your messages to en@hakin9.org
DTP: Ireneusz Pogroszewski
Regards,
Marketing Director: Krzysztof Samborski
krzysztof.samborski@hakin9.org
Krzysztof Samborski,
Hakin9 Product Manager
Publisher: Hakin9 Media Sp. z o.o. SK and Hakin9 team
02-676 Warszawa, ul Postępu 17D
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the

highest quality of the magazine, the editors make no
warranty, expressed or implied, concerning the results
of the content’s usage. All trademarks presented in the
magazine were used for informative purposes only.

All rights to trade marks presented in the magazine

are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our
articles may only be used in private,
local networks. The editors hold no
responsibility for misuse of the presented
techniques or consequent data loss.

4 03/2013

How to Detect System Intrusions 06
By Almantas Kakarenka
First things first, detecting system intrusion its not the
same as Intrusion Detection System/Intrusion Preven-
tion System (IDS/IPS). We want to detect system intru-
sion once attackers passed all defensive technologies
in the company, such as IDS/IPS mentioned above, full
packet capture devices with analysts behind them, fire-
walls, physical security guards, and all other preventive
technologies and techniques.
Fault Tolerant Network Design 20
By Casey Walters
Whether you’re building a brand new network or looking
for ways to improve the resiliency of your existing infra-
structure, the following guide is intended to give some
tips on how to minimize the effects of failures within the
network.
Experimenting
with dynamic programming in C# 24
By Claudio Varini
Dynamic programming is a concept that is becoming
increasingly popular mostly thanks to widespread pro-
gramming languages such as Python and Javascript.
The C# language from version 4.0 supports dynamic
programming. In this article we show some examples
of dynamic programming in C# and when it can make
sense to use it.
An interview with Anthony
Giallombardo, the founder of
Mafia Security 30
By Krzysztof Samborski
My name is Anthony Giallombardo and I am the owner
of Mafia Security. I am an Information Security Enthusi-
ast belonging to ISSA, Internet Society, and various local
user groups in Grand Rapids Michigan. I am finishing my
bachelors degree at Davenport University, NSA Informa-
tion Assurance Center of Excellence, in Grand Rapids,
MI dual majoring in Information and Network Security.
An Interview with Eran Sagi
– Corporate VP Marketing, the
representative of TADIRAN Company 32
By Ewa Dudzic
Mr. Sagi has over 15 years experience in the Telecom-
munications Industry. Mr. Sagi joined Tadiran in May 2012
www.hakin9.org/en
CONTENTS
as a VP of Marketing, responsible for the company’s glob-
al marketing and Go-to-Market activities. Prior to that Mr.
Sagi worked at NICE Systems Ltd. (both in the UK & Isra-
el) where he accrued various executive positions such as
the Director of Business Development & Product Manage-
ment and head of EMEA Customer Services.
Tool Time: SecureBrowsing 36
By Mervyn Heng, CISSP
The Internet is a dangerous place to venture because
it is rife with websites hosting malware and malicious
code deployed o compromise your systems. How do
you thwart hackers from fulfilling their insidious objec-
tives? Mervyn responds to this question.
Femtocell Attacks
and Countermeasures 38
By Nitin Goplani
“Coverage” is a key term for all telecom operators. Provid-
ing coverage is always a challenge for them. Day by day
mobile users are increasing and because of this growth
mobile operators are very constraint for bandwidth. That’s
why we are facing coverage problem and sometimes un-
able to connect to mobile users in emergency. The con-
cept behind this problem is known as cell splitting.
Social Engineering: The Single Greatest
Threat to Organizational Security 42
By Terrance J. Stachowski, CISSP, L|PT
This paper examines how social engineering attacks
take advantage of normal human behavior and dem-
onstrates the real and present threat that this type of
dishonest attack poses. Historical data extracted from
Kevin Mitnick’s case, and the “DEFCON 18 Social En-
gineering Capture-the-Flag (CTF) – How Strong is Your
Schmooze” results will be utilized to build this case
study. Additionally, this paper will investigate what orga-
nizations can do to diminish this threat.
Your Security Program Is Failing:
What You Can Do To Save It 48
By Terrance J. Stachowski, CISSP, L|PT
Developing and maintaining a successful security pro-
gram, regardless of size, can be a monumental under-
taking. If you’ve found yourself in the middle of a failing
security program, you’re not alone, but take heart, all
may not be lost. This article examines some of the com-
mon issues security programs face, and provides solu-
tions on how to get things moving in the right direction.
5
 How To Detect System
Intrusions
An overlook into different techniques and tactics
on detecting system intrusions. One character in
the output may be the only difference between
clean and compromised box.
What you will learn...
• How and where to look for intrusion artifacts
• How typical compromises happen
• How to defend
F
irst things first, detecting system intrusion
its not the same as Intrusion Detection Sys-
tem/Intrusion Prevention System (IDS/IPS).
We want to detect system intrusion once attackers
passed all defensive technologies in the company,
such as IDS/IPS mentioned above, full packet cap-
ture devices with analysts behind them, firewalls,
physical security guards, and all other preventive
technologies and techniques.
Many preventing technologies are using black-
listing [1] most of the time, and thus that’s why they
fail. Blacklisting is allowing everything by default,
and forbidding something that is considered to be
malicious. So for attacker it is a challenge to find
yet another way to bypass the filter. It is so much
harder to circumvent a whitelisting system.
Monitoring Key Files In The System
What are key files on the server? In Linux machine it
will be /etc/passwd, /etc/shadow just to mention a few.
Lets take a look at example of /etc/shadow file:
Listing 1.
What is wrong whit it? If you take a look at users
list in this file you will notice that apache user has
a hash value to it. Typically apache service never
has any hash associated to it. If there is a hash
for a use in this file that means this user has a
password associated with it and is able to login via
SSH. What happen here is hacker made a brand
6 03/2013
What you should know...
• Reader should have some experience in OS administration
• Reader should understand basic InfoSec principles
new account and is trying to masquerade with a
valid system user/process.
One of the ways to monitor changes in the file
system is to implement LoggedFS. This particular
file system logs everything that happens on inside
the files system. It is easily configurable via XML
files to fit your needs [2].
Example of LoggedFS configuration file: Listing 2.
This configuration can be used to log everything
except it if concerns a *.bak file, or if the uid is
1000, or if the operation is getattr.
Files Integrity
File integrity monitoring (FIM) is an internal con-
trol or process that performs the act of validating
the integrity of operating system and application
software files using a verification method be-
tween the current file state and the known, good
baseline. This comparison method often involves
calculating a known cryptographic checksum of
the file’s original baseline and comparing with the
calculated checksum of the current state of the
file. Other file attributes can also be used to moni-
tor integrity.
Generally, the act of performing file integrity mon-
itoring is automated using internal controls such as
an application or process. Such monitoring can be
performed randomly, at a defined polling interval,
or in real-time.
 How to Detect System Intrusions

Security Objectives • CimTrak

Changes to configurations, files, and file attributes
across the IT infrastructure are common, but hid-
den within a large volume of daily changes can be
the few that impact file or configuration integrity.
These changes can also reduce security posture
and in some cases may be leading indicators of a
breach in progress. Values monitored for unexpect-
ed changes to files or configuration items include:
• Credentials
• Privileges and Security Settings
• Content
• Core attributes and size
• Hash values
• Configuration values [3].
Many open-source and commercial software
products are available that perform file integrity
monitoring:
• OSSEC
• Samhain
• Tripwire
• Qualys
• nCircle
• Verisys
• AIDE [4].
nCircle file integrity monitor panel is in Figure 1.
There is Something Very Wrong Here
One bit or one symbol in the output may make the
difference between war and peace, friend and foe,
compromised and clean system. Lets take a look
at example below, what is very wrong in the Figure
2 screenshot? For those who don’t see the wrong
symbol here I will give you a hint. ls is a command
to list files in directory, switch –h is for listing output
in human readable format, i.e. megabytes will be

Listing 1. Example of /etc/shadow file

# cat /etc/shadow

root:$6$OFny79f/$LC5hcqZXNYKachPKheRh5WkeTpa/zO3y8OX3EUHrFkrFQAdLUTKwGjLPSdZ9uhwJQ9GmChLvbhPRbPw7l-
DTg90:15231:0:99999:7:::
daemon:x:15204:0:99999:7:::
bin:x:15204:0:99999:7:::
sys:x:15204:0:99999:7:::
www-data:15204:0:99999:7:::
<snip>
pulse:*:15204:0:99999:7:::
rtkit:*:15204:0:99999:7:::
festival:*:15204:0:99999:7:::
postgres:!:15204:0:99999:7:::
apache:$6$LqrWIgqp$jdq1exB2GiBFgLL9kDlDkks30azWBJ1/mDU.to84mHn6nmzUzV7iHiMXK7rVm8.plMmaNKg9Yyu7ry-
w00r5VX.:15452:0:99999:7:::

Listing 2. Example of LoggedFS configuration file

<?xml version=”1.0” encoding=”UTF-8”?>

<loggedFS logEnabled=”true” printProcessName=”true”>

<includes>
<include extension=”.*” uid=”*” action=”.*” retname=”.*”/>
</includes>
<excludes>
<exclude extension=”.*\.bak$” uid=”*” action=”.*” retname=”SUCCESS”/>
<exclude extension=”.*” uid=”1000” action=”.*” retname=”FAILURE”/>
<exclude extension=”.*” uid=”*” action=”getattr” retname=”.*”/>
</excludes>
</loggedFS>

www.hakin9.org/en 7
 megabytes and gigabytes will be gigabytes, not 1
073 741 824 bytes. Switch –l makes a list of files,
once again to be easier readable by humans. Now
we are coming to the main piece of information
here, switch –a output will include directory entries
whose names begin with a dot (.). A common hack-
er’s technique is to hide within legit file names, or
within somewhat legit names. In this case hacker
has a directory on the system, which is named ‘. ‘
and this is the main issue here. In usual output you
should see 1 single dotted directory, in this case
we see 2 single dotted directories and it should
Figure 1. nCircle file integrity monitor panel
Figure 2. What is wrong in the figure?
Figure 3. An example of additional account DBNET
8 03/2013
pop big red flags in your head. We change to this
hidden directory by issuing command cd ‘. ‘. Just
make sure there is a space after dot.
So that’s why we want to use ls –hal with switch
‘a’ all the time, because we want to see hidden di-
rectories and hidden files. It is pretty common to
have these hidden directories in well known plac-
es, such as /root, /var/www, /home and others.
Additional Accounts On The System
Every account on the system should be accounted
for. If there are accounts that nobody knows what
they belong to that may mean system is compro-
mised. Sometimes IT admins forget to disable old
accounts for people who have left company, some
of these accounts may be active for months and
even years. This is unnecessary risk being intro-
duced by poor IT administrators’ management. A
good practice is to disable employee’s account
before exit interview. After compromise hackers
make new account on the server and try to mimic
some legit accounts that should exist. An example
of additional account DBNET is in Figure 3.
Time Stamps
A timestamp is a sequence of characters or encoded
information identifying when a certain event occurred,
usually giving date and time of day, sometimes accu-
rate to a small fraction of a second. The term derives
from rubber stamps used in offices to stamp the cur-
rent date, and sometimes time, in ink on paper docu-
ments, to record when the document was received. A
common example of this type of timestamp is a post-
mark on a letter. However, in modern times usage
of the term has expanded to refer to digital date and
time information attached to digital data. For exam-
ple, computer files contain timestamps that tell when
 How to Detect System Intrusions
the file was last modified, and digital cameras add
timestamps to the pictures they take, recording the
date and time the picture was taken.
A timestamp is the time at which an event is re-
corded by a computer, not the time of the event
itself. In many cases, the difference may be incon-
sequential: the time at which an event is recorded
by a timestamp (e.g., entered into a log file) should
be close to the time of the event.
The sequential numbering of events is some-
times called time stamping.
This data is usually presented in a consistent for-
mat, allowing for easy comparison of two different
records and tracking progress over time; the prac-
tice of recording timestamps in a consistent manner
along with the actual data is called time stamping.
Timestamps are typically used for logging events or
in a sequence of events (SOE), in which case each
event in the log or SOE is marked with a time stamp.
In file systems, times tamp may mean the stored
date/time of creation or modification of a file [5].
Lets say you have a lot of folders and executable
files in C:/Windows/System32 directory, all of them
pretty much match OS installation date and time,
but there is one folder which does not match OS
installation time. Could there be a problem? This
executable might be just some additional software
installed later on the system, or it also might be
malware hiding in this directory. Windows malware
just loves this folder! Folder was modified in differ-
ent month than all others in Figure 4.
Hidden Files and Directories
A hidden file is a file that is not normally visible
when examining the contents of the directory in
which it resides. Likewise, a hidden directory is a
directory that is normally invisible when examining
the contents of the directory in which it resides.
Figure 4. Modified folder
www.hakin9.org/en
A file is a named collection of related information
that appears to the user as a single, contiguous block
of data and that is retained in storage. Storage refers
to computer devices or media that can retain data
for relatively long periods of time (e.g., years or de-
cades), such as hard disk drives (HDDs), CDROMs
and magnetic tape; this contrasts with memory, which
retains data only as long as the data is in use or the
memory is connected to a power supply.
A directory (also sometimes referred to as a fold-
er) can be conveniently viewed as a container for
files and other directories. In Linux and other Unix-
like operating systems, a directory is merely a spe-
cial type of file that associates file names with a
collection of metadata (i.e., data about the files).
Likewise, a link is a special type of file that points
to another file (which can be a directory). Thus, it
is somewhat redundant to use phrases such as
hidden files and directories; however, they are de-
scriptive and convenient, and thus they are fre-
quently used. More precise terms are hidden file
system objects and hidden items.
Hidden items on Unix-like operating systems are
easily distinguishable from regular (i.e., non-hid-
den) items because their names are prefixed by a
period (i.e., a dot). In Unix-like operating systems,
periods can appear anywhere within the name of a
file, directory or link, and they can appear as many
times as desired. However, usually, the only time
that they have special significance is when used to
indicate a hidden file or directory.
In the Microsoft Windows operating systems,
whether a file system object is hidden or not is
an attribute of the item, along with such things as
whether the file is read-only and a system file (i.e.,
a file that is critical to the operation of the operating
system). Changing the visibility of such items is ac-
complished using a multi-step procedure.
Unix-like operating systems provide a larger set
of attributes for file system objects than do the Mi-
crosoft Windows operating systems, including a
system of permissions, which control which user(s)
have access to each such object for reading, writ-
ing and executing. However, whether objects are
hidden or not is not among the attributes. Rath-
er, it is merely a superficial property that is easily
changed by adding or removing a period from the
beginning of the object name.
Many operating systems and application pro-
grams routinely hide objects in order to reduce the
chances of users accidentally damaging or delet-
ing critical system and configuration files. Hiding
objects can also be useful for reducing visual clut-
ter in directories, and thereby making it easier for
users to locate desired files and subdirectories.
9
 Another reason to hide file system objects is to
make them invisible to casual snoopers. Although
it is a very simple matter to make hidden files and
directories visible, the great majority of computer
users are not even aware that such files and direc-
tories exist (nor need they be) [6].
0 Day Attacks
About 90 percent of all successful compromises
are made via known flaws, so 0day attacks are not
that common. A zero-day attack or threat is an at-
tack that exploits a previously unknown vulnera-
bility in a computer application, meaning that the
attack occurs on “day zero” of awareness of the
vulnerability. This means that the developers have
had zero days to address and patch the vulner-
ability. 0day exploits (actual software that uses a
security hole to carry out an attack) are used or
shared by attackers before the developer of the
target software knows about the vulnerability.
Attack Vectors
Malware writers are able to exploit zero-day vulnera-
bilities through several different attack vectors. Web
browsers are a particular target because of their
widespread distribution and usage. Attackers can
also send e-mail attachments, which exploit vulner-
abilities in the application opening the attachment.
Exploits that take advantage of common file types
are listed in databases like US-CERT. Malware can
be engineered to take advantage of these file type
exploits to compromise attacked systems or steal
confidential data such as banking passwords and
personal identity information.
Vulnerability Window
Zero-day attacks occur during the vulnerability win-
dow that exists in the time between when vulnera-
bility is first exploited and when software developers
start to develop and publish a counter to that threat.
For viruses, Trojans and other zero-day attacks, the
vulnerability window typically follows this time line:
• The developer creates software containing an
unknown vulnerability
• The attacker finds the vulnerability before the
developer does
• The attacker writes and distributes an exploit
while the vulnerability is not known to the de-
veloper
• The developer becomes aware of the vulnera-
bility and starts developing a fix.
Measuring the length of the vulnerability window
can be difficult, as attackers do not announce
10
when the vulnerability was first discovered. Devel-
opers may not want to distribute data for commer-
cial or security reasons. Developers also may not
know if the vulnerability is being exploited when
they fix it, and so may not record the vulnerabili-
ty as a zero-day attack. However, it can be easily
shown that this window can be several years long.
For example in 2008 Microsoft confirmed vulner-
ability in Internet Explorer, which affected some
versions that were released in 2001. The date the
vulnerability was first found by an attacker is not
known; however, the vulnerability window in this
case could have been up to 7 years.
Discovery
A special type of vulnerability management pro-
cess focuses on finding and eliminating zero-day
weaknesses. This unknown vulnerability manage-
ment lifecycle is a security and quality assurance
process that aims to ensure the security and ro-
bustness of both in-house and third party software
products by finding and fixing unknown (zero-day)
vulnerabilities. The unknown vulnerability man-
agement process consists of four phases: analyze,
test, report and mitigate.
• Analyze: this phase focuses on attack surface
analysis
• Test: this phase focuses on fuzz testing the
identified attack vectors
• Report: this phase focuses on reproduction of
the found issues to developers
• Mitigate: this phase looks at protective mea-
sures explained below
Protection
Zero-day protection is the ability to provide protec-
tion against zero-day exploits. Zero-day attacks can
also remain undetected after they are launched.
Many techniques exist to limit the effectiveness of
zero-day memory corruption vulnerabilities, such as
buffer overflows. These protection mechanisms ex-
ist in contemporary operating systems such as Win-
dows 7, Microsoft Windows Vista, Apple’s Mac OS
X, recent Oracle Solaris, Linux and possibly other
Unix and Unix-like environments; Microsoft Win-
dows XP Service Pack 2 includes limited protection
against generic memory corruption vulnerabilities.
Desktop and server protection software also exists
to mitigate zero day buffer overflow vulnerabilities.
“Multiple layers” provides service-agnostic protec-
tion and is the first line of defense should an exploit in
any one layer be discovered. An example of this for a
particular service is implementing access control lists
in the service itself, restricting network access to it via
03/2013
 How to Detect System Intrusions
local server firewalling (i.e., IP tables), and then pro-
tecting the entire network with a hardware firewall. All
three layers provide redundant protection in case a
compromise in any one of them occurs.
The use of port knocking or single packet au-
thorization daemons may provide effective protec-
tion against zero-day exploits in network services.
However these techniques are not suitable for en-
vironments with a large number of users.
Whitelisting effectively protects against zero day
threats. Whitelisting will only allow known good
applications to access a system and so any new
or unknown exploits are not allowed access. Al-
though whitelisting is effective against zero-day at-
tacks, an application “known” to be good can in
fact have vulnerabilities that were missed in test-
ing. To bolster its protection capability, it is often
combined with other methods of protection such
as host-based intrusion-prevention system or a
blacklist of virus definitions, and it can sometimes
be quite restrictive to the user.
Keeping the computer’s software up-to-date is
very important as well and it does help.
Users need to be careful when clicking on links or
opening email attachments with images or PDF files
from unknown users. This is how many cyber crimi-
nals deceive users, by pretending they are some-
thing they are not and gaining the user’s trust.
Utilize sites with Secure Socket Layer (SSL),
which secures the information being passed be-
tween the user and the visited site.
Ethics
Differing views surround the collection and use of
zero-day vulnerability information. Many comput-
er security vendors perform research on zero-day
vulnerabilities in order to better understand the na-
ture of vulnerabilities and their exploitation by indi-
viduals, computer worms and viruses. Alternatively,
some vendors purchase vulnerabilities to augment
their research capacity. While selling and buying
these vulnerabilities is not technically illegal in most
Figure 5. Monitoring running processes in the system
www.hakin9.org/en
parts of the world, there is much controversy over
the method of disclosure. A recent German deci-
sion to include Article 6 of the Convention on Cyber-
crime and the EU Framework Decision on Attacks
against Information Systems may make selling or
even manufacturing vulnerabilities illegal.
Most formal efforts follow some form of disclo-
sure guidelines or the more recent OIS Guidelines
for Security Vulnerability Reporting and Response.
In general these rules forbid the public disclosure
of vulnerabilities without notification to the devel-
oper and adequate time to produce a patch [7].
Good Known State
When attackers compromise a system, what is the
very first thing they do? They install different back-
doors, and as many as possible. So, if some back-
door was found on the system and it was deleted,
it does not mean the system is clean. It is much
safer to restore the system to a good known state;
typically it is done via OS re-installation. Big com-
panies typically have a gold image for their sys-
tems. They use gold image to quickly wipe any
infected machine and reinstall OS with all its up-
dates, and software at once. On Linux systems the
software called System Imager is capable of doing
many Linux installations at once.
System Imager is software that makes the instal-
lation of Linux to masses of similar machines rela-
tively easy. It makes software distribution, config-
uration, and operating system updates easy, and
can also be used for content distribution [8].
Monitoring Running Processes In The
System
What is wrong on the running process list in the
following Linux system in Figure 5? Process ./httpd
Figure 6. Files with weird names
11
 should catch a security professional eye. Dot slash
at the beginning indicates it was launched locally
from the directory. Processes on the servers typical-
ly are not launched locally from their directories. At-
tacker has launched a process and is trying to hide
by renaming his software to legit looking software
typically found on the server.
Files With Weird Names
Malware frequently make files with weird looking
file names, and example in Windows system is in
Figure 6. We see some file kj4hkj4hl4kkl4hj.exe is
running in the memory. This should be a first indi-
cator something funky is going on in the system.
Windows updates create random named temporary
folders and should not be confused with malware.
Rootkits
A rootkit is a stealthy type of malicious software
designed to hide the existence of certain process-
es or programs from normal methods of detection
and enable continued privileged access to a com-
puter. The term rootkit is a concatenation of “root”
(the traditional name of the privileged account on
Unix operating systems) and the word “kit” (which
refers to the software components that implement
the tool). The term “rootkit” has negative connota-
tions through its association with malware.
Rootkit installation can be automated, or an at-
tacker can install it once they’ve obtained root or
Administrator access. Obtaining this access is ei-
ther a result of direct attack on a system (i.e. ex-
ploiting a known vulnerability, password (either by
cracking, privilege escalation, or social engineer-
ing)). Once installed it becomes possible to hide
the intrusion as well as to maintain privileged ac-
cess. Like any software they can have a good pur-
pose or a malicious purpose. The key is the root/
administrator access. Full control over a system
means that existing software can be modified, in-
cluding software that might otherwise be used to
detect or circumvent it.
Rootkit detection is difficult because a root-
kit may be able to subvert the software that is in-
tended to find it. Detection methods include using
an alternative and trusted operating system, be-
havioral-based methods, signature scanning, dif-
ference scanning, and memory dump analysis.
Removal can be complicated or practically impos-
sible, especially in cases where the rootkit resides
in the kernel; reinstallation of the operating sys-
tem may be the only available solution to the prob-
lem. When dealing with firmware rootkits, removal
may require hardware replacement, or specialized
equipment. [9]
12
Karnel Level Rootkits
Kernel-mode rootkits run with the highest operat-
ing system privileges (Ring 0) by adding code or
replacing portions of the core operating system,
including both the kernel and associated device
drivers. Most operating systems support kernel-
mode device drivers, which execute with the same
privileges as the operating system itself. As such,
many kernel-mode rootkits are developed as de-
vice drivers or loadable modules, such as loadable
kernel modules in Linux or device drivers in Micro-
soft Windows. This class of rootkit has unrestricted
security access, but is more difficult to write. The
complexity makes bugs common, and any bugs in
code operating at the kernel level may seriously
impact system stability, leading to discovery of the
rootkit. One of the first widely known kernel rootkits
was developed for Windows NT 4.0 and released
in Phrack magazine in 1999 [10].
Kernel rootkits can be especially difficult to detect
and remove because they operate at the same se-
curity level as the operating system itself, and are
thus able to intercept or subvert the most trusted
operating system operations. Any software, such
as antivirus software, running on the compromised
system is equally vulnerable. In this situation, no
part of the system can be trusted.
A rootkit can modify data structures in the Windows
kernel using a method known as direct kernel object
modification (DKOM). This method can hook ker-
nel functions in the System Service Descriptor Table
(SSDT), or modify the gates between user mode and
kernel mode, in order to cloak itself. Similarly for the
Linux operating system, a rootkit can modify the sys-
tem call table to subvert kernel functionality. It’s not
uncommon for a rootkit to create a hidden, encrypted
file system in which it can hide other malware or origi-
nal copies of files it has infected.
Operating systems are evolving to counter the
threat of kernel-mode rootkits. For example, 64-
bit editions of Microsoft Windows now implement
mandatory signing of all kernel-level drivers in or-
der to make it more difficult for untrusted code to
execute with the highest privileges in a system.
Userland Rootkits
User-mode rootkits run in ring 3, along with other
applications as user, rather than low-level system
processes. They have a number of possible instal-
lation vectors to intercept and modify the standard
behavior of application programming interfaces
(APIs). Some inject a dynamically linked library
(such as a .dll file on Windows, or a .dylib file on
Mac OS X) into other processes, and are thereby
able to execute inside any target process to spoof
03/2013
 How to Detect System Intrusions
it; others with sufficient privileges simply overwrite
the memory of a target application. Injection mech-
anisms include:
• Use of vendor-supplied application extensions.
For example, Windows Explorer has public in-
terfaces that allow third parties to extend its
functionality
• Interception of messages
• Debuggers
• Exploitation of security vulnerabilities
• Function hooking or patching of commonly
used APIs, for example, to mask a running pro-
cess or file that resides on a file system.
Rootkit Detection
There are a lot of software for rootkit searches
meant to be run on live system. One of many ex-
amples would be software called “rootkit hunter” in
Figure 7 [11].
Low Hanging Fruit
Do you have to run faster than bear? Not neces-
sarily, you just have to be running faster than your
friend, so he will be eaten and not you. Do your sys-
tems have to be as secure as Pentagon computers
with myriad of controls? Not necessarily, your sys-
tem have to be more secure than your neighbor’s
and hopefully you will avoid trouble. Some other
techniques to deter intrusions:
• Deterring intrusions by snow flaking (no two
snowflakes are the same, so it takes more
time to analyze particular system in order
to gain access. Making them useless to be
scanned with automatic tools). Example would
be to move SSH port from default TCP/22 to
TCP/31234. Some determined hacker will find
it out pretty soon, but it will be an extra step for
a script kiddie.
Figure 7. “rootkit hunter”
www.hakin9.org/en
• Low hanging fruit is attacked most of the time,
simply ignoring pings to the host will deter
some hackers, as there are many more sys-
tems that reply to ping and it takes much less
time to detect those live IPs and scan them for
vulnerabilities [12].
Antivirus Software
The biggest fear for malware is antivirus engine on
the system. Antivirus can detect attack, but it might
be too late already. AV is based on signatures in
the files. Hackers bypass signature detection by
encrypting their executables in unique ways. Every
executable is encrypted in unique way and AV en-
gines are always losing by being late into the game
of detection. If your AV engine fires – that means
malware managed to slip by your IDS/IPS solution
into the network and/or system.
Homegrown Intrusion Detection
In order to defeat a hacker you have to think as
a hacker. Lets take a look what is a robots.txt file
in web server. This file sits in the root of a web
page, for example www.mywebpage.com/robots.
txt and provides information to search engines
what should be cached, what should be skipped,
how frequently crawling has to be done, etc. Lets
say you have sensitive files in directory called “re-
ports”. This directory can be excluded from search
engines crawlers and will not end up in search re-
sults. Other files and directories such as /private/,
/adminpanel/, /phpmyadmin/ should be excluded from
search engine results. This technique looks great
so far, but a little more experienced attacker will
take a look at robots.txt file and see what you don’t
want him to know!
Incorrect robots.txt im- Correct robots.txt implemen-
plementation tation
Disallow: Move all sensitive
/adminpanel/ directories into one
Disallow: /phpmyadmin/ directory called for
Disallow: /backup/ example /private/ and
Disallow: /uploads/ disallow this directory:
Disallow: /private/
A little customized robots.txt file would look like
this:
User-Agent: *
Disallow: /private/
Allow: /
User-Agent: hacker
Disallow: /please/go/to/an/easier/target/
13
 It would give attacker some clue that this is probably
not the easiest target, and hopefully he will move to
an easier one. Needles to say it will not push away
targeted attack [13]. So, if you have somebody try-
ing to access non existing directory /please/go/to/an/
easier/target/ on the server it should give you a clue
who is interested in your website.
Full Packet Capture Devices
Sometimes it is easier to detect intrusion on the
wire, i.e. by monitoring ingress and egress traffic.
We have to be aware of out of band communica-
tions, for example communication that come to the
corporate network via GSM signals. These com-
munications do not go through border routers of
the company, and thus cannot be inspected via
this technology.
Packet capture appliance is a standalone de-
vice that performs packet capture. Packet capture
appliances may be deployed anywhere on a net-
work, however, most commonly are placed at the
entrances to the network (i.e. the internet connec-
tions) and in front of critical equipment, such as
servers containing sensitive information.
In general, packet capture appliances capture
and record all network packets in full (both header
and payload), however, some appliances may be
configured to capture a subset of a network’s traffic
based on user-definable filters. For many applica-
tions, especially network forensics and incident re-
sponse, it is critical to conduct full packet capture,
though filtered packet capture may be used at times
for specific, limited information gathering purposes.
Deployment
The network data that a packet capture appliance
captures depends on where and how the appli-
ance is installed on a network. There are two op-
tions for deploying packet capture appliances on a
network. One option is to connect the appliance to
the SPAN port (port mirroring) on a network switch
or router. A second option is to connect the appli-
ance inline, so that network activity along a net-
work route traverses the appliance (similar in con-
figuration to a network tap, but the information is
captured and stored by the packet capture appli-
ance rather than passing on to another device).
When connected via a SPAN port, the packet cap-
ture appliance may receive and record all Ethernet/
IP activity for all of the ports of the switch or router.
When connected inline, the packet capture ap-
pliances captures only the network traffic travel-
ing between two points, that is, traffic that passes
through the cable to which the packet capture ap-
pliance is connected. There are two general ap-
14
proaches to deploying packet capture appliances:
centralized and decentralized.
Centralized
With a centralized approach, one high-capacity,
high-speed packet capture appliance connects to
data-aggregation point. The advantage of a cen-
tralized approach is that with one appliance you
gain visibility over the network’s entire traffic. This
approach, however, creates a single point of fail-
ure that is a very attractive target for hackers; ad-
ditionally, one would have to re-engineer the net-
work to bring traffic to appliance and this approach
typically involves high costs.
Decentralized
With a decentralized approach you place multiple ap-
pliances around the network, starting at the point(s)
of entry and proceeding downstream to deeper net-
work segments, such as workgroups. The advan-
tages include: no network re-configuration required;
ease of deployment; multiple vantage points for in-
cident response investigations; scalability; no single
point of failure – if one fails, you have the others;
if combined with electronic invisibility, this approach
practically eliminates the danger of unauthorized ac-
cess by hackers; low cost. Cons: potential increased
maintenance of multiple appliances.
In the past, packet capture appliances were
sparingly deployed, oftentimes only at the point
of entry into a network. Packet capture applianc-
es can now be deployed more effectively at vari-
ous points around the network. When conducting
incident response, the ability to see the network
data flow from various vantage points is indispens-
able in reducing time to resolution and narrowing
down which parts of the network ultimately were
affected. By placing packet capture appliances at
the entry point and in front of each work group, fol-
lowing the path of a particular transmission deep-
er into the network would be simplified and much
quicker. Additionally, the appliances placed in front
of the workgroups would show intranet transmis-
sions that the appliance located at the entry point
would not be able to capture.
Capacity
Packet capture appliances come with capacities
ranging from 500 GB to 32 TB and more. Only a
few organizations with extremely high network us-
age would have use for the upper ranges of capac-
ities. Most organizations would be well served with
capacities from 1 TB to 4 TB.
A good rule of thumb when choosing capacity is
to allow 1 GB per day for heavy users down to 1
03/2013
 How to Detect System Intrusions
GB per month for regular users. For a typical office
of 20 people with average usage, 1 TB would be
sufficient for about 1 to 4 years.
Features
Filtered vs. Full Packet Capture
Full packet capture appliances capture and record
all Ethernet/IP activity, while filtered packet capture
appliances captured only a subset of traffic, based
on a set of user-definable filters, such as IP ad-
dress, MAC address or protocol. Unless using the
packet capture appliance for a very specific, nar-
row purpose covered by the filter parameters, it is
generally best to use full packet capture applianc-
es or otherwise risk missing vital data. Particularly
when using a packet capture for network forensics
or cyber security purposes, it is paramount to cap-
ture everything because any packet not captured
on the spot is a packet that is gone forever. It is im-
possible to know ahead of time the specific char-
acteristics of the packets or transmissions needed,
especially in the case of an advanced persistent
threat (APT). APTs and other hacking techniques
rely for success on network administrators not
knowing how they work and thus not having so-
lutions in place to counteract them. Most APT at-
tacks originate from Russian and China.
Encrypted vs. Unencrypted Storage
Some packet capture appliances encrypt the cap-
tured data before saving it to disk, while others
do not. Considering the breadth of information that
travels on a network or Internet connection and
that at least a portion of it could be considered
sensitive, encryption is a good idea for most situ-
ations as a measure to keep the captured data
secure. Encryption is also a critical element of au-
thentication of data for the purposes of data/net-
work forensics.
Sustained Capture Speed vs. Peak Capture
Speed
The sustained captured speed is the rate at which
a packet capture appliance can capture and re-
cord packets without interruption or error over a
long period of time. This is different from the peak
capture rate, which is the highest speed at which
a packet capture appliance can capture and re-
cord packets. The peak capture speed can only
be maintained for short period of time, until the
appliance’s buffers fill up and it starts losing pack-
ets. Many packet capture appliances share the
same peak capture speed of 1 Gbps, but actual
sustained speeds vary significantly from model to
model.
www.hakin9.org/en
Permanent vs. Overwritable Storage
A packet capture appliance with permanent stor-
age is ideal for network forensics and permanent
record-keeping purposes because the data cap-
tured cannot be overwritten, altered or deleted.
The only drawback of permanent storage is that
eventually the appliance becomes full and requires
replacement. Packet capture appliances with over-
writable storage are easier to manage because
once they reach capacity they will start overwriting
the oldest captured data with the new, however,
network administrators run the risk of losing impor-
tant capture data when it gets overwritten. In gen-
eral, packet capture appliances with overwrite ca-
pabilities are useful for simple monitoring or testing
purposes, for which a permanent record is not nec-
essary. Permanent recording is a must for network
forensics information gathering.
Data Security
Since packet capture appliances capture and store
a large amount of data on network activity, including
files, emails and other communications, they could,
in themselves, become attractive targets for hack-
ing. A packet capture appliance deployed for any
length of time should incorporate security features,
to protect the recorded network data from access by
unauthorized parties. If deploying a packet capture
appliance introduces too many additional concerns
about security, the cost of securing it may outweigh
the benefits. The best approach would be for the
packet capture appliance to have built-in security
features. These security features may include en-
cryption, or methods to “hide” the appliance’s pres-
ence on the network. For example, some packet
capture appliances feature “electronic invisibility”,
that is, have a stealthy network profile by not requir-
ing or using IP nor MAC addresses.
Though on the face of it connecting a packet cap-
ture appliance via a SPAN port appears to make it
more secure, the packet capture appliance would
ultimately still have to be connected to the network
in order to allow management and data retrieval.
Though not accessible via the SPAN link, the appli-
ance would be accessible via the management link.
Despite the benefits, a packet capture appli-
ance’s remote access feature presents a securi-
ty issue that could make the appliance vulnerable.
Packet capture appliances that allow remote ac-
cess should have a robust system in place to pro-
tect it against unauthorized access. One way to
accomplish this is to incorporate a manual disable,
such as a switch or toggle that allows the user to
physically disable remote access. This simple so-
lution is very effective, as it is doubtful that a hack-
15
 er would have an easy time gaining physical ac-
cess to the appliance in order to flip a switch.
A final consideration is physical security. All the
network security features in the world are moot if
someone is simply able to steal the packet cap-
ture appliance or make a copy of it and have ready
access to the data stored on it. Encryption is one
of the best ways to address this concern, though
some packet capture appliances also feature tam-
perproof enclosures [14].
Out Of Band Attack Vectors
What is the weakest link in any corporation? The
answer is people. People fall into social engineer-
ing attacks; people bring “forgotten” USB sticks and
CDs from bathrooms/parking lots and plug them in-
to their computers just out of curiosity. People bring
their own devices from home and connect to corpo-
rate networks. BYOD or Bring Your Own Device is
a big pain for IT administrators to manage. It also
introduces additional risk, because employee’s own
devices might already be backdoored or infected
and by connecting these devices to corporate net-
work employees are introducing a new risk. Social
engineering attack with lost CD – Figure 8.
Demyo power strip is a full-blown Linux based OS
with many penetration testing tools preinstalled, it
looks like innocent power surge/strip, but has Wi-
Fi, Ethernet and Bluetooth installed inside. Once
connected to the power outlet it immediately calls
back home via GSM 3g modem and establishes
connection. Once connected penetration testers
Figure 8. Social engineering attack with lost CD
Figure 9. Demyo power strip
16
can use it as a jump box to do further penetration
testing inside the LAN of the corporation [15]. De-
myo power strip is shown in Figure 9.
How to prevent employees bringing “lost CDs”
and “lost USB sticks” from parking lots and plug-
ging them into their machines? A strong policy
should be in place disallowing connecting non-ap-
proved hardware to workstations. It is not enough
just to write a policy and consider the job to be
done. Policy has to be enforced and most impor-
tantly policy has to be understood by employees.
There is no way rules can be followed if they are
not understood. Another way to minimize risk is to
provide security awareness training to employees
explaining typical social engineering attacks and
how not to fall for them.
Security Awareness Training
Security awareness is the knowledge and attitude
members of an organization possess regarding
the protection of the physical and, especially, in-
formation assets of that organization. Many orga-
nizations require formal security awareness train-
ing for all workers when they join the organization
and periodically thereafter, usually annually. Topics
covered in security awareness training include:
The nature of sensitive material and physical as-
sets they may come in contact with, such as trade
secrets, privacy concerns and government classi-
fied information.
Employee and contractor responsibilities in han-
dling sensitive information, including review of em-
ployee nondisclosure agreements.
Requirements for proper handling of sensitive
material in physical form, including marking, trans-
mission, storage and destruction
Proper methods for protecting sensitive informa-
tion on computer systems, including password pol-
icy and use of two-factor authentication
Other computer security concerns, including
malware, phishing, social engineering, etc.
Workplace security, including building access,
wearing of security badges, reporting of incidents,
forbidden articles, etc.
Consequences of failure to properly protect in-
formation, including potential loss of employment,
economic consequences to the firm, damage to in-
dividuals whose private records are divulged, and
possible civil and criminal penalties
Being security aware means you understand that
there is the potential for some people to deliber-
ately or accidentally steal, damage, or misuse the
data that is stored within a company’s computer
systems and throughout its organization. There-
fore, it would be prudent to support the assets of
03/2013
 How to Detect System Intrusions
the institution (information, physical, and personal)
by trying to stop that from happening.
According to the European Network and Informa-
tion Security Agency, ‘Awareness of the risks and
available safeguards is the first line of defense for
the security of information systems and networks.’
‘The focus of Security Awareness consultancy
should be to achieve a long-term shift in the attitude
of employees towards security, whilst promoting a
cultural and behavioral change within an organiza-
tion. Security policies should be viewed as key en-
ablers for the organization, not as a series of rules
restricting the efficient working of your business. ‘[16]
Data Correlation
Data correlation is a technique used in information
security to put all pieces together and come up with
some meaningful information. For example if you
see in Linux system SSH connections coming in all
day long, and after 200 tries to login in there is a
successful login after all. What does it tell you? It
should be a good starting point to suggest a brute
force attack is going on with a success at the end.
All technologies help to find out intrusions, however
technologies do not find intrusions, people do. Ap-
pliances and sensors are typically good about find-
ing bad events, but good events can combine into
bad one as well. How is it possible you would ask?
Lets outline a simple scenario where human makes
determination about compromise. Lets say there is
a company with many employees which travel a lot
around the globe. Company is doing a good job by
implementing various control systems, various log-
ging systems, this company also uses RFID enabled
cards for its employees in order to track who is com-
ing and leaving its offices. All data is collected and
pushed to SIEM [17] engine to do correlation be-
tween events and logs. One morning 2 seemingly
good events come into SIEM. First event is user john
VPN connection is established from overseas to cor-
porate office. Second event is user john RFID badge
being scanned at the entrance to the corporate of-
fice. Well both events are pretty standard and are
harmless when taken separately, but then combined
together they reveal something weird. How can user
john VPN in from overseas and get a physical en-
trance to the office at the same time? The answer
is one of two: either VPN credentials are compro-
mised, or his employee card is used by somebody
else to enter the office. Figure 10 shows how 2 good
things can create 1 bad thing when combined.
Siem
Security Information and Event Management
(SIEM) solutions are a combination of the formerly
www.hakin9.org/en
disparate product categories of SIM (security in-
formation management) and SEM (security event
manager). SIEM technology provides real-time
analysis of security alerts generated by network
hardware and applications. SIEM solutions come
as software, appliances or managed services, and
are also used to log security data and generate
reports for compliance purposes. The acronyms
SEM, SIM and SIEM have been used interchange-
ably, though there are differences in meaning and
product capabilities. The segment of security man-
agement that deals with real-time monitoring, cor-
relation of events, notifications and console views
is commonly known as Security Event Manage-
ment (SEM). The second area provides long-term
storage, analysis and reporting of log data and is
known as Security Information Management (SIM).
The term Security Information Event Manage-
ment (SIEM), describes the product capabilities of
gathering, analyzing and presenting information
from network and security devices; identity and ac-
cess management applications; vulnerability man-
agement and policy compliance tools; operating
system, database and application logs; and exter-
nal threat data. A key focus is to monitor and help
manage user and service privileges, directory ser-
vices and other system configuration changes; as
well as providing log auditing and review and inci-
dent response.
Siem Capabilities
• Data Aggregation: SIEM/LM (log management)
solutions aggregate data from many sources,
including network, security, servers, databas-
es, applications, providing the ability to consol-
idate monitored data to help avoid missing cru-
cial events.
• Correlation: looks for common attributes, and
links events together into meaningful bundles.
This technology provides the ability to perform
a variety of correlation techniques to integrate
different sources, in order to turn data into use-
ful information.
• Alerting: the automated analysis of correlated
events and production of alerts, to notify recipi-
ents of immediate issues.
• Dashboards: SIEM/LM tools take event da-
ta and turn it into informational charts to assist
in seeing patterns, or identifying activity that is
not forming a standard pattern.
• Compliance: SIEM applications can be em-
ployed to automate the gathering of compliance
data, producing reports that adapt to existing
security, governance and auditing processes.
17
 • Retention: SIEM/SIM solutions employ long-
term storage of historical data to facilitate corre-
lation of data over time, and to provide the re-
tention necessary for compliance requirements.
Other Weird Stuff On The System
What are other symptoms of possible system com-
promise? Some examples below:
• Log files are missing completely. Why there
are no log files?
Script kiddies delete logs whereas hackers
modify them by taking out only their IP ad-
dresses, their commands and manipulations
with system.
• Network interface is in promiscuous mode
In computer networking, promiscuous mode is a
mode for a wired network interface controller (NIC)
or wireless network interface controller (WNIC) that
causes the controller to pass all traffic it receives to
the central processing unit (CPU) rather than pass-
ing only the frames that the controller is intended
to receive. This mode is normally used for packet
sniffing that takes place on a router or on a comput-
er connected to a hub (instead of a switch) or one
being part of a WLAN. The mode is also required
for bridged networking for hardware virtualization.
In IEEE 802 networks such as Ethernet, token
ring, and IEEE 802.11, and in FDDI, each frame in-
cludes a destination Media Access Control address
(MAC address). In non-promiscuous mode, when a
NIC receives a frame, it normally drops it unless the
frame is addressed to that NIC’s MAC address or
is a broadcast or multicast frame. In promiscuous
mode, however, the card allows all frames through,
thus allowing the computer to read frames intended
for other machines or network devices.
Many operating systems require super user
privileges to enable promiscuous mode. A non-
routing node in promiscuous mode can generally
Figure 10. How 2 good things can create 1 bad thing when
combined
18
only monitor traffic to and from other nodes with-
in the same broadcast domain (for Ethernet and
IEEE 802.11) or ring (for token ring or FDDI). Com-
puters attached to the same network hub satisfy
this requirement, which is why network switches
are used to combat malicious use of promiscuous
mode. A router may monitor all traffic that it routes.
Promiscuous mode is often used to diagnose net-
work connectivity issues. There are programs that
make use of this feature to show the user all the data
being transferred over the network. Some protocols
like FTP and Telnet transfer data and passwords in
clear text, without encryption, and network scanners
can see this data. Therefore, computer users are en-
couraged to stay away from insecure protocols like
telnet and use more secure ones such as SSH.
Detection
As promiscuous mode can be used in a malicious
way to sniff on a network, one might be interested
in detecting network devices that are in promiscu-
ous mode. In promiscuous mode, some software
might send responses to frames even though they
were addressed to another machine. However,
experienced sniffers can prevent this (e.g., using
carefully designed firewall settings).
An example is sending a ping (ICMP echo re-
quest) with the wrong MAC address but the right
IP address. If an adapter is operating in normal
mode, it will drop this frame, and the IP stack never
sees or responds to it. If the adapter is in promis-
cuous mode, the frame will be passed on, and the
IP stack on the machine (to which a MAC address
has no meaning) will respond as it would to any
other ping. The sniffer can prevent this by configur-
ing his firewall to block ICMP traffic [18].
• Immutable files on the system that cannot be
deleted, find those with lsattr command
lsattr is a command-line program for listing the
attributes on a Linux second extended file sys-
tem. It is also a command to display attributes
of devices on an AIX operating system. Some
malware puts +i flag on its own executable, so
you cannot delete it, even if you are root.
• Mysterious open ports and services
All open ports and running services should be
accounted for. For example if there is a ser-
vice running, but its not clear what it does, or
why is it running – an investigation should be
launched [19].
Summary
As we outlined above there are so many ways to
detect system intrusions and so many ways to hide
03/2013
 On The Web
1. Whitelisting vs blacklisting – http://bit.ly/RNxEHO
2. LoggedFS – http://loggedfs.sourceforge.net/
3. File Integrity Monitoring – https://en.wikipedia.org/
wiki/File_integrity_monitoring
4. AIDE – http://aide.sourceforge.net/
5. Timestamps – https://en.wikipedia.org/wiki/Timestamp
6. Hidden files – http://www.linfo.org/hidden_file.html
7. 0day attacks – https://en.wikipedia.org/wiki/Zero-
day_attack
8. SystemImager – http://sourceforge.net/projects/sys-
temimager/
9. Rootkit – https://en.wikipedia.org/wiki/Rootkit
10. Phrack – http://phrack.org/
11. Rootkit hunter – http://rkhunter.sourceforge.net/
12. What is vulnerability – http://bit.ly/PFCWCh
13. Targeted attack – http://bit.ly/MTjLVv
14. Full Packet Capture – https://en.wikipedia.org/wiki/
Packet_Capture_Appliance
15. Demyo power strip – http://www.demyo.com
16. Security Awareness – https://en.wikipedia.org/wiki/
Security_awareness
17. SIEM – https://en.wikipedia.org/wiki/Siem
18. Promiscuous mode – https://en.wikipedia.org/wiki/
Promiscuous_mode
19. Intrusion Detection – http://bit.ly/OCB7UU

them. What is the proper way to analyze suspect

system then? The proper sequence is:

1. Memory dump and analysis. Hackers are get-

ting smart these days; they stay in memory as
long as possible. Why? Because they know fo-
rensics will be done on the HDD itself, but if
they stay in memory it requires better skill to
do memory analysis. Some companies just
pull the plug from the power and network and
do HDD forensics analysis. This is wrong, be-
cause as soon as you pull the power plug –
half of the goodies are gone…
2. Selective HDD files analysis (we make HDD im-
age first, and work from the copy). Depending on
the machine role on the network it might be an
overkill to do full blown forensic analysis. In some
situations partial forensic examination is enough.
3. Full HDD analysis if needed (we make HDD
image first, and work from the copy).

Almantas Kakareka
Almantas Kakareka is a founder and
CTO of Demyo, Inc. and has over 15
years of IT security related experi-
ence. His expertise is vulnerability as-
sessments, and penetration testing.
Almantas has a Master of Science de-
gree in Computer Science from Florida
International University and certifications such as CIS-
SP, GSNA, GSEC, CEH, MCDST, MCP, Net+ and Sec+. Web-
site: www.demyo.com.

www.hakin9.org/en
 Fault Tolerant Network
Design
Whether you’re building a brand new network or looking
for ways to improve the resiliency of your existing
infrastructure, the following guide is intended to give some
tips on how to minimize the effects of failures within the
network. This guide explains configuration for primarily
Cisco equipment, but a lot of these same principles and
protocols can be used with other vendor equipment.
W
e’ll start by talking about a relatively sim-
ple concept of redundant power, but you
might find that this is one of the most ne-
glected parts of a network design. I’ve encountered
many dead switches in wiring closets that probably
could have lived a longer life if the proper power
protection was implemented when the switch was
installed. It’s also important to note that most net-
working devices were not built to be rebooted very
often, so when a power loss occurs for a split sec-
ond and reboots all your switches, this isn’t exactly
healthy for the devices. It amazes me sometimes
how people will drop thousands of dollars on new
network equipment and not bother to protect this
new investment with a solid Uninterruptable Power
Supply. (UPS) The concept here is pretty simple,
when a power loss occurs in the building; UPSs in
each wiring closet take over with a battery backup
to keep this equipment running. I’m finding that this
is only going to become more important as pow-
er over Ethernet (PoE) devices gain in popularity.
A great example here is a network that is running
voice over IP (VoIP) and maybe some wireless ac-
cess points that get power from your PoE switches
in each closet. If a power blip occurs and you’re not
running UPSs in each of your wiring closets, all of
your phones and wireless access points will reboot
as well once the power to the building is fully re-
stored. This could add up to be a LOT of downtime
if there is a storm that keeps knocking out power for
a few split seconds every hour. If it’s in your budget,
I always recommend going with UPSs that are IP
enabled. This means there is either a built in Ether-
20
net port on the device or a separate module you can
install in it to remotely manage the device over the
network. It’s also very cool to have the device send
you an email when it needs a replacement battery
or send an SNMP trap to your monitoring server,
which leads me to the importance of monitoring.
You can build all the redundancy and fault toler-
ance into your network that you want, but if you
are not monitoring for failures and acting on those
alerts, you’re only prolonging the outages that will
eventually occur. There are many ways to do this,
but the most popular ways I’ve seen are using
SNMP (Simple Network Management Protocol),
Syslog, and believe it or not, a simple ping. PRTG,
Solarwinds, and Nagios are a few programs that
come to mind for SNMP monitoring and I know
there are a few freebees for Syslog monitoring as
well. Here is a quick breakdown of how you can
setup SNMP on a Cisco switch. (The commands
are the same or similar for other devices)
SNMP works by using community names. If your
device is programmed with the same community
name that you have setup on your SNMP monitor-
ing server you will see statistics and data populat-
ing in your monitoring application. You’ll also need
to make sure UDP ports 161 and 162 are allowed
on your network before deploying this. Here is a
config snippet to get you started with some notes.
Switch(config)#snmp-server community EXMAPLE RO
The “EXAMPLE” part of this command is the ac-
tual community name string that will need to
03/2013
 Fault Tolerant Network Design
match on whatever program you’ll be using to poll
SNMP data. The “RO” portion signifies that this
is a read-only SNMP community string, so you
can’t actually send commands to the device us-
ing SNMP, just read data. You can optionally add
a number at the end of this command to bind this
string to an access-list number that can either be
a standard or extended list of access-lists. This
will make it so only the IP addresses you allow in
your access-lists will be allowed to poll SNMP da-
ta from the device for monitoring.
Another feature that is built into every Cisco switch
that is often neglected is spanning tree protocol and
I would be crazy not to include a short discussion of
this in my guide, so here goes. Spanning tree pro-
tocol is a nice insurance policy to make sure your
network is running loop free, so I highly recommend
using it. It’s also a nice way to purposely build in
some redundant links into your network. There is
a ton of information on spanning tree protocol and
how you can fine tune it, but I’ll concentrate on the
basics. By default, almost all modern Cisco switch-
es have PVST (Per VLAN Spanning Tree) enabled.
This makes use of the 802.1D standard or in oth-
er words, a standard STP instance for each VLAN.
With regular STP, it’s possible for us to have to wait
50 seconds for spanning tree to reconverge on
the network from a link failure. This is long enough
for phones to reset, web pages time out, and the
phones to start ringing on your desk with angry us-
ers wondering what is going on. This was once an
acceptable amount of time for a network hiccup
in the middle of the day, but modern networks re-
quire much more uptime than ever before and this
amount of downtime is often not acceptable. Now
if you remember to enter this one command below
on every switch in your network you can drastically
speed up your spanning tree convergence time.
Switch(config)#spanning-tree mode rapid-pvst
This command enables rapid spanning tree
(802.1w) on your switch. Once this is turned on
you’re only looking at about a 3 second delay for
spanning tree to converge from a link failure. An-
other thing that is often left out when deploying
switches is statically setting the root switch in the
spanning tree topology. Let’s bring up an exam-
ple to show what I’m talking about. Maybe we are
a growing network and we are constantly adding
switches to new parts of the building and I have
not decided on what switch I want to be my root
bridge in the spanning tree topology. Now by de-
fault the switch that has the lowest MAC address
will be elected the root bridge in the topology which
www.hakin9.org/en
is often the oldest switch in the network. This is a
MAJOR problem, because if my network has hun-
dreds of VLANs this means I have hundreds of
spanning tree instances for the root bridge to keep
track of. If the oldest switch in the network can’t
handle this you’ll experience major instabilities on
the network. This is why it’s very important to care-
fully plan what switch will be the root bridge in the
network and then statically set its priority. You can
accomplish this with the following command:
Switch(config)#spanning-tree vlan [VLAN # or range]
priority 0
I always set mine to the lowest (best) priority to
eliminate any consequences of somebody who
brings in a switch that is set to a higher priori-
ty, but please note that if another switch appears
on the network with the same priority of 0 you’re
back at a lowest MAC address determination for
the root bridge.
So now you’ve got some redundant links in your
network and your monitoring software will tell you
when a link has failed over so you can make the
necessary adjustments to restore that link, but
what if we want to minimize downtime even further
by using link aggregation for sub-second failover
on our redundant links? This is where the use of
Etherchannels can really shine. In short, an Ether-
channel is a grouping of physical links on a switch
to form one virtual link. If you’ve ever worked with
T1s to setup multi-link bundles, the concept is very
similar to this in that we are load balancing across
two separate physical links (Figure 1).
If spanning tree protocol is setup correctly on your
network you’ll see something that looks like the fig-
ure below with one port in the “blocking” state where
traffic is not being forwarded on this link.
When you run the “Show spanning-tree” com-
mand you will see this link’s status as “BLK.” Let’s
bundle these two links together into an Etherchan-
nel using the following commands.
At both ends we will have identical config, because
we chose ports that have the same port number on
each side. This is a nice way to add some consisten-
cy to your network and be able to easily predict how
the other end is setup in troubleshooting any issues.
Figure 1. An Identical config
21
 First we’ll create the virtual interface by simply
typing in interface and then the string “port-chan-
nel” with a number directly after it.
Switch(config)#interface port-channel1
*The range of numbers you can use will be de-
pendent on what model of switch you are config-
uring and might vary between IOS versions.
Now we will be dropped into interface configura-
tion mode where we will need to add the configu-
ration we need for our switch to switch link just like
we would if it was a physical interface. Since this is
a switch to switch link I’m going to configure it as a
trunk port, so it can carry traffic for multiple VLANs
across it.
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
From here, this should look quite familiar. I like to
use the “switchport nonegoatiate” command after
setting a link as a trunk to disable DTP (dynamic
trunking protocol). Just make sure that if you con-
figure it this way, both ends of your configuration
are identical, because this command forces you
to set a port to trunk manually instead of relying
on a negotiation to take place between switches.
I’ve heard mixed things on whether or not this ac-
tually speeds up your convergence time, but I pre-
fer to configure trunks this way anyways, because
I generally don’t like relying on the network to au-
tomatically do anything and it’s nice to eliminate
extra overhead from DTP packets.
Our next step is to assign physical interfaces to
our newly created port-channel interface. I’ll select
both my interfaces at once using the range com-
mand shown below and configure both interfaces
in one swipe.
Switch(config)#interface range
GigabitEthernet1/0/1-2
Next make sure that the configuration on your
physical interfaces matches what we just applied
to the port-channel interface. If it doesn’t, there
could be very unpredictable issues occurring over
the link once it is enabled as an Etherchannel.
Some IOS fills in the configuration on your virtual
interface to all of the physical interfaces assigned,
but not all IOS does this, so make sure to check
this before moving on.
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport nonegotiate
22
Now we’ll enter our channel-group configuration.
Switch(config-if-range)#channel-group 1 mode on
We start with the string, “channel-group” to tell the
switch that the selected physical interfaces will be
part of a virtual interface. Next we’ll need to enter
the number that we used earlier in our port-chan-
nel interface to bind this physical interface to that
port-channel interface.
For the next part of this command I used “mode
on” to tell the physical interfaces to unconditionally
become an Etherchannel. You have a few options
here, but the short story is that PAgP (Port aggre-
gation protocol) or LACP (Link Aggregation Control
Protocol) can be configured to negotiate an Ether-
channel. Again, similar to configuring trunk ports,
my preference here is to not use a negotiation pro-
tocol unless required, so since this is just a switch to
switch link, a negotiation protocol really isn’t need-
ed. Most Cisco documentation I have read will sug-
gest that you use their proprietary PAgP to form
Etherchannels, but from what I understand this is
only recommended due to the fact that PAgP will
help you out and shutdown links if a configuration
mistake is made. So the key here is making sure
that both ends of the Etherchannel have identical
configuration. I have had a lot of success with se-
lecting “mode on” for Etherchannels.
After these steps are complete, you should be
able to do a “no shutdown” on your physical inter-
faces and see the Etherchannel come up. Span-
ning tree will not block the port since it is now a
single logical link and you should have sub-sec-
ond failover times in the event that one of the links
goes down. You can run a quick “show etherchan-
nel summary” command from enable mode to veri-
fy that both ports are up in the Etherchannel. Ports
that are “up” in the Etherchannel will be labeled
with a “P” next to them from this output. Now your
topology should logically look like this: Figure 2.
Make sure to note what load balancing method
your switches are using by default for Etherchan-
nels, as you may need to adjust this depending on
the placement in the network. Many of the newer
models will allow you to load balance using source/
Figure 2. Load balancing method
03/2013
 PC Fix
destination MAC address, source/destination IP
address, and layer 4 ports. I recommend load bal-
ancing by source or destination IP address when
you can, but know that this is not always the best
configuration. For example, if you have an Ether-
channel going to a heavily utilized server in your
organization and you load balance by destination
IP address you might find that the majority of your
traffic only traverses one link since users are all
trying to get to the one IP address on the other end
of your Etherchannel, which is your server’s IP ad-
dress. It’s also important to note that Etherchannel
load balancing is a global configuration, so once
you choose a load balancing method, this method
will be used by all Etherchannels configured on the
switch.
Here is the command to adjust the load balanc-
ing method:

Switch(config)#port-channel load-balance ?
Dst-mac Dst Mac Addr
Src-mac Src Mac Addr

And you can verify what load balancing is current-

ly running with the “show etherchannel load-bal-
ance” command.
Now the next time you are tasked with building a
network from the ground up or implementing some
high availability features into your network, keep
these tips and configuration examples in mind. Re-
member that failure points within any network are
a matter of “when” and not a matter of “if.” The fa-
mous saying of “even the best laid plans…” might
come back to bite you if the proper monitoring,
countermeasures against link failure and electrical
power protection are not built in.

Casey Walters
Before you
continue:
Casey is currently working as a net-
work technician for an IT services pro-
vider in the Southwest Michigan ar-
ea. He is a current senior at Daven-
port University attending his last se- Free scan your Computer now!
mester before completion of his Bach-
elor of Science degree in Network Se- Improve PC Stability and performances
curity. Casey specializes in routing,
Clean you registry from Windows errors
switching, wireless, and network design primarily using
Cisco equipment. He is actively working towards CCNP
(Cisco Certified Network Professional) certification and
currently holds active CCNA: Security, CCDA, MCSA:
2003, and CompTIA A+, Network+, and Security+ certifi-
cations. When he is not at work, Casey enjoys spending
time at the beaches of Lake Michigan, visiting family in
Colorado, going to the movie theater, and going to live
music performances.

www.hakin9.org/en
 Experimenting with
Dynamic Programming in C#
Dynamic programming is a concept that is becoming
increasingly popular mostly thanks to widespread
programming languages such as Python and Javascript. The C#
language from version 4.0 supports dynamic programming. In
this article we show some examples of dynamic programming
in C# and when it can make sense to use it.
What you will learn...
Some basic concepts of dynamic programming
How to use dynamic programming in C#
When it makes sense to use dynamic programming
S
upport for dynamic programming can prob-
ably be considered as the biggest innova-
tion introduced by the version 4.0 of the
C#language.
The concept of dynamic programming is related
to the work the compiler does for binding methods
and typing variables, and that can be either static
or late binding/typing.
Static binding/typing means that the method call
connection to method implementation (binding)
and determination of variables data types (typing)
is performed at compile time. If a method is called
but there is no implemetation you get a compile er-
ror. In the same way if you try to assign a string to
a float variable you get a compile error.
Late binding/typing, typically from dynamic lan-
guages, means that the compiler does not check
for the existence of method implementations nor it
performs any data type checking. All these check-
ings are performed at runtime instead. As a result,
if a method implementation is missing, you get an
error only at runtime.
Dynamic programming is not a new idea, the
first concepts of dynamic programming were in-
troduced in languages with an old history such as
Lisp and Smalltalk. In recent years, several dy-
namic programming languages, such as Python
and Ruby, have become increasingly popular. An-
other very popular dynamic language is JavaS-
24
What you should know...
Basic knowledge of C#, Linq and XML.
How to edit files and compile source code using Microsoft
tools.
cript, which has become the de-facto dominant
language in the Web client side.
Dynamic programming in C# 4.0 was mainly in-
troduced to simplify interoperability between dy-
namic languages and the .NET framework. Dy-
namic programming in .NET 4.0 is allowed by
the Dynamic Language Runtime (DLR). DLR is
build on top of the common language runtime
and enables the interoperation between dynam-
ic languages and the .NET framework. DLR is a
project derived from IronPython, which was the
first dynamic language implemented on the .NET
Framework. At first the DLR was an opensource
project (http://dlr.codeplex.com/), which was later
incorporated into the official .NET Framework 4.0.
The Dynamic keyword in .NET
In C# dynamic programming is based on the dy-
namic keyword (defined in the System.Dynamic
namespace; Listing 1).
Listing 1. Code snipped with dynamic
// dynamic data type.
Dynamic myNumber = 10;
Console.WriteLine(myNumber + “ “ + myNumber.
GetType());
03/2013
 Running the piece of code of Listing 1 will result
in the following to be printed on the console:

10 System.Int32

In the code myNumber is a dynamic data type at

compile time and is transformed into an Int32 at
runtime.
If you call a method against myVariable that does
not exist, the program will compile anyway. Only at
runtime you will be notified that the method is not
defined (Listing 2).
The dynamic keyword represents a static data
type (I know, it may sound a bit confusing), such
that C# has dynamic features while remaining a
statically typed language. Actually when you use
dynamic you say the compiler to switch off any
checking. Under the hood the dynamic keyword is
implemented by the object data type, that is the
base class for all .NET classes. A detailed expla-
nation for that is out of the purpose of this article.
For further information you can refer at http://ms-
dn.microsoft.com/en-us/magazine/ff714583.aspx.

Differences between dynamic, object and var

in C#
At first sight dynamic, var and object keywords
share many similarities.
Consider the Listing 3; at runtime the variables
i, j, k are all Int32 data types. However things
change at compile time, in particular i is an object
type at compile time and transformed into Int32 at
runtime, j is of type Int32 both at compile time and
runtime, k is of type dynamic at compile time and
of type integer at runtime.
As a consequence you have different types of
compile checkings, summarized in the Listing 4,
5 and 6.

When dynamic programming is useful in C#

When using dynamic programming you do not get
errors at compile time and the fuctions of Intelli-
sense are not available for dynamic objects, lead-
ing to potential loss of efficiency. So you should
make use of alternative techniques such as unit
testing to guarantee your code quality.
On the other hand the usage of dynamic pro-
gramming in C# can significantly reduce the num-
ber of code lines in a number of cases such as,

• when working with objects whose data type is

only known at runtime. In that case calling a
method requires the use of object + casting +
reflection. Suppose you get an instance of a
StringConcatenator, where the data type is only

www.hakin9.org/en
 know at runtime. Prior to C# 4.0 you needed a
code such as that of Listing 7
The same code using the dynamic keyword is
much more simple and readable as shown in
Listing 8.
• when working with COM Objects, such as
when accessing/creating Microsoft Office files
(for example an Excel file), as for instance in
Listing 9.
• implementing a custom dynamic class as
wrapper for existing classes
In the following an example is shown where dy-
namic programming can simplify the syntax for
accessing XML data. In particular we create a
custom dynamic class that acts as a wrapper for
an XML element.
XML root is contacts and each element is a con-
tact. Until here 3 instances of DynamicXMLWrapper
have been created and no dynamic code was
used at all. Now things get more interesting.
When calling
Listing 2. Code snipped with dynamic where an error is
raised at runtime
Dynamic myNumber = 10;
// error only at runtime because no method binding
// is performed by the compiler on dynamic data types
Console.WriteLine(myNumber.GetFormatted-
String());
Listing 3. Code snipped with dynamic, var and object

Custom dynamic class for XML data access. object i=3;

Suppose you have the following XML file: Listing 10. var j=3;
We want to implement a custom dynamic class dynamic k=3;
that allows us to simplify the code syntax for ac-
cessing the XML data (Listing 11). Listing 4. Code snipped with object
The most common way to implement custom dy-
namic classes in C# is to derive your class from object i=3;
the System.Dynamic.DynamicObject class, as shown in
Listing 12. // not allowed because i1 is of type object at
The DynamicXMLWrapper class acts as a wrap- compile time.
per for an XML element and that XML element is // The + operator is not defined for an object
saved in _xElement (of type XElement). The XElement data type.
class was introduced in .NET 3.5 and represents object i1 = i+3;
an XML element. The dynamic behavior of the
DynamicXMLWrapper class is given by the TryGetMember // ok with an explicit cast
method (inherited from DynamicObject). This object i2 = (int)i+3;
method is called when trying to access a member
of the class. This method has an input parameter Listing 5. Code snipped with var
of type GetMemberBinder, which represents the mem-
ber we are trying to access. If the method is not // the data type of j (Int32) is inferred at
found, TryGetMember returns false, and an error is compile runtime
raised at runtime. var j=3;
This becomes more clear if we explain the code
in Listing 10. When calling // ok, the compile allows that because j is an
Int32 type
dynamic myXMLWrapper = new var j2 = j+3;
DynamicXMLWrapper(fileName);

the root element (i.e. contacts) of our XML file is Listing 6. Code snipped with dynamic
loaded in myXMLWrapper. When calling
// dynamic data type: compiler checking is
foreach(var contact in myXMLWrapper) switched off
dynamic k=3;
the DynamicXMLWrapper.GetEnumerator() method is
called. In this method each XML element of the // ok no compiler checking
current XML root is retrieved and wrapped into a dynamic k2 = k+3;
new instance of DynamicXMLWrapper. In our case the

26 03/2013
 Experimenting with dynamic programming in C#
Console.WriteLine(contact.name);
we have that., for each contact (that now it
wrapped in a DynamicXMLWrapper), the Name mem-
ber is called. At this point dynamic programming
comes into play. The method TryGetMember for the
current DynamicXMLWrapper instance is called. With-
in this method it is checked whether the Name
member exists. In this specific case the Name
member exists if the current _ xElement has an
XML element with name Name. If that XML el-
ement exists, it is wrapped in a new instance of
DynamicXMLWrapper.
In our XML file each contact element has a
name element. As a result, a new instance of
DynamicXMLWrapper is created for each name XML el-
ement. In other words each call to contact.name
returns a new instance of DynamicXMLWrapper. Finally
that instance is written to console. For this purpose
the DynamicXMLWrapper.ToString() method is called.
The contact.name member is created at runtime,
at compile time it does not exists but we do not get
any compile error because the dynamic keyword
switches off any compiler checking.
Finally the output of our program is
Listing 7. Code snipped using object + casting + reflection
object stringConcatenator = GetStringConcatena-
tor();
Type type = stringConcatenator.GetType();
object res = stringConcatenator.InvokeMemb
er(“Concat”,BindingFlags.
InvokeMethod,null,new object[]
{“ab”,”cd”});
string stringConc = res.ToString();
Listing 8. Code snipped dynamic instead of object +
casting + reflection
dynamic stringConcatenator = GetStringConcatena-
tor();
string stringConc = stringConcatenator.
Concat(“ab”, “cd”);
Listing 9. COM interop without and with dynamic
// code without dynamic
((Excel.Range)excelApp.Cells[1, 1]).Value =
“val1”;
Excel.Range range2008 = (Excel.Range)
excelApp.Cells[1, 1];
// code with dynamic. Note that the cast-
ings are missing,
// making the code more readable
www.hakin9.org/en
John
Paul
Finally, using dynamic programming we could re-
trieve XML data with a relative readable and com-
pact code. Of course we could retrieve XML da-
ta using other C# libraries, like for example Linq to
XML (Listing 13).
As a comparison the code in Listing 12 is less
compact than the one in Listing 9 where we used
dynamic programming.
Conclusion
In this article we have explored some concepts of
dynamic programming and we have seen some
examples of dynamic programming in C# that al-
lows us to have more compact and readable code.
On the other hand it is to keep in mind that more
compact code comes at a cost of potentially more
bugs, as the compiler checkings are disabled.
Therefore it is necessary to put some more effort
into the testing of dynamic code.
There would be much more to say about dynamic
programming in C# but there is no enough space
for that. For example you could have a look at Ex-
excelApp.Cells[1, 1].Value = “val1”;
Excel.Range range2010 = excelApp.Cells[1,
1];
Listing 10. Create a member
<contacts>
<contact contactId=”2”>
<name>John</name>
</contact>
<contact contactId=”3”>
<name>Paul</name>
</contact>
</contacts>
Listing 11. Code using dynamic programming for
accessing XML data
string fileName = “myXML.xml”;
dynamic myXMLWrapper = new
DynamicXMLWrapper(fileName);
foreach(var contact in myXMLWrapper)
Console.WriteLine(contact.name);
27
 pando objects at http://msdn.microsoft.com/en-us/
magazine/ff796227.aspx. Expando objects are ob-
ject where members can be added or removed
at runtime. Another introductive article about dy-
namic programming in C# is http://msdn.microsoft.
com/en-us/magazine/gg598922.aspx.
Claudio Varini
Claudio Varini is Italian but lives in Munich (Germany)
with his girlfried. He holds a Phd in computer science
from the University of Bielefeld (Germany). He has been
programming software for a number of industrial fields
for the last seven years. He works mainly with Microsoft
technologies, in particular Dot.Net, C# and WPF (Win-
dows Presentation Foundation).

Listing 12. Dynamic custom class acting as wrapper for an

XML element return false;
}
using System.Linq;
using System.Xml.Linq; public IEnumerator GetEnumerator()
using System.Collections; {
using System.Dynamic; return _xElement.Elements().
Select(child => new
class DynamicXMLWrapper : DynamicObject, IEnu- DynamicXMLWrapper(child)).GetE-
merable numerator();
{ }
public DynamicXMLWrapper(string fileName)
{ public override string ToString()
_xElement = XElement.Load(fileName); {
} if (_xElement != null)
{
private DynamicXMLWrapper(XElement element) return _xElement.Value;
{ }
_xElement = element; else
} {
return string.Empty;
public override bool }
TryGetMember(GetMemberBinder }
binder, out object result)
{ // data that stores an XML element
result = null; XElement _xElement;
if (_xElement == null) }
{
// the called element was not found Listing 13. Code using XML to XML for accessing XML data
return false;
} Xdocument xDoc = XDocument.Load(fileName);
// check if _xElement has an element with var contacts = from x in xDoc.Descendants(“contact”)
name binder.Name
XElement sub = _xElement.Element(binder. select new
Name); {
if (sub != null) name = x.Descendants(“name”).First().Value
{ };
result =
new DynamicXMLWrapper(sub); foreach (var contact in contacts)
Console.WriteLine(contact.name);
return true;
}

28 03/2013

Developments, Strategies and Best Practice
in Global Cyber Security
Featuring 30 top
level speakers!
TARIQ AL HAWI, Director, AE CERT
BADER AL-MANTHARI, Executive
Information Security, ITA OMAN
OMAR ALSUHAIBANU, Network
Security Engineer,
CERT SAUDI ARABIA
AHMED BAIG, Head, Information
Security and Compliance,
UAE GOVERNMENT ENTITY
TAMER MOHAMED HASSAN,
Information Security
Specialist, UAE
GOVERNMENT ENTITY
AMANI ALJASSMI, Head of
Information Security Section,
DUBAI MUNICIPALITY
NAVEED AHMED, Head of IT
Security, DUBAI CUSTOMS
RIEMER BROUWER, Head
of IT Security, ADCO
AYMAN AL-ISSA, Digital Oil
Fields Cyber Security
Advisor, ABU DHABI MARINE
OPERATING COMPANY
MOSTA AL AMER, Information
security Engineer,
SAUDI ARAMCO.
HESHAM NOURI, IT Manager,
KUWAIT OIL COMPANY
KENAN BEGOVIC, Head of
Information Security,
AL HILAL BANK
USAMA ABDELHAMID Director, UBS
ABEER KHEDR, Director of
Information Security,
NATIONAL BANK OF EGYPT
BIJU NAIR, Head of Audit,
NOOR ISLAMIC BANK
BHARAT RAIGANGAR, Director,
Corporate Security Advisor,
ROYAL BANK OF SCOTLAND
ASHRAF SHOKRY, Chief
Information Officer,
AJMAN BANK
MOHAMED ROUSHDY,
Chief Information
Officer, NIZWA BANK
ZAFAR MIR Regional Manager
Information Security Risk,
TEL +44 (0)207 127 4501
www.cybersecurityuae.com Conference & Exhibition
2nd Annual
CYBER SECURITY UAE
SUMMIT 2013 Special
focus on the
May 13th & 14th, Dubai Banking, Oil & Gas
& Government
Sectors
Protecting critical infrastructures
Main Sectors Covered:
Electricity & Water
Assess the nature of the latest The only d
s kin
threats being faced and the impact
event of it lace Oil & Gas
t o t ake p E
of these upon your organisation
Discuss the most promising in the UA
cyber security technologies
in the marketplace Financial Services
Assess the trends to watch in global cyber security
International Case Studies: Discover the best practice
in protecting your organisation from cyber-attack Transportation
Network with your industry peers in
the comfort of a 5 star venue
The only event of its kind to take place in the Middle East
Government
HSBC BANK MIDDLE EAST
MAHMOUD YASSIN Lead Security
CYBER SECURITY Defense
& System Eng Manager, UAE TECH 2013
NATIONAL BANK OF ABU DHABI
HUSSAIN ALKHASAN, IT GRC Hurry exhibition
Manager, COMMERCIAL GOLD SPONSOR
space for the 30
BANK OF DUBAI (UAE)
booth exhibition is
FURQAN AHMED HASHMI,
(PMP, CISSP, CCIE, TOGAF) expected to sell out.
Architect, EMIRATES
INVESTMENT AUTHORITY 1 19
20
STEVE HAILEY, President CEO, 21 22
NET WORKING AREA
NET WORKING AREA
2 18
CYBER SECURITY INSTITUTE
23 24
OMER SYED, Project Manager, 3
25 26
17
ROADS & TRANSPORT AUTHORITY 4 16
BIJU HAMEED, ICT Security 5
27 28
15
Manager, DUBAI AIRPORTS 6
29 30
14
MOHAMMED AL LAWATI, ICT 7
8 9 10 11 12
13
policy and Procedure
Advisor, OMAN AIRPORTS
MANAGEMENT COMPANY For further details on SILVER SPONSOR
MURTAZA MERCHANT, exhibiting place email
Senior Security Analyst, info@oliverkinross.com
EMIRATES AIRLINE
AMR GABER, Senior Network
Security Engineer, DUBAI MEDIA PARTNERS
STATISTICS CENTRE
ANDREW JONES, Chairman
of Information Security,
KHALIFA UNIVERSITY Make valuable
NASIR MEMO, Principal connections at
Investigator, NEW the networking
YORK UNIVERSITY
Plus many more to be announced!
evening
FAX +44 (0)207 127 4503 EMAIL info@oliverkinross.com
 An Interview with

Anthony Giallombardo
the founder of Mafia Security

H9: Please introduce yourself to our
readers.
Anthony: My name is Anthony Giallombardo and
I am the owner of Mafia Security. I am an Informa-
tion Security Enthusiast belonging to ISSA, Inter-
net Society, and various local user groups in Grand
Rapids Michigan. I am finishing my bachelors de-
gree at Davenport University, NSA Information As-
surance Center of Excellence, in Grand Rapids, MI
dual majoring in Information and Network Security.
I started a student organization in 2009 at Daven-
port University for Cyber Defense where we com-
pete against other schools in the National Colle-
giate Cyber Defense Competition.
the Mafia. My condolences to any families or
businesses that have been or are affected by any
state-based Mafia.
When choosing a business name you need to
pick something both relevant and memorable. Ma-
fia Security does both.
Taking the evil out of the Mafia, you can find hon-
our, integrity, loyalty, and valor. These are all terms
to describe the work of Mafia Security. Information
Security is a huge community and there is a great
culture behind it. There is a lot of sharing and this
was my way to give back to the community.

H9: Please tell us more about your

association.
Anthony: Mafia Security promotes the academic
and professional work of students and alumni to
turn their research, tutorials, guides, and papers
into more than just a letter grade. Authors are a
part of a contributing group, which allows them to
expand their Internet identity, exposure, reputa-
tion, and portfolio.
It is not a news source for infosec, netsec, and
hacking. Mafia Security strives for the best pro-
fessional and academic research and peer review
material.

H9: Tell us something about the name of

your association.
Anthony: The reason I picked the name ‘Mafia’ in
Mafia Security?
Under no circumstances did I pick the name
‘Mafia’ for Mafia Security because I endorse, ap-
prove, or condone any illegal activities done by

30 03/2013
 An interview with Anthony Giallombardo, the founder of Mafia Security
H9: This is a very interesting approach
to the nomenclature of your association.
What about the members of your group?
Anthony: As said before, Infomation Security is a
good community, almost like a family. Anyone who
wishes to give back to the family through authorita-
tive articles, reviews, guides, can do so. I targeted
my fellow students first as they are already writing
papers and doing project research through school.
This offers them a way to show their work to their
future employers. Its a targeted method of allowing
people to have a digital portfolio. Instead of each
person creating a blog I have centralized the mate-
rial to have a larger impact.
H9: So, everybody can join your
community?
Anthony: The main target is anyone pursing an
active degree or recent graduate that can contrib-
ute. However, there are InfoSec professionals join-
ing to help the overall cause and increase visibility
H9: Is it easy for you to manage all these
people by yourself?
Anthony: As of right now, I have been able to
manage successfully all the people; however, as
the site continues to grow I hope to offer internship
positions to other majors such as marketing and
journalism to help them use this organization to
aid their own portfolio. The leadership opportuni-
ties that Davenport University has offered definite-
ly helped me in this type of work. The University is
known for it’s business school. The association or
Mafia Security
Mafia Security promotes the academic and pro-
fessional work of students and alumni to turn
their research, tutorials, guides, and papers into
more than just a letter grade. Authors are a part
of a contributing group, which allows them to ex-
pand their Internet identity, exposure, reputation,
and portfolio.
Mafia Security is not a news source for hack-
ing, information security, networking, and server
administration. Mafia Security strives for the best
professional and academic research and peer
review material.
www.hakin9.org/en
business is like any student organization; however,
we are not bound to any university or college.
H9: Who would be your target partner
then?
Anthony: I have received a lot of support from
both Davenport University and GRRCon which
is the DEFCON hacker conference for the Grand
Rapids, Michigan Area. As far as continued growth
and success is concerned, any IT vendors allowing
demo software or hardware units to aid the study
would be appreciated. Not only will this allow stu-
dents get more exposure to more material, it will
aid in the integrity/authority of the articles we put
out.
H9: What can a prospective partner expect
from this partnership?
Anthony: Given the cause of the organization we
have a very limited budget. However, I believe the
value a prospective partner can expect is when the
student graduates and out in the workforce, they
are already familiar with the product and may rec-
ommend it for use throughout their career.
H9: Anything in particular about your
partnership with Hakin9 Magazine?
Would you like to say something to our
readers?
Anthony: Being able to be featured and able to
write for Hakin9 Magazine is a wonderful reward
for the authors of Mafia Security for additional
exposure and opportunities. To all readers, self
branding and marketing is very important; howev-
er, it doesn’t have to be limited to writing articles.
Anyone who provides video tutorials, is actively in-
volved in various information security associations,
or is involved in creating and modifying tools are all
valued in the Information Security community.
H9: Last question – How can our readers
reach you?
Anthony: There is a contact form easily accessi-
ble on mafiasecurity.com or by visiting www.mafia-
securiry.com/contact. I am also available through
email anthony@mafiasecurity.com, www.mafiase-
curity.com/contact.
Krzysztof Samborski
31
 An Interview with

Eran Sagi
Corporate VP Marketing, the representative of
TADIRAN Company

Dear Mr Sagi, could you tell our readers Ltd. (both in the UK & Israel) in various executive
something about yourself and the role positions where I gained over 15 years experience
you play at Tadiran? in the Telecommunications Industry.
Eran Sagi: I joined Tadiran in May 2012 as a Cor- My role in Tadiran is conveying the benefits our
porate VP of Marketing and am responsible for the prospects can reap from our technologically ad-
company’s global marketing and Go-to-Market ac- vanced offerings and emphasizing our unique ap-
tivities. Prior to Tadiran I worked at NICE Systems proach to Unified Communication as well as ex-
Mr. Sagi has over 15 years
experience in the Tele-
communications Industry.
Mr. Sagi joined Tadiran in
May 2012 as a VP of Mar-
keting, responsible for the
company’s global market-
ing and Go-to-Market ac-
tivities. Prior to that Mr. Sa-
gi worked at NICE Systems
Ltd. (both in the UK & Isra-
el) where he accrued var-
ious executive positions
such as the Director of
Business Development &
Product Management and
head of EMEA Customer
Services.
Mr. Sagi was responsible
for the Public Safety Busi-
ness Unit P&L, building
and maintaining business
with global and regional
partners, defining Go-to
Market and product strat-
egies for each product, re-
gion, and vertical market.
Mr. Sagi holds a BA degree
in Computer Science and
Management from the
Open University in Israel.

32 03/2013
 An Interview with Eran Sagi
tending and strengthening our global business
partnercommunity.
What prompted you to start cooperating
with Telecommunication Industry as
we know you were studying Computer
Science and Management?
Eran Sagi: The telecommunications domain was
a major, growing domain when I started my career
and I saw it as a great place to start. My back-
ground helped me to better understand the bits
and bytes of the telecommunications technologies
I worked with.
The technology transition that the telecommuni-
cations sector went through during the last decade
makes it a very interesting place to work and learn.
Could you let our readers know what
things have been happening lately at
Tadiran?
Eran Sagi: Tadiran was recently acquired by Afcon
Holdings Ltd., which is part of the Shlomo Group
– a conglomerate engaged in a wide variety of in-
dustrial and service businesses..
The acquisition kept us focused on growth and
market needs in unified communications and al-
so served as a technological turning point for the
company. We put more emphasis on software plat-
forms that would stand the test of time, allowing
perpetual integration as new applications are de-
veloped and market needs evolve.
In September 2012 we acquired a proven contact
center technology that was implemented in more
than 3000 customers worldwide from Easyrun. We
implemented it in our new innovative UC&C plat-
form – Aeonix which was released to the market in
January 2013.
We are looking to expand our business partner
community as well as staying committed to our ex-
isting partners and encouraging them to migrate to
the new technology with special offers.
Please tell us more about the latest and
from your point of view the most exciting
products?
Eran Sagi: Tadiran Telecom heard the call of Me-
dium & Large Size Businesses for a single, robust
yet flexible platform that would deliver the features
most relevant to them in their vertical markets. We
created an innovative platform for SMBs as well as
Enterprises providing open and scalable architec-
ture that allows us to leverage the power of a new
wave of innovative applications. Aeonix will allow
customers to evolve within their market while en-
abling them to utilize the most advanced dedicated
www.hakin9.org/en
technologies available all the while reducing their
total cost of ownership
I am extremely excited about the project be-
cause of the exceptionally positive feedback we
received during the comprehensive, global beta
phase among our huge installed base. That was a
real test for the system and it excelled.
What was the biggest change regarding
strategy and what it meant for Tadiran?
Eran Sagi: The Telecom industry has experienced
a dramatic strategic inflection point. The technol-
ogy and market change quickly. Those who will not
adapt to the change, will lose business but those
who manage to recognize change and leverage it
will soar to new heights.
Our strategy is to leverage the sheer power of
innovation that is developed in the market and in-
tegrate it into our robust and reliable open plat-
form. We have done this with UC&C, Contact Cen-
ter and Call logging solutions, and we delivered a
solid and a complete solution that containing best
of breed technologies. The countless solutions out
there mean we can answer the specific needs of
the various vertical markets and remain ahead of
the game in the long run. Customers know they
are buying a solution that will evolve and last for a
very long time.
What marketing tools do you use at
Tadiran?
Eran Sagi: It is important to us that our clients and
prospects are informed about our products and
offers. So we are constantly reaching out to an-
alysts, interviewing with the media, not just tele-
com media but also vertical markets’ media. I
have just returned from a media tour in the USA.
Journalists were very positive about our solu-
tion, and I think our excitement was apparent to
them.
We supply content and marketing material for our
business partners and support them as they mar-
ket our products. In addition we recognized that
we need to assist our partners in becoming prod-
uct proficient and to reduce their costs, therefore
we have released a complete and comprehensive
online certification program for engineers for Aeo-
nix at no cost so they can learn our products easily
and rapidly on their own premises.
We also use social networks, specifically Linke-
dIn, to connect and support the community of re-
sellers and users and keep them up-to-date. We
are headed for growth and technology advance-
ment and would like to see our business partners
grow with us.
33
 Please tell us more about your clients and
what features of your products are the
most suitable for them?
Eran Sagi: Tadiran Telecom has been a leader in
various markets with clients such as Beijing rail-
ways, and Indian railways in the transport market,
and Medford School in the Education field. We
have a large presence in the Energy market in Chi-
na and India as well as large installed base in the
health care market including our recent Aeonix win
at a hospital in Europe.
Aeonix provides the highest levels of fault toler-
ance and failover capabilities which is extremely
important for mission critical environments. Cus-
tomers know that they get the innovative and re-
liable solution when they choose Tadiran. An ad-
ditional important feature for our clients is our
complete SIP compatibility which makes integra-
tions with specific market’s applications easy in-
cluding dispatch consoles for the transportation
and energy markets as well as nurse call systems
for healthcare customers.
Those integrations make our solution perfect for
customers that are looking for tailored made solu-
tions.
Before rolling out Aeonix we asked some of our
customers to test it with us in a comprehensive be-
ta phase. Tadiran wanted to have their client’s in-
put before the launch. We received exceptionally
positive feedback.
In the Medford School district, for example, they
commented on the easy implementation process
and intuitive management interface that allowed
them to install the entire system in half the time
they expected
Whether it’s a contact center, a healthcare tele-
phony system, a railway control room or an emer-
gency service, our systems integrate seamlessly
with existing architecture, are reliable and simple
to operate.
see, one of our biggest marketing advantages is
our huge global installed base. If they are happy
with our solutions and services they tell their net-
work, and in today’s social communication era that
means a lot.
What are your plans for the next years e.g.
Are you still looking for resellers around
the world?
Eran Sagi: We are aiming to grow our installed
base further, through innovation and tointroduce
features and new applications that will be tailored
to the demand of the various vertical markets. Uni-
fied Communications is definitely the trend, but it
means different things in different markets. With
Tadiran we want a world, where resellers and cus-
tomers can find all their solutions in one place.
What advice would you like to give to new
players in the market?
Eran Sagi: Customers are looking for solutions
which consolidating different technologies togeth-
er providing desktop and mobile intuitive applica-
tions.
Cost of ownership is a major part and custom-
ers require getting more but investing less. New
players that will be able to provide innovative tech-
nologies with a great look and feel that can reduce
operational costs have a great chance to get cus-
tomer’s attention.

What has been your biggest marketing

challenge and how have you overcome it?
Eran Sagi: Some say Tadiran is a well hidden
treasure. We have wonderful solutions and an abil-
ity to meet the needs of customers in a spectrum
of vertical markets, but the market is saturated
with small companies that simply can’t provide the
same level of reliability. On the other hand we are
also competing with big telecom players that can
shout their message twice as strong as we can.
The way we approach this challenge is to strive
for 100% customer satisfaction for return busi-
ness and referrals, and by constantly reaffirming
our commitment to our business partners. You Ewa dudzic

34 03/2013
 IT Security Courses and Trainings
IMF Academy is specialised in providing business information by means of distance
learning courses and trainings. Below you find an overview of our IT security
courses and trainings.

Certified ISO27005 Risk Manager Information Security Management

Learn the Best Practices in Information
Security Risk Management with ISO
27005 and become Certified ISO 27005
Risk Manager with this 3-day training!
CompTIA Cloud Essentials
Professional
This 2-day Cloud Computing in-company
training will qualify you for the vendor-
neutral international CompTIA Cloud
Essentials Professional (CEP) certificate.
Cloud Security (CCSK)
2-day training preparing you for the
Certificate of Cloud Security Knowledge
(CCSK), the industry’s first vendor-inde-
pendent cloud security certification from
the Cloud Security Alliance (CSA).
e-Security
Learn in 9 lessons how to create and
implement a best-practice e-security
policy!
Improve every aspect of your information
security!
SABSA Foundation
The 5-day SABSA Foundation training
provides a thorough coverage of the
knowlegde required for the SABSA
Foundation level certificate.
SABSA Advanced
The SABSA Advanced trainings will
qualify you for the SABSA Practitioner
certificate in Risk Assurance & Govern-
ance, Service Excellence and/or Architec-
tural Design. You will be awarded with
the title SABSA Chartered Practitioner
(SCP).
TOGAF 9 and ArchiMate Foundation
After completing this absolutely unique
distance learning course and passing
the necessary exams, you will receive
the TOGAF 9 Foundation (Level 1) and
ArchiMate Foundation certificate.

For more information or to request the brochure

please visit our website:
http://www.imfacademy.com/partner/hakin9

IMF Academy
info@imfacademy.com
Tel: +31 (0)40 246 02 20
Fax: +31 (0)40 246 00 17
 Tool Time:
SecureBrowsing
The Internet is a dangerous place to venture because it
is rife with websites hosting malware and malicious code
deployed o compromise your systems. How do you thwart
hackers from fulfilling their insidious objectives?
U
ser awareness alone is not foolproof as le-
gitimate sites can also be ridden with such
harmful content. SecureBrowsing is a Firefox
addon that can easily be installed in your Firefox
browser. It was originally developed by Finjan and is
currently maintained by Trustwave. Search for it from
Add-ons Manager and install it by clicking Accept and
Install. Restart your browser to complete the instal-
lation (Figure 1). I accessed my Webmail inbox from
Firefox and identified a suspicious link that the Web
Content Security filter has failed to block (Figure 2).
Mouse over the SecureBrowsing icon in front of the
link to reveal information pertaining to it. No informa-
tion is currently available about the said link (Figure 3).
Click on the suspicious link. SecureBrowsing offers 3
options to you. This is unique to this tool as it does not
Figure 1. Install SecureBrowsing
Figure 2. Suspicious link
Figure 3. Link status
36
permit you to access the link immediately unlike other
similar tools. Click on Scan (Figure 4). SecureBrows-
ing determined that the website displays malicious
behaviour. Do not persist in visiting the site (Figure
5). This plugin presents information regarding all links
listed in your browser. Trustwave even categorises
websites as part of their research into the safety and
reputation of those sites. This tool works with Firefox
regardless of what Operating System (OS) you have
installed. It does not require any configuration and is
ready to use immediately upon restarting your brows-
er. A must-have tool that provides peace of mind with-
out consuming a lot of resources.
Mervyn Heng
Mervyn Heng, CISSP, is into Ubuntu, Comic Universe
characters, Pop culture and Art outside of Information
Security. If you have any comments or queries, please
contact him at commandrine@gmail.com.
Figure 4. SecureBrowsing options
Figure 5. Malicious link
03/2013
 BOSTON • May 28-31, 2013
The Westin Boston Waterfront

Get the best real-world Android

developer training anywhere!
• Choose from more than 75 classes
and tutorials
• Network with speakers and other
Android developers
• Check out more than
40 exhibiting companies

“AnDevCon is one of the best

networking and information hubs
available to Android developers.”
—Nate Vogt, Android Developer, Willow Tree Apps

Register NOW at www.AnDevCon.com

A BZ Media Event Follow us: twitter.com/AnDevCon AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google’s Android Robot
is used under terms of the Creative Commons 3.0 Attribution License.
 Femtocell Attacks and
Countermeasures
“Coverage” is a key term for all telecom operators. Providing
coverage is always a challenge for them. Day by day mobile
users are increasing and because of this growth mobile
operators are very constraint for bandwidth. That’s why
we are facing coverage problem and sometimes unable
to connect to mobile users in an emergency. The concept
behind this problem is known as cell splitting.

I
n a general telecom network, the number of
serving base station is equal to the number of
cells. When mobile users increase, then net-
work traffic increases, and hence number of base
station will increase. A cell is directly depended
on the base station, so telecom operators have to
increase cell size. This principle is known as Cell
Splitting.
Advantages for Users
• Installed at home so high voice quality, distor-
tion free signal and more coverage.
• Low Power Usage
• High dedicated bandwidth
• Location Service (Need to search)
• Provide Landline support

Cell Splitting Principle in Femtocell Advantages for Mobile Operators

Telecom operators use cell splitting to reduce net-
work traffic and provide better coverage and voice
quality to users by implementing a concept of
“femtocell”. Femtocell is a small Access point or
you can say your own Base station with coverage
less than 50m. It is developed for enhancing 3G
connectivity meaning higher bandwidth and bet-
ter voice quality. A Femtocell operates in licensed
spectrum and provides connectivity to mobile de-
vices for connecting to the mobile network via a
broadband connection. For accessing a femtocell
the mobile number should be registered. Once it is
registered the mobile receives an SMS with a hid-
den OTA with the reconfiguration commands. The
SIM Card gets reconfigured according to the com-
mands and thus enabling the mobile device to con-
nect to the femtocell.
In short, we can list the advantages of femtocell
for users as well as for operators.
Advantages of Femtocell
Using femtocell has lots of advantages for users
as well as for operators.
• No Installation and maintenance cost
• Less manpower required as no need of going
and installing at user side.
• Traffic reduction, giving a high quality signal
hence overall quality service increased
• Cheap hardware
• No investment on extra base stations, or their
maintenance etc.
• Customer satisfaction at low cost
Femtocell Architecture
The Figure 1 shows mobile users directly connect-
ed to the Femtocell Access Point (FAP). The num-
ber of users that can connect to FAP depends on
the FAP capacity. A FAP is connected to the SeGW
using the public IP network and after mutual au-
thentication it may allow connection to the Femto-
cell Management System (FMS)
There are two possibilities for the FMS:
• Inside Operators Core Network
• Outside Operators Core Network (Public Internet)

38 03/2013
 Femtocell Attacks and Countermeasures
When the FMS is inside the operator’s core net-
work, then a FAP has to communicate to the FMS
through the Security Gateway (SeGW). So before
connecting to the FMS a subscriber has to verify
his identity to the SeGW and vice versa. Every or-
ganization protects its infrastructure by implement-
ing a high level of security. Attacking an FMS in-
side the operator’s core network is more difficult as
compared to if it was located outside the operator’s
network (available on public Internet). Since the
communication between the FAP and SeGW is on
the IP network, it is assumed to be untrusted and
that’s why before connecting the FAP to FMS it is
essential to authenticate the FAP. Inside the opera-
tor’s core network there is an entity AAA (Authenti-
cation, Authorization and accounting server) which
is used to authenticate the FAP on the basis of
stored authorization related credential information.
The main purpose of the AAA server is to control
who is allowed (Authentication), what to allowed
(Authorization) and tracks the user’s activity (Ac-
counting), so a proper security policy should be
adopted by an organization. Lacking the security
protocol and policy for protecting the resources
can be a serious issue.
Sometimes a FAP fails to connect to the SeGW,
in this case the operator’s uses an outside FMS
to connect via the public internet to diagnose the
problem. If the FMS is outside of the operator’s
core network it will not be as secure as if the FMS
was inside the network. An attacker can take this
advantage to try to break the communication be-
tween FAP and FMS and for this reason mutual
authentication with secure communication is es-
sential. Authentication is achieved by use of mu-
tual certificates for authentication while secure
communication is accomplished using a TLS con-
nection. There are two ways used in femtocells to
authenticate a subscriber and operator.
Certificate Based Authentication
X.509 certificates are used for authentication over
IP Based networks. The FAP and SeGW authen-
ticate each other by the mutual sharing of trusted
X.509 certificate using IKEv2. IKEv2 is considered
secured because:
• It uses symmetric key share between both FAP
and FGW.
• Public key is embedded in the certificate and
private key is only known to one of the entities.
• Password known to both FAP and FGW.
The certificate is issued by the manufacturer dur-
ing the manufacturing process and signed by a
www.hakin9.org/en
Certification Authority. The private key of this cer-
tificate is stored securely inside the FAP. This FAP
Certificate contains the serial number of the FAP.
This is a global key which is fixed during the life-
time of a FAP. (FEID Example)This key is direct-
ly given by an operator to the manufacturer and it
is hardcoded in the FAP. This key is used with a
subscriber’s public key. After the mutual authen-
tication is performed successfully, a trusted link
between the FAP and SeGW is established using
IPSec tunnel. IPSec protocol works in 2 modes:
Transport
In this mode only data to be transferred encrypted
while the IP Header is not. If Authentication Head-
er is used, then transport as well as application
layer are secured because of hashing.
Tunnel
Both header and data is encrypted and then encap-
sulated into a new IP packet with a new IP header.
SIM Card Based Authentication
This is a traditional method for authenticating hand-
sets. Authenticated information is stored inside the
SIM Card and it has to be installed inside the FAP. So
while connecting to the SeGW, the AAA server com-
municates with the HLR and the Authentication Cen-
ter (AuC) for authenticating the subscriber according
to the stored information inside HLR and AuC.
FAP Security Concerns
Authentication
It is achieved by mutual certification exchange.
This certificate is issued by the manufacturer dur-
ing manufacturing and signed by a Certification
Authority. The FAP stores sensitive information like
the private key of the certificate securely which is
not exposed outside. The key used to sign the cer-
tificate is at least 2048 bits and algorithm SHA256
with RSA encryption.
Authorization
It is achieved by FEID(FAP equipment identifier).
Integrity Protection
HMAC and AES-XCBC-MAC-96 is recommended.
Confidentiality Protection
This is achieved by using AES with a minimum 128
bit key in CBC mode.
Device Integrity
This can be achieved during boot up process. Be-
fore connecting to the SeGW it performs device
39
 integrity checks by matching trusted values with
cryptographic hash values and if matches then the
FAP boot up process is successful.
Need of Security in femtocell
Few of the most concerning points of femtocell se-
curity
• Femtocells are located at user side, so it need
to be more secur
• It’s out of the operators control and monitoring.
iIf user is not aware of security practices then
it would be very easy for an attacker to exploit
the femtocell Access Point.
• Communication travels over the Internet so it
must be kept private and secure.
• Using an IP link so chances of attacks are
greater.
• Connecting in the link between FAP and oper-
ator’s core network and sending unauthorized
messages can create a Denial of Service attack.
• Closed Subscriber mode of a femtocell allows
connection to the femtocell those who are sub-
scribed (are in the access control list).While
in Open Access Mode anyone can connect to
femtocell. So it is important to configure femto-
cell modes.
Attackers Eyes
Few of the important cases where one need to be
careful.
• Check Proper Update in FAP: Organizations
using the software update feature to provide
their customers better service, improve per-
formance and security enhancements etc.
Threat 1 Threat 2
Femtocell
Access Point
FAP
Mobile Users
Figure 1. Threat points in Femtocell architecture
40
According to them software update means
“Patches” Software/firmware needs to be up-
date periodically as day by day new technolo-
gies come and older versions of software be-
come vulnerable so it is very essential to them
patched. vulnerabilities by using software up-
date. Software updates in the femtocell is per-
formed by the FAP Server which is located in-
side the operator’s network or may be outside,
depend on the operator’s policy.
• Communication between the FAP and its serv-
er must be secure using TLS or IPSec.
• Location verification is used to ensure that op-
erators have licensed spectrum in that area
where FAP is working
• FAP Firewall is implemented or not.
• Proper handover is there between 2 femtocell.
• Femtocells are located at the user side and it
will access operator’s core network using an IP
Link so it will be a major concern from a securi-
ty point. As one can attack the femtocell obtain
user credentials and then can access the oper-
ator’s core network
Possible Attack Scenarios
Few of the possible Attack Scenarios are:
FAP Root Access
If an attacker gets root access to the FAP, then he
may change internal configuration and other set-
tings, maybe disable the firewall. Thus anyone
who is using this FAP will be a victim. Root Ac-
cess can be doneseveral ways like scanning open
ports and if any are found the attacker could telnet
or ssh to the open port(s) then launch attacks on
these ports.
Threat 3 Threat 4
AAA
Public IP SeGW HLR
Network AuC
FMS
Operators
Core Network
FMS
Public
03/2013
 Femtocell Attacks and Countermeasures
Software Update
It is also possible for an attacker to connect the
FAP to an unauthenticated server and then it can
install any software, spoofing devices etc to per-
form his desired action.
If the software updating center is compromised
(not secured or through internal employees) the at-
tacker can install malicious software.
Memory Attack
Checking flash memory of a femtocell whether to if it
contains any secret information like list of registered
users. It is also possible that list contains registered
mobile number’s IMSI, which is unique identity of
sim card. After getting the list, it is possible for an
attacker to delete or add users without registering.
Adding an international number may charge roam-
ing and deduct money from the victims account
Eavesdropping
As femtocells are used inside the home, most of
the time (depends on user) only the owner’s phone
numbers communicate through that femtocell, but
the condition is that all numbers have to be regis-
tered in the operator’s website. Whenever a femto-
cell boots, the operator’s network provide the fem-
tocell a complete list of registered users. This list
is stored inside the device in xml form which can
be altered by the attacker allowing the attacker to
eavesdrop on their call if he has modified the list
and also available within the range of femtocell.
Denial of Service: Attacker can launch DoS attack
against a femtocell as well as DDoS against the op-
erator’s core network by using multiple femtocells.
He may also use software simulation installed on
computer and then can launch further attacks.
Booting Femtocell
If the booting process is not secured cryptographi-
cally then it is possible for an attacker to modify
the boot software. Modification/Change to the soft-
ware may help an attacker to perform various at-
tacks, for example Man in the Middle Attack.
Thus, a proper security policy should be imple-
mented by operator. This includes strong crypto-
graphic algorithm, User Secret Identity Informa-
tion should not be reveal and will store only on
operators network not on the users FAP, and au-
thentication is based on certificates
Recommendation
• Algorithm with higher strength used for authen-
tication and confidentiality.
www.hakin9.org/en
• Private Key should be securely stored In the
FAP, in a way that unauthorized modification is
not allowed.
• FEID should not be reveal.
• Before using a femtocell, proper knowledge of
security should be given to customer.
• FAP firewall should be used.
• Booting process should be secured
• Sensitive information like authentication details
should not be stored in plain text in the FAP, if
stored.
• Use of IPSec and Authentication Protocol like
Extensible Authentication Protocol (EAP).EAP
is known universal authentication framework
for wireless networks.
• Software updates and configuration changes
should be signed.
• Femtocell should use special technology to de-
tect physical replacement of components.
Conclusion
As is evident, Mobile usage continues to increase
many fold, day after day at an unprecedented pace
due to the mass adoption of smart phones, tablets
and wireless modems for laptops. This is driving the
need for continued innovations in wireless data tech-
nologies to provide more capacity, high speed con-
nections and generate large amounts of data traffic
to the network along with higher quality of service.
Femtocellsare an upcoming need for home users or
small business but adding more security measures
can make it more reliable and make it worth it to use.
Proper security update, strong authentication algo-
rithm and user awareness etc can make it more se-
cure. Femtocells provide an easy and cost efficient
way for mobile operators to offer a more fulfilling user
experience and deliver broadband data services in-
doors – consistently and reliably. Femtocells and Wi-
Fi will coexist in the future. Customers and operators
both can benefit from femtocell technology if it is used
securely But for this the device must be used intelli-
gently enough to select the most appropriate and se-
cure connection while following security mechanisms.
Nitin Goplani
Nitin has been working with Aujas as a Security Research-
er in the Telecom Security domain. With a rich back-
ground in application, Mobile and net-work security, Nitin
is now involved in researching about new and emerging
threats to the Telecom Core Nodes. Apart from Research,
Nitin is also involved in assisting in the implementation of
security measures for Fixed/ Mobile Network (2g/3G/LTE)
and core fixed network systems to regulate access to spe-
cific network elements for the secure operation of the core
fixed network and all its variants
41
 Social Engineering
The Single Greatest Threat to Organizational Security
Security planning is an onerous, complex and continual
process, largely because there exists two factions which
are continually at ends with one another. Security
professionals work to erect walls which provide security to
an organization’s data, networks, and personnel – whereas
the opposition is continually developing ways to go over,
under, around or through security barriers.
O
ne major problem with many security
plans is that most organizations focus
exclusively on technical countermea-
sures, but the weakest link in security, the hu-
man element, is often overlooked. Attackers are
aware of this deficiency, and use an unethical
approach known as social engineering to exploit
this weakness. This paper examines how so-
cial engineering attacks take advantage of nor-
mal human behavior and demonstrates the real
and present threat that this type of dishonest at-
tack poses. Historical data extracted from Kevin
Mitnick’s case, and the DEFCON 18 Social En-
gineering Capture-the-Flag (CTF) – How Strong
is Your Schmooze results will be utilized to build
this case study. Additionally, this paper will inves-
tigate what organizations can do to diminish this
threat.
Introduction
In the current age of technology, many organiza-
tions have come to rely on information systems
as one of the most important tools for facilitating
nearly every aspect of business activities. The use
of information technology expedites workflow, in-
creases productivity, accelerates communication
and allows for multiple employees to view and
work on a single project concurrently. One major
concern with organizations relying so heavily on
information systems is that enormous amounts of
data, much of which could be considered sensitive
or valuable in nature, is used, stored, and created
on these systems.
42
Security has become a critical affair for manag-
ers at all levels of innumerable governments and
organizations; clients with concerns about pro-
tection of their personally identifiable information
(PII), privacy and identity fraud or theft are de-
manding it; vendors, suppliers, and business part-
ners require it from one another, especially when
there exists a mutual network and information ac-
cess (Allen, 2009).
Though many organizations take security seri-
ously and put an enormous emphasis on both tech-
nical and physical safeguards such as firewalls,
id cards, intrusion detection systems (IDS), and
guards, there is little emphasis placed on the hu-
man element of security. A million dollars worth of
state-of-the-art technical and physical safeguards
could be, and continues to be, rendered useless
by hackers who know how to manipulate and by-
pass the weakest link in any security program, the
human being.
Understanding Social Engineering
Social engineering is an art or a better put, the
science, of expertly manipulating other humans to
take some form of action in their lives (Hadnagy,
2011). A social engineer is someone who takes
advantage of the credulity, indolence, good man-
ners, or even passion of employees (Microsoft,
2006). Social engineering is basically a con-game
and the social engineer is nothing more than a
sophisticated con-artist who employees tactics of
skillful lying, influencing, persuading, smooth talk-
ing, trickery, and deception to convince their tar-
03/2013
get that they are someone they are not, or require
access to something they do not have authoriza-
tion to access.
The goals of a social engineer are similar to a
traditional hacker: they want to gain unauthor-
ized access to an organization’s network so they
can steal the organization’s money, data or IT re-
sources. The major difference between a tradi-
tional ‘technical hacker’ and a social engineer is
their toolkit, a traditional hacker typically will have
a strong understanding of technical vulnerabilities,
exploits, hacking tools, programming, and coding,
whereas social engineering doesn’t require much
technical know-how, but rather a good lie to con-
vince people to supply information or assistance.
It’s the difference between manipulating technol-
ogy vs. manipulating people (Figure 1).
Kevin Mitnick (2005), arguably the most re-
nowned hacker and social engineer of all time, de-
scribes the social engineer as an attacker who is
accomplished in the art of deception, whom preys
on the greatest qualities of human nature: our nat-
ural tendency to be polite, helpful, supporting, and
yearning to be a team player.

How Real is the Threat?

Rich Mogull, a Gartner analyst believes that “So-
cial engineering is the single greatest threat to en-
terprise security (Hiner, 2002),” and the figures
would indicate that he is correct.
Some (Figure 2) fascinating data presented on
‚The Virus Bulletin’ by AVG Technologies demon-
strates that employees are four times as likely to
be exploited by a social engineer than to be at-
tacked by a malware exploit. This is largely due to
the fact that offenders know that the human ele-
ment is most often the weakest target in a securi-
ty design. Social engineering isn’t going away; it’s

Figure 1. Social Engineering (2002). Source: GartnerG2.

Retrieved 16 February, 2012, from: http://www.techrepublic.
com/article/change-your-companys-culture-to-combat-
social-engineering-attacks/1047991

www.hakin9.org/en
 been here since the beginning of time, as long as Some statistic from the event: Table 1.
there remains humans who can be duped, it’s here This was the first time that a social engineer-
to stay (Hughes, 2010). ing event had been put on display for the public
Those are some impressive numbers, but how re- in a controlled context against unsuspecting real
al is the threat? Well, in 2007 a government-spon- companies, and the findings show that for aware-
sored study showed that 60% of IRS employees ness training to be effective, it requires complete
fell for a social engineering hack where an attack- coverage of all employees. When employees do
er posing as a fellow worker asked them to alter not have clear guidelines set in place on how to
their passwords; this was after a comparable test respond to a given situation, the tendency is that
had been conducted previously and the staff had they will default to actions that they perceive as
been given a heads up about the scam. A study being helpful. This natural response was exploited
by the University of Idaho found that 40% of the by every contestant to obtain high scores in the
school’s staff had fallen victim to a similar tactic,
but unlike the IRS penetration test where employ-
ees were asked to simply change their passwords,
the school’s staff was asked to actually supply their
password to someone claiming to be a fellow em-
ployee over the phone (Scher, 2011).
At the 2010 DEFCON 18 conference, an event
called “Social Engineering CTF – How strong is
your Schmooze?” was held to help raise aware-
ness of the threat that social engineering poses.
Social engineers using nothing but a telephone,
made calls to companies and manipulated them
into providing data that could potentially be used
to harm the company.
Table 1. DEFCON 18 CTF Results (2010). Source: Social-
engineer.org. Retrieved 20 February, 2012, from: http://www.
social-engineer.org/resources/sectf/Social-Engineer_CTF_
Report.pdf
Number of Companies Called: 15
Possible Flags: 25 Figure 3. Mitnick Wanted Poster. Source: US Department
of Justice. Retrieved 20 February, 2012, from: http://
Number of Companies with Flags Captured: 14 enterprisefeatures.com/2011/08/most-common-ways-
Days Contest Was Held: 2 hackers-exploit-using-social-engineering/
Total Phone Calls Made: 135
Companies Who Put Up Resistance: 7
Employees Who Put Up Resistance: 11

Figure 4. Mitnick Today (2010). Source: str8upgeeksta.

Figure 2. Frequency of SE vs. ME (2011). Source: Virusbtn.com. blogspot.com. Retrieved 20 February, 2012, from: http://
Retrieved 19 February, 2012, from: http://www.virusbtn.com/ str8upgeeksta.blogspot.com/2010/08/king-of-social-
conference/vb2010/abstracts/Hughes.xml engineering-talks-about.html

44 03/2013
 Social Engineering: The Single Greatest Threat to Organizational Security

challenge (Aharoin, Hadnagy, & O’Gorman, 2010) three books: The Art of Deception, The Art of In-
(Figure 3). trusion, and Ghost in the Wires; all three offer an
Beyond the awareness raised by the DEFCON excellent view into the real world of social engi-
18 challenge, there are real world examples of neering and provide useful insight into how an or-
how much damage a skilled social engineer can ganization can protect itself from the types of ex-
wreak on a company, and none better fit the bill ploits he used.
than hacking poster boy, former FBI’s most want-
ed, #3 on the all-time greatest hackers list, the What can you do to protect your
man the Department of Justice has described as: organization?
“The most wanted computer criminal in U.S. his- Organizations (Figure 5) should develop and de-
tory,” hacker turned author, speaker and security ploy processes that weaken the threat of social
consultant: Kevin Mitnick (Figure 4). engineering. They should institute a culture of de-
One need look no further than the Federal Bu- fense and responsibility within the organization.
reau of Investigation’s 1999 case against Kev- Workers should be made aware of the dangers
in Mitnick to realize just how much damage one surrounding social engineering, and educated
skilled social engineer can do. Mitnick plead guilty on how to handle a given situation, an organi-
to a string of federal offenses that were encapsu- zation should also attempt to set up a common-
lated in a computer hacking spree that lasted two sense business process that helps aids in chang-
and a half years. He pled guilty to the following: ing the culture of the organization (Hiner, 2002).
wire fraud, 4 counts; Computer fraud, 2 counts; Il- Awareness is the number one defensive measure
legally intercepting a wire communication, 1 count
(“U.S. Department of Justice,” 1999).
In his trial, Mitnick admitted to breaking into a
number of computer systems and stealing unique
development and source code software from Mo-
torola, Fujitsu, Novell, Sun Microsystems, Nokia
Mobile Phones, Ltd., PacBell as well as other
companies. He admitted that social engineer-
ing was one of the tools he used to commit his
crimes, which included impersonating employ-
ees of victim companies. Many of Mitnick’s vic-
tims purportedly underwent damages that were
counted in the millions. The loss was a result of:
lost research and development (R&D), sales de-
lays, lost licensing fees, and safeguarding main- Figure 5. Education Leads to Defense (2002). Source:
GartnerG2. Retrieved 16 February, 2012, from: http://www.
tenance that had to be performed on the com- techrepublic.com/article/change-your-companys-culture-to-
puter systems that he had compromised (“U.S. combat-social-engineering-attacks/1047991
Department of Justice,” 1999).
Mitnick served five years in prison. He was held
in solitary confinement and restricted from using a
phone for eight months of his sentence because
law enforcement spokespersons lead a judge to be-
lieve that Kevin had the capabilities to start a nu-
clear war by dialing into NORAD from a payphone
and whistling launch codes that would trigger a mis-
sile launch; as silly as that may sound now, perhaps
anything seemed possible in 1999, especially in the
context of dealing with someone who had basical-
ly duped people at companies that were leaders in
technology into simply handing him the keys to their
castles so he could steal their data.
Following his release from prison, Mitnick has
crossed from the black hat side of hacking to the Figure 6. Confidence Chart (2011). Source: TechRepublic.
Retrieved 20 February, 2012, from: http://www.techrepublic.
white hat realm, he is now a successful speaker, com/article/admins-lack-confidence-in-social-engineering-
author, and security consultant. He has published preparations/1047960

www.hakin9.org/en 45
 against social engineer attacks. Beyond simply
informing employees that threats exist, provid-
ing them with the most commonly used tactics
can help shape the way they think about securi-
ty (Goodchild, 2011). Security awareness should
and can be more than an annual training require-
ment that glazes over the generic basics of se-
curity, there are plenty of vehicles to get people
thinking about security on an everyday basis;
posting flyers or posters, sending a weekly, orga-
nization-wide email with security tips, and plug-
ging security at staff meetings are just a few ways
to spread the message (Figure 6).
TechRepublic performed a survey in 2002 that
measured the confidence level that company
employees could not be manipulated by social
engineering attacks, and the results were that
61% were not very confident that their employ-
ees could not be manipulated. Based on the find-
ings of the IRS, University of Idaho, the results
of the DEFCON 18 challenge, and the exposed
exploits of Kevin Mitnick, those numbers are not
very far off the mark. A climate change using a
top-down approach, utilizing smart risk manage-
ment, user awareness, and incident manage-
ment may be the most effective way to shape se-
curity and limit the organization’s vulnerability to
social engineering.
Conclusion
Many organizations spend a small fortune on
latest and greatest technical and physical safe-
guards and countermeasures, but do little to
nothing to safeguard against the simplest and
most effective of attacks, social engineering.
There are many documented cases that show
the amount of damage or loss that can occur due
to social engineering, some listed in this study,
yet many companies simply ignore the threat or
believe that they are not vulnerable to that type of
attack, sadly this is just not true, social engineers
are skilled at extracting bits of information from
employees who are apathetic, lazy, eager, Orga-
nizations should make informing their employees
of the dangers of social engineering a number
one priority. Education, awareness, and training
at all levels may in fact turn your weakest link into
your strongest.
Terrance Stachowski
Terrance Stachowski is a Defense Con-
tractor currently working as an Infor-
mation System Security Officer (ISSO)
in Ramstein, Germany. He has worked
in Information Technology for the last
fifteen years, currently holds nineteen
IT certifications including the CISSP
and L|PT, and will finish his M.S. in Cybersecurity from
Bellevue University in March of 2013. He specializes in IT
Security, Penetration Testing, Networking, and Systems
Administration.

References
• Aharoni, M., Hadnagy, C. J., O’Gorman, J. (2010). Social engineering capture the flag results: Defcon 18. Retrieved
20 February, 2012, from: http://www.social-engineer.org/resources/sectf/Social-Engineer_CTF_Report.pdf
• Allen, J. H. (2009). Security is not just a technical issue. Retrieved 14 February, 2012, from: https://buildsecurityin.us-
cert.gov/bsi/articles/best-practices/management/563-BSI.html
• Goodchild, J. (2011). Social engineering: The basics. Retrieved 20 February, 2012, from: http://www.csoonline.com/
article/514063/social-engineering-the-basics?page=1
• Hadnagy, C. J. (2011). Social engineering: The art of human hacking. Indianapolis, IN: Wiley Publishing, Inc.
• Hiner, J. (2002). Change your company’s culture to combat social engineering attacks. Retrieved 18 February,
2012, from: http://www.techrepublic.com/article/change-your-companys-culture-to-combat-social-engineering-at-
tacks/1047991
• Hughes, B. (2010). Social engineering trumps a zero-day every time. Retrieved 19 February, 2012, from: http://
www.virusbtn.com/conference/vb2010/abstracts/Hughes.xml
• Microsoft. (2006). How to protect insiders from social engineering threats. Retrieved 14 February, 2012, from:
http://technet.microsoft.com/en-us/library/cc875841.aspx
• Mitnick, K. D., Simon, W. L. (2005). The art of intrusion: The real stories behind the exploits of hackers, intruders &
deceivers. Indianapolis, IN: Wiley Publishing, Inc.
• Scher, R. (2011). Is this the most dangerous man in America? Security specialist breaches networks for fun & profit.
Retrieved 20 February, 2012, from: http://www.social-engineer.org/resources/CPU-MostDangerousMan.pdf
• U.S. Department of Justice (1999). Kevin Mitnick sentenced. Retrieved 20 February, 2012, from: http://www.justice.
gov/criminal/cybercrime/mitnick.htm

46 03/2013
 International Conference On
“Diversifying Trends in
Technology & Management”

6 - 7 April’ 2013
at
Indian Institute of Technology (IIT - Delhi)
New Delhi, India.

CTIJTM

Important dates
th
Last date of Full Paper Submission: 5 March’ 2013
th
Last Date of Full Paper Submission: 15 March’2013 (With Late Fee)
For More Details Visit “http://journal.cybertimes.in” *Conditions Apply.

Chief Guest:
l Dr. Gulshan Rai, Director General, CERT-In, MIT, India.
Guest of Honour:
l Justice Talwant Singh, CBI Judge, Delhi, India.
l Mr. Rajiv P Saxena, Deputy Director General, NIC, Govt. of India. http://journal.cybertimes.in
Ph: +91-9312903095
l Shri V.K. Panchal, (Scientist-G, DTRL, DRDO). *Conditions Apply.

Organized by Sponsored by
R

(http://journal.cybertimes.in) (www.sedulitygroups.com)

For Sponsorship,
Contact - Email: editor@cybertimes.in, Ph: +91-9312903095.
 Your Security Program
Is Failing: What You Can Do To Save It

Developing and maintaining a successful security program,

regardless of size, can be a monumental undertaking. If
you’ve found yourself in the middle of a failing security
program, you’re not alone, but take heart, all may not be
lost. This article examines some of the common issues
security programs face, and provides solutions on how to
get things moving in the right direction.

A
well-designed and well-functioning security
program does not spring up overnight. It is
typically the result of sound management,
skillful security mapping, and well thought-out en-
gineering practices, which have toiled together
from the conception of a program to ensure that
security was integrated as a fundamental compo-
nent of the business process. In the perfect world,
a security program would entail unquestionable
senior-leadership involvement, a knowledge-
able and experienced Chief Information Officer
and Senior Information Security Officers, highly-
trained and highly-skilled Information System Se-
curity Officers, information owners and end-users
who find best security practices to be second na-
ture, policies and procedures which are easy to
read and follow, and technical controls which are
seamlessly deployed and integrated into the sys-
tem. Unfortunately, scenarios fitting that bill are
rare.
Regardless of how an organization’s securi-
ty posture appears on the surface, chances are
things could be better, in many cases, a lot bet-
ter. In the numerous years I have spent in the IT
industry, very few security programs come to mind
where there was not room for major improvements.
This paper will examine some of the more preva-
lent issues that seem to plague security programs
of all shapes and sizes.
Issue 1: People
When a security program fails, a breach occurs,
information is stolen, or a major security violation
occurs, there is sure to be plenty of finger pointing.
It is generally accepted that the only way to 100%
secure a network and it’s computers is to power
them off and physically control access to them,
barring that impractical solution, security events
will occur, but the questions often asked following
an event are: “Could this risk have been mitigated?
Where did we fail?”
Sometimes every control that could have been
in place was there, but an event still occurred, for
example, a brand new zero-day exploit was used
to breach security, but more often than not, there
was a failing on someone’s part which allowed the
event to come to fruition.
The following sections will examine what contrib-
utes to a failing program, starting with one of the
more crucial components of a security program:
people.
Issue 1: People
Security Staff
The security staff is as good a place to start as
any, as they are typically where the finger pointing
begins when something goes wrong. Take a step
back and give your team an honest assessment,
here are some questions to consider:
• Are there any gaping, apparent holes or weak-
links in your team’s skill-set?
• Is there dead wood that needs to be purged to
make room for better skilled individuals?
• Does your team have the right blend of techni-
cal, administrative, managerial, and soft skills?

48 03/2013
 Your Security Program Is Failing: What You Can Do To Save It
• Are there specific critical players who if re-
moved, a particular leg of your program would
likely collapse?
• Does your team have the proper training, and if
not, what training would best benefit the team
and the program?
• Do you have enough staff on your security
team to perform effectively?
• Are roles and responsibilities clearly defined?
Depending on the size of your team, it may re-
quire a checklist to fully evaluate your posture,
but any apparent issues or deficiencies should
be handled immediately, if that is not possible it
should at least be put on management’s radar so
they are aware an issue exists.
What about the team’s CISO? Are they capable
of doing the job, or were they simply in the right
place at the right time to get a promotion, but they
are now the poster-child for the “Peter Principle?”
It has been my experience that at times senior
leadership doesn’t have a good pulse on these
sort of things, or sadly, they are aware but don’t re-
ally care because no major incident has occurred;
if the captain of the ship is a fool, getting on the
right course is nearly impossible.
Relationships
The security programs that do best, like any team,
are ones where there exists a good working re-
lationship, both internally among members of the
security team, as well as with management and
the end-users. The following should be common
sense, but since I have seen it so many times in
real life, here is a list of Do’s and Don’ts:
• DO – work with your end-users, engineers,
management, developers, and configuration
management team, let them know that secu-
rity is everyone’s responsibility, and that ev-
eryone’s contribution is valued. DON’T – run
around telling everyone that you have your
CISSP so everything is under control.
• DO – take into consideration advice and sug-
gestions from other departments, especially
from Subject Matter Experts (SME), data own-
ers, and engineers, they may have a great idea
or process to help strengthen the overall secu-
rity of a site. DON’T – think that because they
don’t work in security that they don’t have a
clue.
• DO – remove the word “No” from your vocab-
ulary. DON’T – be the harbinger of the word
“No.” As security specialists one of the prima-
ry definitions of our job is to find solutions to
www.hakin9.org/en
tough problems, not to simply wander around
barking “negative!” at our fellow employees.
Here’s the truth of the matter, if you get in the
habit of simply telling your co-workers “no” all
of the time, without attempting to provide a so-
lution, most people will not simply think: “well
that ends it, some dork from security told me
I can’t do it, so I’ll stow that idea.” No, people
are crafty, if they are anything like most end-
users I have worked with, they will get creative,
finding their own workaround to bypass what-
ever hurdle they are facing. Check their title, if
it reads “Engineer,” it’s in most of their blood to
craft solutions to problems, in fact I would haz-
ard to guess many would consider it a healthy
challenge to find their own solutions to circum-
vent the “impractical security rules which are
holding up progress” if they’re working in the
world of “no.”
• DO – have an open, trusting relationship with
co-workers, assure them that mistakes will
happen, but it is best to report them so that
they can be fixed as soon as possible. DON’T
– walk around scowling at everyone in the or-
ganization; refer to yourself as “The Hammer,”
“The Iron Fisted,” or any other contrived, me-
dieval dictator designation. I once had a CI-
SO tell me that he was the most hated man in
the building, to which I responded, “Well then,
you’re doing it wrong.” People who fear the se-
curity department are less willing to come for-
ward with an incident because they are afraid
of the heavy-handed repercussions, I don’t
know about you, but I would much rather be
approachable and have my co-workers feel it’s
in the interest of the organization to report an
incident rather than conceal it.
• DO – cross-training. Cross-training is a great
way for your security team to grow as a whole,
if you have technically savvy security admin-
istrators but they are weak in writing policy,
have them shadow someone who is strong in
the administrative portion of security, and vice
versa. DON’T – allow for stagnation by allow-
ing yourself or your team to work in information
vacuums. Identify those weak areas in yourself
and your team and allow for growth.
End-Users
News headlines are constantly delivering reports
of the latest attack by Anonymous, LulzSec, for-
eign nation state hackers, etc. but do end-users re-
ally care? We follow those stories because they in-
trigue most of us because they pertain to our field.
Even with “cyber threats” being so common in the
49
 news, it seems that many end-users are grossly
under-educated in how easy it is for them to open
the proverbial ‘front door’ to your organization’s
network to hackers.
Think about the end-users of your organization
for a minute, do they know not to click on pop-ups,
not to open attachments from strangers, or forward
suspicious e-mails? Do your end-users respond to
spam-mail asking to be removed from the mailing
list? Have they been educated enough to recog-
nize false security warning pop-ups (scareware),
such as: “your system is infected; click here to up-
date your antivirus.”?
Beyond the end-users who commit the above-
mentioned security no-no’s, what about the users
who know just enough to be dangerous? The ones
who are downloading and installing unapproved
software, or visiting sites that are not approved
or work, or bringing in thumb drives that have not
been scanned, or syncing their personal equip-
ment with their work computer?
Are the end-users to blame for their carefree or
ignorant approach to security, or is your user-train-
ing program simply an hour of annual “death-by-
PowerPoint?”
End-users have to believe that they are mak-
ing a difference, and that security is everyone’s
responsibility. That begins with delivering a clear
message to the organization that security is a
fundamental part of operations. At the end of
the day, end-users have their own jobs to wor-
ry about, their own field to master, so security is
often a back-burner topic to them, it’s up to the
security staff and management to emphasize the
importance of an strong organizational security
posture.
Management
Management is crucial to a solid security program,
if there is no leadership buy-in, good luck on fixing
things. Management has the teeth to enforce pol-
icy and procedures, to empower the security de-
partment, and to set the tone for the organization’s
security.
Issue 2: The Environment
The environment of the organization plays a major
factor in how well a security program functions. It
goes back to senior leadership and security lead-
ers to set the tone of the environment.
I have visited organizations where I seriously
questioned if the secretaries were armed, because
security had been so engrained into their daily life
– piggybacking through a secure door in those en-
vironments was not even an option in my mind.
50
On the flip side, I have passed through various or-
ganizations where the tempo was free-for-all, dev-
il-may-care, Wild West, where even the laxest of
controls were not in place.
Environmental and physical controls only work if
everyone is trained and working to enforce them.
For example, if a secure door requires a pin-num-
ber to open, that door is mostly useless if peo-
ple are being kind and holding the door open for
strangers. You might think this never happens, but
I cannot count the amount of times I have walked
into areas clearly marked “restricted personnel on-
ly” simply by wearing a three-piece-suit and walk-
ing with a sense of urgency; granted I was autho-
rized to be in these areas, but the stranger holding
the door open for me as I passed through the
clearly marked portal had no idea who I was... or
worse, wasn’t.
Safeguards and countermeasures are not hard
to implement if there is leadership buy-in, and peo-
ple are called out for deviating from the set stan-
dards.
Issue 3:
Policy, Procedure, or Practice Issues
Creating security policies and procedures are all
well and good, but are nearly meaningless if lead-
ership does not give their full backing, and you are
not able to enforce them; they look great on paper,
but have zero impact.
Even with leadership buy-in, there is the issue
of getting end-users to actually read security poli-
cies, and follow procedures. There has to be a
measure in place to ensure that they are actu-
ally reading the material so that if needed, if ig-
nored, consequences can exist. These docu-
ments should be in an easy to locate area, and
employees should be encouraged to learn them,
not simply perform the pencil-whip training, and
say they have read them.
Consider how you are getting the message of
security out to the organization, use of boring or
generic security posters, which catch nobody’s at-
tention? A weekly security e-mail that repeats the
same tips it repeated the previous week? Consider
livening things up if the message becomes dull.
Another issue pertaining to policy and procedures
is not following a formalized Information Security
Management Systems (ISMS), such as NIST, CO-
BIT, or ISO 27002. Pick the one that makes sense
for your organization and use it, they exist for a
reason and make getting -and staying – on track,
so much easier.
Consider the following issues that may need ad-
dressing:
03/2013
 Your Security Program Is Failing: What You Can Do To Save It
• Still fighting with the same issues that you
were dealing with five years ago, not making
the corrections you have received from a pene-
tration tester or auditor.
• Caring more about passing an audit and get-
ting a ‘meets compliancy’ stamp of approval
than actually caring about the security of the
organization. A good indicator you are doing it
wrong: if you are stressed-out over audits, or
feel that external auditors are “the bad guys,”
if you are doing it right, you should be on the
same page as the auditors, it is fine if they un-
cover something, simply work to repair the
identified vulnerability and press on.
• No oversight on system development lifecycle.
• No continuity planning.
• No formal operational procedures or incident
handling procedures.
• No separation of duties.
• No policy for media handling or access control.
When working to develop or refine policies and
procedures, utilize a layered, logical approach,
and be realistic in setting your goals, follow the
adage: “How do you eat an elephant?” Answer
“One bite at a time.”
Issue 4:
The Technical Aspect / Practices
Beyond policy, user-training, environment fac-
tors, we get to the part of security I absolutely
love, the technical aspect, the hands-on, play-
ing with the equipment. For me, this aspect of se-
curity is where the rubber meets the road, with-
out your technical security experts, your program
is doomed to failure. In day-to-day operations, I
guess you couldn’t argue that any one facet of
security is more important than another, but if
your organization is suffering an attack, it’s going
to be those geeks with the technical know-how
who step in to save the day, the CISSP, ITIL, and
Six Sigma certifications aren’t going to save you
here, hackers don’t care what management certi-
fications you have.
That being said, if you’re in a management role,
it’s your policy and procedures which are going
to keep your team on track to not lose touch with
the basics: patch management, account manage-
ment, security log review, etc., sure it’s boring,
there’s nothing sexy about sitting around applying
patches, reviewing logs, or scrubbing through user
accounts, but they are considered ‘fundamentals’
for a reason.
Some things to consider and correct in regards
to the technical aspect of the job:
www.hakin9.org/en
• Does your team properly understand and cor-
rectly utilize your tools? Deploying security
products to simply inform leadership: “Yes, we
have an IDS, a Firewall, and anti-virus in place”
is not considered good practice. These devic-
es and software suites have to be deployed
correctly, fine-tuned, monitored, patched, re-
viewed, and updated. This means that there
should be several people on the team that un-
derstand the finer details of each tool.
• Are said tools ineffective or outdated?
• Vulnerability scans. Are they being performed
but the results aren’t being analyzed? This
is one of those areas that many find monoto-
nous, and it’s easy to ‘pencil-whip,’ but what’s
the point of running scans if you’re not going to
review them?
• Deploy anti-virus software but not patching or
update regularly?
• Security logs. Reviewing security logs shares
all the tedium of reviewing vulnerability scans,
and is another area that is easy to ‘pencil-
whip,’ but if you are not monitoring your logs
how do you know if there is anything out of
place?
• Ratcheting down on security controls to the
point where getting legitimate work done be-
comes a struggle?
• Deploying new rules or security standards
without explaining or training the end-users.
• Has your staff given up on learning about new
technologies, exploits, attacks, and counter-
measures?
• Allowing junior or inexperienced people to take
responsibility of security-related tasks without
following-up on their work to ensure they are
doing it correctly?
Issue 5:
Risk Management / Classification Issues
How security programs exist without security man-
agers having a proper understanding of risk man-
agement is beyond me, but it happens. How are
end-users supposed to know how to mitigate risk
if their security team cannot? I would recommend
that if your security team is weak in the area of risk
management to get educated on NIST, Cobit, or
ISO standards.
Some common troubling issues I have come
across in the past:
• Over-classification- to be ‘on the safe side.’
While I agree that it’s better to be safe than
sorry, classify all information as “Top Secret”
regardless of what level of classification it be-
51
 longs at is not the correct way of doing things.
If everything is “Top Secret” soon enough,
nothing is.
• Missing the ‘big picture’ while focusing on the
small stuff.
• Being overly paranoid, or too carefree.
• Not fully understanding risk, vulnerabilities, or
controls.
The basic method of handing risk is to perform
steps such as:
1. Identify potential threats.
2. Assess the vulnerability of assets to specific
threats.
3. Determine the risk involved.
4. Identify possibilities for reducing the risks.
5. Rack-n-stack risk reduction measures based
on a scale.
A quick rehash of the four major categories of risk
management:
1. Avoidance – simply avoid the risk.
2. Reduction – reduce the effect or probability of
the risk.
3. Transference – transferring the risk to another
party.
4. Acceptance – accept the potential consequenc-
es of a risk.
Follow the Seven cardinal rules for the practice of
risk communication (Allen & Covello, 1988):
• Accept and involve the public/other consumers
as legitimate partners (e.g. stakeholders).
• Plan carefully and evaluate your efforts with a
focus on your strengths, weaknesses, opportu-
nities, and threats (SWOT).
• Listen to the stakeholders’ specific concerns.
• Be honest, frank, and open.
• Coordinate and collaborate with other credible
sources.
• Meet the needs of the media.
• Speak clearly and with compassion.
Getting a solid grasp on risk management takes
a lot of work, but without properly understanding
it, I would argue everything that follows is kind
of shooting from the hip. There are plenty of re-
sources available to educate yourself on risk man-
agement, I personally like NIST because it is in
my wheelhouse, it is what my organization uses,
and it is free.
52
References
• Allen., F. H., Covello, V. T. (1988). Seven cardinal
rules of risk communication. Washington, DC: U.S.
Environmental Protection Agency.
• Martin, L. (2011). Moore’s Law for security threats.
Retrieved from: http://www.voltage.com/security/
moores-law-for-security-threats/
Issue 6: Threat Rate Growing
As reported by Luther Martin (2011): “According
to the report “Federal Information Security Mar-
ket, 2010 to 2015” by industry analyst firm INPUT,
US government agencies have seen the threats
against their IT systems grow by 445 percent since
2006. That works out to a CAGR of about 45 per-
cent, or doubling in a bit more than 22 months.
That’s even faster than the form of Moore’s law
that says that the number of transistors on an inte-
grated circuit doubles in about two years.” Perhaps
this Moore’s Law for security threats pushes most
security staff to their limits.
Conclusion
No security program is perfect. If you think that
your organization is as secure as it could possibly
be, and there is no room for improvement, chanc-
es are you are in a state of serious denial. The fact
of the matter is, most security programs are un-
derstaffed, missing critical tools or infrastructure,
or do not have the level of talent required to have a
smoking hot security program. Sadly, it seems like
most of the time the only people who really care
about the security of an organization are those of
us in the security field, and getting buy-in from se-
nior leaders or end-users is akin to pulling teeth.
Security is a mindset and it is everyone’s respon-
sibility. I hope that the topics identified in this article
will help you analyze and scrutinize your own se-
curity program and find areas for improvement. It
is up to all of us to continue our trade and educate
those around us of the value that a thriving security
program brings to the table.
Terrance Stachowski
Terrance Stachowski is a defense con-
tractor supporting the United States
Air Force. He has fifteen years of IT
experience, a M.S. in Cybersecurity
from Bellevue University, and current-
ly holds nineteen IT certifications, in-
cluding the CISSP and L|PT. He special-
izes in IT Security, Penetration Testing, and Solaris Sys-
tems Engineering. He can be reached at terrance.ski@
skeletonkeyss.com
03/2013
 Industry’s Most Comprehensive Real Time
Dynamic Reputation List

Relationships
Restoring Security, Integrity &
Reliability to Messaging Systems

TrustSphere 3 Phillip Street

Tel: +65 6536 5203 #13-�03 Commerce Point
Fax: +65 6536 5463 Singapore 048693
www.TrustSphere.com