Penetration Testing

February 8, 2010

Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

Pen test strategies include:

Targeted testing

Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.

External testing

This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.

Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing

Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.


Penetration Testing Tools
1) Nmap – world's best port scanner
2) Nessus – vulnerability scanner
3) Metasploit – exploit framework
4) Pass-The-Hash – who needs passwords?
5) Hydra – brute-force password guessing
6) Cain & Abel – the ultimate MITM utility
7) Wireshark – network protocol analyzer
8) Snort – traffic analysis and packet logging on IP networks
9) Netcat – reads and writes data across TCP or UDP network connections
10) Nikto – web server scanner that performs comprehensive tests against web servers


Books to Change Life

February 2, 2010

This is a collection of book names that changed or influenced people's lives. I prepared this on the basis of a LinkedIn discussion. It can be helpful for reading.

1. Quran / Bible / Gita
2. How to Win Friends and Influence People – Dale Carnegie
3. 7 Habits of Highly Effective People – Stephen MR Covey
4. The Speed of Trust – Stephen MR Covey
5. The Secret – Rhonda Byrne
6. Who Will Cry When You Die – Robin Sharma
7. Our Iceberg Is Melting – John Kotter
8. Rich Dad Poor Dad – Robert Kiyosaki
9. The Greatness Guide – Robin Sharma
10. Don't Worry About Tomorrow – Dale Carnegie
11. Mind Mapping Techniques – Tony Buzan
12. Mind Control Methods – Jose Silva
13. The Goal – Eliyahu M Goldratt
14. The Saint, the Surfer and the CEO – Robin Sharma
15. Awaken the Giant Within – Anthony Robbins
16. The Profit Zone – Adrian Slywotzky
17. Creating a World Without Poverty – M Yunus
18. Anatomy of the Spirit – Caroline Myss
19. Seat of the Soul – Gary Zukav
20. The Palace of Nowhere – James Finley
21. Values Shift – Brian Hall
22. The Palm at the End of the Mind – Wallace Stevens
23. Creating a World Without Poverty – Muhammad Yunus
24. Find Your Own Way in Difficult Time – David Rascott
25. Execution – Bossidy & Ram Charan
26. Built to Last – Jim Collins
27. Good to Great – Jim Collins
28. In Search of Excellence – Thomas
29. Awakening the Entrepreneur Within – Michael Gerber
30. Fountainhead – Ayn Rand
31. Many Lives Many Masters – Brian Weiss
32. The Power of Now – Eckhart Tolle
33. Blink – Malcolm Gladwell
34. You Can Negotiate Anything – Herb Cohen
35. Old Path White Clouds – Thich Nhat Hanh
36. Success Principles – Jack Canfield
37. Notes to Myself – Hugh Prather
38. The Same Old Story – Ivan Goncharov
39. Atlas Shrugged – Ayn Rand
40. Law of Attraction – Michael Losier
41. Out of My Comfort Zone – Steve Waugh
42. When Genius Failed – Roger Lowenstein
43. The Making of a Financial Legend – Paul Volcker
44. Purpose Driven Life – Pastor Rick Warren
45. What You Say Is What You Get – Pastor Don Gossett
46. What's On in Your Mind – Merlin Carothers
47. The Google Story – David Vise
48. The Palace of Illusions – Chitra Banerjee Divakaruni
49. Emotional Intelligence – Daniel Goleman
50. Unlimited Power – Anthony Robbins
51. Awaken the Giant Within – Anthony Robbins
52. Getting Things Done – David Allen
53. Lateral Thinking – Edward de Bono
54. Embracing Change – Tony Buzan
55. Good to Great – Jim Collins
56. First Things First – Stephen Covey
57. Emotional Intelligence – Stephen Covey
58. Who Moved My Cheese – Spencer Johnson
59. You Can Heal Your Life – Louise L Hay
60. The Celestine Prophecy – James Redfield
61. The Truth Shall Set You Free and The Robot's Rebellion – David Icke
62. Mutant Message – Marlo Morgan
63. Jonathan Livingston Seagull – Richard Bach
64. The Bridge Forever – Richard Bach
65. Future Shock – Alvin Toffler
66. The Range of Works – Bertrand Russell
67. A Passion for Excellence – Tom Peters
68. The Seven Spiritual Laws of Success – Deepak Chopra
69. Make Your Site Sell – Ken Evoy
70. Brief History of Time – Stephen Hawking
71. How to Stop Worrying and Start Living – Dale Carnegie
72. Worthy Human Performance – Thomas Gilbert
73. Cultures of Organisation – Geert Hofstede
74. Love Is the Killer App – Thomas Sanders
75. Rules of the Red Rubber Ball – Kevin Carroll
76. Outliers – Malcolm Gladwell
77. Talent Is Overrated – Geoff Colvin
78. The Secret – Rhonda Byrne
79. Magic of Thinking Big – David Schwartz
80. Eat That Frog – Brian Tracy
81. Little Things Big Results – Roger Fritz
82. The Business School – Robert Kiyosaki
83. Are You Ready to Succeed? – Srikumar Rao
84. Improving Performance – Rummler and Brache
85. Developing Management Skills – Whetten & Cameron
86. Games People Play – Eric Berne
87. The 3rd Wave – Alvin Toffler
88. Mavericks at Work – William Taylor
89. Circle of Innovation – Tom Peters
90. Re-Imagine – Tom Peters
91. The Alchemist – Paulo Coelho
92. Wings of Fire – APJ Kalam
93. Six Thinking Hats – De Bono
94. The Man Who Sold the Ferrari – Robin Sharma
95. Execution – Chuck Bossidy
96. In Search of Excellence – Tom Peters
97. Blue Ocean Strategy – Kim and Mauborgne
98. How to Get Whatever You Want – Kopmeyer
99. The Power of Positive Thinking – Norman Vincent Peale
100. The Magic of Thinking Big – David J Schwartz
101. Tough Times Never Last, But Tough People Do – Robert H Schuller
102. Richest Man in Babylon – George S Clason
103. Who Moved My Cheese – Spencer Johnson
104. The 360 Degree Leader – John C
105. The One Minute Millionaire – Robert Allen

Cyberoam End Point Data Protection

January 18, 2010

More than half of corporate data lies unprotected on endpoints in organizations. Sensitive information such as customer data, trade secrets, intellectual property and legal documents resides on endpoints for productive use by authorized users. However, easy user access to portable devices and applications (USB drives, DVDs, MP3 players, file-sharing applications, instant messengers and more) makes it easy for them to leak this data, maliciously or accidentally. Today, the cost of lost or stolen data to an organization is massive, with lost business accounting for 65% of breach costs according to research. Hence, organizations need to protect their corporate data at endpoints from unauthorized sharing or leakage by insiders.

Besides, centralized, automated asset management is necessary at the endpoint because of the large number of users and branch offices, the rise in sophisticated attacks, and the resulting bugs and vulnerabilities. Securing the endpoint to protect corporate data and assets has therefore become critical, and a rapidly rising number of organizations are deploying dedicated data protection suites that offer user-level controls for handling data.

Benefits

  • Prevent endpoint data leakage
  • Extend data security beyond the network
  • Enhance employee productivity by blocking unauthorized applications
  • Streamline IT infrastructure management
  • Lower Total Cost of Ownership of IT infrastructure
  • Reduce malware penetration through patch management
  • Meet security compliance with IT asset management
  • Reduce legal liability and business losses


Endpoint Data Protection

Cyberoam Endpoint Data Protection protects the organization's endpoints from data leakage through identity- and group-based policy controls, encryption, shadow copies, logging, reporting and archiving. Cyberoam offers data protection and asset management in four modules that are easy to deploy and use:

  1. Data Protection and Encryption
  2. Device Management
  3. Application Control
  4. Asset Management 

Application Control

Unrestricted application usage can result in the use of unauthorized, illegal and malware-laden applications, causing data loss, productivity loss, legal liability and network outages. The Application Control module allows organizations to prevent data loss by allowing or blocking access to specified applications. Application logs let them view the type and time of applications used at endpoints across the organization:

a) Capture instant messenger inbound / outbound communication
b) Capture Outlook / Outlook Express inbound / outbound mail conversations with attachments
c) Capture outbound webmail content with attachments
d) Capture details even when the user is offline


Technology Trends 2010

January 4, 2010
  1. Unified Communication
  2. Information Security
  3. Cloud Computing
  4. Virtualisation
  5. Mobile application
  6. Data Centre Management
  7. Mobility & GPS
  8. Business Intelligence
  9. Gaming Application & Animation
  10. Bar-coding & RFID

Server Virtualization

October 29, 2009

What is Virtualization?

Virtualization is a method of running multiple independent virtual operating systems on a single physical computer. It is a way of maximizing physical resources to maximize the investment in hardware. Virtualization technology is a way of achieving higher server density. However, it does not actually increase total computing power; it decreases it slightly because of overhead. But since a modern $3,000 2-socket 4-core server is more powerful than a $30,000 8-socket 8-core server was four years ago, we can exploit this newly found hardware power by increasing the number of logical operating systems it hosts. This slashes the majority of hardware acquisition and maintenance costs, which can result in significant savings for any company or organization.

When to use virtualization

Virtualization is the perfect solution for applications that are meant for small- to medium-scale usage.  Virtualization should not be used for high-performance applications where one or more servers need to be clustered together to meet performance requirements of a single application because the added overhead and complexity would only reduce performance. 

While some in the virtualization industry like to tout high CPU utilization numbers as an indication of optimum hardware usage, this advice should not be taken to the extreme where application response times become excessive. A simple rule of thumb is to never let a server exceed 50% CPU utilization during peak loads and, more importantly, never let application response times exceed a reasonable SLA (Service Level Agreement). Most modern servers used for in-house server duties run at 1 to 5% CPU utilization. Running eight operating systems on a single physical server would elevate the peak CPU utilization to around 50%, but the average would be much lower, since the peaks and valleys of the virtual operating systems tend to cancel each other out.

Physical to virtual server migration

Any respectable virtualization solution will offer some kind of P2V (Physical to Virtual) migration tool.  The P2V tool will take an existing physical server and make a virtual hard drive image of that server with the necessary modifications to the driver stack so that the server will boot up and run as a virtual server.  The benefit of this is that you don’t need to rebuild your servers and manually reconfigure them as a virtual server—you simply suck them in with the entire server configuration intact!

So if you have a data center full of aging sub-GHz servers, these are the perfect candidates for P2V migration. You don't even need to worry about license acquisition costs because the licenses are already paid for. You could literally take a room with 128 sub-GHz legacy servers and put them into eight 1U dual-socket quad-core servers with dual Gigabit Ethernet and two independent iSCSI storage arrays, all connected via a Gigabit Ethernet switch. The annual hardware maintenance costs alone on the old server hardware would be enough to pay for all of the new hardware! Just imagine how clean your server room would look after such a migration. It would all fit inside one rack and give you lots of room to grow.

As an added bonus of virtualization, you get a disaster recovery plan because the virtualized images can be used to instantly recover all your servers.  Ask yourself what would happen now if your legacy server died.  Do you even remember how to rebuild and reconfigure all of your servers from scratch?  (I’m guessing you’re cringing right about now.) With virtualization, you can recover that Active Directory and Exchange Server in less than an hour by rebuilding the virtual server from the P2V image.

Licensing and support considerations

A big concern with virtualization is software licensing. The last thing anyone wants to do is pay for 16 copies of a license for 16 virtual sessions running on a single computer. Software licensing often dwarfs hardware costs, so it would be foolish to run a $20,000 software license on a shared piece of hardware. In this situation, it's best to run that license on the fastest physical server possible without any virtualization layer adding overhead.

For something like Windows Server 2003 Standard Edition, you would need to pay for each virtual session running on a physical box.  The exception to this rule is if you have the Enterprise Edition of Windows Server 2003, which allows you to run four virtual copies of Windows Server 2003 on a single machine with only one license.  This Microsoft licensing policy applies to any type of virtualization technology that is hosting the Windows Server 2003 guest operating systems.



Microsoft Office Communicator

August 17, 2009

Microsoft Office Communicator is a unified communications application that helps end users be more productive by enabling them to communicate and collaborate easily with others in different locations or time zones using a range of different communication options, including instant messaging (IM), voice, desktop sharing and video. Integration with programs across the Microsoft Office system — including Word, Excel, PowerPoint, OneNote, Groove, and SharePoint — gives end users many different ways to communicate directly from the context of their task.


  • Simplify communications with immediate presence awareness.
  • Let others know the best way to contact you.
  • Manage your contacts more easily.
  • Choose the communication method that meets your needs.
  • Access powerful phone features through your PC.
  • Work faster with intuitive device integration and support.
  • Quickly communicate from Microsoft Office applications.
  • Take advantage of familiar tools to improve productivity.
  • Keep a conversation history.
  • Connect and communicate from the location of your choice.
  • Convenient access through multiple devices.

Communicator


Cisco DMVPN (Dynamic Multipoint Virtual Private Network)

August 5, 2009

DMVPN is a simple, secure, low-cost, scalable VPN tunnel. DMVPN supports distributed applications including data, voice and video, with QoS. All of this runs inside a secure IPsec VPN tunnel over an Internet connection. The only per-spoke change is the IP address of the GRE tunnel: each spoke dynamically discovers the IPsec tunnel endpoints of the other spokes, so no static IPsec configuration is needed for each spoke.

Because DMVPN supports multipoint GRE tunneling, you can run VoIP, video and multicast services across your secure DMVPN link. Two topologies are supported: Hub-and-Spoke (H&S) and Spoke-to-Spoke (S2S). With H&S the design.

It is a cost-effective and secure communication option for branch offices.

DMVPN

DMVPN Overview


Unified Communication

July 29, 2009

Unified communication is an industry term used to describe all forms of call and multimedia/cross-media message-management functions controlled by an individual user for both business and social purposes. This includes any enterprise informational or transactional application process that emulates a human user and uses a single, content-independent personal messaging channel for contact access.

The essence of communication is breaking down barriers. In its simplest form, the telephone breaks distance and time barriers so that people can communicate in real time or near real time when they are not together. There are now many other barriers to be overcome. People can use many different devices to communicate (wireless phones, personal digital assistants, personal computers, thin clients, etc.), and there are now new forms of communication as well, such as instant messaging. The goal of unified communications involves breaking down these barriers so that people using different modes of communication, different media, and different devices can still communicate to anyone, anywhere, at any time.

Unified communication (UC) encompasses several communication systems or models including unified messaging, collaboration, and interaction systems; real-time and near real-time communications; and transactional applications.

  • Unified messaging focuses on allowing users to access voice, e-mail, fax and other mixed media from a single mailbox independent of the access device.
  • Multimedia services include messages of mixed media types such as video, sound clips, and pictures, and include communication via short message services.
  • Collaboration and interaction systems focus on applications such as calendaring, scheduling, workflow, integrated voice response, and other enterprise applications that help individuals and workgroups communicate efficiently.
  • Real-time and near real-time communications systems focus on fundamental communication between individuals using applications or systems such as conferencing, instant messaging, traditional and next-generation private branch exchanges.
  • Transactional and informational systems focus on providing access to m-commerce, e-commerce, voice Web-browsing, weather, stock-information, and other enterprise applications.

Cisco Unified Communications


End Point Security

July 28, 2009

Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed. Endpoint security systems work on a client/server model. A client program is installed on or downloaded to every endpoint, which, in this case, is every user device that connects to the corporate network. Endpoints can include PCs, laptops, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals. A server or gateway hosts the centralized security program, which verifies logins and sends updates and patches when needed.

Simple forms of endpoint security include personal firewalls or anti-virus software that is distributed and then monitored and updated from the server. The term is evolving, however, to include security elements such as intrusion detection and prevention, anti-spyware software, and behaviour-blocking software (programs that monitor devices and look for operations and actions that are typically initiated by unsanctioned applications or those with malicious intent).

The most complex endpoint security programs use network access control to authenticate user devices and grant them specific forms of access. When a device attempts to log in to the network, the program validates user credentials and also scans the device to make sure that it complies with defined corporate policies before allowing access. Required elements may include an approved operating system, a firewall, a VPN and anti-virus software with current updates, as well as any mandatory corporate software. The program will also scan to ensure the absence of unauthorized software, such as peer-to-peer applications and games. Devices that do not match the policy are given limited access or quarantined.

Cisco Endpoint Security

Check Point Endpoint Security


Disaster Recovery

July 5, 2009

Disaster recovery planning is a subset of a larger process known as business continuity planning and should include applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.

General steps to follow while creating BCP/DRP

  1. Identify the scope and boundaries of the business continuity plan. This first step defines the scope of the BCP and gives an idea of the plan's limitations and boundaries. It also includes audit and risk analysis reports for the institution's assets.
  2. Conduct a business impact analysis (BIA). The BIA is a study and assessment of the financial losses to the institution that would result from a destructive event such as the unavailability of important business services.
  3. Sell the concept of BCP to upper management and obtain organizational and financial commitment. Convincing senior management to approve the BCP/DRP is a key task. It is very important for the security professional to get approval for the plan from upper management to bring it into effect.
  4. Each department will need to understand its role in the plan and support its maintenance. In case of disaster, each department has to be prepared for action. To recover and protect the critical systems, each department has to understand the plan and follow it accordingly. It is also important for each individual department to help create and maintain the plan.
  5. The BCP project team must implement the plan. After approval from upper management, the plan should be implemented and maintained. The implementation team should follow the guidelines and procedures in the plan.
  6. The NIST tool set can be used for BCP. The National Institute of Standards and Technology has published tools that can help in creating a BCP.

Acronis

Acronis, Inc. is a company incorporated in Delaware that produces hard disk utility software, including disk-imaging backup and recovery, partition management, and boot management software. It also develops software for virtualization migration and conversion, for the purpose of migrating a physical server to a virtual server (such as VMware), or what is also termed P2V. Its best-known product, Acronis True Image, creates a software image of a computer disk in order to restore an exact image on the same or another computer. Most software is produced in different versions, from low-priced software for single computers up to versions for companies with many desktop and server computers.

Reference: Wikipedia