
Elimination of the Data Boundary

One obvious and growing trend in information technology is the use of cloud-based hosting. In many cases, the hosting of applications and data involves the use of large providers covering a number of geographies all over the world. One benefit of this is the ability to use infrastructure located in different geographies to host your cloud-based application. If an issue occurs in one geographic location that negatively impacts your application, the load can simply be moved, either manually or automatically, to a different geography. This can help to ensure that you’ve covered the foundational security tenet of availability.

Data, on the other hand, often has restrictions that preclude the ability to move it from location to location. Various regulatory and privacy requirements may force you to keep your data within a certain geographical boundary such as within one country or collection of countries. The cloud-based architecture described above still works as you can easily control which geographies your cloud-based applications and data reside within.

Or can you?

Let’s take a hypothetical situation to illustrate the challenge:

Company XYZ has an agreement in place to utilize the cloud hosting capabilities of Company ABC. Company XYZ’s data includes particular elements which cannot leave the United States due to regulatory requirements. Company XYZ uses Company ABC’s management console to select only US-based infrastructure in their cloud application deployment. The application is deployed to the cloud infrastructure and begins collecting, and appropriately restricting, the protected data.

Company XYZ identifies a problem with their application that indicates some sort of an infrastructure issue. They contact their cloud service provider for assistance in troubleshooting the issue. Company ABC receives the support request and begins working with Company XYZ to find the issue. This involves the Company ABC support technician accessing the cloud infrastructure to perform troubleshooting.

This scenario is very common and has been experienced by most consumers of cloud-based services. From the regulatory perspective, however, what if the support technician is not located in the United States? Company XYZ’s data is now theoretically available across geographical boundaries. Are they out of compliance? Did either company do anything wrong? Did the contractual agreement between them indicate any geographical boundary protection or did it indicate that data is the responsibility of the customer?

It’s important to play out various scenarios as you look at regulatory requirements and how they apply to your use of cloud infrastructure. The use of cloud-based hosting changes or eliminates the data boundary and can affect your regulatory compliance.

Reuse Your Skills: Penetration Testing for Auditing

As a penetration tester, your work tends to be fairly straightforward. You obtain a client engagement, define the scope of your penetration testing work, and then use your knowledge, skills, and tools to provide the client with a report of their vulnerabilities. As more people come to recognize the value of penetration testing, the market is slowly becoming more competitive. This is excellent for the customer and for us as testers, as a larger market footprint tends to lead to better tools and more recognition of the value of penetration testing. However, it also means that we need to be able to provide even more value to our customers in order to stay ahead of our competition.

One method of providing more value is to reuse our penetration testing skills to perform other tasks that our client may need. A common trend exists around using these skills to aid clients in performing internal audits. Outside of the penetration testing aspect of audits, it is very common for clients to need to audit their installed software and hardware inventory. If you are able to assist them with this process, you can demonstrate your versatility, offer additional services (at additional cost), and potentially become a full-service provider for your client. This can, of course, lead to additional revenue and set you apart from your competitors.

So the question then becomes: how do you leverage your penetration testing skills to perform this type of audit work? As penetration testers, we use reconnaissance and enumeration to gather data on the systems that we are testing, and these processes can be easily reused to audit systems. As an example, a client was recently required by Oracle to audit the number of installed Oracle databases that exist within their company. Using a tool such as Nmap, we can easily perform this type of scan:

To scan a single server for port 1521 and reverse-resolve its hostname:

nmap -p 1521 10.10.10.10 -R

To scan multiple servers:

nmap -p 1521 10.10.10.1/24 -R

To also detect the Oracle service version and other details (takes a lot longer):

nmap -p 1521 10.10.10.1/24 -R -sV

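To turn such a scan into an audit deliverable, here is an added example that is not from the original article: it parses Nmap's XML output (the -oX option) for hosts with port 1521 open and renders a CSV inventory, keeping hosts where -sV could not identify the listener so they can be followed up manually. The scan data embedded below is constructed for illustration, not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -p 1521 -sV -R -oX -" output (not a real scan);
# addresses, PTR names and the version string are made up for illustration.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 1521 -sV -R -oX - 10.10.10.0/24">
<host><status state="up"/><address addr="10.10.10.10" addrtype="ipv4"/>
<hostnames><hostname name="db01.xyz.example" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="1521"><state state="open" reason="syn-ack"/>
<service name="oracle-tns" product="Oracle TNS listener" version="11.2.0.2.0" method="probed" conf="10"/></port></ports></host>
<host><status state="up"/><address addr="10.10.10.11" addrtype="ipv4"/><hostnames/>
<ports><port protocol="tcp" portid="1521"><state state="closed" reason="reset"/>
<service name="oracle" method="table" conf="3"/></port></ports></host>
<host><status state="up"/><address addr="10.10.10.12" addrtype="ipv4"/>
<hostnames><hostname name="app02.xyz.example" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="1521"><state state="open" reason="syn-ack"/>
<service name="oracle-tns" method="table" conf="3"/></port></ports></host>
</nmaprun>"""


def oracle_inventory(nmap_xml, port="1521"):
    """One record per host whose TCP `port` is open; closed/filtered ports are
    skipped and hosts without a PTR record get an empty hostname."""
    records = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        port_el = host.find("ports/port[@portid='%s']" % port)
        if addr is None or port_el is None:
            continue
        state = port_el.find("state")
        if state is None or state.get("state") != "open":
            continue
        name = host.find("hostnames/hostname")
        svc = port_el.find("service")
        # product/version are present only when -sV fingerprinted the listener;
        # a bare "table" match is still an open port the audit must follow up.
        records.append({
            "ip": addr.get("addr"),
            "hostname": name.get("name") if name is not None else "",
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else "",
        })
    return records


def inventory_csv(records):
    """Render the inventory as CSV text for the audit report."""
    fields = ("ip", "hostname", "product", "version")
    return "\n".join([",".join(fields)] + [",".join(r[f] for f in fields) for r in records])
```

Feed it a real file with `oracle_inventory(open("scan.xml").read())`; the same code works for any other service port by changing the `port` argument.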

This works great for software installed and running as a service, but what about client-side software? Occasionally, a client is required to scan for a specific software product on client workstations to gather an inventory of the software install base. Since the client software may not run as a service, it may not have an open port to scan for. In situations like this, we can use other tools that leverage existing services provided by the operating system such as SNMP or WMI. For example, on a Windows XP system running the SNMP service, the snmpwalk tool can be used to display a software inventory using the following syntax:


snmpwalk -c public -v1 127.0.0.1 1 | findstr 3.6.1.2.1.25.6.3.1.2


Of course, running this from a UNIX system, one would replace “findstr” with “grep”, but the syntax is similar. Using this method, you can easily audit all software installed on a client system or all client systems on a network.
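An added example, not part of the original article, that does the findstr/grep step in code: it pulls the hrSWInstalledName rows out of raw snmpwalk output, accepting both the numeric OID form the filter above relies on and the symbolic form net-snmp prints when the HOST-RESOURCES-MIB is loaded, and then counts installs of a given product. The walk excerpt and product names are constructed.

```python
import re

# Constructed excerpt of "snmpwalk -c public -v1 <host> 1" output, limited to the
# hrSWInstalled table (.1.3.6.1.2.1.25.6.3). Product names are made up; the first
# lines use the numeric notation seen on Windows without MIB files, the last line
# the symbolic notation net-snmp prints when HOST-RESOURCES-MIB is loaded.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Oracle Database 11g Release 2 Client"
.1.3.6.1.2.1.25.6.3.1.2.2 = STRING: "Microsoft .NET Framework 4 Client Profile"
.1.3.6.1.2.1.25.6.3.1.2.3 = STRING: "Oracle Data Provider for .NET"
.1.3.6.1.2.1.25.6.3.1.4.1 = INTEGER: 4
.1.3.6.1.2.1.25.6.3.1.5.1 = Hex-STRING: 07 DC 03 0F 00 00 00 00
HOST-RESOURCES-MIB::hrSWInstalledName.4 = STRING: Adobe Reader X
"""

# Matches hrSWInstalledName rows in either numeric or MIB-resolved notation;
# group 1 is the table index, group 2 the (optionally quoted) product name.
_NAME_ROW = re.compile(
    r'^(?:\.?1\.3\.6\.1\.2\.1\.25\.6\.3\.1\.2|HOST-RESOURCES-MIB::hrSWInstalledName)'
    r'\.(\d+)\s*=\s*STRING:\s*"?(.*?)"?\s*$')


def installed_software(walk_output):
    """Map hrSWInstalledIndex -> product name from raw snmpwalk text,
    ignoring the other columns of the table (type, install date, ...)."""
    inventory = {}
    for line in walk_output.splitlines():
        m = _NAME_ROW.match(line)
        if m:
            inventory[int(m.group(1))] = m.group(2)
    return inventory


def find_product(inventory, pattern):
    """Sorted product names matching `pattern` (case-insensitive regex), e.g.
    r"^Oracle" to count Oracle client installs for a licence audit."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(name for name in inventory.values() if rx.search(name))
```

Run it against each workstation's walk output and aggregate the results to get the install base across the network.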

Hardware audits are another area where your skills can be valuable. In some cases, companies will need to audit their installed hardware base and determine what they have on the network. Nmap is, of course, the tool of choice for this type of audit as well. Using Nmap, you can simply scan the subnet(s) in question and report back on the detected system types.

In conclusion, be aware that the knowledge, skills, and tools that you use as a penetration tester can be reused in a number of ways. This can help increase your personal value to your clients as well as drive new business and new service offerings. Additional details on the tools discussed in this article as well as a plethora of other open source tools can be found in my book, Penetration Tester’s Open Source Toolkit, Third Edition available at http://www.amazon.com/Penetration-Testers-Source-Toolkit-Edition/dp/1597496278 or your favorite technical book retailer.

Pentesting Training Lab

I’ve been asked many times for the Linux distribution that I use for my pentesting classes. This distro is a modified version of the BackTrack Linux distribution with a number of vulnerable virtual machines stored within the distro for testing skills and tools. This lab is open source so feel free to download it and give it a try. If you’re interested in one of my penetration testing classes, please let me know and I can work with you to get you enrolled.

BackTrack 5r2 Lab Edition