Syrinx Technologies FAQ
- Syrinx Technologies
- General Topics
- Applications
- Dial-In
- Wireless
- PCI
- Social Engineering
- Policies & Procedures
- Virtualization
Syrinx Technologies
Q: How do you pronounce "Syrinx"?
A: sir-iŋ(k)s or perhaps sear-inks

Q: What are the normal billing terms for services?
A: All services performed by Syrinx Technologies are billed as fixed price projects. The normal terms are Net 15. Unless the project is large enough to be broken into sections with milestones, the invoice is submitted with the draft reports.

Q: Does Syrinx Technologies have a blog?
A: Yes, you can read the blog at http://syrinxtech.blogspot.com.

Q: Does Syrinx Technologies have an RSS feed?
A: Yes, you can subscribe to the Syrinx Technologies RSS feed here.

General Topics
Q: What's the difference between a vulnerability assessment and a penetration test?
A: From "www.darknet.org":
Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Q: What's the difference between external and internal penetration testing?
A: An "external" penetration test will examine the various resources available from anyone outside the security perimeter (i.e., the firewall). This testing could include the web/email servers, dial-in, wireless and VPN access. The "internal" penetration test will examine resources available to anyone inside the security perimeter. This could include employees, contractors, temporary employees, partners and attackers who manage to break through the external security perimeter.

Q: What's the average length of an external and internal penetration test?
A: The average external test is about 16-24 man hours, while the average internal test is 24-40 man hours. Factors that influence the external testing include the number of Internet-facing devices, the number of IP domains owned by the client and whether there is wireless or dial-in testing to be performed. Factors influencing the internal testing include the number of servers, network users and remote locations.

Q: Does it make sense to routinely test my networks?
A: Absolutely! Like any regular health checkup, network security audits should be performed annually. Some clients choose to alternate internal and external testing each year. Others perform quarterly testing to ensure that any problems can be quickly discovered and fixed. On a related note, some clients choose to routinely swap among their vendors who perform security audits. This provides the client a fresh set of eyes, toolsets and methodologies every 2-3 years.

Q: What is an RSS feed?
A: You can get more information here.

Q: Is there a difference between an IDS/IPS and a Web Application Firewall (WAF)?
A: Yes, there are definite differences between the two. IDS/IPS systems are typically either signature-based or behavior-based. Sometimes the functionality is built into devices such as firewalls and routers; other times it is delivered as blades that fit into a larger chassis. They can act as network or host-based protection controls. Sometimes they are used as separate appliances with one or multiple network interfaces. While IDS/IPS systems are designed to provide a higher layer of security over a basic firewall, they do not typically understand or protect against application layer attacks such as SQL Injection, XSS, etc. This is why the PCI standard requires a WAF to protect Internet-facing web servers instead of just a firewall with IDS/IPS capabilities.

Applications
Q: What is SQL Injection?
A: SQL Injection is an attack on databases with a web server front-end. The issue involves the application not properly 'sanitizing' input data. By submitting carefully crafted input the attacker is able to gain unauthorized access to the database. This access can take various forms including read access and the ability to change data, and in some cases it can be used to completely compromise the entire database server.

Q: How do I prevent SQL Injection attacks?
A: You must ensure that ALL input data is properly verified and only the specific data requested is passed to the web application. For example, if the user is asked for a ZIP code, accept only the digits 0-9 and perhaps a dash. Check for the proper length and format of each data input field. Don't forget input areas such as search fields, "Contact Us" forms, etc.

Q: What is Blind SQL Injection?
A: Blind SQL Injection is a variation on the standard SQL Injection attack. Blind SQL Injection attacks occur when a web application is vulnerable to SQL Injection but does not display results to the attacker. This type of attack usually takes longer and requires different tools to perform. The use of parameterized statements can help prevent this type of attack.
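The two defenses named in the answers above, strict input validation (the ZIP code example) and parameterized statements, side by side with the injectable pattern they replace. This is an added example written for this FAQ, not Syrinx Technologies' code; the `stores` table and its rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: a small table of store locations keyed by ZIP code.
SAMPLE_ROWS = [
    ("Downtown", "30301"),
    ("Airport", "30320"),
    ("Midtown", "30308-1234"),
]

# Allow-list from the FAQ: exactly five digits, optionally a dash and four more.
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def validate_zip(value: str) -> bool:
    """Accept only the format asked for; anything else is rejected outright."""
    return bool(ZIP_RE.fullmatch(value))


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO stores VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(zip_code: str, conn=None) -> list:
    """Injectable: the user's input is pasted straight into the SQL text, so
    quote characters in the input change the meaning of the WHERE clause."""
    conn = conn or build_db()
    sql = "SELECT name FROM stores WHERE zip = '" + zip_code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(zip_code: str, conn=None) -> list:
    """Hardened: validate the input against the allow-list, then bind it as a
    parameter so the driver never interprets it as SQL."""
    if not validate_zip(zip_code):
        return []
    conn = conn or build_db()
    sql = "SELECT name FROM stores WHERE zip = ?"
    return [row[0] for row in conn.execute(sql, (zip_code,))]
```

Running both lookups with a well-formed ZIP code gives the same row; running them with a quoted, non-ZIP string shows the vulnerable query returning every row while the hardened one returns nothing.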

Q: What is Cross Site Scripting (XSS)?
A: XSS is a web application vulnerability that allows attackers to inject malicious code into the local machine of a user browsing the insecure web application. The attacker will create a phishing email that contains a link to a vulnerable web site. Inside the link will be special commands, often including application code such as JavaScript. When the user clicks on the link, the special code is sent to the vulnerable web site, which echoes it back to the local user's web browser. Depending on the contents of the special code, various attacks can be performed on the local user's PC. Stealing cookies and downloading malware and viruses are often performed via this attack.

Q: Can XSS attacks be prevented?
A: Whether or not XSS attacks can be completely eliminated might be open for debate. However, just like SQL Injection, XSS vulnerabilities can be greatly reduced by properly sanitizing input data. Only allow the specific input data requested. Sometimes this is not enough to prevent XSS attacks. Proper cookie security is another issue that needs to be addressed. Click here for a reference to other techniques for preventing XSS attacks.
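The "echoes back the code" behaviour from the XSS answer above, beside a hardened version and the cookie settings the answer alludes to. This is an added example written for this FAQ, not Syrinx Technologies' code; it uses output encoding (HTML-escaping the reflected value), a technique the FAQ does not name alongside input sanitizing, and the search term and session token are constructed sample values.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a search term carrying markup, as it might arrive in a link.
SAMPLE_QUERY = "<script>alert(document.cookie)</script>"


def render_vulnerable(query: str) -> str:
    """Reflects the search term into the page unencoded: whatever markup was in
    the link is handed to the browser as HTML, which is the echo the FAQ describes."""
    return "<p>Results for: " + query + "</p>"


def render_safe(query: str) -> str:
    """Encodes the HTML metacharacters (< > & ' ") before reflecting the term, so
    markup in the input is displayed as text rather than interpreted."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def session_cookie_header(token: str) -> str:
    """Builds a Set-Cookie header with the attributes that limit what injected
    script can do with a session cookie: HttpOnly keeps it out of document.cookie,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```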

Q: For what types of vulnerabilities does an average web site analysis test?
A:
- SQL Injection
- Blind SQL Injection
- Cross Site Scripting
- Cookie Tampering
- Incorrect Directory Permissions
- Missing Patches
- Authentication Credentials

Dial-In
Q: Does it still make sense to test for dial-in vulnerabilities?
A: Yes. Any method of accessing corporate resources from external sources should be tested. This could include just the known dial-in phone numbers or perhaps the entire DID block of phone numbers allotted to the client. Don't forget about the phone lines connected to your PBX!

Q: What is 'wardialing'?
A: Wardialing is a common term for testing connections to various computing devices over normal phone lines. Many organizations still have phone lines connected to routers, servers, PBXs, etc. for diagnostic and troubleshooting activities. If these connections are not secure they can represent a great threat to your organization.

Q: How is dial-in testing typically performed?
A: Usually, one of two ways. The first method is to dial only the specific numbers that you know are connected to some form of computing device (typically excluding fax machines). The second method involves dialing a block of phone numbers. The goal of the second method is to find "hidden" dial-in access of which IT might not be aware. Blocks of phone numbers can range from several to several thousand.

Wireless
Q: Are wireless networks safe?
A: The answer has to be a qualified "maybe". Without any protection (including simple WEP) most wireless networks are extremely insecure. With additional security such as WPA/WPA2, two-factor authentication and 802.1x, wireless networks can be made much more secure.

Q: Should I worry about Bluetooth?
A: Bluetooth could be a problem depending on how and where you use it. There are many myths about Bluetooth vulnerabilities. Like any other communication method it should be disabled if not needed. Several options to secure Bluetooth include disabling discovery and using secure PINs.

PCI
Q: What is PCI? Does it apply to my organization?
A: PCI stands for "Payment Card Industry". It consists of a collaboration between American Express, Discover, JCB, MasterCard and Visa. The PCI Data Security Standard (DSS) is a set of 12 requirements for protecting cardholder data. More information can be found here.

Social Engineering
Q: What is "social engineering"?
A: From Wikipedia:
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Q: What kinds of tests can be performed?
A: There are many different kinds of tests that can be performed under the umbrella of 'social engineering'. Some of these are listed below:
- Calling the help desk and pretending to be an employee.
- Phishing emails - attempting to gain sensitive information from employees.
- Arriving dressed as a service technician - can we gain access to the computer room?
- Dumpster diving - yes, going through the trash cans.
- Shoulder surfing - attempting to discover passwords over a user's shoulder.
- Standing around the "smoking area" and going inside the building without credentials.

Policies & Procedures
Q: Are IT security policies that important?
A: YES. Syrinx Technologies strongly recommends that accurate and comprehensive policies and procedures be developed before any money is spent on security hardware, software or services. After all, how do you program a firewall without knowing specifically what network traffic is being allowed and denied? A well written set of policies and procedures will guide all future security implementations.

Q: What kinds of tests are typically performed during an audit?
A: The typical policy audit consists of two phases. In Phase 1, Syrinx Technologies will read and study all of the existing IT policy and procedure documentation. Syrinx Technologies will then make recommendations as needed to add material to the existing documents or to suggest new policy documents. Phase 2 of the audit consists of taking a sampling of the policy and procedure documents and verifying that they are actually followed by sitting down with employees and watching them perform common tasks. This ensures that everyday practice is in compliance with written procedures.

Virtualization
Q: What are some advantages of virtualization?
A:
- Cost savings through server consolidation.
- Enhanced availability of network services.
- Faster provisioning of new services.
- Increased utilization.
- Leverage the security of virtual networks.

Q: What are some disadvantages of virtualization?
A:
- Creates new costs.
- Magnifies the impact of hardware failures.
- Server sprawl.
- Software pricing/licensing issues.
- Possible performance issues due to hardware bottlenecks.

Q: What are some best practices?
A:
- Use virtual savings to fund security gaps in the physical world.
- Use the same tools and procedures to manage the virtual world as you do in the physical world.
- Don't allow less security in the virtual world than you have in the physical world.
- Carefully consider configuration management of the virtual machines.

Q: Are there any additional considerations?
A:
- Hypervisor security configuration.
- Virtual network security.
- Security of server images.
- Denial of Service (DoS) attacks on underlying hardware.
- Loss of separation of duties among server administrators.
- Disaster recovery scenarios.
- Access control to host & guest servers.
- Building configuration, security and corporate standards into common virtual server images.
- Remote access/configuration issues on headless servers.

Q: What are the implications to PCI?
A: The PCI DSS released a document in June of 2011 addressing virtualization. You can download this document by clicking here.

Q: Where can I go for more information?
A:
