Requirements for penetration tests according to ISO IEC 81001-5-1

IEC 81001-5-1 defines life-cycle requirements for the development and maintenance of healthcare applications and of information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device; it is primarily divided into the following requirement categories.

  • Quality management
  • Software Development Process
  • Software Maintenance Process
  • Security Risk Management Process
  • Software Configuration Management Process
  • Software problem resolution Process

Within the software development process there is a requirement for software system testing, which is divided into security requirement testing, threat mitigation testing, vulnerability testing and penetration testing.

The manufacturer must commission a penetration test to identify security vulnerabilities in the software (health application or medical device). IEC 81001-5-1 requires that penetration testing attempts to compromise confidentiality, integrity and availability. This may involve bypassing several lines of defense in the design by using tools and, in particular, manual skills of the penetration tester.

The standard also emphasizes that penetration testers must be independent of the development department. Since very few medical device manufacturers have their own penetration testing department, a company specializing in this usually has to be commissioned.

Penetration Test according to MDR (Medical Device Regulation)

In Annex I, for “devices that incorporate electronic programmable systems and software that are devices in themselves”, the MDR requires under point 17.2 verification and validation that the product or software was developed according to the state of the art – from the perspective of IT security:

For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 5 April 2017

In the Medical Device Coordination Group document “MDCG 2019-16 Guidance on Cybersecurity for medical devices”, penetration testing now appears explicitly as a concretisation of the verification and validation requirement quoted above:

MDR Annex I Section 17.2 and IVDR Annex I Section 16.2 require for devices that incorporate software or for software that are devices in themselves, that the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of the development life cycle, risk management, including information security, verification and validation. The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be done by using tools for secure code analysis and tools that scan for open source code and libraries used in the product, to identify components with known issues.

Medical Device Coordination Group Document, MDCG 2019-16

Penetration Test Requirements of Microsoft 365 App Compliance Program

Participating in the Microsoft 365 Certification App Compliance Program for Microsoft Teams applications, SharePoint apps/add-ins, Office add-ins and web apps requires performing a penetration test. In the Initial Document Submission a company needs to submit supporting documentation and evidence. Among other items, a penetration testing report completed within the last 12 months is required. This report must cover the pentest of the live environment that supports the deployment of the app along with any additional environment that supports the operation of the app. If segmentation controls are in place, these must also be validated.

The pentest requirements by Microsoft are:

  • Application and infrastructure pentesting must take place every 12 months.
  • These tests are conducted by a reputable independent company.
  • Remediation of identified critical and high-risk vulnerabilities must be completed within one month after the pentest report.
  • The full external attack surface (IP addresses, URLs, API endpoints, etc.) must be included within the scope of penetration testing and must be documented within the penetration testing report.
  • Web application penetration testing must include all typical vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE.
  • Retesting of identified vulnerabilities by the penetration testing company is not required; remediation and self-review are sufficient. However, adequate evidence to demonstrate sufficient remediation must be provided during the assessment. Retesting of identified vulnerabilities is nevertheless best practice in information security.
  • Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria:
    • Unsupported operating system
    • Default, enumerable, or guessable administrative accounts.
    • SQL injection risks
    • XSS
    • Directory traversal (file path) vulnerabilities.
    • Typical HTTP vulnerabilities, e.g. header response splitting, request smuggling and desync attacks
    • Source code disclosure (including LFI)
    • Any critical or high score as defined by the CVSS patch management guidelines.
    • Any significant technical vulnerability which can be readily exploited to compromise a large amount of EUII or OUI

Better Pentesting – No Bullshit

Actually, it should have been called BETTER PENTESTING – NO BULLSHIT, considering the advertising and sales promises of many pentesting providers. Somewhat less brutal, it became BETTER PENTESTING – NO NONSENSE as the new advertising slogan for pentesting by binsec GmbH.

Where does all the bullshit – sorry, nonsense – of many other pentesting service providers come from? Here is a little Best of Nonsense:
  • Advertisement: “We find all vulnerabilities!”
  • Statement: “We perform penetration tests with Nessus.”
  • A pentest is sold, and as a report the customer receives an Excel file with about 10 lines of content.
  • “Certifications of our pentesters: CISSP, CEH…”
  • You don’t have staff for it, but you put the service “Penetration Testing” on the website. Typical of an IT system house or data privacy company.
  • Penetration testing depth: vulnerability scan
  • One does not rank highly in Google, so one buys pentest backlinks at zdnet (~1.000€) or has “Pentest Frankfurt” advertised as a service in forums.
  • Companies buy Google Ads for the keyword “blackhole pentest”.
  • The days are simply sold twice or three times over. In this way, employees can also achieve 250% target fulfillment for their own bonus.

Enterprise Security Magazine Europe: binsec recognized as one of the top Cyber Security Solution Providers

Today I received a very nice mail from Gloria with Enterprise Security Magazine Europe, telling me that binsec is recognized as one of the top Cyber Security Solution Providers.

Hi Patrick,

I am Gloria Lam with Enterprise Security Magazine Europe.

I am excited to inform you that our magazine’s evaluation panel has shortlisted binsec to feature as one of the ‘Top 10 Cyber Security Solution Providers in Europe 2022’ in our upcoming 2nd annual edition of ‘Cyber Security 2022’.

We want to feature binsec and bring out your specialization with a client-centric profile. binsec’s recognition feature published in this edition will depict your organization as a leader in the Cyber Security space and thus generate potential prospects while helping you convert existing prospects to clients. Our team has received positive feedback from our clients that the recognition profile has helped them convert their prospects to clients, and I’m sure you will see similar results.

At 3,000 Euros, you will receive a full-page exclusive interview-based profile. We will feature an HTML page of the profile on our website with a backlink to your website. Most importantly, you will acquire unlimited print and digital rights for the recognition profile, Logo, and Certificate of Honor. Upon your confirmation, we will schedule a telephonic interview with binsec’s CEO/Senior Management for us to move ahead.

Concerning the magazine, Enterprise Security Magazine Europe is a print and digital magazine with over 99,900 qualified subscribers across Europe. It provides a comprehensive platform for senior-level industry experts and decision-makers to share their insights following a unique learn-from-peers approach. This special edition will reach out to C-level decision-makers such as CISOs, Directors of Cyber Security, and Heads of Audit for Information security and privacy, to name a few, who are our subscriber base.

Patrick, we have worked with Industry leaders such as Ramy Houssaini (Chief Cyber & Technology Risk Officer & Group Privacy Officer at BNP Paribas); Steve Williamson (Audit Account Director, Information Security, and Data Privacy at GSK); Cedric Gourio (Group Chief Security Officer at Worldline), to name a few. Similarly, this year, we will have articles from such specialists. It will be an excellent platform for binsec to be highlighted along with them.

E-mail from Gloria with Enterprise Security Magazine Europe, 19th of October 2022

Great, just 3,000 Euros for being listed and getting a backlink. Isn’t that a good offer?

Are VPN services worth it – useful or a rip off?

VPN service providers advertise with the promise of making Internet browsing more secure and protecting the user’s privacy. They also claim to make it possible to use streaming services from other countries. But that’s not enough: they are even supposed to save you money when shopping online. Impressive. But is it true – are VPNs worth it? I was asked to be an expert on this for a program on public television, but unfortunately had to cancel. Nevertheless, I would like to explain my view on the advertising promises of VPN providers like NordVPN, ExpressVPN, ProtonVPN etc. Are VPN services worth it – are they useful or a rip-off?

Basics of IP addresses and VPN

There’s no getting around two basic IT topics. What is an IP address, and what is a VPN anyway? In very simplified terms, an IP address in our example identifies an Internet access point. In my case, for example, this is currently 91.63.111.254 from the German Telekom. Due to the technical functionality behind it, we automatically send this IP to everyone, including Netflix, Amazon, booking.com, Google and all other providers, as soon as we use their services on the Internet or open a website. This is not something the advertising industry or the government came up with for surveillance; it has simply been technical reality for several decades and will not change. It is similar to the sender address on a letter. Without it, a reply cannot be delivered.

A VPN is a virtual private network – private in the sense of non-public, not in the sense of privacy – and is used to connect private networks with each other or to provide access to a private network. The data traffic transmitted within it can be encrypted. Companies use VPN solutions, for example, to enable employees to access the company network from home via the Internet. A VPN is also often used to connect several company networks. The use of modern encryption techniques within the VPN also ensures the confidentiality and integrity of the transmitted data. Companies use solutions from hardware manufacturers such as Cisco and Juniper for this purpose – or use free open source software such as OpenVPN. The VPN providers mentioned at the beginning are not missing from this listing by mistake.

From a technical point of view, the use of a VPN provider can ensure that the website opened or the streaming service used no longer “sees” the actual IP address of your own Internet connection. Instead, it only sees an IP address of the VPN provider as the peer. Without evaluating this as an advantage or disadvantage, the use of such a VPN brings the following technical features with it:

  • the transmitted data is encrypted, at least from your own computer to the VPN provider
  • your own IP address is not communicated to the service or provider (google, netflix, ..) you are using

From these two features, VPN providers now derive the following marketing promises.

Marketing Promise #1: Secure Internet

As described before, a VPN encrypts data – from the end device used to the end point of the VPN provider. After that, the data continues to be transmitted to the actual service used, as it would have been without a VPN.

If you use your online banking, Google, shop at Amazon, surf the daily news or read along here on the blog, the data is already encrypted – and thus secure – when it is transmitted over the Internet. The entire transmission path from the browser to the servers used to provide the service is already encrypted. While the use of SSL/TLS (https:// at the top of the browser bar) for encryption was rare in the past, it is now standard. Even if there are exceptions, a VPN provider also does not encrypt the entire data traffic, but only up to its endpoint. If the endpoint is in Russia and the destination in the USA, the data traffic is still transmitted across the globe without the VPN’s encryption.

The only advantage comes into play when the end device is being used in a public and insecure WiFi/WLAN. If you surf in a public Internet cafe on an unimportant, insecure, unencrypted website, then others can possibly intercept the data traffic. But you could also use the free Tor browser instead of paying for a VPN service. That solves the problem – if it really is a “problem” in the situation – and costs no money.

Marketing Promise #2: Privacy against user tracking

Advertisers use tracking via cookies, browser information, etc. to deliver personalized ads. The IP address of the Internet connection in use is one of these signals, but only one. Usually the IP in use changes regularly even on one’s own connection, or one goes from home WiFi with a cell phone (IP from home) to the train using mobile data (IP from the mobile provider), then to the company’s WiFi (IP from the company), etc.

Using the IP to track a user is… a bad technical idea. There are exceptional cases where it may matter. Let’s say one has a fiber line at home with a static IP (and pays 400€ a month, e.g. at Colt) and then wants to use video portals to view sexual acts. Yes, maybe I would use a VPN provider there as well. There is the question of how far it is relevant that a Cypriot company for adult online entertainment knows your own sexual wishes, but that would also bother me. Unfortunately, the VPN providers do not advertise this at all: Privacy at xHamster – keep secret that you like to lick dirty feet. Tell it only to us!

Marketing Promise #3: Remove Geo Fencing

There is a limited pool of IP addresses and they are assigned to companies or organizations. Companies have a location and thus sit in a country. Sometimes the IP addresses used can be attributed not only to the country, but also to a rough location – sometimes rather inaccurately. Currently my IP address is assigned to the city of Munich, which is about 400km away from me. But the identification of the country works quite reliably. Germany, that is correct.

So Netflix, for example, can make sure that German customers can’t watch US movies on the American Netflix. This IP restriction can now be circumvented with a VPN provider; in the past you may have used free proxies on the web for this. You simply select an endpoint of the VPN which is located in America, for example. Netflix now thinks that you are an American customer. If you can now specify an American credit card, residence, etc., then this will work. Or you get stolen Netflix access data from America on the darknet and use a VPN provider that is located somewhere in the world where American 3-letter agencies have no access to it. That’s not a call for it! But it is a use case. It’s just that no VPN provider advertises it here either: Use your stolen US Netflix credentials with DubiusVPN – 100% FBI protection!

Marketing promise #4: cheaper shopping

Other countries, other prices. Flights and hotels, for example, can cost less when marketed in Greece than in Germany. That’s not a rip-off at all; it’s a realistic pricing model that also depends on the costs in the respective country and the tax rates and laws there.

So far, so good. If you want to book a vacation in Spain via a booking portal in Greece while sitting in Germany, a different price will be displayed there than in Germany – if only because of the tax rates. A VPN can make sure that you can pretend to be a Greek user and book. Possibly one again has the problem of stating a local residence and having a local means of payment. If one is successful, however, one has then also concluded the legal transaction in Greece and not in Germany. As soon as something goes wrong, it gets complicated. Nothing ever goes wrong on vacation: flights are never cancelled. Hotel ratings are never fake.

For normal online shopping within a country, it doesn’t matter anyway. You can’t show potential customers from Kronberg am Taunus a higher price than customers from Frankfurt an der Oder. That is not technically possible; GeoIP is too imprecise for that. What is technically possible, however, is to show customers with an iPhone a higher price than customers with a Google smartphone. No VPN provider would be able to help here.

Marketing Promise #5: Protection from DNS Leaks

Okay, I’ll let the VPN providers win this one: anyone who sits in an Internet cafe (insecure WiFi) and calls up the website of his bank, even encrypted, has already leaked something beforehand. At the moment the address is entered in the browser, the browser asks in the background via the DNS protocol which IP address the servers of the bank’s website have. After that, all communication is secure and encrypted… but the fact that you wanted to know which IP addresses your bank’s servers use for online banking is visible to everyone on that network. At least to anyone with enough technical know-how who is interested in it. If that bothers you, you could use a VPN provider – or just do online banking at home or from your workplace.
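To make that leak concrete, here is an added example (not from the original post and not binsec’s code) that builds the DNS query a stub resolver would send for a constructed bank hostname and then reads the hostname straight back out of the raw packet bytes, the way anyone sharing the cafe network can, without any key. The hostname `online.example-bank.test` is invented for the demonstration.

```python
import struct

# Constructed sample hostname; stands in for "the website of your bank" from the text.
BANK_HOST = "online.example-bank.test"


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A-record query (RFC 1035 wire format, plain UDP/TCP).

    This is what a stub resolver sends before the browser opens any TLS
    connection: a 12-byte header followed by the question section.
    """
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw          # length-prefixed, plain ASCII
    qname += b"\x00"                              # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def observed_hostname(packet: bytes) -> str:
    """Recover the QNAME from raw query bytes.

    No secret is needed: the name travels as length-prefixed ASCII labels, so
    anyone who can see the packet (shared Wi-Fi, the cafe's router, the
    resolver operator) learns which site is about to be contacted.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def names_seen_on_the_wire(packets):
    """Summarise a list of captured query packets the way a passive observer would."""
    return [observed_hostname(p) for p in packets]


if __name__ == "__main__":
    query = build_dns_query(BANK_HOST)
    print("query bytes:", query.hex())
    print("visible to everyone on the network:", observed_hostname(query))
```

Routing the same query through the VPN tunnel, or a resolver reached over an encrypted transport, is what keeps these bytes from being readable on the cafe network.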

Conclusion

I would not call the service of VPN providers a rip-off, but I find their marketing and advertising promises misleading. Their own presentations of the advantages of VPN services in terms of security and privacy are not really wrong, but in context they often bring no further real benefit.

For most normal users, VPN services are unnecessary and so neither useful nor worth it. Those who really want or even need privacy should look at the Tor browser.

Those who use VPN services primarily to prepare or perform illegal actions (watching stolen Netflix accounts, script kiddie hacking) should not rely on the pseudo-anonymity of VPN services. There are more reliable ways of hiding oneself for this, which I can’t go into in more depth here publicly. But the evil hacker (if he is good) does not use VPN services, and the ethical hacker (in the sense of penetration testing) does not need them.

Penetration tests in and from Frankfurt am Main: binsec GmbH as a German security service provider and pentest firm from Germany

German penetration test company from Frankfurt am Main: binsec GmbH has its headquarters in Frankfurt am Main in the middle of Germany. Founded in 2013 by the IT security department of a financial service provider, binsec GmbH is now fully owned by the company’s management and offers penetration tests (pentests) in and from Frankfurt (Germany).

While many penetration testing providers in Germany advertise penetration testing as a service in Frankfurt am Main, or even rent a mailbox in Frankfurt claiming to sit there, binsec GmbH has had its headquarters in the German financial metropolis since it was founded.

  • Pentest Mobile Banking App (Android and iOS)
  • Pentest Payment API (e.g. REST)
  • Pentest Online Banking
  • Pentest Securities Account (Depot) Banking Portal
  • Credit Card (CC) Payment Gateway Penetration Test
  • PCI DSS Compliance Penetration Testing
  • PCI DSS Compliance Segmentation Test (Scope Segmentation Test)

How to learn Kali Linux?

I read this a lot on the Internet: I’m familiarizing myself with Kali Linux! I want to learn Kali Linux! I’ve already installed Kali – now what? But what is Kali Linux anyway? How do you learn Kali Linux? And does it really deserve to be so much in the spotlight?

What is Kali Linux?

Kali Linux is a free Linux distribution. It describes itself as an operating system aimed at various information security tasks – such as performing penetration tests, security research, computer forensics and reverse engineering.

What is Kali Linux based on?

Kali Linux is first of all just a Linux distribution based on Debian GNU/Linux, like Ubuntu Linux for example. Debian itself is a free open source operating system: Debian GNU/Linux is based on the basic system tools of the GNU project and the Linux kernel. It has existed since 1993 and is appreciated by many Linux users as a very stable and free server operating system, but is also used as a desktop operating system. It has an exceptionally mature system for software package management, and is the mother – or father – of many other Linux distributions, including Kali Linux. Kali Linux uses Debian Testing as its base. There is Debian stable – the stable and well-tested branch of Debian, which is provided with security updates for a few years, but not with new functionality. Kali is based on Debian Testing in order to get new versions of software packages on a regular basis. The publisher Offensive Security uses the large database of software packages from Debian Testing and complements it with other – free, open source – tools for hacking or penetration testing. In principle, Kali Linux is just another Linux distribution based on Debian Testing with a few changes and additions.

How popular is Kali Linux?

Kali Linux is very popular, especially among hacking beginners. Primarily because it has the reputation of being “the hacker Linux distribution” and is positioned accordingly in Offensive Security’s marketing. But most importantly, you don’t have to download and install various hacking tools from different sources; you can directly try and experiment with the pre-installed hacking tools. That is the advantage of Kali Linux!

Is Kali Linux used in professional penetration testing?

Kali Linux is used less in professional penetration testing. On the one hand, you usually don’t need all the installed tools; on the other hand, you need a stable Linux distribution for penetration testing that is not based on Debian Testing. There are penetration testers who have to use Windows as their operating system due to internal company requirements – my personal condolences at this point – and then use Kali Linux as a virtual machine. This can make sense in that setup, but I prefer to use Debian stable as the operating system for penetration testing.

Now how do I learn Kali Linux?

Actually, the question of how to learn Kali Linux is already the wrong question. Nevertheless, it is asked over and over again and haunts various forums: I want to learn Kali Linux! If you just want to try out some hacking tools (locally, on your own private network), you can simply install Kali Linux as a VM and experiment with the installed tools. But you won’t get beyond the level of experimenting. If you really want to engage with a Linux distribution and hacking tools, you should rather install Debian stable – or another reasonable distribution for daily use. Hacking is learned by being curious and gaining experience, not by doing anything illegal or simply not getting caught. Penetration testing is learned by building a sufficient background in IT and hacking, and then learning structured procedures for penetration testing. Kali Linux is learned by downloading it, starting it as a VM, looking at the tools installed, and then realizing that it is simply a Linux distribution with tools pre-installed. Just a Debian Linux distribution with a cool reputation as the Linux distribution used by real hackers.