KRITIS penetration test: requirements of the german BSI law

Leave a Comment

Penetration tests are mandatory for operators of critical infrastructures. In the BSI law under paragraph “8a Security in the information technology of critical infrastructures”, companies are obliged to take appropriate organizational and technical measures to protect their critical infrastructure.

The actual law is typically general and abstract. The wording itself does not require penetration tests for KRITIS companies to be conducted. But in the BSI publication of the controls to be carried out in order to adhere to the german law, penetrationtests are required.

Penetration testing: The company binsec GmbH is your service provider for pentests from Frankfurt am Main

Leave a Comment

binsec GmbH is a consulting company for information security from Frankfurt am Main that I co-founded in 2013. I have been the managing director of binsec GmbH since it was founded. As a service provider, we carry out penetration tests and also advise our customers in the areas of security management and IT security.

binsec GmbH is completely in the hands of the three shareholders via the binsec group GmbH: Patrick Sauer, Florian Zavatzki and Dominik Sauer. We are interested in the long-term satisfaction of our customers and employees: Short-term sales and profit maximization is not our goal.

My team consists of experienced, certified specialists. Our focus is always the security of business-critical IT systems and information. Even when we conduct penetration tests, we keep the business aspects in mind.

As a provider of penetration tests and security consulting, we have become the top address as a pentest service provider in the Frankfurt am Main area in recent years.

More information about our company and services is available at https://www.binsec.com.

MPA Content Security Program Requirements for Penetration Testing

Leave a Comment

The Content Security Program of the Motion Picture Association (MPA) specifies security requirements in three areas in its Content Security Best Practices Common Guidelines (Version 4.10 of February 8, 2022):

  • Management System
  • Physical Security
  • Digital Security

In the requirements for the management system, vulnerability scans and external penetration tests are to be carried out in number MS-2.1 in the risk management category. There a reference is made to the requirements DS-1.8 and DS-1.9.

The requirement DS-1.9 (Firewall / WAN / Perimeter Security) requires the implementation of annual penetration tests of all external IP addresses and systems. DS-1.8 also requires monthly vulnerability scans.

Furthermore, one also finds the requirement to carry out web application penetration tests (DS-15.9, Client Portal). Here are some more detailed requirements:

  • The pentest should also include any APIs.
  • The test should be carried out both with and without valid access data.
  • The typical guidelines such as the OWASP publications should be adhered to so that XSS, SQL injections, and CSRF can also be found.

It is generally recommended that penetration testing is performed by an independent third party.

i-Kfz: Requirements for penetration tests from the german Federal Motor Transport Authority (KBA)

Leave a Comment

The “minimum security requirements for decentralized portals and registration authorities” for “internet-based vehicle registration (i-Kfz)” from the german Federal Motor Transport Authority (KBA) are extremely extensive. In addition to the architecture of the i-Kfz system, its interfaces and the security requirements derived from them, they also include requirements for conducting a penetration test.

To check the effectiveness of the implemented security controls, the KBA requires the implementation of the following as a penetration test:

  • IS short revision (if no ISO 27001/IT basic protection certification available)
  • IS web check
  • IS penetration test

All of the above tests are to be carried out as white box tests and the personal conducting the tests need to be qualified and independent.

A non-invasive vulnerability scan (defined test depth) with manual validation of the vulnerabilities is defined as an IS web check. The OWASP Top 10 should be checked and the corresponding modules of the IS web check should be carried out: “Module 1 – Vulnerability search”, “Module 2 – Vulnerability test”, “Module 3 – Logical errors/configuration errors” and “Module 4 – Exploits (optional) “. The test is to be carried out via the Internet and the filtering of security gateways is to be deactivated.

In the IS penetration test, the technical attack surface of an institution is examined from the outside. A technical security audit in combination with a non-invasive vulnerability scan is defined as test depth. In the scope, at least all network elements, security gateways, servers, web applications, relevant clients and infrastructure facilities must be checked, if technically possible and reasonable. The following modules are to be carried out: “Module 1 – conceptual weaknesses”, “Module 2 – implementation of hardening measures”, “Module 3 – known vulnerabilities” and “Module 4 – exploits (optional)”.

It should be mentioned here that experience has shown that the required depth of testing should be designed more as a non-invasive penetration test. The use of a typical automated vulnerability scanner is not technically sufficient to fullfill the requirements.

Comparison of PCI DSS 3.2.1 and 4.0 penetration testing requirements

Leave a Comment

The current version 3.2.1 and the newer version 4.0 of the security standard PCI DSS require penetration tests to be performed. The PCI standard establishes detailed requirements a penetration test needs to comply with. In PCI DSS 3.2.1, the requirement is regulated in Requirement 11.3 and in PCI DSS 4.0 in Requirement 11.4.

These requirements are basically identical in both versions 3.2.1 and 4.0:

  • based on industry-accepted penetration testing approaches
  • coverage of entire CDE perimeter and critical systems
  • testing from both inside and outside the network
  • validation of any segmentation and scope-reducting controls
  • testing network-layer and application-layer
  • including review and consideration of threats and vulnerabilities experienced last 12 month
  • perform external, internal and segmentation testing every 12 month and after any significant change
  • service provider only needs to perform segmenation testing every 6 month

There are two topics where both standards diverge, while PCI 4.0 has the more mature version. So PCI 4.0 has a slightly different approach for its requirements on the application layer penetration test:

  • PCI v3.2.1 includes requirement 6.5 for application layer testing to check for:
    • injection flaws (e.g. SQL, LDAP, OS Commant, XPath)
    • buffer overflows
    • insecure crypto storage, insecure communications
    • improper error handling
    • XSS
    • improper access controls
    • CSRF
    • broken authentication and session management
    • also include the current best practices (e.g. OWASP Top 10)
  • PCI v4.0: including requirement 6.2.4 for application layer testing to perform at least:
    • injection attacks (including SQL, LDAP, XPath, command parameters, object fault or injectiontype flaws)
    • attacks on data and data structures (for example manipulating buffers, input data)
    • attacks on cryptography usage
    • attacks on business logic including XSS and CSRF
    • attacks on access control mechanisms

In PCI 4.0 the segmentation test also needs to include confirming the effectiveness of any use of isolation techniques for different security levels (see requirement 2.2.3).

Of course, the applied penetration testing approach needs to include fixing and re-testing any relevant vulnerabilities previously identified independently of the PCI standard’s version.

Why penetration tests at ISO27001 audits?

Leave a Comment

As part of the ISO 27001 certification process, auditors are increasingly asking to see a penetration test report. But where does this requirement come from if the word pentest or penetration test does not exist in the text of ISO 27001?

ISO 27001 is the international standard for setting up and operating an ISMS (Information Security Management System). Appendix A of this standard contains control objectives for implementation. A more specific explanation of the individual controls can be found in the ISO 27002 standard, which corresponds in its document structure to the control objectives of Appendix A of ISO 27001.

In Appendix A of ISO 27001, section A.18.2 now contains the requirement to carry out “information security reviews”. The ISO27002 implementation guideline for this control includes performing vulnerability scans and/or penetration testing as a solution to fullfill this requirement.

Requirements for penetration tests of DiGa APPS – Penetration test for digital health applications in the german fast-track procedure

Leave a Comment

In order to be included in the register of reimbursable digital health applications (DiGa), the fast-track procedure at the BfArM must be completed. With the Digital Supply and Care Modernization Act (DVPMG), the corresponding guideline included the requirement that company applicants must have a penetration test carried out for their DiGa application.

Penetration tests: With the DVPMG, this requirement was included in the DiGAV for all DiGA. Ensuring the security of the data throughout the entire application process and all conceivable usage scenarios is an essential requirement for DiGA.
Penetration tests enable the simulation of possible attack patterns and can thus help to uncover security gaps. For the product version for which inclusion in the DiGA directory is requested, a penetration test must have been carried out for all components. These tests are to be repeated as required, e.g. B. when new interfaces are added. The implementation concept for penetration tests of the BSI and the current OWASP top 10 security risks are to be used as the basis for the pentest design. Upon request, the BfArM must be provided with proof of the execution of the corresponding tests.

Inofficial translation of:
https://www.bfarm.de/SharedDocs/Downloads/DE/Medizinprodukte/diga_leitfaden.pdf
(document status as of 18 March 2022)

In principle, the requirements for a DiGa pentest can be summarized as follows:

  • Implementation concept for penetration tests of the BSI
  • OWASP Top 10
  • for all components
  • to be repeated as required (e.g. new interfaces)

I have already had several discussions with manufacturers of DiGA apps that they only want to have the actual mobile app (i.e. usually the iOS and Android versions) checked. However, the scope should not include an underlying API, which is used to implement some business functionality, which handles user authentication and is intended to serve as a central storage location for health data.

Of course, a “Mobile App” and an “API” are two different things and the regulation speaks of digital health applications (so Mobile Apps). However, this interpretation of the regulation does not achieve the goal and is simply wrong. The penetration test is intended to ensure “the security of the data throughout the application process” and the penetration test must be carried out for “all components”. Of course, this means that backend systems and APIs in the background are also included in the scope of the penetration test and not just the actual mobile app from the Android or Apple store.

DDoS Ransom E-Mail: black shadow group

Leave a Comment

A blackmail e-mail from the black shadow group has just arrived at a customer:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are the BLACK SHADOW hacker group.
Your network will be DDoS-ed starting 12:00 UTC+1 on 08 May 2021 if you don’t pay protection fee – 10 Bitcoins @ 1FfmbHfnpbZjKFvyi1okTjJJusN455paPH
If you don’t pay by 12:00 UTC on 08 May 2021, attack will start, your service will go down permanently. Price to stop will increase up 5 BTC for every day of attack.
This is not a joke. We are the BLACK SHADOW liberty hackers.
Our attacks are extremely powerful – sometimes over 1,3 Tbps per second. And we pass CloudFlare, Link11 and others DDoS protections! So, neither cheap or expensive protection will help.
Try to reply, we will not read. Pay and we will know its you.

Mail black-shadow@protonmail.com

In fact, about 200GBits ingoing traffic on the uplink. Mainly UDP traffic. We had to blackhole the attacked IP addresses from the network and put new IPs on the services. Everything was back online in an hour when the traffic in DeCIX was thrown away by their routers due to the null route. Fortunately, the attacker did not react to our evasion technique.

“Digital Forensics” lecture in study course of Business Information Technology

Leave a Comment

The recent hacker attack on the University of Gießen has made many people aware that the threat posed by attackers from the Internet is continuously growing. In order to to learn from such security incidents, IT forensic scientists are required to investigate the 7 W questions of criminalistics: Who (perpetrator), What (crime), When (time of crime), Where (crime scene), how (sequence of events) and Which (Tools) and Why (motive). They use the digital traces left by the attacker to reconstruct the security incident and – ideally – to convict the perpetrator.

Through university contacts in the winter semester 19/20, I had the opportunity to offer the module “Digital Forensics” in the master’s program Business Information Technology at the Technical University of Middle Hesse (THM). As a pentester from the attacker’s perspective, I am already avoiding traces left behind during an attack and how they can be concealed. So the following topics were on the agenda for me:

  1. Hacking
  2. Anti forensics
  3. Reports
  4. Live forensics
  5. Disk analysis
  6. Application forensics
  7. Creation of malware
  8. Malware analysis
  9. Reverse Engineering

Following Sunzi’s quote – “You have to know your enemy to be able to defeat him” – I changed the perspective between the two opponents depending on the lecture unit and had the content discussed in the following scenario applied by the students:

Dubius Payment Ltd. is a recently established payment service provider that stores, processes and forwards credit card information. Since November 14, 2019 at 4:45 p.m. (Thursday), the production system has been experiencing breakdowns and its intrusion detection system has regularly reported unusually high network traffic by its payment gateway. Fearing a hacker attack, they asked the students as IT forensic experts to analyze the case.

In their practical work, collecting and analyzing digital traces on the live system, students found that an employee of the company tapped credit card data from the database at regular intervals. Just as like in reality, the students had to verify this conclusion and answer the question of whether the user had been the victim of a hacker attack himself or was actually responsible for the theft of the data via a subsequent data medium analysis of the suspect’s work computer. They compiled their results in the form of an expert report.

Of course, not everything went smoothly at the beginning. For example, I had to struggle with the construction of my planned laboratory: My goal was that the students would learn to use their own toolkit on a compromised system. So I replaced the Linux program “/usr/bin/ls” with the following “malicious code” on the live system:

#include <iostream>

#include <cstdlib>

using namespace std;

int main() {

cout << "I've got ya! ;)" << endl;

system("sleep 1");

system("sudo reboot");

return 0;

}

However, since “ls” is also used by init scripts, the malware led to an endless loop in the event of a restart. The use of an alias in Linux provided a better solution here. The students response to the course was great:

“It is the most exciting module in the entire master course. It is captivating and lots of fun”

Student

The previous comment contributed to my goal designing for a new online course for the binsec academy: The “Digital Forensics Training”, in which participants will certify as Binsec Academy Certified Digital Forensic Professional (BACDFP) in the future.