Whenever we discuss something in a particular situation we use special keywords to describe facts concisely. IT Security is not free from these buzzwords at all. A few of the most important ones are discussed in this article.
Attack Surface
The attack surface of a piece of software is the sum of all the different attack vectors through which an unauthorized user (the “attacker”) can attempt to enter the platform or extract data from it.
The smaller the attack surface, the harder it is for an attacker to find and exploit vulnerabilities in the software. Therefore, the attack surface should be kept as small as possible.
Blue Team
A Blue Team is the internal IT security team of a company. These security teams defend the company against both malicious attackers and Red Teams.
Their task is to protect and secure the IT infrastructure.
Brute force attack
The purpose of a brute force attack is to gain access to a password protected area.
If the credentials cannot be obtained by other means (e.g. social engineering), the only thing that remains is brute force. With a brute force attack, the credentials to a system are guessed. This is done either manually by an attacker or by special tools.
By using these tools, different character combinations can be tested very quickly. For short passwords, this leads to the password being cracked quite fast. However, with longer passwords, the computing time increases rapidly. By using larger servers, which have been specially developed for this purpose, even longer passwords can be cracked.
An interesting article on how fast such a dedicated password cracker is can be found here.
Buffer Overflow
In a buffer overflow attack, vulnerabilities in the implementation of a program are exploited. If a program does not verify whether the transferred data fits into the designated area (“buffer”), an overflow occurs if the data volume is too large. This can overwrite memory areas that are normally reserved for the execution logic of the program.
Cross Site Scripting (XSS)
Cross-site scripting uses vulnerabilities in the web application to gain access to sensitive user data.
CVE – Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures is a standard for better identification of security vulnerabilities in the IT area through naming conventions. By assigning CVE IDs, public vulnerabilities can be uniquely identified.
More information about the CVE can be found directly on the CVE homepage.
CWE – Common Weakness Enumeration
The Common Weakness Enumeration is aimed at developers and security researchers. It is used for standardization of software vulnerabilities.
The CWE list standardizes the description of vulnerabilities. It also serves as a measuring stick for software security tools.
Further information about the CWE can be found on the CWE homepage.
Exploit
In order to exploit a discovered security vulnerability, a special program is developed. These exploits give the attacker access to the program’s computer system or files without needing permission.
Those who now ask themselves what hats have to do with IT security are in exactly the right place.
Do you know the expression “wear a hat”? That’s what our hats are all about. Generally speaking, we differentiate between three groups of hackers on the basis of the legality of their work:
White Hats use their knowledge and skills in accordance with legal requirements. These are, for example, security researchers who search for and uncover security gaps in order to make systems safer. Others provide companies with their skills as professional pentesters.
Black Hats are what the media commonly call “hackers”: hackers who use their knowledge for criminal activities, be it the mere destruction or crippling of an IT infrastructure or the theft of data, such as credit card or user data.
Mixing black and white results in grey. In this case, a grey hat. Grey hats are difficult to describe: they don’t use their abilities directly for willful destruction, but they don’t always act according to legal regulations.
Internet of Things (IoT)
The Internet of Things (IoT) refers to the connection of all kinds of devices to the Internet. The increasing networking of all areas of life changes our daily work.
The ever-increasing availability of all kinds of devices online, see Smart Homes or Smart Cars, also harbours all kinds of dangers. The problems that could arise with the connection were revealed by a security researcher in 2015 with the Opel OnStar-Hack, in which a car could be unlocked and started by mobile phone.
IT Security
The interpretation of what exactly falls under IT security varies according to language and author. We understand IT security as the protection against dangers and threats and the minimization of risks of an IT system. This includes all types of IT systems, be it a large corporate network, a smart home or a user’s mobile device.
According to Claudia Eckert, “IT security[…] has the task of protecting companies and their values (know-how, customer data, personal data) and to prevent economic damage that may result from violations of confidentiality, manipulation or disruptions of the availability of the company’s services.” (Eckert 2014, 1)
OWASP
The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving software security. For this purpose, OWASP provides its own wiki on the topic of software security at https://www.owasp.org.
OWASP publishes an annual top 10 of the largest vulnerabilities for web applications. These can be found in the OWASP Top 10 Project.
Pen Testing or Penetration Testing
A penetration test simulates the attack behaviour on an IT infrastructure in order to detect weak points and estimate possible damage. There are two approaches:
A Black Box Penetration Test simulates the attack behavior of an external attacker who has little or no knowledge of the infrastructure. Most of his knowledge is based on publicly available data.
In contrast to the Black Box test, the second approach simulates the attack behavior of an internal attacker, who has detailed information about the target, its infrastructure and internal processes.
You can find more information about the procedure of a penetration test on our Pentesting page.
Pivoting
Pivoting is a process of penetration testing in which an already compromised machine is used to penetrate further into the network, either to bypass firewall configurations or to access machines and networks that are not accessible from outside.
Privilege Escalation
If an attacker gains access to a computer system through an exploit, this often does not happen with administrative privileges because many programs are started with limited user rights. In order to gain access to the entire system, however, vulnerabilities are sought through which the authorizations can be changed.
The term is composed of the English words for user rights (“privilege”) and escalation.
Red Team
Red Teams are external security experts hired to test the security and effectiveness of a company’s security measures. This simulates an attack on the IT infrastructure as realistically as possible.
A Red Team always works hand in hand with the Blue Team of the company to identify weak points in the system in a targeted and effective way. Good and open communication between the two teams should be the basis of their work.
Differences between Red Teams and Pentests
A Red Team acts out the emergency case of an attack against a company’s infrastructure. This is necessary to put the effectiveness of the Blue Team through its paces.
During a penetration test, the system is checked for weak points. Supported by the Blue Team, we clarify exactly what can and should be checked. During the tests, no explicit reaction of the Blue Team is necessary.
Social Engineering
The greatest weakness in IT security is the human being. This is the target of attack in social engineering. By deception, persuasion and manipulation, the attempt is made to gain information about the target. The use of technology is not always necessary.
This includes, among other things, e-mails that pretend to come from a superior or a well-known company, but that forward the user to a fake site to intercept his access or credit card data.
SQL Injection
SQL Injection is a common vulnerability in web applications. If user inputs are not checked correctly before forwarding to the database, it is possible to break out of the original query to perform further actions.
This ranges from access to other database information (access data, credit card data, personal data) to direct access to the computer system.
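The difference between user input that is pasted into a query and user input that is passed as data, shown as an added example that is not part of the original article. It uses Python's built-in sqlite3 module; the table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows.
    Passwords are stored in plain text only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice-pw", "card-A"), ("bob", "bob-pw", "card-B")],
    )
    return db


def login_vulnerable(db, name, password):
    """Unsafe: the input becomes part of the SQL text, so a quote inside it
    ends the string literal and the remainder is parsed as SQL."""
    query = (
        "SELECT name, card FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return db.execute(query).fetchall()


def login_safe(db, name, password):
    """Safe: placeholders hand the input to the database as data only."""
    query = "SELECT name, card FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that contains a quote

    # A correct login behaves the same in both versions.
    print(login_vulnerable(db, "alice", "alice-pw"))
    print(login_safe(db, "alice", "alice-pw"))

    # The crafted input breaks out of the original query in the unsafe
    # version and returns every row; the safe version matches nothing.
    print(login_vulnerable(db, "alice", crafted))
    print(login_safe(db, "alice", crafted))
```
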
Vulnerability
A vulnerability is an error in the IT system that can lead to damage to the system or company.
These can be incorrect programming or configurations. Exploits are based on such vulnerabilities and take advantage of them.
However, the causes can also lie within the company in the course of its operations or organization.
Eckert, Claudia (2014): IT-Sicherheit: Konzepte – Verfahren – Protokolle, 9th edition, Oldenbourg.