Showing posts with label Chennai penetration testing. Show all posts

Monday, 21 March 2016

What, When, Where, How Ethical Hacking?

What is Ethical Hacking?
It is a way of hacking computers and networks with the organization's permission. With the help of ethical hacking you can find the points through which an unauthorized person (intruder) could enter. Ethical hacking is a proactive form of information security and is also known as penetration testing, intrusion testing and red teaming. Those who do ethical hacking are known as Ethical Hackers. An Ethical Hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit.
                An ethical hacker is the complete opposite of a malicious hacker. An ethical hacker is an information security professional. This is a good guy. They use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.
For hacking to be deemed ethical, the hacker must obey the following rules:
  • The Ethical Hacker should have express permission to probe the network and attempt to identify potential security risks.
  • The Ethical Hacker should respect the individual's or company's privacy.
  • The Ethical Hacker should close out their work, not leaving anything open for themselves or someone else to exploit at a later time.
  • The Ethical Hacker should let the software developer or hardware manufacturer know of any security vulnerabilities they locate in the software or hardware, if not already known by the company.
Purpose of Ethical Hacking: -
  • Evaluate the security of a network or system's infrastructure
  • Find and attempt to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible
Who needs Ethical Hacking: -
  • Any organization that has a network connected to the Internet or provides an online service should consider subjecting it to a penetration test.
  • Bankers
  • Government agencies
  • Business organizations
Goal of the Ethical Hacking: -
  • Fighting against terrorism and national security breaches
  • How much effort, time and money is an organization willing to expend to obtain adequate protection?
  • Having adequate preventative measures in place to prevent security breaches
  • What can an intruder do with the captured information?
  • Having a computer system that prevents malicious hackers from gaining access
  • What is the organization trying to protect?
  • Are your developers concerned about security?
  • Is your customers' and clients' data exposed to the public or not?
  • Do you have a better brand reputation?
What are the benefits to an organization of having an Ethical Hacker: -
  • Organizations are under constant cyber-attack
  •  To build a computer system that prevents hackers’ access and safeguard system and information from malicious attack
  •  To manage adequate preventive measures in order to avoid security breaches
  •   To safeguard user or customer information available in business transactions and visits
  •   To test networks at regular intervals
  •   To create security awareness at all levels in a business
How to become a professional and Qualified Ethical Hacker?
  •  Know about the different types of hackers, such as White Hat, Grey Hat and Black Hat hackers.
  • Seek out job opportunities for ethical hackers.
  • Analyse the basic requirements to become an ethical hacker.
  •  Decide the area where you would prefer to work primarily with hardware or software.
  • Evaluate your strengths and interests and gain some programming knowledge such as C, Python or Java.
  • Learn the UNIX operating system as it is regarded as the original operating system built by hackers.
  • Take a professional course.
  • Do experiments on your own to see what actually happens in a situation.
  • Start experimenting with hardware and software to learn how to take control of situations and how to prevent a computer from getting hacked.
  • Read on your own to find out the areas where you need to improve and what you need to learn to refine your focus.
  • Stay connected to the hacker community by sharing technical information and ideas.
 Disadvantages of Ethical Hacking: -
  • The ethical hacker using the knowledge they gain to do malicious hacking activities
  • Allowing the company’s financial and banking details to be seen
  • The possibility that the ethical hacker will send and/or place malicious code, viruses, malware and other destructive and harmful things on a computer system
  • Massive security breach
Should we trust Ethical Hacking Certificate courses?
  • Hacking is a skill that cannot be learnt within a certification, but a certification can help you understand what hacking is.
  • Self-learning is the right option for becoming a good ethical hacker
  • International certifications are more concerned with creating a brand than with certification
  • Learning hacking with open source tools is advisable
  • The boundaries of ethical hacking should depend on your country's cyber security law.
Conclusions: -
Hacking may be defined as legal or illegal, ethical or unethical. The media’s portrayal of hacking has boosted one version of discourse. Ethical hacking offers unparalleled insight into an organization’s security effectiveness as well as a road map for enhancing security. By hiring an Ethical Hacker to simulate a cyber-attack, vulnerabilities can be identified and corrected before they are exploited by a hacker or malicious insider. It is suggested that this section echo portions of the overall test as well as support the growth of the client security posture.

Thursday, 17 March 2016

DIRECTORY TRAVERSAL ATTACK

A directory traversal attack is an HTTP exploit which enables the attacker to obtain sensitive data such as usernames and passwords by traversing through the directories using commands. The attacker gets access to files and folders which are not meant to be public and are only for the superuser or root. This attack is also known as the dot dot slash attack, directory climbing and backtracking.

TYPES OF DIRECTORY TRAVERSAL ATTACKS

  • URI encoded directory traversal
  • UNICODE/UTF-8 encoded directory traversal
  • ZIP/ARCHIVE traversal attacks

 URI encoded directory traversal

Some websites scan the query string for sequences such as dot dot forward slash (../), dot dot backslash (..\) or dot dot (..) to prevent directory traversal attacks. But if we look at how these queries are processed, we find that they are URI encoded and decoded by the server, so a filter that only looks for the literal characters is vulnerable to percent-encoded directory traversals such as:
  • %2e%2e%2f which translates to ../
  • %2e%2e/ which translates to ../
  • ..%2f which translates to ../
  • %2e%2e%5c which translates to ..\
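
Why a filter that looks for `../` in the raw query value misses the encoded forms listed above, next to a check that decodes first and then confirms the resolved path stays inside the served directory. This is an added example, not code from the original post; `BASE_DIR`, `naive_filter`, `resolve_page` and `audit` are hypothetical names.

```python
import os
from urllib.parse import unquote

# Hypothetical directory the application is allowed to serve pages from.
BASE_DIR = "/var/www/site/pages"

# The plain form plus the percent-encoded forms listed in the post.
ENCODED_FORMS = ["../", "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c"]


def naive_filter(raw_value: str) -> bool:
    """Weak check: searches the still-encoded value for traversal tokens.

    Returns True when the value is considered safe by this filter.
    """
    return "../" not in raw_value and "..\\" not in raw_value


def resolve_page(raw_value: str, base_dir: str = BASE_DIR) -> str:
    """Decode, canonicalize, then verify containment.

    Returns the absolute path inside base_dir or raises ValueError.
    """
    # 1. Decode exactly as the server will before touching the file system.
    decoded = unquote(raw_value)
    # 2. Treat backslashes as separators so ..\ is handled on every platform.
    relative = decoded.replace("\\", "/")
    # 3. Canonicalize both paths (collapses "..", resolves symlinks).
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    # 4. Only now decide: the result must still live under the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % raw_value)
    return candidate


def audit(raw_value: str):
    """Return (passes_naive_filter, accepted_by_resolve_page)."""
    try:
        resolve_page(raw_value)
        accepted = True
    except ValueError:
        accepted = False
    return naive_filter(raw_value), accepted


if __name__ == "__main__":
    samples = [form * 4 + "etc/passwd" for form in ENCODED_FORMS]
    samples.append("notification.php")  # the legitimate value from the post
    for value in samples:
        naive_ok, accepted = audit(value)
        print(f"{value:45} naive_filter={naive_ok!s:5} resolve_page={accepted}")
```
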

 UNICODE/UTF-8 encoded directory traversal attacks

When Microsoft added Unicode support to their web server, a new way of performing directory traversal appeared. Attackers had a new way of encoding the dot dot slash (../), using multiple percent encodings such as:
  1. %c1%1c
  2. %c0%af
These can then be translated to / or \ characters. Percent encodings were decoded into the corresponding 8-bit characters by the Microsoft web server. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that (HEX) C0AF and (HEX) 2F were the same character, enabling attackers to attack the web server using directory traversal.
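
The check-before-canonicalization flaw described above, shown with the two encodings from the post, next to a pipeline that decodes strictly before checking. This is an added example, not Microsoft's code or code from the original post; the lenient decoder is a constructed stand-in for any decoder that does not validate UTF-8, and all function names and the sample file names are hypothetical.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Non-validating decoder: accepts any 2-byte sequence starting 0xC0-0xDF.

    It never checks that the lead byte is legal (0xC0/0xC1 are overlong) or
    that the second byte is a real continuation byte (0x80-0xBF).
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def flawed_pipeline(raw: str) -> str:
    """Check first, canonicalize later: the order the post describes."""
    data = unquote_to_bytes(raw)
    if b"../" in data or b"..\\" in data:
        raise ValueError("traversal sequence")
    # The separator only comes into existence here, after the check has run.
    return lenient_utf8_decode(data)


def hardened_pipeline(raw: str) -> str:
    """Canonicalize first (strict UTF-8), then check path segments."""
    data = unquote_to_bytes(raw)
    try:
        text = data.decode("utf-8")  # rejects overlong and malformed input
    except UnicodeDecodeError as exc:
        raise ValueError("invalid or overlong UTF-8") from exc
    if ".." in text.replace("\\", "/").split("/"):
        raise ValueError("traversal sequence")
    return text


def verdicts(raw: str):
    """Return (flawed_result, hardened_result); None means rejected."""
    results = []
    for pipeline in (flawed_pipeline, hardened_pipeline):
        try:
            results.append(pipeline(raw))
        except ValueError:
            results.append(None)
    return tuple(results)


if __name__ == "__main__":
    # Constructed sample inputs using the two encodings listed in the post.
    for sample in ("..%c0%afsecret.txt", "..%c1%1csecret.txt",
                   "../secret.txt", "docs/caf%c3%a9.txt"):
        print(f"{sample:24} -> {verdicts(sample)}")
```
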

 ZIP/ARCHIVE TRAVERSAL ATTACKS

This type of attack is carried out by providing a zip or other archive file which can overwrite files on the file system by means of backtracking. Code that decompresses archive files can be written to check that the paths of the files in the archive do not engage in path traversal.
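
One way to write the archive check mentioned above: every member name is resolved against the destination directory and the whole archive is refused if any entry would land outside it. This is an added example, not code from the original post; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archives: entry name -> file content.
HOSTILE_ENTRIES = {
    "docs/readme.txt": "ok",
    "../outside.txt": "climbs one level up",
    "..\\..\\win.txt": "backslash form",
    "/abs.txt": "absolute path",
}
BENIGN_ENTRIES = {"docs/readme.txt": "ok", "index.html": "<p>hello</p>"}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from the constructed entries above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def escaping_members(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the member names that would resolve outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    offenders = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Normalise backslashes so Windows-style names are caught too.
            relative = name.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest, relative))
            if os.path.commonpath([dest, target]) != dest:
                offenders.append(name)
    return offenders


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if no member escapes dest_dir; nothing is written otherwise."""
    offenders = escaping_members(zip_bytes, dest_dir)
    if offenders:
        raise ValueError("archive rejected, unsafe members: %r" % offenders)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())


if __name__ == "__main__":
    dest = tempfile.mkdtemp(prefix="extract-")
    print("unsafe members:", escaping_members(build_zip(HOSTILE_ENTRIES), dest))
    print("extracted:", safe_extract(build_zip(BENIGN_ENTRIES), dest))
```
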

EXAMPLE OF DIRECTORY TRAVERSAL ATTACK

The URL which can be attacked can be of the following type:
http://www.somewebsite.com/itemone.php?page=notification.php
Now let’s assume that the web server is running on a UNIX-like operating system. There will then be a directory 'etc' on Unix/Linux which contains the configuration files of programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile, sbin. 'etc' is generally the default folder, so it can be found at a certain level of the hierarchy in the file system.
To check for the directory traversal attack we need to adjust the given URL, altering its path to the desired directory.
http://www.somewebsite.com/itemone.php?page=../../../../etc/passwd
The dot dot slash (../) takes you up the directory tree one level each time, so how many dot dot slashes (../) you need in order to reach the desired location depends entirely on the hierarchy.
If you reach the desired location, which here means the passwd file, you will get its contents, which can give out valuable information such as usernames and passwords.

IMPACT OF DIRECTORY TRAVERSAL ATTACK

This attack can leak sensitive data stored in different folders which is not meant to be viewed by the public, such as usernames and passwords. Using the data, the attacker can gain administrative access as root and exploit the web server accordingly.
The attacker can erase, edit or sell the gathered data, which would be a greater breach. The attacker can also install malicious programs such as malware, viruses, backdoors and rootkits.
Attackers can also download files from the server, execute commands and expose the source code, which may lead to further attacks.

 CONCLUSION

As we can see the severity of the attack and its highly undesired impact, one should take all the measures to protect himself or herself from this attack. These measures can be updating the Web Server regularly and patching all known vulnerabilities as soon as possible.
Also the data can be kept on different drive as traversing to other drives is not possible through this type of attack. Effectively filter any user input. Ideally remove everything but the known good data and filter Meta characters from the user input.

WebsitePentest:

We, Brisk Infosec, provide website security services for any organization. We guarantee to secure your websites from any vulnerabilities and attacks with an ethical touch. We offer website security services for $99. Website security organizations are like a black cat in a coal cellar, very hard to find. Brisk Infosec is one among them, with more professional security analysts, providing services at economical fixed prices and, most importantly, a trustworthy organization.
Reach us at websitepentest@briskinfosec.com
  • You need not pay if you are not vulnerable
  • You need not pay before testing
  • We just need your website with official confirmation.
Still thinking about reaching us? Well, there is a high probability that an intruder has already found a loophole to get into your website by now! “Before they start, we will stop and secure you!!” Hurry and send us an email.

Tuesday, 6 October 2015

Top 20 practical software security testing tips for Pentesters (Security Testers)


1) Learn to analyze your test results thoroughly. Do not ignore the test result. The final test result may be ‘pass’ or ‘fail’ but troubleshooting the root cause of ‘fail’ will lead you to the solution of the problem. Testers will be respected if they not only log the bugs but also provide solutions.
2) Learn to maximize the test coverage every time you test any application. Though 100 percent test coverage might not be possible still you can always try to reach near it.
3) To ensure maximum test coverage break your application under test (AUT) into smaller functional modules. Write test cases on such individual unit modules. Also if possible break these modules into smaller parts.
E.g.: Let's assume you have divided your website application into modules and ‘accepting user information’ is one of the modules. You can break this ‘User information’ screen into smaller parts for writing test cases: parts like UI testing, security testing, functional testing of the ‘User information’ form etc. Apply all form field type and size tests, negative and validation tests on input fields and write all such test cases for maximum coverage.

4) While writing test cases, write test cases for intended functionality first, i.e. for valid conditions according to requirements. Then write test cases for invalid conditions. This will cover expected as well as unexpected behavior of the application under test.
5) Think positive. Start testing the application with the intent of finding bugs/errors. Don’t think beforehand that there will not be any bugs in the application. If you test the application with the intention of finding bugs you will definitely succeed in finding those subtle bugs also.
6) Write your test cases in requirement analysis and design phase itself. This way you can ensure all the requirements are testable.
7) Make your test cases available to developers prior to coding. Don’t keep your test cases with you waiting to get the final application release for testing, thinking that you can log more bugs. Let developers analyze your test cases thoroughly to develop a quality application. This will also save re-work time.
8) If possible identify and group your test cases for regression testing. This will ensure quick and effective manual regression testing.
9) Applications requiring critical response time should be thoroughly tested for performance. Performance testing is a critical part of many applications. In manual testing this part is mostly ignored by testers due to the lack of the large data volume required for performance testing. Find out ways to test your application for performance. If it is not possible to create test data manually then write some basic scripts to create test data for the performance test or ask developers to write one for you.
10) Programmers should not test their own code. As discussed in our previous post, basic unit testing of the developed application should be enough for developers to release the application to testers. But you (testers) should not force developers to release the product for testing. Let them take their own time. Everyone from lead to manager knows when the module/update is released for testing and they can estimate the testing time accordingly. This is a typical situation in an agile project environment.
11) Go beyond requirement testing. Test application for what it is not supposed to do.
12) While doing regression testing use previous bug graph (Bug graph – number of bugs found against time for different modules). This module-wise bug graph can be useful to predict the most probable bug part of the application.
13) Note down the new terms, concepts you learn while testing. Keep a text file open while testing an application. Note down the testing progress, observations in it. Use these notepad observations while preparing final test release report. This good habit will help you to provide the complete unambiguous test report and release details.
14) Many times testers or developers make changes in code base for application under test. This is required step in development or testing environment to avoid execution of live transaction processing like in banking projects. Note down all such code changes done for testing purpose and at the time of final release make sure you have removed all these changes from final client side deployment file resources.
15) Keep developers away from the test environment. This is a required step to detect any configuration changes missing in the release or deployment document. Sometimes developers make system or application configuration changes but forget to mention them in the deployment steps. If developers don’t have access to the testing environment they will not make any such changes accidentally on the test environment, and these missing things can be captured at the right place.
16) It’s a good practice to involve testers right from the software requirement and design phase. This way testers can get knowledge of application dependability, resulting in detailed test coverage. If you are not being asked to be part of this development cycle then make a request to your lead or manager to involve your testing team in all decision making processes or meetings.
17) Testing teams should share best testing practices, experience with other teams in their organization.
18) Increase your conversation with developers to know more about the product. Whenever possible communicate face-to-face to resolve disputes quickly and to avoid any misunderstandings. But also when you understand the requirement or resolve any dispute, make sure to communicate the same in writing, such as by email. Do not keep anything verbal.
19) Don’t run out of time to do high priority testing tasks. Prioritize your testing work from high to low priority and plan your work accordingly. Analyze all associated risks to prioritize your work.
20) Write clear, descriptive, unambiguous bug report. Do not only provide the bug symptoms but also provide the effect of the bug and all possible solutions.
Don’t forget testing is a creative and challenging task. Finally it depends on your skill and experience, how you handle this challenge.

Monday, 2 September 2013

US charges 6 in major credit card, Nasdaq hacking cases

U.S. prosecutors charged six foreign nationals with hacking crimes, including credit and debit card thefts that authorities say cost U.S. and European companies more than $300 million in losses, and charged one of them with breaching Nasdaq computers. By David Jones and Jim Finkle.
Prosecutors said the indictments unsealed on Thursday for the payment card hacking were the biggest cyber fraud case filed in U.S. history.

The long list of victims include financial firms Citigroup Inc, Nasdaq OMX Group Inc, PNC Financial Services Group Inc and a Visa Inc licensee, Visa Jordan. Others include retailers Carrefour SA and J.C. Penney Co along with JetBlue Airways Corp, prosecutors said as they announced indictments.

Prosecutors said they conservatively estimate that a group of five men stole at least 160 million credit card numbers, resulting in losses in excess of $300 million.

Authorities in New Jersey charged that each of the defendants had specialized tasks: Russians Vladimir Drinkman, 32, and Alexandr Kalinin, 26, hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.

Russian Dmitriy Smilianets, 29, is accused of selling the stolen data and distributing the profits. Prosecutors said he charged $10 for U.S. cards, $15 for ones from Canada and $50 for European cards, which are more expensive because they have computer chips that make them more secure.

The five concealed their efforts by disabling anti-virus software on victims' computers and storing data on multiple hacking platforms, prosecutors said. They sold the payment card numbers to resellers, who then sold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.

"This type of crime is the cutting edge," said U.S. Attorney Paul J. Fishman for the District of New Jersey. "Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security."

The indictment also cited Albert Gonzalez as a co-conspirator. He is serving 20 years in federal prison after pleading guilty to helping mastermind one of the biggest hacking fraud schemes in U.S. history, helping steal millions of credit and debit cards.

Drinkman and Smilianets were arrested on June 28, 2012, while traveling in the Netherlands at the request of U.S. authorities. Smilianets was extradited last September and is expected to appear in New Jersey Federal court next week. Drinkman is awaiting an extradition hearing in the Netherlands.

Asked if he believed the other three are still in Russia, Fishman said: "I'm not going to say where I believe they are, we just know they're not in our custody."

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez, 32, in connection with five breaches - including one on Heartland Payment Systems.

NASDAQ BREACH

The U.S. Attorney's Office in Manhattan announced two other indictments against Kalinin, one charging he hacked servers used by Nasdaq from November 2008 through October 2010. It said he installed malicious software that enabled him and others to execute commands to delete, change or steal data.

The infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities, prosecutors said. Officials with Nasdaq said they could not immediately comment.

A source with knowledge of the breach said on Thursday the indictment was not related to a 2010 attack that Nasdaq had previously disclosed, though it has said little about the matter. Sources told Reuters in 2011 that the previously disclosed attack was targeted against Directors Desk, a service used by corporate boards to share documents and communicate with executives, among other things.

The source who spoke to Reuters on Thursday, who asked to remain anonymous due to the sensitivity of the matter, said that Nasdaq was working with the FBI and Department of Justice on the matter.

The second indictment filed against Kalinin in Manhattan, which was unsealed on Thursday, charged that he worked with a sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank account information from thousands of customers at Citibank and PNC Bank from 2005 to 2008, resulting in the theft of millions of dollars.

MAKING PROGRESS

Mark Rasch, a former federal cyber crimes prosecutor, told Reuters that the arrests show that law enforcement is making progress in identifying those responsible for major cyber crimes.

"They involve dozens or even hundreds of people huddled over computer terminals all over the world in a common purpose of stealing or disseminating credit card numbers," said Rasch, who was not involved in bringing the case.

Among the breaches cited in the New Jersey indictment, prosecutors charged that the group was responsible for the theft of more than 130 million credit card numbers from U.S. payment processor Heartland Payment Systems beginning in December 2007, resulting in approximately $200 million of losses.

The indictment charged that they took approximately 30 million payment card numbers from British payment processor Commidea Ltd in 2008 and 800,000 card numbers from Visa Inc's licensee Visa Jordan in 2011.

An attack on Global Payment Systems that began in about January 2011 resulted in the theft of more than 950,000 cards and losses of about $93 million, according to the indictment.

It charged the ring with stealing approximately 2 million credit card numbers from French retailer Carrefour SA, beginning as early as October 2007, and 4.2 million card numbers from U.S. grocer Hannaford Brothers Co., a unit of Delhaize Group. It said the theft of card numbers from Dexia Bank Belgium resulted in $1.7 million in losses.

Other victims included Dow Jones, Wet Seal Inc and 7-Eleven Inc, according to prosecutors.

Dow Jones said in a statement that there was "no evidence" that information of Dow Jones or Wall Street Journal customers was compromised as a result of the breaches. DM

Sunday, 25 August 2013

U.S. spied on United Nations by hacking into video conferencing system at New York headquarters: report

The German magazine Der Spiegel says the U.S. National Security Agency secretly monitored the U.N.’s internal video conferencing system by decrypting it last year.
Susan Rice, U.S. Ambassador to the UN, is seen on the television screens during a UN General Assembly vote at the New York headquarters. The National Security Agency broke the encryption securing the United Nations' internal video conferencing at its headquarters, German news weekly Der Spiegel reported on August 25, 2013, citing secret NSA documents.

The weekly said Sunday that documents it obtained from American leaker Edward Snowden show the NSA decoded the system at the UN’s headquarters in New York last summer.
Quoting leaked NSA documents, the article said the decryption “dramatically increased the data from video phone conferences and the ability to decode the data traffic.”
AP Photo/The Guardian, File: Edward Snowden, who worked as a contract employee at the U.S. National Security Agency, in Hong Kong.
In three weeks, Der Spiegel said, the NSA increased the number of decrypted communications at the UN from 12 to 458.
Snowden’s leaks have exposed details of the United States’ global surveillance apparatus, sparking an international debate over the limits of American spying.
The U.S. government’s efforts to determine which highly classified materials the leaker took from the National Security Agency have been frustrated by Snowden’s sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have shown what information Snowden viewed or downloaded.
The government’s forensic investigation is wrestling with Snowden’s apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren’t authorized to discuss the sensitive developments publicly.
The disclosure undermines the Obama administration’s assurances to Congress and the public that the NSA surveillance programs can’t be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA’s own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
In July, nearly two months after Snowden’s earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.
SAUL LOEB/AFP/Getty Images: The National Security Agency (NSA) headquarters at Fort Meade, Maryland, as seen from the air, in this January 29, 2010 file photo. The NSA has said that it destroys all data it isn't supposed to see.
NSA spokeswoman Vanee Vines told the AP that Alexander “had a sense of what documents and information had been taken,” but “he did not say the comprehensive investigation had been completed.” Vines would not say whether Snowden had found a way to view and download the documents he took without the NSA knowing.
In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.
“This program goes under careful audit,” Cole said. “Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you’re concerned about happening.”
The disclosure of Snowden’s hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.
It also helps explain the recent seizure in Britain of digital files belonging to David Miranda – the partner of Guardian journalist Glenn Greenwald – in an effort to help quantify Snowden’s leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.
Marcelo Piu/AFP/Getty Images: David Miranda (left), the Brazilian partner of Glenn Greenwald, a U.S. journalist with Britain's Guardian newspaper who worked with intelligence leaker Edward Snowden to expose US mass surveillance programmes, is pictured at Rio de Janeiro's Tom Jobim international airport upon his arrival on August 19, 2013. British authorities faced a furore after they held Miranda for almost nine hours under anti-terror laws as he passed through London's Heathrow Airport on his way home to Rio de Janeiro from Berlin.
Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post. As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA’s secure system, Alexander has said.
In his job, Snowden purloined many files, including ones that detailed the U.S. government’s programs to collect the metadata of phone calls of U.S. citizens and copy Internet traffic as it enters and leaves the U.S., then routes it to the NSA for analysis.
Officials have said Snowden had access to many documents but didn’t know necessarily how the programs functioned. He dipped into compartmentalized files as systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.
NBC News reported Thursday that the NSA was “overwhelmed” in trying to figure what Snowden had stolen and didn’t know everything he had downloaded.
Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.
Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.

Friday, 10 May 2013

How You Get Hacked at Starbucks

      For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.
But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.
           According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.

Cybercriminals can also use video cameras on a mobile device to capture what you're doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?
More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots" which intercept a user’s Internet connection and give full access to that network.
Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you.

Eight Trends That Are Changing Network Security

1. Mobile networks, VPNs and roaming users

Today’s connect-from-anywhere road warriors regularly test the traditional boundaries of network security. Firewalls are increasingly porous as employees access services from devices such as iPads, Android phones, tablets and PCs—all of which require security that mirrors but also improves upon PC solutions. Extending connectivity to small branch or home offices for many organizations. Your network strategy needs to consider how to secure access across platforms over an expanding network perimeter.

2. Targeted attacks and APTs

APTs (or advanced persistent threats) represent the next generation of Internet crimeware. For years network security capabilities such as web filtering or IPS played a key part in identifying such attacks (mostly after the initial compromise). As attackers grow bolder and employ more evasive techniques, network security must integrate with other security services to detect attacks. We’ll need to evolve security capabilities in response to these threats in the coming years.

3. Consumerization and BYOD

Consumerization and the BYOD (bring your own device) movement mean consumer devices like iPads, iPhones and Android phones are moving onto the corporate network. To deal with consumerization, your security strategy needs to focus on network security for devices where an endpoint agent may not have been deployed, or may not be functioning properly. For example, if a user connects with a Mac running malicious code, your network security layer should be able to identify that the device is attempting to retrieve malicious code updates or other suspicious activities—and be able to identify and remediate it. Otherwise you may not find out until you’re already infected, and remediation can only happen after the fact. Consumerization and BYOD increase the importance of alignment between your various security layers.

4. Web application and web server protection

The threat of attacks on web applications to extract data or to distribute malicious code persists. Cybercriminals distribute their malicious code via legitimate web servers they’ve compromised. But data-stealing attacks, many of which get the attention of media, are also a big threat. Organizations used to focus security investment on PCs and preventing conventional malware from spreading to them and onto the network. Now, you need a greater emphasis on protecting web servers and web applications. Similar challenges lie ahead for emerging technologies such as HTML5. See our article HTML5 and Security on the New Web for more information on this trend.

5. IPv6: Major surgery for the Internet

IPv6 is the new Internet protocol replacing IPv4, long the backbone of our networks in general and the Internet at large. Protecting IPv6 is not just a question of porting IPv4 capabilities. While IPv6 is a wholesale replacement in making more IP addresses available, there are some very fundamental changes to the protocol which need to be considered in security policy. Whether your organization adopts it later rather than sooner, make sure that IPv6 is on your network security agenda. For more on IPv6, check out our article Why Switch to IPv6.

6. Contending with cloud services

Small, medium and large enterprises are beginning to adopt cloud services and SaaS at a greater rate. This trend presents a big challenge for network security, as traffic can go around traditional points of inspection. Additionally, as the number of applications available in the cloud grows, policy controls for web applications and cloud services will also need to evolve. For example, which users should be able to interface with which services? Who should be able to post data, and who should have read-only privileges? While cloud services are developing their own security models, they will still need to be harmonized with your own strategy to avoid multiplication of passwords, permissions and other security infrastructure concerns. To be sure, the cloud represents a great opportunity. But as the cloud evolves, so too must network security.

7. More encryption

Encryption at every level protects the privacy and integrity of data. We’re increasingly deploying encryption at every layer. However, more use of encryption will bring more challenges for network security devices. For example, how will your network DLP (data loss prevention) inspect traffic which is encrypted end-to-end as it accesses a certain cloud service? Collaboration between the network and the endpoint to deliver complete security in scenarios like this will be critical. You need to have a network security strategy that integrates your network security with other layers of security such as endpoint, web protection and mobile devices.

8. The elastic network

The network perimeter is expanding like an elastic to include high-speed 4G and LTE networks, wireless access points, branch offices, home offices, roaming users, cloud services, and third parties accessing your applications and data to perform services. These changes to the size, scope and surface of your network can lead to misconfiguration or change control errors that could lead to security breaches. You’ll need security solutions you can consistently deploy at each device or point of infrastructure. And you need central management to keep on top of the dynamics of this elastic infrastructure and the various layers of security at each endpoint.