Thursday 21 June 2012


Do You Scan with Network Security Controls Enabled or Disabled?
Submitted by Kevin Beaver on June 21, 2012 – 8:46 pm

As application security professionals, we want to get as much as possible out of our security assessments. We're not only expected to, but we're proud of our work and want to provide the best results and the most value possible. As I've written in a previous article about how to plan your web security assessments, ensuring you have your ducks in a row before you start your testing is crucial. Planning is key. But there's one literal roadblock to web application testing that's often overlooked, or comes as an afterthought: firewalls and intrusion prevention systems. What do you do about those pesky network security controls that keep blocking your scans?

The answer seems obvious: just set up trusting rules so that you can have unfettered access to the application. Simple enough, right? Well, not really. The minute you do that you're changing the real-world view of the application. Why not just test it as the bad guys see it and be done with it? That's a great point, and along the lines of the age-old black box/white box/gray box testing debate. I'm just not convinced that's the best approach for managing overall risks. Oh, and for larger organizations with complex (i.e. inefficient) change management procedures, making such a request can take a week or longer. If you find out that you're being blocked only after you begin your scanning, this will put you even further behind the eight ball.

Here’s my take: if I know that firewalls and IPSs may or will block my web vulnerability scans, I’ll usually run my scans anyway to see what happens. You’d be surprised what you can get away with if the scanning is done over SSL and, thus, the network security controls can’t see what’s going on. I’ll document any such findings. If I continue on and a firewall or IPS keeps blocking or even slowing my scans yet I know I need to keep digging in, I’ll proceed to have trusting rules configured. Many will argue that this is not real-world. What’s your reality? If a web flaw exists and cannot be found via automated scans because of network security controls blocking it and then a criminal comes along and exploits it during a targeted manual attack, how’s that going to fly? It would’ve been nice to know about this flaw beforehand if you could’ve scanned with trusting rules in place from the get-go.

Setting up trusting rules can provide additional assurance that all’s well behind the scenes for those times that your network security controls don’t (or can’t) provide adequate security. In the end, management and other stakeholders want to know: where do things stand with web security? Sure there are tons of variables. Semantics too. But we have to approach this sensibly and logically. Use some common sense and do what’s best. Only you’ll know what that is for your specific situation.

Thursday 3 May 2012

Because Just Passwords are not Enough....!!!!

The headline means this: in today's world, technology has evolved a great deal when it comes to communicating with anyone in the cloud, paying your utility bills by credit card, or transferring funds to anyone anywhere in the world....
Everything is possible, and this possibility has been made available to us via the Internet -> net banking -> e-mail and more....
So, is it as easy as it was for me to write this on the blog? The answer is "No"...
Let's try to find out why I said "No". Now, back to the topic of this blog....
------> Because Just Passwords are not Enough....!!!! <--------

1) Security Issues: While paying utility bills online or transferring money from one account to another, online users (like you and me) are always worried about fraud: what if somebody hacks my account and wipes out all my money, or a hacker steals my credit/debit card information? Hacking (a process by which a person from outside the network gets hold of your password, account details and so on) enables unethical hackers (there are ethical hackers too :-) to penetrate the accounts of online users and spend their money. Confidential information that is secured by nothing more than a user name and password is vulnerable to exactly these threats.
------> Because Just Passwords are not Enough....!!!! <-------- :-)

Most banks and online portals try to secure their sites by implementing the latest network security software (depending on their spending capability). However, there have been plenty of cases in which web surfers were accidentally exposed to the financial details of online banking customers. Internet security had a setback in 2004, when Morgan Stanley admitted a serious security flaw in the system behind its latest online banking operation. This flaw allowed customers to access the account details of other clients.

2) Online Fraud: You just won the online lottery............ (I receive almost 2-3 such mails daily in my mailbox, especially from Nigeria.)
The threat of duping customers with Nigerian-style mails (fraudulent e-mails, lottery or advance-fee mails, fake websites, fake online surveys, etc.) is very common in the Indian online world, owing to a lack of internet knowledge and awareness of internet fraud. Phishing also results in the disclosure of confidential details such as name, address, bank account number, passwords, etc., giving rise to identity theft. Many Indian e-commerce websites have no proper procedures in place to protect encrypted data, leading to leakage of key information about online transactions. As a result, Indian customers are afraid to transact online.

How to tackle these kinds of fraud.....
As mentioned above, just a password is not enough: you have to involve a second factor in any online transaction.
Think of the way we withdraw money from an ATM; it involves two factors:

Factor 1: PIN number (which we remember)
Factor 2: ATM card (which we carry)

Without the combination of both factors, withdrawing money is impossible. In the same way, we can involve two factors in any online payment or transaction.

One is your password; the other is a token (now made available by all the banks). The token generates a 6-digit number on its display, which you combine with your password and enter when doing any online transaction or payment.
Always make sure that you are landing on the intended page: look for https:// as the prefix of the URL in the address bar, e.g. https://login.icicibank.com...
You can also double-click the padlock at the bottom of the browser window or in the address bar; it will show you the correct information about the website (including the correct website name), so that you can be sure you are on the right page. (In a phishing attack, a fake website looks similar to the original and stores your username and password, which the hacker can then use to wreck your happiness....)

So please be careful in the web world...
cya...