News
Welcome Paul Blowers
Mar 2010
We are very pleased to welcome Paul Blowers to the Aura team. Paul will be heading up our fast-expanding IT Security Architecture practice.



Troopers 10 - Heidelberg, Germany
8-12 Mar 2010
Graeme Neilson is continuing his world tour with Troopers 10 in Heidelberg, Germany.



Winner of Electra Awards New Thinking 2009
10 Nov 2009
We are very proud to be the winners of the Electra Business Awards 2009 - New Thinking and Innovation category! Putting "Silicon Gorge" on the map.




Help Sponsor our Southern Crossing
January 2010
In loving memory of Betty Nicholson and Helen Palmer, Andy Prow and family (Diane, Josh and Autumn) are walking the Southern Crossing - 3 day hike over the top of the Tararua Range!
Please help support us in raising funds for the Neurological Foundation.
Find out how...




Day-Con III - Dayton Security Summit
15 Oct 2009
The now world-famous and highly sought after Graeme Neilson is off to present at Day-Con III in Ohio, USA, and Aura is proud to be a Gold Sponsor of this excellent IT security event.


Microsoft TechEd
14-16 Sept 2009
Microsoft's TechEd NZ was another HUGE event this year, all the more so of course because Andy Prow presented with Kirk Jackson - check out "SEC313: Hack-Ed, Teaching the Good-Guys Bad-Tricks"


Microsoft Code Camp 09
13 Sept 2009
If you're heading to TechEd this year and need to brush up on your Secure Coding Practices then definitely come along to the .Net Code Camp. Andy Prow will be presenting with Kirk Jackson of Xero on Secure Coding Practices.


BlackHat Vegas
25-30 July 2009
Aura's Graeme Neilson gave an EXCELLENT presentation at BlackHat USA 09. Graeme presented his now world famous "NetScreen of the Dead" (sorry Juniper). BlackHat is "the World's Premier Technical Security Conference", so we're very proud to have Graeme invited to speak!

Read more...

CIO Summit
21-22 July 2009
The NZ CIO Summit 2009 was an excellent event! Almost twice the size of last year it was buzzing.
Thanks to Paul Blowers, Enterprise Security Architect from the NZ Police for an excellent talk. Read more...



OWASP DAY 2009
13 July 2009
Look out for the OWASP NZ Day 2009 on July 13th in Auckland.
Andy Prow is presenting with Kirk Jackson from Xero - "XSS The Gloves are Off". Andy's hacking, Kirk's defending... hopefully not too much blood spilt!


.Net User Group
29 Apr 2009
Andy Prow presented at the .Net User Group talk at Xero, Wellington. Find out more... If you couldn't be there - download the presso


IT Security Summit 09
14-15 April 2009
Mark Keegan again gave an excellent presentation at this year's Brightstar Annual IT Security Summit
Mark presented "Hacks and Demos: Securing Web Applications" - see our presentations


ISACA
Dec 2008
Andy Prow presented at the ISACA Computer Security Day on the 2nd Dec 2008 in Wellington. Andy's presentation focussed on the "SANS Defensive Wall 1 - Proactive Software Assurance". Read more...


RUXCON
Nov 2008
Great conference - Graeme Neilson presented at RUXCON in Sydney this year - 29th,30th Nov 08. Graeme presented on how to hack Juniper firewalls, rebuilding and reloading the OS, to create an untraceable "zombied" firewall - you run it, we own it, what more could you ask for? This preso was certainly one of the best of the whole conference (totally unbiased opinion of course!). Read more...


CIO Summit
July 2008
We showcased our services at the BrightStar/IDC CIO Summit on July 22nd & 23rd in Auckland, especially our new RedEye.
If you were there you'd have heard an excellent presentation by Craig Walker, the CTO of Xero, presenting a case study of our services with them.


QualIT Partnership
May 2008
We're excited to announce our partnership with QualIT, through which we're providing our PRODUCTION STRENGTH testing service, combining security testing and performance testing services.


IT Security Summit
April 2008
Our very own Mark Keegan presented at this year's Brightstar Annual IT Security Summit
A good 2 days session - well worth attending if you haven't before.


Graeme on IT Radio - Australia
Feb 2008
A great interview with Graeme Neilson on Aussie IT Radio all about BlackBerry hacking and Aura's "RedBerry" security tool. IT Radio #46


Microsoft Certified Partners
January 2008
We're very proud to announce that Aura Software has just become a Microsoft Certified Partner.


Research & Development
December 2007
We are extremely happy to have been granted a TBG grant from the Foundation of Research, Science and Technology - see www.FRST.govt.nz for more info.

The fruits of this project will be seen in the next versions of our RedEye service.


Kiwicon 2k7
November 2007
Mark Keegan and Graeme Neilson both gave presentations at the inaugural Kiwicon event - NZ's own security conference.

Check out www.Kiwicon.org for info on the conference, and our publications page to have a look yourself


Over the Ditch
October 2007
This Kiwi Security consulting company engaged in our first penetration test across the ditch in Australia, testing the Managed Accounts website owned and operated by Investment Administration Services Pty.

Read the full case study here


Our Methodology

One of the crucial factors in the success of a security test is the underlying methodology. Lack of a formal methodology means no consistency. While a penetration tester's skills need to be specialized for the job, the approach shouldn't be. In other words, a formal methodology should provide a disciplined framework for conducting a complete and accurate penetration test, but need not be restrictive - it should allow the tester to fully explore his intuitions.

Aura Software Security’s methodology is based on the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).

We use a combination of commercial scanning applications as well as the very latest open source tools. These open source tools are very important in the test process because they are freely available and are what today’s hackers use to exploit a system.

Whilst running a security test in a live environment is a true reflection of the impact of a hacker penetrating the system, it is Aura's preference to run invasive tests in a staging environment so that components can be tested in isolation. This is because some of the more invasive tools can result in a higher network load, slowing the network or even causing a denial of service (DoS). If a staging environment is not possible, care is always taken to minimise disruptions; however, this is a somewhat more risky approach.

Planning & Preparation
In order to make the penetration test a success, the following will need to be finalised:
• Scope and objectives
• Communications channels
• Timing and duration of the tests
• Discussion of the tests
• Will staff be notified of the test? (e.g. when testing Intrusion Detection Systems, should your support staff be pre-warned?)
• Are relevant contractual documents in order? e.g. non-disclosure.

Information Gathering & Analysis
The next step is to gather as much information as possible about the targeted systems or networks. You've stated that this will be a "black box" engagement, meaning we will have little or no access to information about the systems. Information gathering is a crucial step in any penetration test.

The results of this stage will include:
• Initial information – Search publicly accessible web sites for company information.
• Range – gather the address range for the network.
• Active Machines – How many machines are actively running?
• Open Ports – This defines possible entry points into a system.
• Fingerprint the OS – Scan for the version and patch level of the target systems.
• Services – Obtain what is running on each port.
• Create a Network Map – This will help clarify and visualize the entire network.

Vulnerability Detection
We then determine if vulnerabilities exist on the targeted systems. This is done by running a vulnerability detection tool that contains a database of known exploits.

Searches of online databases are also carried out to identify any exploits of exposed services that may be possible.

The Vulnerability Detection stage can produce a number of false-positives so the tester must then manually verify that these vulnerabilities do in fact exist on the targeted systems.

Penetration Attempt
This is the core part of the security test process, where actual tests are performed.
Every test performed has the following characteristics defined:
• What is classed as success or failure of a test?
       e.g. can we access the server? Or can we gain Administrator access?
• What are the possible impacts of a test?
       e.g. a test may impact the server’s response time, and therefore will have to be performed out of hours.
• Is the security test performed as an outside test (from the public internet) or as an "insider" attack attempt against the web servers? This point is important, as insider attacks test the web server directly, to identify potentially weak systems that are shielded by the firewalls.

Analysis & Reporting
After conducting all the steps above, the next task ahead is to generate a report for the organization.

The report delivered at the end of the engagement will include the following:

• Detailed listing of all information gathered during the security testing.
• Summary of all unsuccessful penetration scenarios, describing the measures that are in place that protected the systems.
• Summary of any successful penetration scenarios.
• Detailed listing of all vulnerabilities found including:
       - Description of vulnerability found.
       - Impact of the vulnerability.
       - Suggestions and techniques to resolve vulnerabilities.
• Ongoing recommendations

Cleaning up
A detailed list of all actions performed during the security test will be kept. This is vital so that any cleaning up of the system can be done.
Any documentation that is deemed sensitive and confidential will either be returned, destroyed or securely archived.
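As an added illustration of how three parts of the methodology above fit together (the agreed scope from Planning & Preparation, the address range from Information Gathering, and the detailed list of all actions kept for Cleaning up), the following example checks an engagement's action log against the signed-off scope and extracts the actions that left state behind and so need cleanup. This is example code, not Aura's tooling; the scope ranges, log format and log lines are constructed for illustration.

```python
"""Scope and cleanup check over a penetration-test action log (added example).

Every target touched must fall inside the agreed scope, and every action that
changed state must appear on the cleanup list. Hosts, ranges and log lines are
constructed; the tab-separated log format is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed scope as signed off in Planning & Preparation (TEST-NET ranges).
SCOPE = ["203.0.113.0/28", "198.51.100.10"]

# Constructed action log: timestamp, target, action, changed-state (yes/no).
ACTION_LOG = """\
2010-03-08T09:00Z\t203.0.113.5\tport-scan\tno
2010-03-08T09:20Z\t203.0.113.7\tvuln-scan\tno
2010-03-08T10:05Z\t203.0.113.7\tupload-test-file\tyes
2010-03-08T10:30Z\t198.51.100.10\tcreate-test-account\tyes
2010-03-08T11:00Z\t192.0.2.44\tport-scan\tno
"""

@dataclass
class Action:
    ts: str
    target: str
    action: str
    changed_state: bool  # True means cleanup is required afterwards

def parse_log(text):
    """Parse the tab-separated action log into Action records."""
    actions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, target, action, changed = line.split("\t")
        actions.append(Action(ts, target, action, changed == "yes"))
    return actions

def in_scope(target, scope):
    """True if target lies within any agreed address or range."""
    addr = ipaddress.ip_address(target)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in scope)

def review(log_text, scope):
    """Return (out_of_scope_actions, actions_needing_cleanup)."""
    actions = parse_log(log_text)
    out_of_scope = [a for a in actions if not in_scope(a.target, scope)]
    cleanup = [a for a in actions if a.changed_state]
    return out_of_scope, cleanup

if __name__ == "__main__":
    oos, cleanup = review(ACTION_LOG, SCOPE)
    for a in oos:
        print("OUT OF SCOPE:", a.ts, a.target, a.action)
    for a in cleanup:
        print("CLEANUP NEEDED:", a.target, a.action)
```

Run against the constructed log it flags the 192.0.2.44 scan as outside the agreed range and lists the uploaded test file and the test account for cleanup.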