penetration testing as audit tool
Post on 04-Jun-2018
8/13/2019 Penetration Testing as Audit Tool
atsec information security 2010

Penetration Testing as an Auditing Tool
March 1, 2011, ISACA Austin Chapter Luncheon
Jeremy Powell, Consultant, atsec information security

About the Speaker
- Security consultant
- Evaluates the security features of:
  - Operating systems
  - Network appliances
  - Cryptographic modules
  - Networks and websites
- Relevant Standards:
  - Common Criteria (ISO/IEC 15408)
  - FIPS 140-2 cryptographic module validation
  - Payment Card Industry Data Security Standard (PCI DSS)
- Lead penetration tester in atsec U.S. branch

Agenda
- Assurance and Security
- Breaking the Rules
- Penetration Testing
  - Network and Web Application
  - Physical
  - Social Engineering
- Ethics and Legality
- Complementing Audits

Assurance and Security
- Assurance is established trust in information
- Information might need to be:
  - Accurate
  - Confidential
  - Available
  - Tracked
- How is trust established?
  - Design a sound model
  - Implement the model
  - Regularly audit the implementation against the model
  - Break the model
  - Lather, Rinse, Repeat

Breaking the Rules
- Models are often based on assumption
  - All prison guards are trusted.
    - Bribes
    - Planted guards
    - Impostors
  - No one knows how the system is designed
    - Reverse engineering
    - Someone leaks the plans
  - No one can have a weapon inside airport security
    - Cleaning supplies inside concourse
    - Restaurant utensils

Penetration Testing
- Controlled rule breaking
- Simulated attack scenarios
- Different Types
  - Network
  - Web application
  - Physical
  - Social engineering
- Different Approaches
  - White box = prior knowledge
  - Black box = no prior knowledge
- Tests assumptions that may have been made that are not true

Network and Web Applications

Physical

Social Engineering

Ethics and Legality
- Testers must be very well trusted
- Contractual Rules of Engagement
  - Defines the exact scope of testing
  - Defines how testers should react if they identify vulnerabilities
  - Constrains the testing to certain limitations
  - In turn, provides tester a

Complementing Audits
- Auditors may draw incorrect conclusions
  - Audits are based on presented (possibly incomplete or incorrect) evidence
  - Auditors often sample the evidence
  - Auditors may make assumptions
  - The standard or model may be broken
- Penetration testing covers these gaps
  - Testers have simple yet strong motivation
  - Testers may not have seen the audit, therefore they may not have made similar assumptions
  - With competent testers, penetration testing reveals what competent attackers are capable of

Further Information
- The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick, William Simon
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Kevin Mitnick, William Simon
- atsec's website: http://www.atsec.com/
- atsec's news blog: http://atsec-information-security.blogspot.com/

Thank you.