Assessments, Audits, and Penetration Tests, Oh My
Ira Winkler, CISSP
[email protected]...
TRANSCRIPT
Why This Presentation?
Everyone wants to assess their vulnerabilities
Most people think they need a penetration test
They actually need something more basic
They don’t really know what they need
They really don’t know what their options are
More Importantly
The people performing the work don’t know the issues either
Sometimes they are doing things that are “cool”
They don’t know what their deliverables or end results should be
Sometimes they underbid and give people what they pay for, not what they wanted
Conservatively, 75% of consultants fit into this category
My horror story
The Classification of Consultants
Don’t know what they don’t know
Know what they don’t know
Know what most others don’t know they don’t know
The Critical Question to Ask
Why do you want a penetration test?
The answer should specify the actual work
Be careful about possible disappointment in the customer
There may be disappointment in the testers
Typically, penetration tests will not be performed
A Basic – Only Two Ways to Hack
This is the core reason of any test
Anyone can learn to hack a computer
Take advantage of problems built into the operating system
Take advantage of admin and user configuration errors
What are We Talking About?
A Penetration Test tries to compromise security
An Assessment attempts to find as many vulnerabilities as possible
An Audit tests to a specific standard
Penetration tests are generally the least useful
Audits
An assessment to a specific standard
Some audits are technical, some are operational
Common Standards
BS7799/ISO 17799
CoBIT
SAS70
Dashboards
Corporate standards
HIPAA
Choosing an Audit and Standard
Depends on purpose
ISO 17799 is a regulatory requirement in some countries
SAS70 has been widely accepted to show other people
Dashboards developed for Six Sigma
If you don’t need a specific standard, perform an assessment
Who Should Perform an Audit
Since the standards are boilerplate, a person with limited skill can run the audit
The people should be familiar with the standard
Some organizations provide certification for the evaluators
SAS70 requires the oversight of a CPA firm
It depends on who will look at the results
Look for sample reports
General Criteria
This should be completely overt
Auditors may not have to touch computer systems
They should have the complete cooperation of the organization
Audits seem almost always adversarial
Assessments
A free-form attempt to locate vulnerabilities in an organization
There are no universal standards to follow
The methodology depends on what is agreed upon between the client and the tester
Typically companies have a standard assessment methodology
Work should be bounded in advance
Typical Methodology
Information gathering
Network mapping
High level reconnaissance
Detailed assessment where appropriate
Manual techniques
Create report
Brief client
Method of Scans
Network scans
Host scans
General Notes
An assessment is completely overt
There should be complete access granted by the administrators and full support available
Someone should be watching the assessment team at all times, if possible
The Results
Identification of as many vulnerabilities as possible
The methodology should focus on that
MOST IMPORTANTLY, a prioritized plan to address the vulnerabilities
The identification of problems without solutions is generally worthless
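The deliverable the talk insists on is a prioritized plan, not a pile of scanner output. As an added example that is not part of the talk, the following Python classifies constructed findings by the two root causes named earlier (problems built into the operating system versus admin and user configuration errors) and ranks them by severity weighted by how much the asset matters to the business. All host names, issues, severities and criticality values are made up for the illustration.

```python
# Added example, not from the talk: turn raw scanner-style findings into the
# prioritized remediation plan an assessment should actually deliver.
# Every host, issue, severity and criticality below is constructed for illustration.

# Each finding carries one of the talk's two root causes:
#   "os"     - a problem built into the operating system or software (needs a patch)
#   "config" - an administrator or user configuration error (needs a setting fixed)
FINDINGS = [
    {"host": "web01", "issue": "Unpatched web server", "cause": "os", "severity": 9},
    {"host": "web01", "issue": "Directory listing enabled", "cause": "config", "severity": 4},
    {"host": "db01", "issue": "Default administrative password", "cause": "config", "severity": 10},
    {"host": "db01", "issue": "Unpatched database service", "cause": "os", "severity": 8},
    {"host": "kiosk07", "issue": "Guest account enabled", "cause": "config", "severity": 5},
]

# Business criticality of each asset, 1 (low) to 5 (critical); constructed values.
ASSET_CRITICALITY = {"web01": 4, "db01": 5, "kiosk07": 1}

# The remediation a finding needs follows directly from its root cause.
ACTION_FOR_CAUSE = {"os": "apply vendor patch or upgrade", "config": "correct the configuration"}

def risk_score(finding, criticality):
    """Technical severity weighted by what the host means to the business."""
    return finding["severity"] * criticality.get(finding["host"], 1)

def prioritized_plan(findings, criticality=ASSET_CRITICALITY):
    """Rank findings by business risk (highest first) and attach the fix each needs."""
    plan = [dict(f, risk=risk_score(f, criticality), action=ACTION_FOR_CAUSE[f["cause"]])
            for f in findings]
    plan.sort(key=lambda p: p["risk"], reverse=True)
    for rank, p in enumerate(plan, start=1):
        p["rank"] = rank
    return plan

def count_by_cause(plan):
    """A config-heavy result points at an administration process gap, not a patch gap."""
    counts = {}
    for p in plan:
        counts[p["cause"]] = counts.get(p["cause"], 0) + 1
    return counts

if __name__ == "__main__":
    plan = prioritized_plan(FINDINGS)
    for p in plan:
        print(f"{p['rank']}. [risk {p['risk']:>2}] {p['host']}: {p['issue']} -> {p['action']}")
    print("findings by root cause:", count_by_cause(plan))
```

The same severity 9 finding lands at rank 3 here because it sits on a less critical host than the severity 8 one, which is the business-perspective ordering the talk asks for.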
Notes on Pricing
Be concerned about prices that are too cheap
Expensive prices don’t indicate quality
Watch out for ISS scanner output
Watch out for other things that look good, but are boilerplate
Quality of the people becomes more important
Notes on Staffing
Assessors should be technically competent
Watch the bait and switch
Ask for resumes of people who will actually perform the work
Penetration Tests
Purely an attempt to compromise security
They may find unique problems that are not found through other assessments
The test should be completely covert
There should be no cooperation from the target, within reason
The goal is to prove that security can fail
Why Perform a Pen Test
To see where you are, when you don’t know
As part of a larger vulnerability assessment
To test operational readiness
To get management attention
Ideal Goals of a Pen Test
See how a malicious party may attack you and how far they would get
See if you can detect the attacks
Identify as many vulnerabilities as possible
To get the attention of management
Why Not Perform a Pen Test
They are the least useful
They are the least efficient
They can cause a great deal of damage
They can cause serious political problems
They require the most skill, which is seriously scarce
You need to have a tight plan if you are detected
Notes on Social Engineering
Social Engineering will make a penetration test more realistic
Tests operational and physical vulnerabilities
They require more damage control
There is much more sensitivity as to what and how you report things
I strongly recommend only really trained people perform the work
Types of Penetration Tests
Outsider, no knowledge
Outsider with inside knowledge
Low level insider
High level insider (Administrators)
Social Engineering
Critical Success Factors
Quality of the people performing the work
This is even more critical than with an assessment
Clear definition of end results
Focus on business goals, not technical
Keys of the Test
Results indicate the scope of the problem from a business perspective
Damage control in effect
Methods used are all common
No inside information used
People were all skilled
General Disclaimer
Running tools, such as CyberCop, nmap, war dialers, etc., is not a penetration test
They may be tools of a pen test, but they are not a pen test
Rules of engagement must be clearly defined
I strongly recommend that someone watch the pen test team as much as possible to protect both sides
Make sure there are recent backups
33% of the time, I have discovered actual criminal activities
Hiring Hackers?
The logic is, “Who better to protect the system than the people who know how to break it?”
The problem is that it is infinitely harder to protect a system than to hack it
Just because you can shoot a gun, it doesn’t mean you can design and build a bullet proof vest
The best penetration testers I have known were administrators who went into security or worked for the Government
Hire a resume, not criminal records
Use the Right Test for the Right Purposes
Audits only for a specific purpose
Assessments when you actually want productive results
Penetration tests only when you really need them
General General Notes
Make sure that you save enough money to fix problems
Make sure that you get qualified people to do the work
You’d better get recommendations that you can actually use