Assessments,%20Audits,%20and%20Penetration%20Tests,%20Oh%20My

1
Assessments, Audits, and Penetration Tests, Oh My

• Ira Winkler, CISSP
• ira_winkler_at_hp.com
• 1-410-544-3435

2
Why This Presentation?

• Everyone wants to assess their vulnerabilties
• Most people think they need a penetration test
• They actually need something more basic
• They dont really know what they need
• They really dont know what their options are

3
More Importantly

• The people performing the work dont know the
  issues either
• Sometimes they are doing things that are cool
• They dont know what their deliverables or end
  results should be
• Sometimes they underbid and give people what they
  pay for, not what they wanted
• Conservatively, 75 of consultants fit into this
  category
• My horror story

4
The Classification of Consultants

• Dont know what they dont know
• Know what they dont know
• Know what most others dont know they dont know

5
The Critical Question to Ask

• Why do you want a penetration test?
• The answer should specify the actual work
• Be careful about possible disappointment in the
  customer
• There may be disappointment in the testers
• Typically, penetration tests will not be performed

6
A Basic Only Two Ways to Hack

• This is the core reason of any test
• Anyone can learn to hack a computer
• Take advantage of problems built into the
  operating system
• Take advantage of admin and user configuration
  errors

7
What are We Talking About?

• A Penetration Test tries to compromise security
• An Assessment attempts to find as many
  vulnerabilities as possible
• An Audit tests to a specific standard
• Penetration tests are generally the least useful

8
Audits

• An assessment to a specific standard
• Some audits are technical, some are operational

9
Common Standards

• BS7799/ISO 17799
• CoBIT
• SAS70
• Dashboards
• Corporate standards
• HIPAA

10
Choosing an Audit and Standard

• Depends on purpose
• ISO 17799 is a regulatory requirement in some
  countries
• SAS70 has been widely accepted to show other
  people
• Dashboards developed for Six Sigma
• If you dont need a specific standard, perform an
  assessment

11
Who Should Perform an Audit

• Since the standards are boiler plate, a person
  with limited skill can run the audit
• The people should be familiar with the standard
• Some organizations provide certification for the
  evaluators
• SAS70 requires the oversight of a CPA firm
• It depends on who will look at the results
• Look for sample reports

12
General Criteria

• This should be completely overt
• Auditors may not have to touch computer systems
• They should have the complete cooperation of the
  organization
• Audits seem almost always adversarial

13
Assessments

• A free form attempt to locate vulnerabilities in
  an organization
• There are no universal standards to follow
• The methodology depends on what is agreed upon
  between the client and the tester
• Typically companies have a standard assessment
  methodology
• Work should be bound in advance

14
Typical Methodology

• Information gathering
• Network mapping
• High level reconnaissance
• Detailed assessment where appropriate
• Manual techniques
• Create report
• Brief client

15
Method of Scans

• Network scans
• Host scans

16
General Notes

• An assessment is completely overt
• There should be complete access granted by the
  administrators and full support available
• Someone should be watching the assessment team at
  all times, if possible

17
The Results

• Identification of as many vulnerabilities as
  possible
• The methodology should focus on that
• MOST IMPORTANTLY, a prioritized plan to address
  the vulnerabilities
• The identification of problems without solutions
  is generally worthless

18
Notes on Pricing

• Be concerned about prices that are too cheap
• Expensive prices dont indicate quality
• Watch out for ISS scanner output
• Watch out for other things that look good, but
  are boiler plate
• Quality of the people becomes more important

19
Notes on Staffing

• Assessors should be technically competent
• Watch the bait and switch
• Ask for resumes of people who will actually
  perform the work

20
Penetration Tests

• Purely an attempt to compromise security
• They may find unique problems that are not found
  through other assessments
• The test should be completely covert
• There should be no cooperation from the target,
  within reason
• The goal is to prove that security can fail

21
Why Perform a Pen Test

• To see where you are, when you dont know
• As part of a larger vulnerability assessment
• To test operational readiness
• To get management attention

22
Ideal Goals of a Pen Test

• See how a malicious party may attack you and how
  far they would get
• See if you can detect the attacks
• Identify as many vulnerabilities as possible
• To get the attention of management

23
Why Not Perform a Pen Test

• They are the least useful
• They are the least efficient
• They can cause a great deal of damage
• They can cause a serious political problems
• They require the most skill, that is seriously
  scarce
• You need to have a tight plan if you are detected

24
Notes on Social Engineering

• Social Engineering will make a penetration test
  more realistic
• Tests operational and physical vulnerabilities
• They require more damage control
• There is much more sensitivity as to what and how
  you report things
• I strongly recommend only really trained people
  perform the work

25
Types of Penetration Tests

• Outsider no knowledge
• Outsider with inside knowledge
• Low level insider
• High level insider (Administrators)
• Social Engineering

26
Critical Success Factors

• Quality of the people performing the work
• This is even more critical than with an
  assessment
• Clear definition of end results
• Focus on business goals, not technical

27
Keys of the Test

• Results indicate the scope of the problem from a
  business perspective
• Damage control in effect
• Methods used are all common
• No inside information used
• People were all skilled

28
General Disclaimer

• Running tools, such as CyberCop, nmap, war
  dialers, etc., is not a penetration test
• They may be tools of a pen test, but they are not
  a pen test
• Rules of engagement must be clearly defined
• I strongly recommend that someone watch the pen
  test team as much as possible to protect both
  sides
• Make sure there are recent backups
• 33 of the time, I have discovered actual
  criminal activities

29
Hiring Hackers?

• The logic is, Who better to protect the system
  than the people who know how to break it?
• The problem is that it is infinitely harder to
  protect a system than to hack it
• Just because you can shoot a gun, it doesnt mean
  you can design and build a bullet proof vest
• The best penetration testers I have known were
  administrators who go into security or worked for
  the Government
• Hire a resume, not criminal records

30
Use the Right Test for the Right Purposes

• Audits only for a specific purpose
• Assessments when you actually want productive
  results
• Penetration tests only when you really need them

31
General General Notes

• Make sure that you save enough money to fix
  problems
• Make sure that you get qualified people to do the
  work
• You better get recommendations that you can
  actually use

32
For More Information

• Ira Winkler, CISSP
• ira_winkler_at_hp.com
• 1-410-544-3435