Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP +1-410-544-3435.

Similar presentations


Presentation on theme: "Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP +1-410-544-3435."— Presentation transcript:

1 Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP

2 Why This Presentation? Everyone wants to assess their vulnerabilties Most people think they need a penetration test They actually need something more basic They don’t really know what they need They really don’t know what their options are

3 More Importantly The people performing the work don’t know the issues either Sometimes they are doing things that are “cool” They don’t know what their deliverables or end results should be Sometimes they underbid and give people what they pay for, not what they wanted Conservatively, 75% of consultants fit into this category My horror story

4 The Classification of Consultants Don’t know what they don’t know Know what they don’t know Know what most others don’t know they don’t know

5 The Critical Question to Ask Why do you want a penetration test? The answer should specify the actual work Be careful about possible disappointment in the customer There may be disappointment in the testers Typically, penetration tests will not be performed

6 A Basic – Only Two Ways to Hack This is the core reason of any test Anyone can learn to hack a computer Take advantage of problems built into the operating system Take advantage of admin and user configuration errors

7 What are We Talking About? A Penetration Test tries to compromise security An Assessment attempts to find as many vulnerabilities as possible An Audit tests to a specific standard Penetration tests are generally the least useful

8 Audits An assessment to a specific standard Some audits are technical, some are operational

9 Common Standards BS7799/ISO CoBIT SAS70 Dashboards Corporate standards HIPAA

10 Choosing an Audit and Standard Depends on purpose ISO is a regulatory requirement in some countries SAS70 has been widely accepted to show other people Dashboards developed for Six Sigma If you don’t need a specific standard, perform an assessment

11 Who Should Perform an Audit Since the standards are boiler plate, a person with limited skill can run the audit The people should be familiar with the standard Some organizations provide certification for the evaluators SAS70 requires the oversight of a CPA firm It depends on who will look at the results Look for sample reports

12 General Criteria This should be completely overt Auditors may not have to touch computer systems They should have the complete cooperation of the organization Audits seem almost always adversarial

13 Assessments A free form attempt to locate vulnerabilities in an organization There are no universal standards to follow The methodology depends on what is agreed upon between the client and the tester Typically companies have a standard assessment methodology Work should be bound in advance

14 Typical Methodology Information gathering Network mapping High level reconnaissance Detailed assessment where appropriate Manual techniques Create report Brief client

15 Method of Scans Network scans Host scans

16 General Notes An assessment is completely overt There should be complete access granted by the administrators and full support available Someone should be watching the assessment team at all times, if possible

17 The Results Identification of as many vulnerabilities as possible The methodology should focus on that MOST IMPORTANTLY, a prioritized plan to address the vulnerabilities The identification of problems without solutions is generally worthless

18 Notes on Pricing Be concerned about prices that are too cheap Expensive prices don’t indicate quality Watch out for ISS scanner output Watch out for other things that look good, but are boiler plate Quality of the people becomes more important

19 Notes on Staffing Assessors should be technically competent Watch the bait and switch Ask for resumes of people who will actually perform the work

20 Penetration Tests Purely an attempt to compromise security They may find unique problems that are not found through other assessments The test should be completely covert There should be no cooperation from the target, within reason The goal is to prove that security can fail

21 Why Perform a Pen Test To see where you are, when you don’t know As part of a larger vulnerability assessment To test operational readiness To get management attention

22 Ideal Goals of a Pen Test See how a malicious party may attack you and how far they would get See if you can detect the attacks Identify as many vulnerabilities as possible To get the attention of management

23 Why Not Perform a Pen Test They are the least useful They are the least efficient They can cause a great deal of damage They can cause a serious political problems They require the most skill, that is seriously scarce You need to have a tight plan if you are detected

24 Notes on Social Engineering Social Engineering will make a penetration test more realistic Tests operational and physical vulnerabilities They require more damage control There is much more sensitivity as to what and how you report things I strongly recommend only really trained people perform the work

25 Types of Penetration Tests Outsider no knowledge Outsider with inside knowledge Low level insider High level insider (Administrators) Social Engineering

26 Critical Success Factors Quality of the people performing the work This is even more critical than with an assessment Clear definition of end results Focus on business goals, not technical

27 Keys of the Test Results indicate the scope of the problem from a business perspective Damage control in effect Methods used are all common No inside information used People were all skilled

28 General Disclaimer Running tools, such as CyberCop, nmap, war dialers, etc., is not a penetration test They may be tools of a pen test, but they are not a pen test Rules of engagement must be clearly defined I strongly recommend that someone watch the pen test team as much as possible to protect both sides Make sure there are recent backups 33% of the time, I have discovered actual criminal activities

29 Hiring Hackers? The logic is, “Who better to protect the system than the people who know how to break it?” The problem is that it is infinitely harder to protect a system than to hack it Just because you can shoot a gun, it doesn’t mean you can design and build a bullet proof vest The best penetration testers I have known were administrators who go into security or worked for the Government Hire a resume, not criminal records

30 Use the Right Test for the Right Purposes Audits only for a specific purpose Assessments when you actually want productive results Penetration tests only when you really need them

31 General General Notes Make sure that you save enough money to fix problems Make sure that you get qualified people to do the work You better get recommendations that you can actually use

32 For More Information Ira Winkler, CISSP


Download ppt "Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP +1-410-544-3435."

Similar presentations


Ads by Google