THE CPA’s PERSPECTIVE ON PENETRATION STUDIES AND VULNERABILITY ASSESSMENTS NEW YORK STATE SOCIETY OF CERTIFIED PUBLIC ACCOUNTANTS - EMERGING TECHNOLOGIES COMMITTEE Joel Lanz, Principal JOEL LANZ, CPA, P.C.
AGENDA • Introduction & Overview • Market Overview • The Market • Network Security Testing • Network Mapping • Vulnerability Scanning • Penetration Testing • Common Testing Tools • Basic Lessons • Opportunities (and risks) for the CPA • Available Guidance • Questions and Answers
JOEL’S PARADIGM • Over 20 years of IT risk management experience • Leads a CPA Practice that focuses on Information Technology Risk Management • Prior experience as a Big 5 Technology Risk Consulting Partner • Adjunct faculty member at Pace University Graduate School of Computer Science and Information Systems • CISA, CISSP, CFE, CITP • Various Technology Risk-Related Publications • etc., etc.
WHY THE NEED? • Identify Vulnerabilities and Repair • Regulatory Expectations • Board of Director “Due Diligence” • Fulfill Insurance Requirement • Risk Assessment • Test a Vendor or Employees • Impress Customers or Prospects • Prove a Point
PLAYERS TO SATISFY THE NEED • CPA Firms • in-house staff • technology partner • Non-CPA “Audit” Corporations • Security Consultants • security boutiques • VARs • third-party service providers • other computer businesses • Software Vendors • Independents
TYPICAL OFFERINGS • Penetration Testing • Periodic Vulnerability Analysis • Security Assessment • Outsourced Security Services (e.g., CISO) • Board Due Diligence • Policy Development and Monitoring • Privacy • Managed Security Services • etc., etc.
ENTRY PATHS (source: Hacking Exposed – 3rd Edition) • Misconfigured Routers • Unsecured/Unmonitored Remote Access • Excessive Trust Relationships • Accounts with Excessive Privileges • Unpatched, Outdated and “Default” Software • Poor Policies, Procedures & Guidelines • Excessive File & Directory Privileges
ENTRY PATHS (cont.) (source: Hacking Exposed – 3rd Edition) • Unauthenticated Services (capturing remote keystrokes) • Weak, Easily Guessed User Passwords • Misconfigured Internet Servers (CGI Scripts) • Misconfigured Firewall • Running Unnecessary Services • Information Leakage • Inadequate Logging, Monitoring & Detection
POPULAR NETWORK SECURITY TESTING TECHNIQUES • Network Mapping • Vulnerability Scanning • Penetration Testing • Security Testing and Evaluation • Password Cracking • Log Reviews • File Integrity Checkers • Virus Detectors • War Dialing
NETWORK MAPPING
• WHAT IT IS • Use a port scanner to identify all active hosts connected to an organization’s network, the network services operating on those hosts, and the specific application running each identified service
• TYPICAL FINDINGS • Disconnect unauthorized hosts • Disable or remove unnecessary and vulnerable services • Restrict access to a limited number of required hosts • Modify firewalls to restrict access to known vulnerabilities
• ACTIONS • Identify active hosts in the address range specified by the user • Scan for open TCP and UDP ports to identify the network services operating on each host • e.g., if a host has TCP ports 135 and 139 open, it is most likely an NT or W2K host • e.g., if a host has TCP port 80 open, it is most likely running a web server (however, this may not reveal which web server)
NETWORK MAPPING (cont.)
• STRENGTHS • Fast • Efficiently scans a large number of hosts • Many excellent freeware tools available • Highly automated • Low cost
• WEAKNESSES • Does not directly identify known vulnerabilities • Generally used as a prelude to penetration testing, not as a final test • Requires significant expertise to interpret results
• BENEFITS OF DOING • Enumerates the network structure and what’s active • Identifies unauthorized hosts and services • Identifies open ports
• OTHER INFO • Frequency: quarterly • Medium level of complexity, effort and risk
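As an added example (not part of the presentation), the following script turns port-scan results into the findings the NETWORK MAPPING slide lists, using the slide’s own port heuristics; the scan output and the authorized-host inventory are constructed sample data.

```python
# Added example (not from the presentation): turning port-scan results into the NETWORK
# MAPPING findings the slide lists - unauthorized hosts and unnecessary services - using
# the slide's own port heuristics. Scan results and inventory below are constructed samples.
import ipaddress
from typing import Dict, List, Set

# Constructed port-scanner output: host -> open TCP ports.
SCAN_RESULTS: Dict[str, Set[int]] = {
    "10.0.0.5": {80, 443},          # web server
    "10.0.0.7": {135, 139, 445},    # Windows-style host
    "10.0.0.9": {22, 23},           # not in the inventory at all
    "10.0.0.12": {135, 139, 3389},  # inventoried host running an extra service
}

# Constructed authorized inventory: host -> ports approved for that host.
AUTHORIZED: Dict[str, Set[int]] = {
    "10.0.0.5": {80, 443},
    "10.0.0.7": {135, 139, 445},
    "10.0.0.12": {135, 139},
}

def infer_host_type(open_ports: Set[int]) -> str:
    """The slide's heuristics: 135+139 open -> likely NT/W2K; 80 open -> likely web server."""
    if {135, 139} <= open_ports:
        return "likely NT/W2K host"
    if 80 in open_ports:
        return "likely web server (ports alone do not reveal which one)"
    return "unknown host type"

def map_findings(scan: Dict[str, Set[int]], authorized: Dict[str, Set[int]]) -> List[str]:
    """Compare the scan against the inventory and emit the slide's typical findings."""
    findings = []
    for host, ports in sorted(scan.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if host not in authorized:
            findings.append(f"{host}: unauthorized host ({infer_host_type(ports)}) - disconnect")
            continue
        extra = sorted(ports - authorized[host])
        if extra:
            findings.append(f"{host}: unnecessary services on ports {extra} - disable or restrict")
    return findings

if __name__ == "__main__":
    for line in map_findings(SCAN_RESULTS, AUTHORIZED):
        print(line)
```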
VULNERABILITY SCANNING
• WHAT IT IS • Identifies not just hosts and open ports but any associated vulnerabilities, automatically, instead of relying on human interpretation of the results
• TYPICAL FINDINGS • Upgrade or patch vulnerable systems • Deploy mitigating strategies • Tighten the configuration management program • Monitor vulnerability alerts and mailing lists and determine their applicability to the environment • Modify security policies for updates and upgrades
• ACTIONS • Identify active hosts on a network • Identify active and vulnerable ports on hosts • Identify applications and grab banners • Identify operating systems • Identify vulnerabilities associated with the discovered operating systems and applications • Test compliance with host application usage/security policies • Establish a foundation for penetration testing
VULNERABILITY SCANNING (cont.)
• STRENGTHS • Fairly fast and efficient • Some freeware tools available • Highly automated for known vulnerabilities • Often provides advice on mitigating strategies • Easy to run regularly • Cost varies by tool used
• WEAKNESSES • High false positive rate • Generates a large amount of network traffic • Not stealthy (easily detected) • Not for rookies • Often misses new vulnerabilities • Identifies the easy stuff
• BENEFITS OF DOING • Enumerates the network structure and what’s active • Identifies vulnerabilities on a target set of computers • Validates up-to-date patches and software versions
• OTHER INFO • Frequency: every 2-3 months • High level of complexity and effort with medium risk
PENETRATION TESTING
• WHAT IT IS • A security test in which evaluators attempt to circumvent the security of a system, based on their understanding of the system design and implementation, using common tools and techniques used by hackers
• TYPICAL FINDINGS (Exploits) • Kernel flaws • Buffer overflows • Symbolic links • Race conditions • File and directory permissions • Trojans • Social engineering
• ACTIONS (“Rules of Engagement”) • Specific IP addresses/ranges to be tested • Hosts not to be tested • A list of acceptable testing techniques and tools • Times at which scanning is to be conducted • IP address(es) of the attack machine(s) • Prevention of false alarms to law enforcement • Handling of information collected by the testing team
PENETRATION TESTING (cont.) • DISCOVERY PHASE • footprinting, scanning and enumeration • GAINING ACCESS • Gather info to make an informed attempt at the target • ESCALATING PRIVILEGE • The tester seeks to gain additional privileges or rights • SYSTEM BROWSING • Pilfering: attempt to gain access to trusted systems • LEAVE BEHINDS • Covering tracks, creating back doors
PENETRATION TESTING (cont.)
• STRENGTHS • Employs hacker “methodology” • Goes beyond surface vulnerabilities to show how they can be exploited to gain access • Shows that vulnerabilities are real • Social engineering allows for testing of procedures and human reactions
• WEAKNESSES • What’s a hacker “methodology”? • Requires great expertise – dangerous when conducted by rookies • Due to time requirements, not all resources are tested individually • Certain tools may be banned or controlled by regulations • Legal complications and organizationally disruptive • Expensive
• BENEFITS OF DOING • Determines how vulnerable the organization is and the level of damage that can occur • Tests IT staff response and knowledge of security policies
• OTHER INFO • Frequency: annually • High level of complexity, effort and risk
COMMON TESTING TOOLS • Password Crackers • John the Ripper (Unix) • L0pht (Windows) • Nwpcrack (Netware) • Nmap (port scanner) • Vulnerability Scanning Tools • CyberCop, ISS, NESSUS • War Dialing
NETWORK NOT AS IMPORTANT AS PHYSICAL SECURITY • Terminated Employees or Consultants • HR policy typically requires • all keys and cards be turned in • consider changing locks and combination • Security policy • may (not always) mention the need to adjust security settings • vast majority of audit reports cite that terminated employees and consultants still have access to system resources
NETWORK NOT AS IMPORTANT AS PHYSICAL SECURITY (cont) • How To Manage The Risk • Build the responsibility into the corporate culture • approver is always accountable for what they approved (user) • incorporate notifying security as part of the termination process (HR and yes it is your job!!!) • question inactivity (security) • Estimated Cost/Benefit • Low Cost/High Return
NOT ENFORCING NEED TO HAVE ACCESS • “it won’t happen here” • “the security group (or user admin) doesn’t have the time or resources” • “we need the flexibility for cross-training or backup” • “Mary’s been with us for over 30 years so she deserves to be designated a security administrator” • “we only need to worry about external hackers”
NOT ENFORCING NEED TO HAVE ACCESS (cont) • Consider these issues • 60%-70% of unauthorized system break-ins are from internal sources • Based on forensic experience, this worst-practice is a primary contributor to internal fraud and facilitates the circumvention of management-designed controls (including organizational chart responsibilities) • Prime Directive • Many professionals believe that it is impossible to maintain a control environment that satisfies the expectations of “stakeholders” while using this worst-practice • Estimated Cost/Benefit • Low Cost/High Return
LEAVING “FACTORY” DEFAULT SETTINGS UNCHANGED • “Operating systems are often shipped with default users with default passwords to make setting up easier. If the systems administrator doesn’t know about the default accounts, or forgets to turn them off, then anyone who can get hold of a list of default accounts and passwords can log into the target computer” • Page 66 • “Anyone who knows how to do basic research using the internet can get hold of these lists” • Joel Lanz
NOT APPLYING SECURITY PATCHES • “Finding the low-hanging fruit should always be your top priority – mainly because it is the attacker’s first priority. Devastating web vulnerabilities still exist after years of being publicly known” • Page 596 • “Typically this is what “kiddie scripts” use and results in embarrassment for the organization” • Joel Lanz
NOT MONITORING SECURITY-RELATED ADVISORIES & UPDATES • Respected organizations (e.g., CERT, SANS) distribute free newsletters providing guidance on recent and projected security threats. For example, • SANS/FBI released a Top 20 vulnerability list with appropriate tools (free) to detect if a particular organization is exposed. • CISECURITY.ORG provides generally accepted benchmarks to effectively manage technology risk. • These warnings/guidance are typically ignored in worst-practices organizations
WE’RE SAFE, RIGHT? • “We engage an outside firm to conduct a penetration test. Last year we didn’t have any major findings. This review proves that we’re safe – right?” WRONG!!!!!!!!
HOW MUCH TO FIX? • Not as much as you would expect • You don’t necessarily need to purchase advanced technology • 80% of the problems can be resolved very cost-effectively • Organizational culture and behavior modification require the greater efforts
“AND WHAT OF THESE PATCHES WE KEEP HEARING ABOUT?” • Create an organizational software inventory • Identify newly discovered vulnerabilities and security patches (remember the free emails?) • Prioritize patch application • Create an organization-specific patch database • Test patches • Distribute patches and vulnerability information as appropriate • Verify patch installation through network and host vulnerability scanning • Train system administrators in the use of vulnerability databases
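As an added example (not part of the presentation), the patch-management steps on this slide expressed as a small workflow: build the inventory, match it against newly published advisories, prioritize by severity, and verify installation against a post-patch scan; all inventory, advisory and scan data, and the advisory ids, are constructed placeholders.

```python
# Added example (not from the presentation): the slide's patch-management steps as a small
# workflow - inventory, match advisories, prioritize, then verify with a post-patch scan.
# Inventory, advisories, scan data and advisory ids below are constructed placeholders.
from typing import Dict, List, NamedTuple, Set, Tuple
Version = Tuple[int, ...]          # version as a comparable tuple, e.g. (0, 9, 7)

class Advisory(NamedTuple):
    product: str
    fixed_in: Version       # first version containing the fix
    severity: int           # constructed 1-10 rating used for prioritization
    advisory_id: str        # placeholder, not a real advisory number

# Step 1: organizational software inventory (host -> product -> installed version).
INVENTORY: Dict[str, Dict[str, Version]] = {
    "web01": {"webserver": (1, 3, 2), "openssl": (0, 9, 7)},
    "db01": {"dbms": (8, 1, 0), "openssl": (0, 9, 7)},
}

# Step 2: newly published advisories (the "free emails" the slide mentions).
ADVISORIES: List[Advisory] = [
    Advisory("openssl", (0, 9, 8), 9, "ADV-PLACEHOLDER-1"),
    Advisory("webserver", (1, 3, 3), 6, "ADV-PLACEHOLDER-2"),
    Advisory("dbms", (8, 0, 9), 8, "ADV-PLACEHOLDER-3"),  # db01 is already above fixed_in
]

def pending_patches(inventory: Dict[str, Dict[str, Version]],
                    advisories: List[Advisory]) -> List[Tuple[int, str, str, str]]:
    """Step 3: (severity, host, product, advisory_id) for every host still below
    fixed_in, highest severity first - this is the prioritized patch list."""
    pending = [(adv.severity, host, adv.product, adv.advisory_id)
               for host, products in inventory.items() for adv in advisories
               if adv.product in products and products[adv.product] < adv.fixed_in]
    return sorted(pending, key=lambda p: (-p[0], p[1], p[2]))

def verify_patches(scan: Dict[str, Dict[str, Version]], advisories: List[Advisory],
                   claimed_done: Set[Tuple[str, str]]) -> List[str]:
    """Step 7: a patch recorded as applied but still reported vulnerable by the
    post-patch scan is a failed install (and the inventory is now wrong too)."""
    still_open = {(h, a) for _, h, _, a in pending_patches(scan, advisories)}
    return sorted(f"{h}: {a} recorded as applied but scan still shows a vulnerable version"
                  for h, a in still_open & claimed_done)

# Constructed post-patch scan: openssl updated on both hosts, webserver patch on web01 failed.
POST_PATCH_SCAN = {"web01": {"webserver": (1, 3, 2), "openssl": (0, 9, 8)},
                   "db01": {"dbms": (8, 1, 0), "openssl": (0, 9, 8)}}
CLAIMED_DONE = {("web01", "ADV-PLACEHOLDER-1"), ("web01", "ADV-PLACEHOLDER-2"),
                ("db01", "ADV-PLACEHOLDER-1")}
```

Running `pending_patches(INVENTORY, ADVISORIES)` gives the prioritized list, and `verify_patches(POST_PATCH_SCAN, ADVISORIES, CLAIMED_DONE)` reports the web01 web server patch that was recorded but never took effect.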
HOW CAN THE CPA HELP? • Who is responsible for security and how is accountability enforced? • Does everyone in the organization understand the importance of security? • How is information used? • How effective and relevant is the security policy? • What is the ROI on security investments? • How is security integrated into daily business processes? • Is information shared with outside entities?
OFFERING THE SERVICE • Risk Management • Expectations: vulnerability vs. penetration • Legal liability – especially with outsourcers and other service providers • Skills • Some type of “technology-related” certification • Strong networking skills and understanding • Keeping up to date • Ethics • Tools • Practice Lab • Interrogation Tools
KEEPING UP (good guys only!) • www.njisaca.org • csrc.nist.gov • www.securityfocus.com • www.sans.org • www.computer.org • www.computerworld.com • www.ciso.com • www.cert.org • “Counter Hack” by Ed Skoudis
SECURITY CONCLUSION A team sport that doesn’t necessarily require the fanciest equipment to win - but it does require you to understand the fundamentals of the game, and you and your team must provide your best efforts to win! Otherwise you are just playing to give the ball to the other side.
IN CASE YOU’RE IN A RUSH TO LEAVE AND HAVE A QUESTION Joel Lanz Principal Joel Lanz, CPA, P.C. P.O. BOX 597 Jericho, NY 11753-0597 (516) 637-7288 www.itriskmgt.com jlanz@itriskmgt.com