Information Security Testing: How Do AMCs Ensure Your Networks are Secure?
June 22, 2015
Ray Hillen, Dennis Schmidt, Adam Bennett
11th AMC Conference on Securely Connecting Communities for Improved Health
Session Objectives
• Participants should gain:
  • Understanding of what the vendor must do to adequately prepare for and perform a penetration test: what information is needed, what precautions should be taken, and how to do the test.
  • Knowledge of what the AMC customer should expect: AMC concerns, precautions to identify and provide for in reaching an agreement with the vendor, and the expected results and applicability of the test.
  • Practical insight into the steps needed to optimize the efficiency and effectiveness of the entire process.
Ray Hillen, Director, Security Consulting Practice, Agio
Technical Security Testing: What You Should Know & Ask About the Vendor’s Offering
Vulnerability Scan or Penetration Test
• Vulnerability scan
  • Identifies vulnerable systems
  • Automated tools
  • Network and application layer
  • Short duration
A Good Penetration Test Should Evaluate the People, Processes, & Technologies That Safeguard e-PHI
• Penetration test
  • Identifies methods to exploit system vulnerabilities, workflows, and user awareness
  • Attempts to gain unauthorized access and/or privilege escalation
  • Automated tools and manual checks
  • Network & application layer
  • Social engineering
    • Phishing
    • USB drive baiting
    • Pretexting
  • Wireless security review
  • Physical security review
Assessor Organization’s Qualifications
• Past experience
  • Years of experience
  • Network layer
  • Application layer
  • Social engineering
  • Assessments similar in size/scope
• Industry experience
• Methodology
Security Assessor’s Qualifications
• Certifications
  • Global Information Assurance Certification (GIAC) certifications
    • GIAC Certified Penetration Tester (GPEN)
    • GIAC Web Application Penetration Tester (GWAPT)
    • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional (OSCP)
Pre-Engagement
• Scoping
• Documentation
  • Network diagrams depicting all segments in scope
  • Key/critical systems
  • Data flows
Rules of Engagement
• Communication during the engagement, e.g., issues, questions, updates
• Define an appropriate time window for testing
• Identify legacy systems that may not respond well to automated tools and determine the best method for evaluating them
• Security devices: evaluate “as is,” “whitelist,” or hybrid
• Compromised passwords
• Data (incidental e-PHI) discovered: is a BAA in place?
• Identification of previously compromised system(s)
• Third-party-hosted / cloud environments
  • Approval
• Web-management portals
• Security assessor’s equipment: a threat?
Success Criteria
• Remember the goal: simulate a real-world attack in order to determine how far an attacker could penetrate the environment, but...
• Set the parameters and limits, e.g., access to root folder, establish an administrative account on system(s) X, no access gained, etc.
• Establish prior to testing!!!
• Different for every environment
The Test (Engagement)
• Application layer
• Network layer
• Segmentation
• What to do when e-PHI is encountered
• Post-exploitation
Post-Engagement
• Reporting
• Remediation best practices (Adam Bennett will cover this)
• Retesting identified vulnerabilities
• Cleaning up the environment
Penetration Testing from The Customer’s Point of View
Dennis Schmidt, Assistant Dean for Information Technology, HIPAA Security Officer
University of North Carolina
• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  • Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events
Managing the Integrated Information Environment
UNC School of Medicine
• 1,500+ faculty
• 720 medical students
• 700 graduate students
• 3,000 staff
What Is Our Goal?
• NIST 800-42: “security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation… to identify methods of gaining access to a system”.
• Locate weaknesses in our network and systems before the bad guys do.
• Educate our users and our technicians
• Test our social engineering weaknesses
  • Phishing, phone calls, etc.
How Do We Start?
• Setting up rules of engagement
  • Potential impact on systems
  • Hours of operation
  • How much system information to provide to the penetration team
  • How much initial access to give the penetration team
  • What type of attacks will be used
    • Zero knowledge (black box test)
    • Partial knowledge (grey box test)
    • Full knowledge (white box test)
• Coordinate with other entities to prevent collateral damage
  • Central IT Security
• What authorizations and legal waivers do we need beforehand?
Concerns During the Testing
• How do we know it’s the test and not a real penetration?
  • Correlating testing activity with the SIEM
• Will we cause an unexpected denial of service?
• Will we cause any unexpected reboots?
• What if we find exposed sensitive data?
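The "is it the test or a real intrusion?" question above is answered by correlating SIEM events against the agreed rules of engagement. As an added example that is not part of the presentation, the Python below labels constructed SIEM events using an assumed rules-of-engagement record (the approved testing window and the assessor's declared source ranges, both constructed values): events from an undeclared source stay untagged and go to incident response as usual, and assessor traffic outside the window is flagged as a scope violation to raise with the vendor.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed rules-of-engagement record (constructed values, not from the talk):
# the approved testing window and the assessor's declared source ranges.
ROE = {
    "window": (datetime(2015, 6, 22, 22, 0, tzinfo=timezone.utc),
               datetime(2015, 6, 23, 4, 0, tzinfo=timezone.utc)),
    "assessor_sources": [ip_network("203.0.113.0/24")],  # TEST-NET-3, constructed
}

def classify(event: dict, roe: dict = ROE) -> str:
    """Label one SIEM event relative to the rules of engagement.

    'authorized-test'        source is a declared assessor range and the
                             timestamp is inside the agreed window
    'assessor-out-of-window' declared assessor range seen outside the window
                             (scope violation to raise with the vendor)
    'untagged'               not explained by the ROE; treat as a real event
    """
    ts = datetime.fromisoformat(event["ts"])
    src = ip_address(event["src"])
    start, end = roe["window"]
    from_assessor = any(src in net for net in roe["assessor_sources"])
    if not from_assessor:
        return "untagged"
    return "authorized-test" if start <= ts <= end else "assessor-out-of-window"

def triage(events: list, roe: dict = ROE) -> dict:
    """Bucket events so the SOC reviews only what the ROE does not explain."""
    buckets = {"authorized-test": [], "assessor-out-of-window": [], "untagged": []}
    for ev in events:
        buckets[classify(ev, roe)].append(ev)
    return buckets

# Constructed sample SIEM events (ISO-8601 timestamps in UTC, documentation IPs)
SAMPLE_EVENTS = [
    {"ts": "2015-06-22T23:15:00+00:00", "src": "203.0.113.7", "sig": "port-scan"},
    {"ts": "2015-06-22T23:40:00+00:00", "src": "198.51.100.9", "sig": "ssh-brute-force"},
    {"ts": "2015-06-23T09:05:00+00:00", "src": "203.0.113.12", "sig": "web-app-fuzzing"},
]

if __name__ == "__main__":
    for label, evs in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {[e['sig'] for e in evs]}")
```

In practice the assessor's source addresses and the window come from the signed rules of engagement, and the SOC keeps the "untagged" bucket on its normal escalation path for the whole engagement.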
Non-Electronic Testing (Social Engineering)
• Phishing test
• Lost USB drive test
• Phone calls
  • “Hi, I’m from Microsoft…”
  • “This is your IT support, I need to remotely log into your machine to test…”
• Dumpster diving
Practical Next Steps After a Penetration Test
Adam Bennett, Vice President, Cloudburst Security
Cloudburst Security
• Cloudburst founded by Adam Bennett in 2006
• 100% cybersecurity-focused company
• Federal government (DoD, civilian, homeland security, intelligence) and commercial clients (healthcare, banking/finance, non-profit)
• Have conducted over 400 vulnerability assessments and penetration tests
• Leading provider of managed security monitoring, incident response, malware analysis, forensics, and cyber threat intelligence services
We conducted a pen test, now what?!
Common Mistakes, Challenges, & Trends
• Pen tester didn’t succeed: ‘we must be totally secure!’
• Pen tester succeeded: ‘the sky is falling!’
• Security issue ‘hot potato’
• Lack of organization and remediation planning
• Lack of follow-up & integration with SOC/incident response
• Budget & human resource challenges
• Security awareness
• Educating leadership
Tips for Post-Security Testing Success
• Develop a formal remediation plan with milestones
• Display a team attitude, no matter how serious the test results: the common goal is to improve security posture
• Present an executive summary of the remediation plan to management: get their buy-in!
• Form a committee of stakeholders to track remediation progress
• Leverage high-risk findings to ‘move the ball’ on security projects and budget items
• Track organization & team performance metrics annually
Group Discussion