Penetration Testing and Vulnerability Assessment (transcript) · 2018-04-28
©2013 CliftonLarsonAllen LLP
CLAconnect.com

Penetration Testing and Vulnerability Assessment
Presentation overview
• What is Risk Assessment
• Governance Frameworks
• Types of “Audits”
• Vulnerability Assessment
• Penetration Testing
Our perspective…
• CliftonLarsonAllen
– Started in 1953 with a goal of total client service
– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.
– Information Security offered as a specialized service offering for over 15 years
– Largest Credit Union Service Practice*
*Callahan and Associates 2014 Guide to Credit Union CPA Auditors.
CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country.
www.larsonallen.com – news release
“We need…”
• “Our board said we need to do an IT Audit…”
• “To be in compliance with XYZ, we need to do a Risk Assessment…”
Governance Frameworks
• Standards for Penetration Testing
• NIST SP 800-53 (security controls) and SP 800-53A (the companion assessment procedures, linked below)
• http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• OWASP
• http://www.owasp.org
• OSSTMM
• http://www.osstmm
Governance Frameworks
• Common Frameworks - Matrix Resources:
http://net.educause.edu/ir/library/pdf/CSD5876.pdf
Types of Risk Assessments and Audits
• Risk Assessment
– Enterprise Risk Assessment
– IT Risk Assessment
– Compliance Risk Assessment
• IT Audits
– Process Audits (e.g. ACH)
– IT Compliance Audits
• Security Assessment
– Vulnerability Assessments
– Penetration Testing
– Social Engineering
Audit Philosophy and Approach
Philosophy:
• People, Rules and Tools
Approach:
• Understand
• Test
• Assess
“Risk Assessment” Theory
• Inherent Risk (IR) – Likelihood vs Impact, before any control is credited
• Control Risk (CR) – the chance the controls fail to mitigate the inherent risk
• Total Risk (TR)
IR × CR = TR
“Risk Assessment”
• ID Assets
• Define Threats and Vulnerabilities
• Classify the likelihood of bad things
• Quantify the impact
– Stop here: Residual Risk (controls credited as designed, not tested)
– Continue: Test Effectiveness of Controls (audits)
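As an added worked example (not code from the deck), here is the slide's IR × CR = TR model applied to a small constructed risk register. The 1 to 5 likelihood and impact scales, the 0 to 1 control-effectiveness score, and the three register entries are all assumptions made for illustration; the point it shows is how "stop here" (credit controls as designed) and "continue" (use what effectiveness testing found) can reorder the same register.

```python
"""Worked example of the slide's risk model, IR x CR = TR.

This is an added illustration, not code from the CliftonLarsonAllen deck.
The 1-5 likelihood/impact scales, the 0-1 control-effectiveness score and
the three register entries are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe); assumed scale
    control: str
    design_effectiveness: float     # 0..1: how well the control should work as documented
    tested_effectiveness: Optional[float] = None  # 0..1 after audit testing; None = untested

    def inherent_risk(self) -> int:
        """IR: likelihood times impact, before any control is credited."""
        return self.likelihood * self.impact

    def control_risk(self, tested: bool) -> float:
        """CR: the chance the control fails to mitigate the threat.

        'Stop here' on the slide means we credit the control as designed;
        'continue' means we use what effectiveness testing actually found.
        Untested controls fall back to their design score either way.
        """
        effectiveness = self.design_effectiveness
        if tested and self.tested_effectiveness is not None:
            effectiveness = self.tested_effectiveness
        return round(1.0 - effectiveness, 2)

    def total_risk(self, tested: bool = False) -> float:
        """TR = IR x CR, rounded to keep float noise out of the ranking."""
        return round(self.inherent_risk() * self.control_risk(tested), 2)


# Constructed register for a small credit union; values are illustrative only.
REGISTER: List[Risk] = [
    Risk("Online banking application", "SQL injection from the internet",
         likelihood=4, impact=5, control="Code review plus WAF",
         design_effectiveness=0.8, tested_effectiveness=0.8),
    Risk("Member database", "Stolen staff credentials used over VPN",
         likelihood=3, impact=5, control="MFA on all remote access",
         design_effectiveness=0.9, tested_effectiveness=0.3),   # test found MFA not enforced for VPN
    Risk("Branch wireless", "Rogue access point on the branch network",
         likelihood=2, impact=3, control="Wireless intrusion detection",
         design_effectiveness=0.5),                              # never tested
]


def rank(register: List[Risk], tested: bool = False) -> List[Risk]:
    """Order the register by total risk, highest first."""
    return sorted(register, key=lambda r: r.total_risk(tested), reverse=True)


def summary(register: List[Risk], tested: bool = False) -> List[str]:
    """One line per entry, in ranked order, showing IR, CR and TR."""
    return [f"{r.asset}: IR={r.inherent_risk()} CR={r.control_risk(tested)} TR={r.total_risk(tested)}"
            for r in rank(register, tested)]


if __name__ == "__main__":
    print("Residual risk with controls credited as designed (stop here):")
    print("\n".join(summary(REGISTER)))
    print("\nAfter effectiveness testing (continue):")
    print("\n".join(summary(REGISTER, tested=True)))
```

With controls credited as designed the banking application ranks first; once testing shows the MFA control is not actually enforced on the VPN, the member database jumps from last to first. That reordering is the value the slide's "continue" branch adds over a paper assessment.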
“Traditional IT Audit”
• Broad audits
– IT General Controls Review
• Specific/focused audits
– DRP/IR/BCP audits and testing
– SDLC and Change Management audits
– User and group permission audits
– Vendor management
“Traditional IT Audit”
• IT General Controls Review – “A mile wide and 10 feet deep”
“Traditional IT Audit”
• PCI – DSS
[figure: PCI DSS diagram with items numbered 1 through 6; the item labels did not survive extraction]
“Traditional IT Audit”
• IT General Controls Review
– Good for broad, high-level coverage of IT management, the information security program, and compliance requirements
– Answers the question: “Do we have the right standards, and are they well documented?”
– Effectiveness testing tends to be light
– Does not really test the systems themselves or identify exceptions
“Traditional IT Audit” – Focused Audits
• Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits
– More focused audits get to the next level of detail; they focus on the process and perhaps application-level controls (e.g. menus); effectiveness testing tends to be more thorough, but is likely still based on sampling
– These can be Design or Compliance focused
Vulnerability Assessment
• Port Scans and Vulnerability Scans
– They are like Radar…
– Pros
– Cons
• External and Internal Scanning
– What are the benefits?
• Example – Monthly scanning for a local municipality
– July – nothing new/unusual
– August – nothing new/unusual
– September – SSH open, and…
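The value in the municipality example is not the scan itself but the comparison against last month's baseline. As an added example, not code from the deck or from the municipality, the script below parses two scans in nmap's grepable (-oG) output format and reports which services opened or closed per host, flagging newly exposed remote-access services. The two scan results are constructed samples, the 192.0.2.0/28 addresses are documentation addresses rather than real systems, and the REMOTE_ACCESS list of services worth a change ticket is an assumption.

```python
"""Diff two monthly external port scans to surface what changed.

Added example for the slide's monthly-scanning story; not code from the
CliftonLarsonAllen deck. The two scan results are constructed samples in
nmap's grepable (-oG) format and the 192.0.2.0/28 hosts are documentation
addresses, not real systems.
"""
import re
from typing import Dict, List, Set, Tuple

Service = Tuple[int, str, str]            # (port, protocol, service name)
Finding = Tuple[str, str, int, str, str]  # (ip, change, port, protocol, service)

# "Host: <ip> (<name>)\tPorts: <entries>\t..." lines carry the port table;
# the separate "Status: Up" lines do not match and are skipped.
PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

# Services whose sudden exposure on the perimeter deserves a change ticket,
# not just a line in a report (assumed list).
REMOTE_ACCESS = {"ssh", "telnet", "ms-wbt-server", "vnc", "microsoft-ds", "ftp"}

# Constructed August baseline: web and mail only.
AUGUST = """# Nmap 7.80 scan initiated Fri Aug  3 02:00:01 2018 as: nmap -sS -oG aug.gnmap 192.0.2.0/28
Host: 192.0.2.10 (www.example.org)\tStatus: Up
Host: 192.0.2.10 (www.example.org)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.11 (mail.example.org)\tStatus: Up
Host: 192.0.2.11 (mail.example.org)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (998)
# Nmap done at Fri Aug  3 02:09:44 2018 -- 16 IP addresses (2 hosts up) scanned
"""

# Constructed September scan: SSH appeared on the web server and a new host
# answers on RDP.
SEPTEMBER = """# Nmap 7.80 scan initiated Mon Sep  3 02:00:01 2018 as: nmap -sS -oG sep.gnmap 192.0.2.0/28
Host: 192.0.2.10 (www.example.org)\tStatus: Up
Host: 192.0.2.10 (www.example.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 (mail.example.org)\tStatus: Up
Host: 192.0.2.11 (mail.example.org)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
# Nmap done at Mon Sep  3 02:10:12 2018 -- 16 IP addresses (3 hosts up) scanned
"""


def parse_gnmap(text: str) -> Dict[str, Set[Service]]:
    """Return {ip: set of open (port, proto, service)} from grepable output."""
    hosts: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        match = PORTS_RE.match(line)
        if not match:
            continue
        ip, _hostname, port_table = match.groups()
        open_services = hosts.setdefault(ip, set())
        for entry in port_table.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                open_services.add((int(port), proto, service))
    return hosts


def diff_scans(previous: Dict[str, Set[Service]],
               current: Dict[str, Set[Service]]) -> List[Finding]:
    """List services that opened or closed between two scans, per host."""
    findings: List[Finding] = []
    for ip in sorted(set(previous) | set(current)):
        before = previous.get(ip, set())
        after = current.get(ip, set())
        opened = "newly open (new host)" if ip not in previous else "newly open"
        for port, proto, service in sorted(after - before):
            findings.append((ip, opened, port, proto, service))
        for port, proto, service in sorted(before - after):
            findings.append((ip, "closed", port, proto, service))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, flagging newly exposed remote-access services."""
    lines = []
    for ip, change, port, proto, service in findings:
        flag = ""
        if change.startswith("newly open") and service in REMOTE_ACCESS:
            flag = "  <-- remote access exposed; find the change ticket or treat as an incident"
        lines.append(f"{ip}: {change} {port}/{proto} ({service}){flag}")
    return lines


if __name__ == "__main__":
    aug, sep = parse_gnmap(AUGUST), parse_gnmap(SEPTEMBER)
    print("Identical scans (the July/August case):", diff_scans(aug, aug) or "nothing new/unusual")
    print("\nAugust vs September:")
    print("\n".join(report(diff_scans(aug, sep))))
```

Diffing against the previous month is what turns a scan from radar into an alarm: an open port that has been there for years is a known condition, while SSH appearing on a web server or a new host answering on RDP is either an undocumented change or the start of an incident, and the report line says which question to ask.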
Penetration Testing
• External Network
• Applications
• Internal Network
• Wireless
• Facilities (social engineering)
Penetration Testing
• Goals and Objectives:
• “Understand, Test, and Assess…”
• Validate things behave as expected…
• Find/Identify new things…
External Network Penetration Testing
Everything that touches the outside
1. Routing devices
2. Remote access
3. Web/applications*
4. Other*: ___________________
External Network Penetration Testing
• Pros
• Cons
Application Penetration Testing
External Network – Everything that touches the outside
Application Penetration Testing
• Pros
• Cons
Internal Network Penetration Testing
Internal Network – Everything inside with an IP address.
Internal Network Penetration Testing
• Pros
• Cons
Wireless Network Penetration Testing
Wireless Network
What do we know we have?
What do we have that we don’t know about?
Anything else.
Wireless Network Penetration Testing
• Pros
• Cons
Social Engineering Tests
• Pros
• Cons
Definition of a Secure System
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
• Confidentiality
• Integrity
• Availability
Questions?
Thank you!
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal
Information Security
888.529.264
Sources for Standards and Guidelines
• NIST 800-53: Information Security and IT Auditing – http://csrc.nist.gov/publications/PubsSPs.html
• PCI Requirements – https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf and https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
• HIPAA Security Rule – requirements for periodic technical validation testing: Evaluation (§ 164.308(a)(8)); information from Health and Human Services