Getting the most value from your next penetration test

November 24th, 2009 by Michael Oglesby

We here at True Digital Security conduct quite a lot of engagements around penetration testing, or “Pen-Tests”. Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don’t quite know what I mean?  Try this little experiment: Google for “Penetration Testing” and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I’ll wait ….  Confused yet? The vast array of methods, styles, and differing  goals can be overwhelming. Even security experts themselves don’t agree on what the purpose or goal of a penetration test should be.

If experts don’t agree on penetration testing, how can we expect clients and customers to understand how this type of testing leads to increased security? If you have ever created an RFP for penetration testing services, you will have seen the vast differences in vendor’s scope, methodology, and pricing. Since penetration testing is fairly undefined, there exists a myriad of testing “styles”. Internal vs. external, network vs. application, white box, black box, gray box,  red team, tiger team, fuchsia team. Ok, I made that last one up.

The point is penetration testing is not a one size fits all solution. Each engagement should be custom tailored to your organization.  During the vendor selection of your next penetration engagement, include vendor flexibility in your evaluation and make sure they take the time to really understand your needs and goals. Leverage their expertise to define a custom penetration testing style and methodology that will provide the most benefit to your unique infrastructure and organization.

Now that you have a vendor selected who has designed a penetration test for your organization, it’s time to actually conduct the penetration testing. Whatever style and methodology was designed for you, at its core, penetration testing is about ethically hacking or attacking your organization’s security controls. Your security program has put in place security controls designed to reduce organizational risk and protect against potential threats. The penetration test should evaluate and test those security controls in order to measure their effectiveness.

One aspect of penetration testing that is rarely discussed is the role of the client during the engagement. Many clients simply schedule a window of time in which to conduct the engagement and wait for the final report documents. In my opinion, this is a missed opportunity to greatly increase the value of your penetration test. Additional benefits and value can be realized by playing an active role and being engaged throughout the engagement. Below are two areas where being an active participant can increase the value from your next engagement.

1. Treat the engagement as a live-fire opportunity and conduct active response.

  • Actively attempt to defend and prevent the vendor from gaining access. View them as you would any outside attacker.
  • Implement your CSIRT (Computer Security Incident Response Team) procedures and treat this as a live exercise for them. Do they respond properly? Do your procedures provide adequate coverage?
  • Conduct and evaluate your incident response plan. Were any gaps identified?
  • Did you have the visibility to respond to the attackers? What steps can be taken to increase that visibility?

2. Map the engagement to your security controls and evaluate their effectiveness. Ask questions about how and why the controls succeeded or failed.

  • Did your IDS system detect or prevent the access? Why or why not? Do the rules need to be tuned? Do additional rules need to be created? Was it monitoring the correct networks?
  • Did your firewall stop the intruders? Why or why not? Do the rules need updating or tuning?
  • Did your log monitoring solution alert the right personnel? Were the right logs captured for your incident response? What logs did you need?
  • Did your file-integrity monitor perform as expected? Did it detect or prevent the compromise?
  • Were your policies and procedures properly followed? Did they provide meaningful guidance and direction?
  • Were your employees properly trained? What training areas need to be addressed or refreshed?

These questions and activities are just a sampling of the benefits that can be obtained from participating in your penetration test. At the end of the day, many clients only view the penetration test from a vulnerability standpoint. They want to know what vulnerabilities were discovered so they can patch and move on. While correcting vulnerabilities is always an important remediation step, by playing an active role and custom tailoring the testing to your organization, you can get the most value from your next penetration test.

Michael Oglesby

Posted in Compliance, Security | No Comments »

Adobe Acrobat products update available

October 14th, 2009 by Brett Edgar

Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.

What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since the Acrobat 7.x and are just now being discovered and/or addressed. I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.

Posted in Advisories, Malware, Security | No Comments »

Cybersecurity Act of 2009 – Professional Licenses?

October 13th, 2009 by Brett Edgar

The Cybersecurity Act of 2009[opencongress.org] was introduced April 1, 2009, by Senator John Rockefeller (D-WV). The act is:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

One of the more talked about provisions of this bill is the granting of authority to the POTUS to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.” Perhaps that will be another blog post, but the provision currently bothering me is the one in Section 7[opencongress.org] of the bill. That section directs the Secretary of Commerce to establish a “national licensing, certification, and periodic recertification program for cybersecurity professionals” and that, after 3 years, makes it “unlawful for any individual to engage in business…as a provider of cybersecurity services…who is not licensed and certified under the program.” The provision only applies to professionals providing services to Federal agencies, their networks, or a network deemed as “critical infrastructure” by the POTUS.

Why does this bother me? Well, to start off with, licensing and certification sure sound like there will be some exchange of money involved, just as private certifications like CISSP, CCNA, MCSE, etc., require you to fork over some cash to take the test and/or maintain membership. If the Federal Government steps in and does the same thing either

  1. the Feds are getting a de facto tax from cyber security professionals; or
  2. if an already existing certification is chosen, that certification body essentially gets public welfare.

In the latter case, whoever spends the most money lobbying the Congress Critters (probably) wins.

This sounds like some unnecessary meddling to me. Yes, the Feds need some well-trained cyber geeks to shore up their defenses. A lot of the cyber security professionals that are already in the government are incompetent–I’ve taken various educational courses and met them, and also worked around some of them–but the way to fix that problem is to make it possible for the Feds to fire people. Right now, if you get in to the Federal government, you’re employed for life unless you do something extremely stupid and illegal.

But even the NSF Scholarship for Service (AKA CyberCorps) program (which this act evidently re-authorizes) won’t help. First of all, you can’t train enough cyber security professionals fast enough to make a difference. More importantly, the lack of people is not the real issue. The real issue is the politics, red-tape, and managerial incompetence that restricts the competent CSPs that are already in the Federal government from securing their networks.

To defend a network, you have to be able to react quickly. To defend a network that has little or no existing defense in place, you have to be able to rapidly re-configure the network with up-to-date tools and hardware. It takes entirely too long to get approval for purchasing those devices, and entirely too long to get approval to deploy them. Then some manager can’t understand that some things are going to break and take a while to fix, and pretty soon you have a half-deployed three year-old “security is in the blinky thingy” device that can’t keep up with the volume of traffic transiting the new OC-128 the Undersecretary for Porn Surfing demanded be put in place.

I just don’t see this going well. Someone’s going to get very rich, another 1500 jobs are going to be added to the federal government to oversee this program, more tax money is going to be wasted, CSPs are still going to be frustrated in their attempts to repair Federal networks, and the Internet is still going to be a DANGEROUS PLACE with unfriendlies from all points south of our border and across the oceans trying to steal our information.

Posted in Security | No Comments »

YAAV (Yet Another Adobe Vulnerability)

October 8th, 2009 by Brett Edgar

Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment). DEP is an optional setting. Here is the Microsoft KB article about DEP, but their server is saying it’s “too busy” at the moment (4:11p). More information from the ISC is here.

Adobe is set to release an update on October 13. Until then, keep on your toes!

TRUE Network Security Monitoring customers: rest easier: if your resources are successfully attacked, we should see the results.

Posted in Advisories, Security, Windows | No Comments »

Voice Over IP Security

September 18th, 2009 by Nathaniel James

According to NIST, with the proliferation of VOIP, the demands for security are significantly compounded.  Now, network administrators must protect two invaluable assets – our data and our conversations. Federal agencies are required by law to protect a great deal of information, even if it is unclassified. The current Internet architecture does not provide the same physical wire security as the phone lines. What’s the solution? Encryption! Encryption! Encryption!

Encrypting VOIP traffic and running it over a virtual private network provides excellent security when dealing with external communications. Architecture decision, like locating IP Telephones behind NATs and Firewalls, are also important.

Posted in Encryption, Security | No Comments »

President Obama’s Cyber Security Policy

July 9th, 2009 by Nathaniel James

President Obama’s new cyber security policy and the creation of a White House office for cyber defense is a step in the right direction. I think the new cyber boss can be effective regardless of title or hierarchical position within the White House.

According to the Cyberspace Policy Review referenced above, the Federal government cannot succeed in the many facets of securing cyberspace if it works in isolation. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Government and industry leaders both nationally and internationally need to delineate roles and responsibilities, integrate capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cyber security and reap the full benefits of the digital revolution.

Whatever the outcome cyber security need the same attention of law enforcement as other crimes.

Tags: , , , , , ,
Posted in Security, Uncategorized | No Comments »

Vista SP2…it works

May 27th, 2009 by Brett Edgar

Well, installation wasn’t too bad.  It took about 20 minutes or so.  As a bonus, all of my settings seem to be intact and all of my programs continue to function properly.  Even our corporate AV is working… I hope this isn’t premature, but: Good job, Microsoft.

Posted in Uncategorized | No Comments »

Vista SP2

May 27th, 2009 by Brett Edgar

So Vista SP2 is now available to the masses.  I’ve downloaded it and am in the process of installing it.  So far no problems, but it is claiming that my machine may reboot several times and the total installation time may be 1 hour or more.  Here’s hoping the upgrade goes smoothly and I still have full functionality when the process completes…I’ll post my results here later today.

Posted in Microsoft | No Comments »

Phishing on Facebook

May 25th, 2009 by Brett Edgar

As noted on several discussion sites around the Internet, there seems to be a new phishing attack against Facebook users.  The login page is being spoofed by several .BE and .AT domains in an attempt to steal user’s credentials.  Be careful signing in to Facebook for a few days…make sure everything looks correct and your browser is showing you the real Facebook login page.

Posted in Malware | No Comments »

Microsoft Attempting to Assassinate Google?

May 21st, 2009 by Brett Edgar

Microsoft appears set to display a new version of its search engine early next week.  The boys in Redmond have been scratching their heads trying to compete with the behemoth that is Google for the past few years.  Looks like this may be their latest attempt at assassination.

Sometimes I feel bad for Microsoft.  They have to compete with both Google and Apple.  Then I remember all the unfair things Microsoft has done to stifle competition in the past and I stop feeling bad.

Posted in Microsoft | No Comments »

« Older Entries