Archive for the ‘Compliance’ Category

Getting the most value from your next penetration test

Tuesday, November 24th, 2009

We here at True Digital Security conduct quite a lot of engagements around penetration testing, or “Pen-Tests”. Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don’t quite know what I mean? Try this little experiment: Google for “Penetration Testing” and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I’ll wait…. Confused yet? The vast array of methods, styles, and differing goals can be overwhelming. Even security experts themselves don’t agree on what the purpose or goal of a penetration test should be.

If experts don’t agree on penetration testing, how can we expect clients and customers to understand how this type of testing leads to increased security? If you have ever created an RFP for penetration testing services, you will have seen the vast differences in vendors’ scope, methodology, and pricing. Since penetration testing is fairly undefined, there exists a myriad of testing “styles”: internal vs. external, network vs. application, white box, black box, gray box, red team, tiger team, fuchsia team. Ok, I made that last one up.

The point is that penetration testing is not a one-size-fits-all solution. Each engagement should be custom-tailored to your organization. During the vendor selection for your next penetration engagement, include vendor flexibility in your evaluation and make sure they take the time to really understand your needs and goals. Leverage their expertise to define a custom penetration testing style and methodology that will provide the most benefit to your unique infrastructure and organization.

Now that you have a vendor selected who has designed a penetration test for your organization, it’s time to actually conduct the penetration testing. Whatever style and methodology was designed for you, at its core, penetration testing is about ethically hacking or attacking your organization’s security controls. Your security program has put in place security controls designed to reduce organizational risk and protect against potential threats. The penetration test should evaluate and test those security controls in order to measure their effectiveness.

One aspect of penetration testing that is rarely discussed is the role of the client during the engagement. Many clients simply schedule a window of time in which to conduct the engagement and wait for the final report documents. In my opinion, this is a missed opportunity to greatly increase the value of your penetration test. Additional benefits and value can be realized by playing an active role and staying involved throughout the engagement. Below are two areas where being an active participant can increase the value of your next engagement.

1. Treat the engagement as a live-fire opportunity and conduct active response.

  • Actively attempt to defend and prevent the vendor from gaining access. View them as you would any outside attacker.
  • Implement your CSIRT (Computer Security Incident Response Team) procedures and treat this as a live exercise for them. Do they respond properly? Do your procedures provide adequate coverage?
  • Conduct and evaluate your incident response plan. Were any gaps identified?
  • Did you have the visibility to respond to the attackers? What steps can be taken to increase that visibility?

2. Map the engagement to your security controls and evaluate their effectiveness. Ask questions about how and why the controls succeeded or failed.

  • Did your IDS detect or prevent the access? Why or why not? Do the rules need to be tuned? Do additional rules need to be created? Was it monitoring the correct networks?
  • Did your firewall stop the intruders? Why or why not? Do the rules need updating or tuning?
  • Did your log monitoring solution alert the right personnel? Were the right logs captured for your incident response? What logs did you need?
  • Did your file-integrity monitor perform as expected? Did it detect or prevent the compromise?
  • Were your policies and procedures properly followed? Did they provide meaningful guidance and direction?
  • Were your employees properly trained? What training areas need to be addressed or refreshed?
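As an added example (not part of the original post), the following Python script turns the questions above into a concrete reconciliation: the tester’s timeline of actions is matched against the alerts and log records each control produced, and every miss is classified as either a control that was in scope but silent, or a control that was never watching the target network. The tester actions, control events, and monitored subnets are constructed sample data, and the five-minute correlation window is an assumption chosen for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed tester activity log (invented sample data): what the pen-test
# team did, when, and from/to which hosts. A real engagement log would come
# from the vendor's daily activity notes.
TESTER_ACTIONS = [
    {"time": "2009-11-10T09:02:00", "src": "203.0.113.10", "dst": "192.0.2.20",
     "action": "port scan of DMZ web server"},
    {"time": "2009-11-10T09:40:00", "src": "203.0.113.10", "dst": "192.0.2.20",
     "action": "SQL injection against login form"},
    {"time": "2009-11-10T10:15:00", "src": "192.0.2.20", "dst": "10.0.5.7",
     "action": "pivot from web server to internal file server"},
    {"time": "2009-11-10T10:30:00", "src": "192.0.2.20", "dst": "10.0.5.7",
     "action": "modified /etc/passwd on file server"},
]

# Constructed control telemetry: one record per alert or log line. "src" is
# None for host-based controls (FIM) that do not record a network peer.
CONTROL_EVENTS = [
    {"time": "2009-11-10T09:02:30", "control": "IDS", "src": "203.0.113.10",
     "dst": "192.0.2.20", "outcome": "detected", "rule": "port-scan"},
    {"time": "2009-11-10T09:02:35", "control": "firewall", "src": "203.0.113.10",
     "dst": "192.0.2.20", "outcome": "prevented", "rule": "deny-tcp-445"},
    {"time": "2009-11-10T09:41:10", "control": "IDS", "src": "203.0.113.10",
     "dst": "192.0.2.20", "outcome": "detected", "rule": "sqli-in-uri"},
    {"time": "2009-11-10T10:31:00", "control": "FIM", "src": None,
     "dst": "10.0.5.7", "outcome": "detected", "rule": "/etc/passwd changed"},
]

# Subnets each control is configured to watch (constructed). An empty list
# means the control produces no alerts at all for this environment.
MONITORED_NETWORKS = {
    "IDS": [ip_network("192.0.2.0/24")],       # DMZ sensor only: internal pivot is blind
    "firewall": [ip_network("192.0.2.0/24")],
    "FIM": [ip_network("10.0.5.0/24")],
    "log monitoring": [],                      # no alerting wired up
}

WINDOW = timedelta(minutes=5)  # assumed: how long after an action an alert still "counts"


def _parse(ts):
    return datetime.fromisoformat(ts)


def _covers(control, host):
    """True if the control is configured to watch the network the host sits on."""
    return any(ip_address(host) in net for net in MONITORED_NETWORKS.get(control, []))


def correlate(actions, events, window=WINDOW):
    """For each tester action, collect the controls that observed the same flow
    within the window and the outcome each reported (detected / prevented)."""
    report = []
    for act in actions:
        t0 = _parse(act["time"])
        seen = {}
        for ev in events:
            same_flow = ev["src"] in (None, act["src"]) and ev["dst"] == act["dst"]
            delta = _parse(ev["time"]) - t0
            if same_flow and timedelta(0) <= delta <= window:
                seen[ev["control"]] = ev["outcome"]
        report.append({"action": act["action"], "dst": act["dst"], "seen": seen})
    return report


def coverage_gaps(report, controls=MONITORED_NETWORKS):
    """Explain every miss: the control was watching that network but stayed
    silent (tuning question), or it never saw that network at all (placement question)."""
    gaps = []
    for entry in report:
        for ctl in controls:
            if ctl in entry["seen"]:
                continue
            reason = ("in scope but missed" if _covers(ctl, entry["dst"])
                      else "target network not monitored")
            gaps.append((entry["action"], ctl, reason))
    return gaps


def control_effectiveness(report, controls=MONITORED_NETWORKS):
    """Per control: (actions inside its monitored scope, actions it detected or prevented)."""
    stats = {}
    for ctl in controls:
        in_scope = [e for e in report if _covers(ctl, e["dst"])]
        hits = [e for e in in_scope if ctl in e["seen"]]
        stats[ctl] = (len(in_scope), len(hits))
    return stats


if __name__ == "__main__":
    rep = correlate(TESTER_ACTIONS, CONTROL_EVENTS)
    for entry in rep:
        print(f"{entry['action']:<50} {entry['seen'] or 'NOT OBSERVED'}")
    for ctl, (scope, hits) in control_effectiveness(rep).items():
        print(f"{ctl:<15} {hits}/{scope} in-scope actions observed")
    for action, ctl, reason in coverage_gaps(rep):
        print(f"GAP: {ctl:<15} {reason:<30} {action}")
```

The output separates two very different follow-up conversations: a miss tagged “in scope but missed” is a prompt for the rule-tuning questions above, while “target network not monitored” points at sensor placement or at a control that was never configured to alert. The script does not decide whether a miss was acceptable (a firewall is not expected to stop SQL injection over an allowed port); it only makes sure the question gets asked for every action rather than only for the ones that produced findings.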

These questions and activities are just a sampling of the benefits that can be obtained from participating in your penetration test. At the end of the day, many clients only view the penetration test from a vulnerability standpoint. They want to know what vulnerabilities were discovered so they can patch and move on. While correcting vulnerabilities is always an important remediation step, by playing an active role and custom-tailoring the testing to your organization, you can get the most value from your next penetration test.

Michael Oglesby

Microsoft’s banned function calls

Thursday, May 21st, 2009

After reading Michael’s earlier post about SDL, I started digging a bit deeper into Microsoft’s SDL documentation and came across this pretty cool page. I wonder if anyone has a similar page for Unix-like OSes?

Avoid Becoming a Data Loss Victim

Monday, May 4th, 2009

With the current downturn in the US economy, cyber crime is increasing at an alarming rate. Let’s face it – data loss can quickly become a public relations nightmare for any business. Solid Core conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted that their organization either had experienced, or did not know whether it had experienced, a compliance control deficiency in the last year.

The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, released the 2008 Annual Report on the number of Internet crime complaints received. This report [ic3.gov] was made available on March 31, 2009.

The 2008 Annual Report states that complaints of online crime hit a record high in 2008. The Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss was roughly $931.

Now more than ever, it is critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.

Acquiring target… NOW!

Friday, May 1st, 2009

Walt Conway has some interesting commentary [treasuryinstitute.org] on the recently released Verizon data breach report [verizonbusiness.com].

All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting. We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.

While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelmingly effective, to the point that we often need to reassure our clients that the world is not ending. Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.