Paul Vlissidis, Technical Director, NCC Group
Commercial in Confidence - © Copyright 2008 NCC Group plc - all rights reserved
IT HealthCHECKs: “Your Route To Effective Risk Management”
Paul Vlissidis, Technical Director, NCC Group plc
email: paulv@nccgroup.com
mobile: 07703 501143
IA08, 17th & 18th June 2008
Agenda
About NCC Group
The context for IT HealthCHECKs
Where can HealthCHECKs add value?
Planning a HealthCHECK
The HealthCHECK Lifecycle
Effective procurement
A Perfect World
NCC Group plc
What we do: provide IT assurance, security & consultancy services to over 15,000 clients globally - including 92 of the FTSE 100
USP: no ties or relationships to hardware or software suppliers - focus on developing intelligent solutions & building partnerships
Background: based in Manchester - offices in London, Surrey, Oxford, Germany & California; 320 staff; formed in 1999, listed on the LSE
Assurance Testing: test & monitor system, network & web site performance to ensure they are effective, robust & delivering optimum performance
Ethical security testing of networks & applications, and of security policies in practice, to ensure organisations are safe from the threat of unauthorised access
Largest provider in UK following acquisition of Site Confidence (Jan 07) & SecureTest (Aug 07)
NCC Group: IT HealthCHECK Project Experience
Year  Number
2003  25
2004  19
2005  16
2006  25
2007  28
Accreditations
ISO 9001:2000 - All NCC Group services accredited to ISO 9001:2000; ISO 9001 status held since 1994.
ISO 27001:2005 - NCC Group Security Consultancy & Testing divisions certified to ISO 27001:2005 (formerly BS7799 part 2). (LRQ 0963077)
CESG CHECK - Accredited under the Government’s CESG CHECK scheme for network penetration and testing services. Classed as a ‘Green’ service provider continuously since 2001, the highest attainable standard.
CESG CLAS - Accredited under the CLAS (CESG Listed Adviser) Scheme - a partnership linking the unique Infosec knowledge of CESG with the expertise and resources of the private sector.
CESG Tailored Assurance Scheme Provider - Accredited as one of the first companies to provide the CESG Tailored Assurance Service (CTAS), which is intended for a wide range of IT products and systems ranging from simple software components to national infrastructure networks.
PCI Approved Scan Vendor / PCI Qualified Security Assessor - NCC Group is a Qualified Security Assessor and an Approved Scan Vendor regulated by the PCI Standards Council.
CREST (Council of Registered Ethical Security Testers) - NCC Group is an active member of CREST, the standards-based organisation for penetration test suppliers aimed at ensuring the very highest standards of leading-edge security testing.
The context for IT HealthCHECKs
Penetration testing (ethical hacking) / IT HealthCHECK is a powerful risk management tool
Addresses categories of risk not covered elsewhere
Provides concrete evidence that your security investment is effective and compliant
But….
× It cannot find everything – especially if it’s just a vulnerability assessment
× It must be used properly as part of a mix of risk controls
× It needs proper specification, planning and execution to be effective
Where can HealthCHECKs add value?
As a check on external service providers/vendors
A regular risk-based assessment of security
Pre/Post go-live for a new system/application
As part of an incident response
To exercise incident detection and escalation processes
To support audit requirements
To support assessment of compliance
Within the assurance matrix
Risk assessment / IA needs
Which risks/threats are driving the HealthCHECK? Attack from the GSI? Attack from the Internet? Mobile data theft/loss? Attack from an internal user?
This can assist greatly in producing a cost-effective proposal
A blend of tests/reviews is usually required to answer these questions
Reports can then be produced to match the IA needs and might suggest additional tailored assurance techniques are applied (e.g. source code review)
The Assurance Matrix
Segment / Impact Level        | Product Assurance              | Service Assurance   | System Assurance           | System Configuration Test
Aware / IL1                   | CCT Mark, CC EAL1              | CCT Mark            | CCT Mark                   | Commercial Pen Test e.g. TIGER & CREST
Aware / IL2                   | CCT Mark, CC EAL1-2            | CCT Mark            | CCT Mark                   | Commercial Pen Test e.g. TIGER & CREST
Deter / IL3                   | CC EAL 3-4, CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" + CIDS | IT HealthCHECK
Detect and Resist / IL4       | CC EAL4+, CTAS, "CAA (Basic)"  | CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" + CIDS | IT HealthCHECK + Vulnerability Test
Areas a HealthCHECK might cover
External (from GSI,CJX,Internet)
Server build checking
VPN (Manual V and Manual T)
Procedural (social engineering)
Laptop/PDA/Blackberry
Desktop
Application
Wireless (Manual Y)
Internal
Firewall rule review
Wardial (RAS)
Planning a HealthCHECK
Start with risk assessment
  Identify threats where uncertainty exists
  Focus on medium/high impact outcomes (IS1 / IS3)
  Use the Assurance Matrix
Specify Rules of Engagement
  Exploit or not
  Critical servers vs whole network
  Black box vs grey box vs white box
  What is a fair test that addresses the risks?
For large applications consider modelling the threats
IT HealthCHECK Lifecycle
A cycle: risk assessment → scope definition → procurement → project initiation → test planning → testing → results analysis → reporting → rectification / remediation → back to risk assessment
Scope definition - networks
ADS contains useful information but is generally too much
As a minimum vendors would like…..
  Overall network diagram showing security domains and network connections
  Number and types of servers in each subnet / domain
  An understanding of the physical locations that will need to be visited – how many and what level of Protective Marking will be encountered
  Number of server builds to be reviewed
  Any wireless components likely to be encountered
  Any third party service providers with whom agreements will be needed
Scope definition - workstations
Number of desktop builds to be reviewed
Variety of builds to be checked
Roughly how many of each build there are – this allows sample sizes to be chosen
Number of laptop / PDA types/builds to be reviewed
What policies are in place regarding use of USB ports, wireless etc?
How do remote clients connect?
Scope definition - applications
Is the application accessed via a browser or via a dedicated client?
  Approaches differ fundamentally so this is very important
  Different access methods require different testing
Brief description of the application and some idea of the information being protected
How many user types/roles are there?
Which roles need testing? Potential attacker groups
Some idea of the complexity, e.g. number of screens, menus, functions
  Any metric will do provided it clearly differentiates a big complicated application from a small simple one!
Specification (1)
A typical, ineffective RFI:
The firm which wins this tender will be awarded a contract to carry out a single health check on the XXX network
In addition to the penetration test, the firm will be expected to be able to contribute towards the security posture of the network as follows –
  Knowledge transfer of information security testing techniques
  Advice on technical aspects of information security
  Advice or quality assurance on internal security testing exercises
Problems:
× Far too vague
× Insufficient definition of requirement
× Lack of detail of network and infrastructure
× Seems unclear as to what the winning provider should actually do!
Specification (2)
Slightly better:
STATEMENT OF REQUIREMENT (SOR) – Network Penetration Test
Background to Requirement
1.4 XYZ has the following internet facing services:
  ABC Online public internet service
  PQR extranet service
  Remote Access Server authenticated dial-in
  GSi Government Internet and e-mail services
  Extranet registry services to partners
1.5 In order to support these services, XYZ uses equipment which includes the following:
  IBM zOS Mainframe systems running WebSphere servers
  IBM DB2 backend database
  Windows ISA server
  Nokia Checkpoint firewall enforcement points
  Cisco PIX firewall enforcement points
  Entrust Identity management system (for ABCt)
  Cisco network infrastructure, including content management hardware
  Microsoft Windows 2003 Server with AD
  Microsoft Exchange Servers
  Oracle 9i running on Sun 4810 Systems
Problems:
× But how many?
× Where are they?
× How connected?
× PM Level?
Specification (3)
Better yet:
The test shall comprise FOUR threat simulations which will be aimed against our information resources in XXX. The chosen targets and “grey-box” intelligence shall be given to the Contractor during the initial briefing at the start of the testing period.
The nature of the testing should require the use of internet hacking, insider hacking, social engineering and other penetration techniques. The use of these will be at the Contractor’s discretion and according to the available intelligence.
Rules of Engagement for the HealthCHECK
Positives:
Precisely defines what is to be tested
Defines types of testing to be used
Explains expectations from providers
Rules of engagement already decided
Effective procurement
Much Better:
Basic scope
  Test the perimeter, the Internet facing interfaces.
  Test the GSI interfaces.
  Firewall configuration and rule-set analysis.
  Internal network assessment, switches and router configurations.
  Desktop & laptop build/lockdown security vulnerability assessment.
  Server build/lockdown vulnerability assessment.
  RAS Laptop/PSTN vulnerability assessment.
  Produce a report which consists of a management summary (high level view) and a more detailed report.
  Attend an end of test meeting in which to discuss the report and make recommendations.
Basic scope (technical)
  External Internet penetration test against three separate leased lines with distinct blocks of IP addresses.
  Full (internal) test of 10.x.x.x LAN.
  Specific detailed server testing of up to 20 servers of varying functionality e.g. Oracle/SQL applications, local site servers etc.
Basic scope (technical) – continued
  Desktop build/lockdown review of 3 workstations.
  Laptop build/lockdown review of 3 laptops.
  Active Directory review.
  Primary domain controllers x 6 build/lockdown.
  External GSI penetration testing.
  Firewall rule review of 6 firewall pairs for both the GSI and non GSI interfaces.
  “Back to back” router configuration review x 4 links.
  GSI DMZ network based testing of 3 x network segments at <LOCATION>.
  RAS end-to-end security testing.
Positives:
No room for misinterpretation
Best possible start
Tailored assurance services
System security testing: analyse security of networks, servers & infrastructure, considering potential for internal / external attack
Architecture & design review: review build & deployment of systems into specific environments, assessing against relevant Infosec & CESG standards /guidelines
Installation and operational procedures review: develop & implement effective & appropriate policies, procedures & working arrangements to manage information security
Software & application security testing: functionality & design assessment; development procedures review; security function testing; source code analysis; product vulnerability analysis and testing
Remote access & remote worker security: ensure your organisation is equipped to manage security risks arising from remote & home working
Social engineering: 'human element' of risk addressing real threats such as unauthorised physical entry into buildings, obtaining sensitive information, impersonation and deception
Business continuity & disaster recovery: comprehensive business continuity and disaster recovery planning services
Risk management: assessment of risks & regulatory requirements surrounding IT, information security & corporate governance, including implications of non-compliance
Summary
IT HealthCHECKs can provide valuable information on the risks to IT assets and how they are being managed
They can deliver a lot more than a ‘tick in the box’
Some time on their specification pays dividends
HealthCHECKs are just one part of the assurance and need to be considered along with other elements such as CTAS