Upload
dangnhan
View
218
Download
0
Embed Size (px)
Citation preview
www.senseofsecurity.com.au © Sense of Security 2011 Page 1 October 2011
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia
Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia
T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455
[email protected] www.senseofsecurity.com.au ABN: 14 098 237 908
Penetration Testing
Cyber Security for Government Conference, 25&26 October 2011, Sydney
How Government Can Achieve Better
Outcomes Delivered by Murray Goldschmidt, Chief Operating Officer
www.senseofsecurity.com.au © Sense of Security 2011 Page 2 October 2011
Penetration Testing
Penetration Testing • is a series of activities with the objective to determine
current technical security posture
• includes testing of effectiveness of protective controls which can be used to [6,7]: • deduce effectiveness of detective & responsive controls
• identify opportunities for improvement in information security governance (in support of ISM/S)
• is one security assessment method
www.senseofsecurity.com.au © Sense of Security 2011 Page 3 October 2011
Why?
Because
"Foolproof systems don't take into account the ingenuity of fools." — Gene Brown.
www.senseofsecurity.com.au © Sense of Security 2011 Page 4 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 5 October 2011
Effectiveness of Outcomes
Dependent on:
CONSTRAINTS
LIMITATIONS
CAPABILITY
DELIVERABLE
www.senseofsecurity.com.au © Sense of Security 2011 Page 6 October 2011
Limitations
• Point in time
• Environmental (test/dev/prod)
• Negative testing (only proves the presence of flaws)
• Funding is finite
• Business Continuity
• Resources to remediate
• Abused as check box testing (compliance)
www.senseofsecurity.com.au © Sense of Security 2011 Page 7 October 2011
Constraints
•Scope
•Time
•Budget
www.senseofsecurity.com.au © Sense of Security 2011 Page 8 October 2011
Capability
•Methodology/approach
•Experience
•Skill
•Tools
www.senseofsecurity.com.au © Sense of Security 2011 Page 9 October 2011
Deliverable
• Ease of use
• Accuracy of findings (no false positives)
• Ability to articulate technical & business risk
• Technical findings should include precise actions to remediate
• Anatomy of attack should incl all details to reproduce the exploit
• Root cause analysis (fix the cause not symptom)
• Exec Summary with adequate info for C Level
• Threat/Risk centric not system centric
www.senseofsecurity.com.au © Sense of Security 2011 Page 10 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 11 October 2011
Where is the Squeeze?
•Time •Budget
•Scope •Capability
time
budget
scope
capability
www.senseofsecurity.com.au © Sense of Security 2011 Page 12 October 2011
Implication on Outcome?
TIME BUDGET
SCOPE CAPABILITY
OUT
www.senseofsecurity.com.au © Sense of Security 2011 Page 14 October 2011
Cookie hijacking SQL injection
Trojan
Client side attack
Man in the middle
File upload
Remote control
User Enumeration
Input validation Click jacking
Buffer overflow
A Good Outcome?
www.senseofsecurity.com.au © Sense of Security 2011 Page 15 October 2011
Cookie hijacking
Social engineering
Cross site scripting
Credit card data
Data breach
SQL injection
Brute forced
Passwords cracked
Root kit
Trojan
Client side attack
Man in the middle
Spoofing
Authentication bypass
Cross site request forgery
File upload
Remote file inclusion
Remote code execution
Remote control
IKE aggressive mode
Stack overflow
Social engineering
Privilege escalation
Cache poisoning
User Enumeration
Zero day exploit
Fingerprinting
Denial of service
Domain hijacking
Eavesdropping
Phishing
Spear phishing
Fragment overlap attack
Input validation
Spoofing Virus
Malware
Zombie Botnet Click jacking
Session fixation
Back door Session hijacking
Buffer overflow
Fuzzing DLL hijacking Binary planting
Metadata leakage RF access
SCADA hacked
A Good Outcome?
www.senseofsecurity.com.au © Sense of Security 2011 Page 16 October 2011
It’s Up to You
The outcome is a function of the inputs
www.senseofsecurity.com.au © Sense of Security 2011 Page 17 October 2011
Before Testing
• Determine what it is that you are protecting
• Determine implication of a breach
• Know your data: • Where is it?
• What is it?
• Risk Assessment – define depth and breadth of scope
www.senseofsecurity.com.au © Sense of Security 2011 Page 18 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 20 October 2011
Breadth & Depth of Scope
Application
Client/ServerCustom Off The Shelf (COTS)
Web AppAdmin Interfaces
Content Mgt System (CMS)Web Service
Mobile App
RolesFunctions
Pages
Depth
www.senseofsecurity.com.au © Sense of Security 2011 Page 21 October 2011
Breadth & Depth of Scope
Cloud
Software as a ServicePlatform as a Service
Infrastructure as a ServiceSecurity as a Service
Hardware as a ServiceData as a Service
Everything as a Service
MultitenantVirtualisation
SLAContractExternal Internal
Depth
www.senseofsecurity.com.au © Sense of Security 2011 Page 22 October 2011
Breadth & Depth of Scope
Network
External
Internal
Software as a ServicePlatform as a Service
Infrastructure as a ServiceSecurity as a Service
Hardware as a ServiceData as a Service
Everything as a Service
Head OfficeDatacentre
Remote SitesOther Entry Points (Home n/w, Mobile, Business Partner etc)
Hosting Service Provider
Depth
www.senseofsecurity.com.au © Sense of Security 2011 Page 23 October 2011
Capability
• Define the scope • Information Gathering • Port Scan • Vulnerability Scan • Enumeration • Pen Test • Compile Results • Report
• Scoping; Rules; Contacts; Goals
• Information and Intelligence Gathering
• Threat Modelling • Vulnerability analysis • Exploitation • Post Exploitation • Reporting • Remediation • Regression/Re-Testing
Methodology Experience
Tools Skill
www.senseofsecurity.com.au © Sense of Security 2011 Page 24 October 2011
Time & Budget
• Risk Assessment should define scope
• Budget buys you time
• Time dependent on scope (breadth & depth) and capability
• An underestimated budget will impact: • Time
• Scope
• Capability
• Outcome is affected
www.senseofsecurity.com.au © Sense of Security 2011 Page 25 October 2011
Time & Budget
Interdependencies, aligned with commonly accepted methodologies: PRINCE2 and PMBOK
www.senseofsecurity.com.au © Sense of Security 2011 Page 26 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 27 October 2011
Depth of Testing vs Time
• Short timeframe – limited expectation: • Run scan tools
• High-level research specialised tools and techniques
• Execute and validate findings
• Write report – some findings might be generic without detailed technology specific fixes
• Reasonable Timeframe – Value oriented outcome • Do all above
• Familiarise with new technology
• Download and install software and look for bugs or potential mis-configuration options that can be set by user
• Write custom tools and exploit code
• Write detailed report with technology specific recommendations that can be implemented without the customer having to do any additional research
www.senseofsecurity.com.au © Sense of Security 2011 Page 28 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation, AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 29 October 2011
Cloud & Regulation – AU Govt
• WoG policy position on Cloud Computing: “Agencies may choose cloud-based service where they demonstrate value for money and adequate security”[1]
• … take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal and/or external auditors and specialist organisations where required [2]
• … have an obligation to protect the personal information that they hold from loss or misuse and unauthorised access, modification or disclosure [5]
• DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is publicly available.[4]
• Applicability of the Protective Security Policy [3]
www.senseofsecurity.com.au © Sense of Security 2011 Page 30 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 31 October 2011
Where Does Pentesting Fit In?
Plan Conduct Initial Pen test
( System before first use or a significant
change)
Do
Analyse and treat
Security risks identified
Check Undertake Technical
Compliance check (Regularly conduct
Pen test on Systems/Networks)
Act Determine cause of non-compliance and
take necessary corrective action
Information Security Monitoring
Requirements from
Standards and Regulatory
Frameworks AUS Gov - ISM ISO 27001/2
PCI DSS
Compliance with security
standards and regulatory
requirements thereby
improving the Security Posture
www.senseofsecurity.com.au © Sense of Security 2011 Page 32 October 2011
Agenda
• Effective Outcomes: • Dependencies
• Getting the Balance Right • Balance - Making Informed Decisions
• Depth of Testing vs Time
• Cloud & Regulation - AU Govt
• Pen Testing – The Broader Picture
• Conclusions
www.senseofsecurity.com.au © Sense of Security 2011 Page 33 October 2011
Conclusion
• Know your data; think data centric not system centric
• Know what you need to test – Risk Assessment to define scope
• Breadth & Depth of scope; work effort (cost) should reflect
• Due to sophistication of attacks, increased requirement for expertise; cannot rely on tools
• Make informed decisions – outcome related to inputs
• Capability a function of methodology + skill + heritage + reporting
• Quality of reporting should be evaluated (Tech+Exec); affects ability to remediate; need to be able to act on the outcome
• Comprehensive testing will cost more than a check box test
• Cloud is an extension of your organisation; risks must be evaluated and treated accordingly
• Use the pentest as an opportunity to evaluate/tune your detection + response capability
www.senseofsecurity.com.au © Sense of Security 2011 Page 34 October 2011
References
References:
[1] Australian Government Cloud Computing Strategic Direction Paper, Dept of Finance,
April 2011 Version 1. http://www.finance.gov.au/e-government/strategy-and-governance/docs/final_cloud_computing_strategy_version_1.pdf
[2] Australian Government Protective Security Policy Framework, AGD, Jan 2011, V1.2 http://www.ema.gov.au/www/agd/agd.nsf/Page/ProtectiveSecurityPolicyFramework_Contents
[3] Securing Government Business. Protective Security Guidance for Executives, AGD,
June 2010 http://www.ag.gov.au/www/agd/agd.nsf/Page/ProtectiveSecurityPolicyFramework_ProtectiveSecurityPolicyFrameworkDownloads
[4] Cloud Computing Considerations. DSD, April 2011 http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
[5] Privacy and the Cloud – speech to Cloud Computing Conference and Expo – 9/9/2010
Office of the Privacy Commissioner. http://www.privacy.gov.au/materials/types/download/9572/7133
[6] Western Australian Auditor General’s Report. Information Systems, Report 4, June
2011. www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf
[7] Victorian Auditor-General’s Report Security of Infrastructure Control Systems for
Water and Transport, October 2010 download.audit.vic.gov.au/files/20100610_ICT_report.pdf
[8] Analyzing the Accuracy and Time Costs of Web Application Security Scanners, Larry
Suto, Feb 2010
www.senseofsecurity.com.au © Sense of Security 2011 Page 36 October 2011
Thank you
Recognised as Australia’s fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs
Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text or images can be reproduced without written permission. This presentation will be published at http://www.senseofsecurity.com.au/research/presentations Whitepaper will be published at http://www.senseofsecurity.com.au/research/it-security-articles
Sydney, Melbourne T: 1300 922 923 [email protected] www.senseofsecurity.com.au