www.senseofsecurity.com.au © Sense of Security 2011 Page 1 October 2011

Compliance, Protection & Business Confidence

Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia

Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia

T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455

info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908

Penetration Testing

Cyber Security for Government Conference, 25&26 October 2011, Sydney

How Government Can Achieve Better

Outcomes Delivered by Murray Goldschmidt, Chief Operating Officer

www.senseofsecurity.com.au © Sense of Security 2011 Page 2 October 2011

Penetration Testing

Penetration Testing • is a series of activities with the objective to determine

current technical security posture

• includes testing of effectiveness of protective controls which can be used to [6,7]: • deduce effectiveness of detective & responsive controls

• identify opportunities for improvement in information security governance (in support of ISM/S)

• is one security assessment method

www.senseofsecurity.com.au © Sense of Security 2011 Page 3 October 2011

Why?

Because

"Foolproof systems don't take into account the ingenuity of fools." — Gene Brown.

www.senseofsecurity.com.au © Sense of Security 2011 Page 4 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 5 October 2011

Effectiveness of Outcomes

Dependent on:

CONSTRAINTS

LIMITATIONS

CAPABILITY

DELIVERABLE

www.senseofsecurity.com.au © Sense of Security 2011 Page 6 October 2011

Limitations

• Point in time

• Environmental (test/dev/prod)

• Negative testing (only proves the presence of flaws)

• Funding is finite

• Business Continuity

• Resources to remediate

• Abused as check box testing (compliance)

www.senseofsecurity.com.au © Sense of Security 2011 Page 7 October 2011

Constraints

•Scope

•Time

•Budget

www.senseofsecurity.com.au © Sense of Security 2011 Page 8 October 2011

Capability

•Methodology/approach

•Experience

•Skill

•Tools

www.senseofsecurity.com.au © Sense of Security 2011 Page 9 October 2011

Deliverable

• Ease of use

• Accuracy of findings (no false positives)

• Ability to articulate technical & business risk

• Technical findings should include precise actions to remediate

• Anatomy of attack should incl all details to reproduce the exploit

• Root cause analysis (fix the cause not symptom)

• Exec Summary with adequate info for C Level

• Threat/Risk centric not system centric

www.senseofsecurity.com.au © Sense of Security 2011 Page 10 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 11 October 2011

Where is the Squeeze?

•Time •Budget

•Scope •Capability

time

budget

scope

capability

www.senseofsecurity.com.au © Sense of Security 2011 Page 12 October 2011

Implication on Outcome?

TIME BUDGET

SCOPE CAPABILITY

OUT

www.senseofsecurity.com.au © Sense of Security 2011 Page 13 October 2011

A Good Outcome?

No issues!

www.senseofsecurity.com.au © Sense of Security 2011 Page 14 October 2011

Cookie hijacking SQL injection

Trojan

Client side attack

Man in the middle

File upload

Remote control

User Enumeration

Input validation Click jacking

Buffer overflow

A Good Outcome?

www.senseofsecurity.com.au © Sense of Security 2011 Page 15 October 2011

Cookie hijacking

Social engineering

Cross site scripting

Credit card data

Data breach

SQL injection

Brute forced

Passwords cracked

Root kit

Trojan

Client side attack

Man in the middle

Spoofing

Authentication bypass

Cross site request forgery

File upload

Remote file inclusion

Remote code execution

Remote control

IKE aggressive mode

Stack overflow

Social engineering

Privilege escalation

Cache poisoning

User Enumeration

Zero day exploit

Fingerprinting

Denial of service

Domain hijacking

Eavesdropping

Phishing

Spear phishing

Fragment overlap attack

Input validation

Spoofing Virus

Malware

Zombie Botnet Click jacking

Session fixation

Back door Session hijacking

Buffer overflow

Fuzzing DLL hijacking Binary planting

Metadata leakage RF access

SCADA hacked

A Good Outcome?

www.senseofsecurity.com.au © Sense of Security 2011 Page 16 October 2011

It’s Up to You

The outcome is a function of the inputs

www.senseofsecurity.com.au © Sense of Security 2011 Page 17 October 2011

Before Testing

• Determine what it is that you are protecting

• Determine implication of a breach

• Know your data: • Where is it?

• What is it?

• Risk Assessment – define depth and breadth of scope

www.senseofsecurity.com.au © Sense of Security 2011 Page 18 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 19 October 2011

Breadth & Depth of Scope

www.senseofsecurity.com.au © Sense of Security 2011 Page 20 October 2011

Breadth & Depth of Scope

Application

Client/ServerCustom Off The Shelf (COTS)

Web AppAdmin Interfaces

Content Mgt System (CMS)Web Service

Mobile App

RolesFunctions

Pages

Depth

www.senseofsecurity.com.au © Sense of Security 2011 Page 21 October 2011

Breadth & Depth of Scope

Cloud

Software as a ServicePlatform as a Service

Infrastructure as a ServiceSecurity as a Service

Hardware as a ServiceData as a Service

Everything as a Service

MultitenantVirtualisation

SLAContractExternal Internal

Depth

www.senseofsecurity.com.au © Sense of Security 2011 Page 22 October 2011

Breadth & Depth of Scope

Network

External

Internal

Software as a ServicePlatform as a Service

Infrastructure as a ServiceSecurity as a Service

Hardware as a ServiceData as a Service

Everything as a Service

Head OfficeDatacentre

Remote SitesOther Entry Points (Home n/w, Mobile, Business Partner etc)

Hosting Service Provider

Depth

www.senseofsecurity.com.au © Sense of Security 2011 Page 23 October 2011

Capability

• Define the scope • Information Gathering • Port Scan • Vulnerability Scan • Enumeration • Pen Test • Compile Results • Report

• Scoping; Rules; Contacts; Goals

• Information and Intelligence Gathering

• Threat Modelling • Vulnerability analysis • Exploitation • Post Exploitation • Reporting • Remediation • Regression/Re-Testing

Methodology Experience

Tools Skill

www.senseofsecurity.com.au © Sense of Security 2011 Page 24 October 2011

Time & Budget

• Risk Assessment should define scope

• Budget buys you time

• Time dependent on scope (breadth & depth) and capability

• An underestimated budget will impact: • Time

• Scope

• Capability

• Outcome is affected

www.senseofsecurity.com.au © Sense of Security 2011 Page 25 October 2011

Time & Budget

Interdependencies, aligned with commonly accepted methodologies: PRINCE2 and PMBOK

www.senseofsecurity.com.au © Sense of Security 2011 Page 26 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 27 October 2011

Depth of Testing vs Time

• Short timeframe – limited expectation: • Run scan tools

• High-level research specialised tools and techniques

• Execute and validate findings

• Write report – some findings might be generic without detailed technology specific fixes

• Reasonable Timeframe – Value oriented outcome • Do all above

• Familiarise with new technology

• Download and install software and look for bugs or potential mis-configuration options that can be set by user

• Write custom tools and exploit code

• Write detailed report with technology specific recommendations that can be implemented without the customer having to do any additional research

www.senseofsecurity.com.au © Sense of Security 2011 Page 28 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation, AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 29 October 2011

Cloud & Regulation – AU Govt

• WoG policy position on Cloud Computing: “Agencies may choose cloud-based service where they demonstrate value for money and adequate security”[1]

• … take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal and/or external auditors and specialist organisations where required [2]

• … have an obligation to protect the personal information that they hold from loss or misuse and unauthorised access, modification or disclosure [5]

• DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is publicly available.[4]

• Applicability of the Protective Security Policy [3]

www.senseofsecurity.com.au © Sense of Security 2011 Page 30 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 31 October 2011

Where Does Pentesting Fit In?

Plan Conduct Initial Pen test

( System before first use or a significant

change)

Do

Analyse and treat

Security risks identified

Check Undertake Technical

Compliance check (Regularly conduct

Pen test on Systems/Networks)

Act Determine cause of non-compliance and

take necessary corrective action

Information Security Monitoring

Requirements from

Standards and Regulatory

Frameworks AUS Gov - ISM ISO 27001/2

PCI DSS

Compliance with security

standards and regulatory

requirements thereby

improving the Security Posture

www.senseofsecurity.com.au © Sense of Security 2011 Page 32 October 2011

Agenda

• Effective Outcomes: • Dependencies

• Getting the Balance Right • Balance - Making Informed Decisions

• Depth of Testing vs Time

• Cloud & Regulation - AU Govt

• Pen Testing – The Broader Picture

• Conclusions

www.senseofsecurity.com.au © Sense of Security 2011 Page 33 October 2011

Conclusion

• Know your data; think data centric not system centric

• Know what you need to test – Risk Assessment to define scope

• Breadth & Depth of scope; work effort (cost) should reflect

• Due to sophistication of attacks, increased requirement for expertise; cannot rely on tools

• Make informed decisions – outcome related to inputs

• Capability a function of methodology + skill + heritage + reporting

• Quality of reporting should be evaluated (Tech+Exec); affects ability to remediate; need to be able to act on the outcome

• Comprehensive testing will cost more than a check box test

• Cloud is an extension of your organisation; risks must be evaluated and treated accordingly

• Use the pentest as an opportunity to evaluate/tune your detection + response capability

www.senseofsecurity.com.au © Sense of Security 2011 Page 34 October 2011

References

References:

[1] Australian Government Cloud Computing Strategic Direction Paper, Dept of Finance,

April 2011 Version 1. http://www.finance.gov.au/e-government/strategy-and-governance/docs/final_cloud_computing_strategy_version_1.pdf

[2] Australian Government Protective Security Policy Framework, AGD, Jan 2011, V1.2 http://www.ema.gov.au/www/agd/agd.nsf/Page/ProtectiveSecurityPolicyFramework_Contents

[3] Securing Government Business. Protective Security Guidance for Executives, AGD,

June 2010 http://www.ag.gov.au/www/agd/agd.nsf/Page/ProtectiveSecurityPolicyFramework_ProtectiveSecurityPolicyFrameworkDownloads

[4] Cloud Computing Considerations. DSD, April 2011 http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf

[5] Privacy and the Cloud – speech to Cloud Computing Conference and Expo – 9/9/2010

Office of the Privacy Commissioner. http://www.privacy.gov.au/materials/types/download/9572/7133

[6] Western Australian Auditor General’s Report. Information Systems, Report 4, June

2011. www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf

[7] Victorian Auditor-General’s Report Security of Infrastructure Control Systems for

Water and Transport, October 2010 download.audit.vic.gov.au/files/20100610_ICT_report.pdf

[8] Analyzing the Accuracy and Time Costs of Web Application Security Scanners, Larry

Suto, Feb 2010

www.senseofsecurity.com.au © Sense of Security 2011 Page 35 October 2011

Questions?

www.senseofsecurity.com.au © Sense of Security 2011 Page 36 October 2011

Thank you

Recognised as Australia’s fastest growing information security and risk management consulting firm through the Deloitte Technology Fast 50 & BRW Fast 100 programs

Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text or images can be reproduced without written permission. This presentation will be published at http://www.senseofsecurity.com.au/research/presentations Whitepaper will be published at http://www.senseofsecurity.com.au/research/it-security-articles

Sydney, Melbourne T: 1300 922 923 info@senseofsecurity.com.au www.senseofsecurity.com.au