PREPARED BY: Ms Irene Joseph Facilitator

Transcription

1 REPORT ON CYBERSECURITY- CORPORATE INFORMATION, DATA LEAKAGE AND PENETRATION TESTING FORUM HELD ON 29 TH NOVEMBER, 2012 AT TANZANIA GLOBAL LEARNING AGENGY PREPARED BY: Ms Irene Joseph Facilitator 1

2 Contents PREAMBLE... 3 INTRODUCTION... 4 MAIN BODY... 6 ADVANTAGES OF PENETRATION TESTING... 6 PENETRATION TESTING STRATEGIES... 7 TESTING TYPES... 7 METHODOLOGIES OF PENETRATION TESTING... 7 PENETRATION TESTING COVERAGE... 8 TOOLS TO PERFORM PENETRATION TESTING... 8 PENETRATION TESTING... 9 DISCUSSIONS... 9 CONCLUSION RECOMMNENDATION WAY FORWARD REFERENCES

3 PREAMBLE Many appreciation to Tanzania Country Level Knowledge Network (CLKNET) for organizing the session of Cyber-Security focusing on the Corporate Information, Data Leakage and Penetration Testing and for inviting Mr. Adil Ilyas who had vast knowledge on the issues concerning Cyber-Security. Mr. Adil Ilyas from the Technology Expedition Ltd & Cyber-Crime Consultant shared his knowledge on issues concerning the security of the information of Corporate Companies and means of how the organizations can prevent threats at early stages. The session was attended by participants representing different sectors: Government, Private Sectors, Entrepreneurs and Students. It was also observed that the session was male dominated. The session lasted for 3 hours from 1400 to 1700hrs. 3

4 INTRODUCTION The Government of Tanzania has greatly embraced the advantages brought by the Information and Communication Technology (ICT) in the sense that it has taken efforts to create a suitable environment for the deployment and usage of ICT for the realization of its socio-economic goals. Since the existence of the National ICT Policy (2003), the Government has implemented various projects such as the National ICT Backbone (NICTBB) so as to provide reliable connectivity throughout the country and our neighboring countries which makes Tanzania a hub of Infrastructure. This project has demonstrated the vision of the NICTP (2003) which stated Tanzania to become a hub of ICT Infrastructure and ICT Solutions that enhance sustainable social-economic development and accelerated poverty reduction both nationally and globally. Also the Government has established E-Government Agency which will work hand in hand with the ICT Units established in each Ministry to ensure effective use of ICT in respective Ministries. Currently almost every Ministry has an existing website, Accounting and Human Resource Systems and Internet Connection which facilitate the usage of ICT in communication and storage of the Information. This symbolizes that the Government is in the process of going digital in its operations. Other Government Institutions such as Tanzania Revenue Authority has implemented the Driving License System which stores information of all citizens owning a driver license, same as the Immigration offices which have information of all citizen having passports. Currently the National Identification Agency is in the process of developing digital Identification Cards for the citizens. Moreover the banks operate all the activities in digital manner. It has been observed that the usage if ICT has increased greatly in all spheres of economy. Governments, private sectors, NGOs, SMEs and others are currently implementing systems in their organizations so as to increase and ensure efficiency in their works and eventually provide reliable service delivery to individuals. But, the issue of security has not been observed in detail 4

5 which can lead to loss of money in mobile/bank payments, leakage of data from corporate organization and might lead to disaster if not handled well. The Government has observed the serious issue of security with the existence of cyber-crime and has decided to review the current National ICT Policy (2003) so as to ensure that the issue of security is capture well to ensure e-commerce, security of information at corporate to individual level and create awareness among individuals on the importance of Security which eventually will lead to secure usage of ICTs. 5

6 MAIN BODY The presentation focused on leakage of information from the corporate organization such as banks, Governments, NGOs and other large firms through data theft by Intruder and how to perform penetration testing. Since most organization currently store, process, retrieve and prepare reports digitally, hence all the information in relation to the organization is available on digital basis which if not safely stored intruders can get access and cause great loss to organization information. Data leakage can be defined as an authorized transmission of information from within the organization to an external destination or unauthorized recipients which can lead to harm. ADVANTAGES OF PENETRATION TESTING Penetration testing is a structured approach and series of activities undertaken to identify and exploit security vulnerabilities so as to ensure safety by realizing the effectiveness or ineffectiveness of the security measures that exist. Penetration testing has various advantages to an organization in regard to security of the information of that organization Helps safeguard the organization against failure through preventing financial loss; proving due diligence and compliance to regulators, customers, shareholders; preserving corporate image and rationalize information security investment. Evaluates the effectiveness of the existing security products and provides supporting arguments for future investments or upgrade security technologies. Provides a proof of issue and a solid case for proposal of investment to senior management. Helps shape information security strategy, through quick and accurate identification of vulnerabilities; proactive elimination of identified risks; implementation of corrective measures. Provides detailed information on actual exploitable security threats. 6

7 PENETRATION TESTING STRATEGIES If the organization decides to perform penetration testing, there are three methods that can be applied: 1. Black Box: In this method the tester is not aware of anything or does not have any knowledge/ information of the organization he/she is about to perform the task. The tester has to figure out everything from scratch. 2. White Box: The tester is given all the necessary information about the client s organization which will assist him to perform the testing task. 3. Grey Box: The tester gets less information and has to figure out the rest of the information so as to be able to perform the task. TESTING TYPES The tester performing the penetration testing has to consider 3 areas in order to identify the exploits and vulnerabilities in the scope of network, applications and social engineering: The physical structure of the system The logical structure of the system The response workflow of the system METHODOLOGIES OF PENETRATION TESTING In every penetrations testing there are two known testing methodologies which can be applied 1. ISSAF Penetration testing methodology which covers major information technology platforms most high level IT related operational processes and is intended to be applicable to major industry vector. 7

8 2. OSSTMM Open Source Security Testing Methodology is divided into five channel which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunication networks, wireless devices, mobile processes and physical location such as buildings, perimeters and military bases. PENETRATION TESTING COVERAGE The tester can choose either of the methodologies depending on the task provided but in both methodologies the following has to be covered: Test preparation phase Test phase Information gathering Vulnerability analysis Vulnerability exploits Test analysis phase/ Reporting TOOLS TO PERFORM PENETRATION TESTING There are so many tools available out there for performing penetration testing it could be open source or proprietary. Examples of the tools are as follows: Core impact- Commercial Skybox Security- Commercial CANVAS- Commercial Nessus- Commercial Open VAS, a fork of Nessus, still free and very powerful Immunity Canvas- Some versions are free, some are commercial Security Forest- Old but free Metasploit Framework Free BackTrack5 - Free and huge collection of tools within Nmap Free and powerful 8

9 PENETRATION TESTING The presentation was followed by a practical penetration testing of a website built using Joomla platform. The BackTrack5 tool was used for the testing and it was discovered that out of 600 the website had 5 vulnerabilities which could be accessed by hackers. DISCUSSIONS After the presentations and testing, Questions and Answers session followed whereby the participants had an opportunity to ask the presenter the questions. During the discussion it was concluded that: 1. Most of the threats in organizations occur through software or applications. 2. It is more save to do the penetration testing offline, only go online if it is an urgent need. 3. It was also observed that not all the time if the faults found during the penetration testing can be blocked by the pen- tester. At some point the vendor or developer of the system/application is asked to solve the threat. 4. It was also suggested that in an organization the employees to access the computer/internet form domain access. 5. It was also observed that most of the proprietary softwares are more secure. 6. The participants discussed on what could be done to ensure the safety of the Government s websites since most of them are built on Joomla platform. 7. Is it possible to be doing penetration testing activity as much as the way financial auditing is been done. Is there a need of regulation that will enforce the need for penetration testing to ensure the safety of information in Corporate Organizations. 8. It was also discussed that the penetration testing has to be conducted by a person/firm outside of that organization that need the testing. 9. To have a forum on discussion the EPOCA Law to understand the legal issues the Government has set in terms of usage of ICT. 9

10 CONCLUSION During the session it was concluded that pentesting is a professional task that assist the organization to identify exploits and find ways to secure them so as to ensure safety of the organization s information. Hence, it is essential for organizations to perform such tests often bearing in mind that it is not an alternative measure for security but a way to avoid threats at an early stage. The organization needs to hire an external organization to perform the penetration testing. 10

11 RECOMMNENDATION Penetration testing to be treated as part of the necessary procedure to be undertaken by corporate organsation so as to ensure the organization prevents itself from attackers sooner by identifying security exploits and vulnerabilities earlier. This will ensure that the organization is aware of any of the existing loopholes and takes measures against them. If penetration testing is done regularly then measures that can be taken soon to prevent security threats. WAY FORWARD To conduct technical/practical forums whereby experts in security perform different security measures using different tools to provide a more practical learning to students, clients and security officers of different organizations. REFERENCES 1. Ilyas,.A. (2012) Presentation on Corporate Information Security 2. National Information and Communication Technology Policy (2003) 11