Penetration Testing and Vulnerability Assessment

Transcription

1 2013 CliftonLarsonAllen LLP Penetration Testing and Vulnerability Assessment CLAconnect.com

2 Presentation overview What is Risk Assessment Governance Frameworks Types of Audits Vulnerability Assessment Penetration Testing

3 CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

4 Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. Information Security offered as specialized service offering for over 15 years Largest Credit Union Service Practice* *Callahan and Associates 2014 Guide to Credit Union CPA Auditors. CliftonLarsonAllen s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. news release

5 We need Our board said we need to do an IT Audit To be in compliance with XYZ, we need to do a Risk Assessment

6 Governance Frameworks Standards for Penetration Testing NIST OWASP OSSTMM

7 Governance Frameworks Common Frameworks - Matrix Resources:

8 Types of Risk Assessments and Audits Risk Assessment Enterprise Risk Assessment IT Risk Assessment Compliance Risk Assessment IT Audits Process Audits (ie. ACH) IT Compliance Audits Security Assessment Vulnerability Assessments Penetration Testing Social Engineering

9 Audit Philosophy and Approach Philosophy: People, Rules and Tools Approach: Understand Test Assess People Rules ` Tools

10 Risk Assessment Theory Inherent Risk Likelihood vs Impact Control Risk Total Risk IR X CR = TR

11 Risk Assessment ID Assets Define Threats and Vulnerabilities Classify the likelihood of bad things Quantify the impact Stop here: Residual Risk Continue: Test Effectiveness of Controls (audits)

12 Traditional IT Audit Broad audits IT General Controls Review Specific/focused audits DRP/IR/BCP audits and testing SDLC and Change Management audits User and group permission audits Vendor management

13 Traditional IT Audit IT General Controls Review A mile wide and 10 feet deep

14 Traditional IT Audit PCI DSS

15 Traditional IT Audit IT General Controls Review Good for broad, high level coverage of IT management, information security program, and compliance requirements Answers the question: Do we have the right standards and are they well documented? Effectiveness testing tends to be light Does not really test the systems or ID exceptions

16 Traditional IT Audit Focused Audits Common Examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits More focused audits get to the next level of detail; focus on the process and perhaps application level controls (ie. menus); effectiveness testing tends to be more thorough, but likely still based on sampling These can be Design or Compliance focused

17 Vulnerability Assessment Port Scans and Vulnerability Scans They are like Radar Pros Cons External and Internal Scanning What are the benefits? Example Monthly scanning for local municipality July nothing new/unusual August nothing new/unusual September - SSH open, and

18 Penetration Testing External Network Applications Internal Network Wireless Facilities (social engineering)

19 Penetration Testing Goals and Objectives: Understand, Test, and Assess Validate things behave as expected Find/Identify new things

20 External Network Penetration Testing Everything that touches the outside 1. Routing devices 2. Remote access 3. Web/applications* 4. Other*:

21 External Network Penetration Testing Pros Cons

22 Application Penetration Testing External Network Everything that touches the outside

23 Application Penetration Testing Pros Cons

24 Internal Network Penetration Testing Internal Network Everything inside with an IP address.

25 Internal Network Penetration Testing Pros Cons

26 Wireless Network Penetration Testing Wireless Network What do we know we have. What do we have that we don t know. Anything else.

27 Wireless Network Penetration Testing Pros Cons

28 Social Engineering Tests Pros People Rules Cons Tools `

29 Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford Confidentiality Integrity Availability People Rules ` Tools 29

30 Questions? 2013 CliftonLarsonAllen LLP

31 2013 CliftonLarsonAllen LLP Thank you! CLAconnect.com Randy Romes, CISSP, CRISC, MCP, PCI-QSA Principal Information Security

32 Sources for Standards and Guidelines NIST : Information Security and IT Auditing PCI Requirements HIPAA Security Rule The HIPAA Security Rule Requirements for periodic technical validation testing: Evaluation ( (a)(8)) Information from Health and Human Services and here