2013 CliftonLarsonAllen LLP Penetration Testing and Vulnerability Assessment CLAconnect.com
Presentation overview What is Risk Assessment Governance Frameworks Types of Audits Vulnerability Assessment Penetration Testing
Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. Information Security offered as a specialized service offering for over 15 years Largest Credit Union Service Practice* *Callahan and Associates 2014 Guide to Credit Union CPA Auditors. CliftonLarsonAllen's credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com news release
We need... "Our board said we need to do an IT Audit." "To be in compliance with XYZ, we need to do a Risk Assessment."
Governance Frameworks Standards for Penetration Testing NIST SP 800-53 (the linked document is SP 800-53A Rev. 1, the companion assessment-procedure guide) http://csrc.nist.gov/publications/nistpubs/800-53arev1/sp800-53a-rev1-final.pdf OWASP http://www.owasp.org OSSTMM http://www.osstmm
Governance Frameworks Common Frameworks - Matrix Resources: http://net.educause.edu/ir/library/pdf/csd5876.pdf
Types of Risk Assessments and Audits Risk Assessment: Enterprise Risk Assessment, IT Risk Assessment, Compliance Risk Assessment IT Audits: Process Audits (i.e., ACH), IT Compliance Audits Security Assessment: Vulnerability Assessments, Penetration Testing, Social Engineering
Audit Philosophy and Approach Philosophy: People, Rules and Tools Approach: Understand, Test, Assess (People, Rules, Tools diagram)
Risk Assessment Theory Inherent Risk (Likelihood vs. Impact) Control Risk Total Risk: IR × CR = TR
Risk Assessment ID Assets Define Threats and Vulnerabilities Classify the likelihood of bad things Quantify the impact Stop here: Residual Risk Continue: Test Effectiveness of Controls (audits)
Traditional IT Audit Broad audits IT General Controls Review Specific/focused audits DRP/IR/BCP audits and testing SDLC and Change Management audits User and group permission audits Vendor management
Traditional IT Audit IT General Controls Review A mile wide and 10 feet deep
Traditional IT Audit PCI DSS (slide diagram of requirement groups 1 through 6)
Traditional IT Audit IT General Controls Review Good for broad, high-level coverage of IT management, the information security program, and compliance requirements Answers the question: Do we have the right standards, and are they well documented? Effectiveness testing tends to be light Does not really test the systems or identify exceptions
Traditional IT Audit Focused Audits Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits More focused audits get to the next level of detail; they focus on the process and perhaps application-level controls (i.e., menus); effectiveness testing tends to be more thorough, but is likely still based on sampling These can be Design or Compliance focused
Vulnerability Assessment Port Scans and Vulnerability Scans They are like Radar Pros Cons External and Internal Scanning What are the benefits? Example Monthly scanning for local municipality July nothing new/unusual August nothing new/unusual September - SSH open, and
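The "radar" point above is that a recurring scan is valuable mainly for what changes between sweeps: the September scan matters because SSH was not open in July or August. The following is an added example, not from the original CLA slides, of that differencing step. It parses nmap's grepable (-oG) output and reports, per host, which ports newly appeared or disappeared since the previous sweep. The three scan results and the 203.0.113.x addresses are constructed sample data, and the month labels are assumptions for the illustration.

```python
"""
Monthly scan differencing: treat each sweep as a radar pass and report
what changed since the previous one.  Added example; the scan text below
is constructed nmap -oG output, not a real scan.
"""
import re
from typing import Dict, List, Tuple

Host = str
PortKey = Tuple[int, str]            # (port number, protocol)
ScanResult = Dict[Host, Dict[PortKey, str]]  # host -> {(port, proto): service}

# Constructed sample sweeps.  Real -oG lines have this shape; the hosts
# and ports are invented for the example.
SCAN_JULY = """\
# Nmap grepable output (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
"""
SCAN_AUGUST = SCAN_JULY  # nothing new/unusual
SCAN_SEPTEMBER = """\
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
"""

# -oG port fields: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> ScanResult:
    """Return {host: {(port, proto): service}} for ports reported open."""
    hosts: ScanResult = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comments and blank lines
        host = line.split()[1]
        hosts.setdefault(host, {})
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue                      # status-only line, no port data
        for port, state, proto, _owner, service in PORT_RE.findall(m.group(1)):
            if state == "open":
                hosts[host][(int(port), proto)] = service
    return hosts


def diff_scans(previous: ScanResult, current: ScanResult) -> Dict[Host, Dict[str, List[str]]]:
    """Per host, list ports open now but not before ("new") and the reverse
    ("closed").  Hosts with no change are omitted, so an empty dict means
    "nothing new/unusual" for that sweep."""
    changes: Dict[Host, Dict[str, List[str]]] = {}
    for host in sorted(set(previous) | set(current)):
        before = previous.get(host, {})
        after = current.get(host, {})
        new = sorted(k for k in after if k not in before)
        closed = sorted(k for k in before if k not in after)
        if new or closed:
            changes[host] = {
                "new": [f"{p}/{proto} ({after[(p, proto)] or '?'})" for p, proto in new],
                "closed": [f"{p}/{proto}" for p, proto in closed],
            }
    return changes


def monthly_report(scans: List[Tuple[str, str]]) -> List[Tuple[str, Dict[Host, Dict[str, List[str]]]]]:
    """Diff each sweep against the one before it; the first sweep is the
    baseline and produces no entry."""
    report = []
    prev = None
    for label, text in scans:
        cur = parse_grepable(text)
        if prev is not None:
            report.append((label, diff_scans(prev, cur)))
        prev = cur
    return report


if __name__ == "__main__":
    sweeps = [("July", SCAN_JULY), ("August", SCAN_AUGUST), ("September", SCAN_SEPTEMBER)]
    for label, changes in monthly_report(sweeps):
        if not changes:
            print(f"{label}: nothing new/unusual")
        for host, c in changes.items():
            print(f"{label}: {host} new={c['new']} closed={c['closed']}")
```

The diff deliberately reports closed ports as well as new ones: a service that silently disappears from the perimeter is also a change worth explaining, and a scanner that only alerts on additions would miss it.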
Penetration Testing External Network Applications Internal Network Wireless Facilities (social engineering)
Penetration Testing Goals and Objectives: Understand, Test, and Assess Validate things behave as expected Find/Identify new things
External Network Penetration Testing Everything that touches the outside 1. Routing devices 2. Remote access 3. Web/applications* 4. Other*:
External Network Penetration Testing Pros Cons
Application Penetration Testing External Network Everything that touches the outside
Application Penetration Testing Pros Cons
Internal Network Penetration Testing Internal Network Everything inside with an IP address.
Internal Network Penetration Testing Pros Cons
Wireless Network Penetration Testing Wireless Network What do we know we have? What do we have that we don't know about? Anything else.
Wireless Network Penetration Testing Pros Cons
Social Engineering Tests Pros Cons (People, Rules, Tools diagram)
Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford Confidentiality Integrity Availability (People, Rules, Tools diagram)
Questions?
Thank you! CLAconnect.com Randy Romes, CISSP, CRISC, MCP, PCI-QSA Principal Information Security Randy.romes@CLAconnect.com 888.529.264
Sources for Standards and Guidelines NIST 800-53: Information Security and IT Auditing http://csrc.nist.gov/publications/pubssps.html PCI Requirements https://www.pcisecuritystandards.org/documents/pfi_program_guide.pdf https://www.pcisecuritystandards.org/merchants/self_assessment_form.php HIPAA Security Rule: requirements for periodic technical validation testing, Evaluation (§ 164.308(a)(8)) Information from Health and Human Services