REAL SECURITY IS DIRTY

Similar documents
How To Test For Security On A Network Without Being Hacked

What is Penetration Testing?

Vulnerability management lifecycle: defining vulnerability management

AUTOMATED PENETRATION TESTING PRODUCTS

Cyber Security Management

15 Principles of Project Management Success

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

2011 Forrester Research, Inc. Reproduction Prohibited

Corporate Incident Response. Why You Can t Afford to Ignore It

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

AUTOMATED PENETRATION TESTING PRODUCTS

How to Instrument for Advanced Web Application Penetration Testing

HOW TO PREPARE FOR A PCI DSS AUDIT

How to Get from Scans to a Vulnerability Management Program

Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

Todd: Kim: Todd: Kim: Todd: Kim:

FIVE PRACTICAL STEPS

PENETRATION TESTING GUIDE. 1

How To Choose the Right Vendor Information you need to select the IT Security Testing vendor that is right for you.

Big Data and Security: At the Edge of Prediction

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

For DUI Can Be What Gets You Off.

Protect Your Business

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

White Paper. Information Security -- Network Assessment

Psychic Guide 101 Written by: Jennifer A. Young

The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them

Solving the Unique Challenges of IT Recruiting

Seven Things You Must Know Before Hiring a Plumber

The USA Mortgage Smart-Loan Guide

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

INTRODUCTION TO PENETRATION TESTING

Mental Health Role Plays

NERC CIP VERSION 5 COMPLIANCE

THREE FEET from SEVEN FIGURES

2 nd - Watch My Online Neighborhood Video: online- neighborhood

Information Technology Security Review April 16, 2012

Why You Need to Test All Your Cloud, Mobile and Web Applications

Internet Safety Guide for Parents

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

Course Title Penetration Testing: Procedures & Methodologies

If Your In Debt And In Financial Distress Don t Do Anything Until You Read This Special Report That Reveals

What Do You Mean My Cloud Data Isn t Secure?

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

Seven Things You Must Know Before Hiring a DUI Lawyer

A Love Affair: Cyber Security, Big-data and Risk

THE THREE Es OF MODERN SECURITY FOR PHISHING

ROLES TO ASSIGN. 1. Judge. 2. Courtroom Deputy. 3. Prosecutor 1 opening statement. 4. Prosecutor 2 direct of Dana Capro

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PCI-DSS Penetration Testing

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

PCI Compliance for Healthcare

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Chapter 3: Approaches to Creating Personas

How To Get A Werewolf

How To Manage A Network Security Risk

How To Find A Job

QUESTION # 1 As a sales person, what do YOU sell FIRST on a sales call?

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Information Security Services

From the Lab to the Boardroom:

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

you are here 10 Questions to Ask About Your Web Design Project a product of the

The need for Security Testing An Introduction to the OSSTMM 3.0

Welcome! You ve made a wise choice opening a savings account. There s a lot to learn, so let s get going!

THE PROJECT MANAGER S ROLE IN BUSINESS DEVELOPMENT

Seven Things You Must Know Before Hiring a DUI Attorney

Key Components of a Risk-Based Security Plan

SWAT PRODUCT BROCHURE

Managed Security Monitoring: Network Security for the 21st Century

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

[ INTRODUCTION ] A lot has changed since 1992, except for everything that hasn t. We come from a place you ve probably never heard of.

Moving on! Not Everyone Is Ready To Accept! The Fundamental Truths Of Retail Trading!

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

How to Justify Your Security Assessment Budget

The 2014 Bottleneck Report on Enterprise Mobile

STOP. THINK. CONNECT. Online Safety Quiz

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Penetration Testing Service. By Comsec Information Security Consulting

Best Practices for PCI DSS V3.0 Network Security Compliance

Transcription:

REAL SECURITY IS DIRTY

INFORMATION SECURITY AND RISK MANAGEMENT ARE PURSUITS OF BRUTAL SELF- REFLECTION.

The most logical business decisions come from facing ugly truths. Before any business spends a dime on infosec or risk management, company leadership should start with honesty right from the get-go. Whether you re a line-of-business executive, a CIO or a CISO, ask yourself truthfully: How secure do you really want to be? The knee-jerk reaction is usually, Of course I want to be very secure! But true security is far from a foregone conclusion. If they re being honest, many executives will admit that what they really want is to adhere to the legally acceptable minimum standard of security. Or they might admit they want to at least appear secure to customers. If those are your answers to how secure you want your business to be, that is fine it is even the norm today. But that means this e-book is probably not for you. There are plenty of compliance regimes and checklists out there already that can walk you down that path. This e-book is meant for those who really, truly want to secure what matters most to their businesses.» If you are serious about IT security, you need to hear this message: It is time to stop being so prissy about how your security department analyzes your threats. Real security tests are messy. They take time. And they re not bound by hundreds of restrictions because actual attackers aren t bound by rules, either. The truth is that real security is dirty because dirty is the only path to honest assessment. And honest assessment is how businesses make better decisions about how to invest in protections that defend their highest value assets.

Chances are you re probably lying to yourself and to your board about how secure you really are. They re not necessarily intentional lies, but they re lies nevertheless. And they re being told because the types of tests your business uses to assess weaknesses in technology and processes aren t nearly thorough enough. Out in the world of security consulting, we run into a lot of business executives and even security executives who are aghast at the idea of a penetration tester taking a month to assess their clients weak spots. But here s the reality: One-day penetration tests aren t going to find out much about an organization s vulnerabilities. The same goes for tests that limit where penetration testers can go within certain buildings, what IT assets they can touch, which employees they can target and so on. Lies TODAY S PENETRATION TESTS ARE NOT EVERY PENETRATION TEST IS CREATED EQUAL. A lack of industry standards has caused many tech service providers to market simpler tests as true penetration tests. Here are some ways to distinguish the pretenders from the defenders: Features Deliverables Marketed Value What It Really Is Not Really A Pen Test Automated scan that identifies network and application weaknesses 100-page listing of thousands of vulnerabilities with little remediation guidance Awareness of all potential internal/ external vulnerabilities VULNERABILITY SCAN Not Really A Pen Test Automated scan, plus manual analysis to verify weaknesses 50-page report with vulnerabilities categorized into three to four criticality ratings, along with some remediation advice Awareness of technical vulnerability priorities, with remediation advice based on those VULNERABILITY ASSESSMENT A True Pen Test Advanced analysis of vulnerabilities that include pivoting and extending through a network and social engineering probes Simple-to-understand report categorized with executive summary and methodology, along with prioritization of remediation based on business impact Awareness of business risk priorities, with remediation steps based on those PENETRATION TEST

Boards of directors, internal audit committees, CEOs and CFOs all trust their IT and security teams to honestly tell them how likely their organizations could be be successfully targeted and attacked by real-life bad guys. That kind of honesty requires penetration testers to go about their business very similarly to the way bad guys would. To be sure: The bad guys don t take a day to probe a target, and they certainly don t limit themselves to which assets or employees they go after. Limited penetration tests offer a false sense of security. This is why one-day tests that throw infected thumb drives in the parking lot are actually worse than doing no test at all. They tell upper-level executives that everything is A-OK when they are not. As a result, they accept risk based on flawed assumptions. Attackers Fight Below The Belt Attackers don t limit themselves to who they attack, when they attack or how they attack. For example, true story, we ve witnessed manufacturing companies that have gone to great lengths to disguise prototype models that leave their R&D facility doors because spies with telephoto lenses might take pictures to steal their designs prior to launch. In infosec, dirty tactics they use include: Standing up a fake access point near executive homes to identify porn sites, and gain access to social media and smart home systems. Disrupting pacemakers or family medical devices while loved ones are in hospitals to blackmail executives into espionage participation. Taking over a smart car or smart home system as a proof of power to gain similar cooperation for external insider attacks.

TAKING THE HANDCUFFS OFF This is why the industry needs to get over its fear and take the handcuffs off security pros inside and outside of the organization. Right now, IT and information security teams are not providing reasonable assurance of security postures they re providing false comfort based on a fantasy. Now, granted, no penetration test should put employees in danger or damage physical property above given thresholds certain lines should not be crossed. Nevertheless, these dirty security techniques may make people uncomfortable. And nearly 100 percent of the time they re probably going to result in a successful penetration. The end game of dirty security isn t necessarily to prove 100 percent penetration rate or to make people look foolish. Taking the gloves off is the means to making people think. It will provide the kind of brutal honesty that drives mature risk management. The methods exist to understand exactly where vulnerabilities await so decision-makers can act on that information. DIRTY SECURITY TECHNIQUES MAY INCLUDE: Mailing contestwinning interview requests based on social media interests Gaining employment on help desks, IT administration or janitorial staff for long-term data theft Utilizing dating sites or chance romantic encounters to gain corporate credentials

GETTING THE MOST OUT OF DIRTY SECURITY: HERE S WHAT A DIRTY SECURITY TEST MIGHT LOOK LIKE, BASED ON A REAL-LIFE ENGAGEMENT AT ROOK: In this particular example, our testers developed a special, homegrown badge-cloning device that could steal digital information wirelessly from RFID door keys. We were testing a high-tech company s data center, so we conducted online research ahead of time to find photos and information about key staffers who would be entering and leaving this high-value facility. Our testers then hung around in the parking lot to spot those people and get close enough to clone their cards. From there, we used these clones to badge-in right after our targets so as not to arouse suspicion; instead, it would look like the person just badged-in twice. We d also performed reconnaissance about engineering team behavior and entered at a time when most of the team would be out of the office. At that point, it was trivial to enter the facility, locate hardware with sensitive data and leave with the hardware. THE TAKEAWAY Post-mortem analysis of the successful penetration and recommendations after the test is where the rubber meets the road for true risk posture improvements. Providing the right analysis of what went wrong and suggestions to move forward can be a delicate challenge, though. Take the dirty penetration test in our example, above. The organization could have responded to the information about the incursion in several ways. They could have installed expensive network access control in the engineering lab, but that wouldn t have been financially feasible. So our recommendations laid out some simple and affordable risk mitigation measures, including making sure people are not sitting around in cars in high-value facility parking lots, improving badge verification processes and updating badge technology so that it is less susceptible to cloning. The point of all of this is that this company would never have even known about the issue or these potential remedies if the penetration test hadn t been allowed near that high-value facility. This is why dirty security is so important. It provides valuable knowledge. And it lets business leaders accept or mitigate risks based on nothing but the truth.

888.712.9531 info@rooksecurity.com rooksecurity.com facebook.com/rookconsulting linkedin.com/company/rook-security twitter.com/rooksecurity

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information