Penetration Testing Is A Bad Idea. Anton Aylward, CISSP, CISA System Integrity

Similar documents
SECURITY. Risk & Compliance Services

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Managing IT Security with Penetration Testing

Defending Against Data Beaches: Internal Controls for Cybersecurity

Information Security Services

LINUX / INFORMATION SECURITY

White Paper. Information Security -- Network Assessment

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Internet Safety and Security: Strategies for Building an Internet Safety Wall

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Nine Steps to Smart Security for Small Businesses

INFORMATION SECURITY STRATEGIC PLAN

External Supplier Control Requirements

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Information Security. Incident Management Program. What is an Incident Management Program? Why is it needed?

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Introduction to Cyber Security / Information Security

Managed Security Monitoring: Network Security for the 21st Century

Penetration Testing Service. By Comsec Information Security Consulting

(Instructor-led; 3 Days)

SECURITY CONSIDERATIONS FOR LAW FIRMS

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Network Security Audit. Vulnerability Assessment (VA)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Information Security Policy

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

Presented by Frederick J. Santarsiere

PENETRATION TESTING GUIDE. 1

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

From the Lab to the Boardroom:

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Security Information Management (SIM)

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Cybersecurity and internal audit. August 15, 2014

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Information Security Basic Concepts

The Business Case for Security Information Management

Security aspects of e-tailing. Chapter 7

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

Penetration testing & Ethical Hacking. Security Week 2014

Unit 3 Cyber security

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle

Information Security for the Rest of Us

Incident Response. Six Best Practices for Managing Cyber Breaches.

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Digital War in e-business

Music Recording Studio Security Program Security Assessment Version 1.1

Italy. EY s Global Information Security Survey 2013

UoB Risk Assessment Methodology

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

Information Security Risk Management

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Operational Risk Publication Date: May Operational Risk... 3

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Corporate Incident Response. Why You Can t Afford to Ignore It

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Network Segmentation

FALSE ALARM? Incident Management Case Study. Carlos Villalba

Professional Services Overview

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Risk Assessment Guide

INCIDENT RESPONSE CHECKLIST

Big Data, Big Risk, Big Rewards. Hussein Syed

UF Risk IT Assessment Guidelines

Critical Controls for Cyber Security.

NETWORK SECURITY. 3 Key Elements

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Case Study: Hiring a licensed Security Provider

Penetration Testing in Romania

How To Secure Your Information Systems

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Information Security Specialist Training on the Basis of ISO/IEC 27002

Canadian ISO User Group Conference. Sun Life Financial s Experience with Security Governance & ISO 17799

Web App Security Audit Services

Computer Forensics Preparation

Transcription:

Penetration Testing Is A Bad Idea Anton Aylward, CISSP, CISA System Integrity

What are you trying to test? Can hackers break in? You can t prove a -ve Your firewall works? But is it configured? Your IDS works? Your response system? You ve shown due diligence?

Penetration Testing There s no such thing as Ethical Hacking Would you employ an ethical arsonist to test your home smoke detector? Ethical burglar to test your home security Ethical murderer as a bodyguard Ethical terrorist as an airport guard

Penetration Testing It doesn t simulate a hacker It doesn t simulate their motives It doesn t simulate their timescales It may not simulate their methods A hacker can spend weeks at $0/hr in the intellectual challenge of writing an exploit, positioning it and deploying it. For this, he gets viewed as a security guru! Knowing how to break-in doesn t mean you know how to defend.

Attack Taxonomy Internal structured or unstructured External structured or unstructured Network based Application based Social based Natural/Man-made disasters fire, flood, wind, power, impact, theft

Penetration Testing It addresses less than 5% of security risks It only looks at external interfaces Most security problems are internal Errors and omissions Lack of policy & procedure Disaster Recovery and Business Continuity Insider Threats Fragile Architecture

Penetration Testing It should be the last thing you do After making the changes recommenced by an audit of the perimeter configuration After making the changes recommenced by an audit of the internal configuration Because you need defense in depth Because you DON T want to find any vulnerabilities Because its less risky this way Because its less expensive this way

Penetration Testing It s not cost effective A conventional audit will tell you more for less Use a well established methodology... CobIT SSE-CMM that matches your business processes And audit will tell you about Your internal risks Your IT processes Good Governance & Practices Better ROI

Penetration Testing It focuses on the Technical, not the Business The drama appeals to the media Techies like to show off Most of your security problems aren t technical People Legal and IP DRP/BCP Rights Management Spam Viruses & Worrms E-Mail problems OS Problems Patches & Updates

Penetration Testing Technical or Business? Losses at Enron, WorldCom, Parmlait, Nortel, Royal Dutch Shell, Royal Plastics etc had nothing to do with hackers breaking in Disclosures at XXX YYY ZZZ had nothing to do with hackers breaking in Most of your security problems aren t technical

Penetration Testing It only addresses the known, not the unknown or future exploits Its impossible to predict future InfoSec incidents based on past events Pen-testing doesn t test your processes, only your defenses and only your external, static, boundary defenses

Other Shortcomings Doesn t test forensics needed for possible follow-up (e.g. prosecution of hackers) Doesn t validate that the successful defenses follow the business requirements Doesn t test your hiring, training, dismissal and other human factors procedures Its not a continuous/feedback process

Why is Pen-Testing Popular? The Media Hackers make Headlines Its Dramatic Its Fascinating Its Fun! - techies like it It Opens Doors - salesmen like it Its easy to sell to people who don t understand the real issues Fear Uncertainty Doubt

The Big Downside Penetration testing is avoidance behavior. By focusing attention on outside threats the real and more complex problems, the internal problems of IT governance, business needs and processes, internal controls and oversight, problem, change and configuration management are all avoided.

What Should You Do? Perform a simplified Risk Assessment WHY? Dealing with higher risk issues has better ROI Identifies YOUR real vulnerabilities Puts YOU in control of what gets fixed first Avoid One Size Fits All

What Should You Do First? Identify your assets Computing assets including the ones you didn t know you had Communication assets including the ones you didn t know you had Data Assets Assign Values Monetary Business Process Criticality

What Should You Do Next? Identify your business processes rate them by criticality various metrics Cross correlate assets & processes matrix Identify what can go wrong What is the impact? What is the likelihood? How can it be mitigated? Define a baseline So you can show & measure improvements

Now you have the information Plan Do What controls to put in place? Put them in place Check Do they work? What is missing? Correct Keep doing it

Now you have the information

Things to Consider You only have control over your inside Most security problems are on the inside Configuration Change management Awareness of the issues of events of what action to take

Inside or Outside Attacks

Inside Risks & Threats Finger Trouble Typos Too hurried to check Other Distractions Ignorance Miscommunication Frustration Malice Espionage Ames, Walker, Hansen

Insiders: Advantages Insiders have many advantages over outsiders They are already behind the firewall They know where everything is They can cover their tracks better They may have very personal motives They are already trusted Penetration Testing Doesn t Test Your Highest Risks

Insiders: Hidden Threats Management Lack of commitment Lack of demonstration of commitment Poor communication Ignorance of risks and issues Users Subverting security controls to get the job done The IT Department Obsession with technology Lack of understanding/respect for Business Issues End Users

Insiders: The BIG problem Security? That s not my job OH YES IT IS! Board of Directors Executive management Line management Planners Auditors Financiers Project managers Supervisors Programmers Clerks Cleaners Janitors

How to Approach Security Assurance Understand what you mean by Security Focus on Business not on Technology Think in terms of Processes & Controls Decide what Risks you can live with

What do we mean by Security Its important to have a clear understanding of the objectives We DON T Mean Keep the hackers out Install firewalls and IDS and biometrics Run risk assessments Don t Confuse Motion With Action - Hemmingway

What do we mean by Security We DO Mean Preserve the INTEGRITY of the resources & assets of the enterprise. Keeping key resources & assets CONFIDENTIAL Ensuring the resources & assets are AVAILABLE for the business functions of the enterprise and be able to show we have done this to the Auditors.. Peace, Order and Good Governance

The Business of Security Baseline Things to put in place to start with High Risk Situations Things that need heightened awareness How to Manage for Security Making it work day by day How to Hire For Security The right people These are all management issues

Management: Baseline You must have a baseline in place Good Practice and Due Diligence Policy & Procedures define expectations define escalation procedures define remedial action (rewards/punishment) Communication, Awareness & Training Is Ignorance an excuse? Yes. Reinforcement Attitude People matter Quality matters

Why Policies & Procedures are Important Define what is: Expected behaviour Acceptable and unacceptable behaviour Consistency of Action Basis for Budget Disciplinary Action Avoiding liability/negligence Economy of scale Measuring progress Demonstrate Compliance Quality Don t wait until an incident occurs and try to figure out how to deal with it on the fly

Why Policies & Procedures are Important Policies and Procedures are the basis for all processes and controls that determine that short and medium term operation of the organization

Management: High Risk Situations Employee Termination Exit Interview Recover property - physical and intellectual Change Access Codes Mergers Disputes Creativity For some people, ideas matter most!

Management: How to Manage for Security Security is a Management issue Without commitment from the board and executive there is no belief that security matters Security is NOT an IT issue Training & Orientation Monitoring Enforcement All this means BUDGETING for security

Management: How to Hire For Security DO s Check references Check reputation Have all the legal documents NDA Sign-off on understanding P&P DON T s Hire hackers Ethical Hacker = Ethical Thief or Ethical Joyrider

Management: How to Fire for Security Have a formal termination procedure Exit Interview Recover property - Physical & Intellectual Change access codes, passwords Building, parking, voice-mail, alarm Cancel outside accounts and memberships Gartner, health-club, credit reports Sign Non Disclosure and other releases

Solutions: POLICIES Yes, you MUST have Policies! Yes, you MUST communicate the policies & promote understanding of them Yes, you MUST enforce the policies. Don t Confuse Motion With Action - Hemmingway

Solutions: POLICIES Yes, you MUST have Policies! Yes, you MUST communicate the policies & promote understanding of them Yes, you MUST enforce the policies. You MUST conduct security awareness training BUT.

Recommended Reading Fighting Computer Crime - Donn Parker ISBN 0-471-16378-3 If I have to recommend just one book on Information Security it is this one.

Recommended Reading Trust & Betrayal in the Workplace ISBN 1-576-750-70-1 Managing expectations & boundaries Practical exercises

Who do you Trust? Web sites

Who do you Trust? Professional Certification Recognition Professional Ethics Accountability Methodology

Who do you Trust? Professional Certification Recognition By Community of Peers By Means of Process Professional Ethics Accountability Methodology Professional Process Communication

Contact Information Security is not something that comes in a self-contained box. It requires a conscientious an continuous commitment that permeates every aspect of your enterprise and strategies. It is about understanding risks and managing them Anton J Aylward, CISSP CISA aja@si.on.ca http://www.si.on.ca (416) 497-0201

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information