
Penetration testing as an internal audit activity

Penetration testing as an internal audit activity, at the ECIIA conference in Stockholm, October 6th 2016.
Speaker: Carsten Maartmann-Moe

Published in: Business

  1. Penetration testing as an internal audit activity. ECIIA conference, Stockholm, October 6th 2016
  2. Who am I?
     • I'm a hacker
     • I've hacked applications, networks, trains, lottery machines, routers, laptops, ATMs, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more…
     • …all with permission, which makes me a penetration tester
     • A fair share of the penetration tests I've performed were part of internal audits.
     ©TranscendentGroup2016
  3. What is penetration testing? A point-in-time assessment of the quality of the implemented security controls within the scope of testing.
  4. The burning question: Are we secure?
  5. Unfortunately, the questions answered by a penetration test are:
     • How vulnerable is application X? – quite
     • Is detection and response effective? – no
     • Are our employees aware and alert? – no
     • Where are we most vulnerable? – your entire intranet
     • Are our preventive controls effective? – no
     • Are our users' passwords strong? – no
  6. An analogy: Your house (figure: front door key, door sensor, alarm sensors, CCTV camera)
  7. The burning question, modified: Are we secure enough?
  8. What to ask instead: Are we robust, capable, and continuously improving?
     • prevention • detection • response
     • organized • funded • right competencies • right tools and data
     • aligned to the business • goal-oriented • measuring and adapting to both needs and risks
  9. Internal audit's role as per the three lines of defence (TLD): The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.
  10. What to consider
  11. What to consider
     • Planning: audit objective; sourcing; engage IT/service provider
     • Execution: help the pentesters translate technical risk to business risk
     • Reporting: do root cause analysis
  12. Planning and scoping
     • First: ask yourself whether a pentest is really a good idea.
     • Second: what is the question to be answered by the test?
     • Engage and alert your IT security function and service provider.
     • Make sure the consultants understand the high-level concepts of your business.
  13. Tips on sourcing
     • You'll get what you pay for.
     • Choose a preferred vendor, and stick with it.
     • Hire people, not brand: look for experience.
     • Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera).
  14. Execution
     • Don't force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary.
     • Help the pentesters escalate issues.
     • Set aside time for root cause analysis with the part of the business that has been audited.
  15. Reporting
     What to expect:
     • too technical, unstructured reports
     • doom and gloom
     • no business risks
     • mistaking exploitable technical vulnerabilities for critical business risks
     How to manage:
     • keep your eye on the audit objective
     • make the pentesters rate the difficulty of getting in
     • challenge, challenge, challenge
     • understand that it is difficult for an external party to gauge your business risk
     • don't skip root cause analysis
  16. A word on reporting
  17. Root causes
  18. Example from a pentest: passwords (chart: percentage of passwords cracked – 485 cracked, 142 not cracked)
     • We were able to crack 77 % of all passwords within 24 hours with a standard-issue laptop.
     • 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed in summer), Beograd02! (variant of the first password given by the help desk to new users).
  19. 5 whys
     Q: Why are our users' passwords easy to crack?
     A: Because they are short and easy to guess.
     Q: Why are they short and easy to guess?
     A: Users don't know what constitutes a strong password, and create short and easy-to-guess ones because they are also easy to remember.
     Q: So why do they have trouble remembering their passwords?
     A: Each user has 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90 days.
     Q: Why do we force them to change their password?
     A: … I really don't know, good practice I guess? Not sure if it creates stronger passwords, though…
     Q: Why not?
     A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was "Beograd01!", your second will be "Beograd02!" and so on. There's not much security in that.
  20. 5 whys
     Q: Why did this SQL injection vulnerability occur?
     A: Because it's a legacy back-end application that has been exposed to the Internet.
     Q: Why was it exposed to the Internet?
     A: To drive and support business initiative X, which requires customer interaction with the system.
     Q: So why wasn't the project behind business initiative X aware of the vulnerabilities?
     A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team who had the knowledge or time to have an in-depth look.
     Q: Why?
     A: Because no resources are allocated to security in our project.
     Q: Why are there no resources?
     A: I guess it's just not budgeted for, or the business just thinks of it as something the developers and sysadmins should fix as part of the job. But no one has been given training, and if you look at the project plans, there's not an hour dedicated to security.
  21. Summary
  22. Internal audit penetration testing can cause significant security improvement
     • Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure.
     • Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives.
     • Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business.
  23. www.transcendentgroup.com
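The password findings on slides 18 and 19 (the crack rate, the share of passwords built as "string + number + special character", and the Beograd01! → Beograd02! increments that a 90-day rotation policy produces) are numbers an auditor can compute from any cracked-password list, and the increment families are the evidence that turns "weak passwords" into the root cause the 5-whys chain arrives at. The following Python is an added example, not code from the presentation or from Transcendent Group; the cracked list, the not-cracked count and the hashcat-style mask output are constructed for illustration and are not data from the engagement described.

```python
"""Password-pattern analysis over a cracked-password list (added example).

On a constructed sample it derives the figures the slides report from a real
engagement: crack rate, share of the "string+number+special" structure, and
the "Beograd01! -> Beograd02!" increment families caused by forced rotation.
"""
import re
from collections import Counter, defaultdict

# Constructed sample standing in for the plaintexts recovered during a
# password audit. Hypothetical values, not data from the original engagement.
CRACKED = [
    "Summer2016!", "Winter2015!", "Beograd02!", "Beograd03!", "Beograd01!",
    "Stockholm7?", "Password1!", "Welcome16!", "Oslo99#", "Spring2016!",
    "Autumn15$", "correcthorsebattery", "Tr0ub4dor&3", "Malmö2016!", "qwerty",
    "Beograd04!", "Summer2015!", "Helsinki1!", "Riga2016", "abc123",
]
NOT_CRACKED = 5  # hypothetical: hashes still unrecovered when the time budget ran out

# prefix, trailing digit run, non-digit suffix ("Beograd", "02", "!")
_SPLIT = re.compile(r"^(.*?)(\d+)(\D*)$")


def crack_rate(cracked_count, not_cracked_count):
    """Percentage of hashes recovered (the slide's '77 %' figure)."""
    total = cracked_count + not_cracked_count
    return 100.0 * cracked_count / total if total else 0.0


def structure(password):
    """Collapse a password into runs of character classes:
    'Summer2016!' -> 'string+number+special'."""
    classes = []
    for ch in password:
        cls = "string" if ch.isalpha() else "number" if ch.isdigit() else "special"
        if not classes or classes[-1] != cls:
            classes.append(cls)
    return "+".join(classes)


def hashcat_mask(password):
    """Per-character mask in hashcat notation (?u ?l ?d ?s); masks mined from
    cracked passwords feed the next mask attack against the same population."""
    def cls(ch):
        if ch.isupper():
            return "?u"
        if ch.islower():
            return "?l"
        if ch.isdigit():
            return "?d"
        return "?s"
    return "".join(cls(ch) for ch in password)


def structure_shares(passwords):
    """(structure, percent) pairs over the cracked list, most common first."""
    counts = Counter(structure(p) for p in passwords)
    n = len(passwords)
    return [(s, 100.0 * c / n) for s, c in counts.most_common()]


def increment_families(passwords, min_size=2):
    """Group passwords that differ only in a trailing counter whose values form
    a consecutive run: the fingerprint of users answering a rotation policy
    with 'Beograd01!', 'Beograd02!', ... Returns {template: sorted counters}."""
    groups = defaultdict(set)
    for pw in passwords:
        m = _SPLIT.match(pw)
        if m:
            prefix, digits, suffix = m.groups()
            groups[(prefix, suffix)].add(int(digits))
    families = {}
    for (prefix, suffix), nums in groups.items():
        run = sorted(nums)
        if len(run) >= min_size and all(b - a == 1 for a, b in zip(run, run[1:])):
            families[f"{prefix}{{N}}{suffix}"] = run
    return families


def analyse(cracked=CRACKED, not_cracked=NOT_CRACKED):
    """Headline findings an auditor would put next to the chart on slide 18."""
    top_structure, top_share = structure_shares(cracked)[0]
    return {
        "crack_rate": round(crack_rate(len(cracked), not_cracked), 1),
        "top_structure": top_structure,
        "top_share": round(top_share, 1),
        "families": increment_families(cracked),
    }


if __name__ == "__main__":
    result = analyse()
    print(f"{result['crack_rate']} % of hashes cracked")
    print(f"{result['top_share']} % follow '{result['top_structure']}'")
    for template, run in result["families"].items():
        print(f"rotation family {template}: counters {run}")
    print("hashcat mask for Summer2016!:", hashcat_mask("Summer2016!"))
```

The increment families are the part worth reporting: a single weak password is a user-awareness finding, while four consecutive counters on the same stem are evidence that the rotation policy itself is producing the weakness, which is the root cause the 5-whys dialogue on slide 19 reaches.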
