
M Kamens Iia Financial Services Presentation At Disney

Presentation at IIA Conference at Disney

Published in: Technology

1. Over 700 Vulnerabilities Reported on My Penetration Test, Now What?
   Be confident that the IT Security Assessment you present to the Audit Committee accurately represents your business.
   Michael Kamens, JD, CISM, Accume Partners

2. Agenda
   - Introduction
   - Considerations for Evaluating Vulnerability
   - Risk Assessment vs Vulnerability Assessment
   - The Need for Vulnerability and Penetration Testing
   - Internal Auditors' Role
   - Vulnerability and Penetration Assessment
3. Introduction: Challenges
   - Security reports indicate that your network is vulnerable to being exploited by "hackers"
   - On the other hand, your IT people tell you how secure your network is
   - Most IT auditors are scared of the network
     - You have limited time to finish your audit
     - Going head to head with the IT team would be unproductive
     - When the reports detail vulnerabilities, are they explained in a way that makes sense?
     - Do you really understand what a "false positive" is (a finding the scanner reports that, on verification, does not exist on the host)?
     - How thorough is your understanding of the technology you are auditing?

4. Considerations for Evaluating Vulnerability: Questions to Ask
   - Can a "hacker" breach your network? (Hint: absolutely!)
   - Has the IT department done everything it can to make your network more secure?
   - Are policies and procedures in place to ensure that best-practice standards are actually followed?

5. Considerations for Evaluating Vulnerability: Trends Affecting Information Security
   - Businesses have a tremendous opportunity to use information technology to expand their productivity.
   - Many organizations will need to give users easier access to selected areas of their information systems, which increases the potential exposure.
   - In taking advantage of all this increased connectivity, speed and data, securing the information within their communications systems has to be a mandatory priority.
   - Unfortunately, no single security device or procedure will ensure a risk-free environment.
6. Risk Assessment vs Vulnerability Assessment: IT Risk Assessment
   - An IT Risk Assessment gives a detailed analysis of how well a business is secured, weighing threats, their likelihood and their business impact.
   - It answers the question: how secure is your organization's information? This is a high-priority issue.

7. Risk Assessment vs Vulnerability Assessment: Vulnerability Assessment
   - A Vulnerability Assessment identifies the weaknesses and vulnerabilities on the network that expose the business to risk
   - It lets the business reduce threats and take remedial action before the weaknesses are exploited
   - It provides an analysis of the business's security
   - It helps verify that only authorized employees have access to critical corporate data

8. Risk Assessment vs Vulnerability Assessment
   - The Vulnerability Assessment lets the business exercise its incident response capability by:
     - Detailing the vulnerabilities of the business
     - Developing response plans and procedures
     - Improving the capability of crisis management teams
9. The Need for Vulnerability & Penetration Testing: Drivers
   - Businesses continue to rely on the Internet to increase revenue, thereby exposing data to potential hackers
   - Businesses are inadequately securing customer data
   - ID theft is at an all-time high
   - Consumers are inadequately educated about securing their own identity data

10. The Need for Vulnerability & Penetration Testing: Challenges
   - The demanding pace of business
     - The need for speed can take precedence over logical security measures
   - Corporate culture
     - The "it will not happen to me" attitude
     - Focusing resources only where they generate high visibility and high ROI
     - Hesitance to commit valuable (human, financial) resources to protecting client data
11. Internal Auditors' Role: Where are you?
   - Are you part of your organization's team in planning the IT Audit and deciding what areas will be in scope?
   - Or is the attitude "Well, it's not a key control, so let someone else handle it"?

12. Internal Auditors' Role: What IA gains by being involved with Vulnerability and Penetration Testing
   - Assurance that data is not exposed to compromise
   - Assurance that administrative rights are properly administered
     - Request screenshots of ID login, password and user rights configurations and of file shares
     - Review the process for how admin rights are granted
   - Assurance that a Trojan Horse would not be able to take over the network; typical findings that undermine this:
     - The Guest account is enabled and has no password
     - The server has never been hardened

13. Internal Auditors' Role: What you should know
   Hardened servers, Guest accounts and Trojan Horses
   - Hardened servers
     - Out of the box, a server operating system commonly ships with services enabled that have nothing to do with the role the server will actually play.
     - The OS could be Windows, Linux, Unix, etc.
     - Services can include email, web, SQL, etc.

14. Internal Auditors' Role: What you should know (cont'd)
   - If the server is not meant to provide email, web or SQL, why should those services be running?
     - Turn them off. Every unneeded service is attack surface that must still be patched and monitored.
   - The Guest account
     - Is normally never used
     - When enabled with no password, it gives malware (such as a Trojan Horse carrying a malicious program) or an intruder a trivial foothold on the host
   - Simply having and enforcing a hardening policy lets the organization eliminate many vulnerabilities
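The hardening policy on slides 13 and 14 reduces to a baseline: a server of a given role should expose only the services that role needs, and anything else should be turned off. The script below is an added example, not material from the presentation, showing how an auditor or administrator can check a Linux host against such a baseline by parsing the output of `ss -lntp`. The role allow-lists and the sample `ss` output are constructed for illustration; the real output would come from running the command on the server under review.

```python
"""Compare a host's listening TCP services against the allow-list for its role.

Added example, not from the presentation. It parses the `ss -lntp` output
format (Linux) from a constructed sample; the role baselines and the sample
output are illustrative assumptions, not a vendor's data.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed role baselines: the TCP ports a server of this role is expected to expose.
ROLE_BASELINES: Dict[str, Set[int]] = {
    "file-server": {22, 445},
    "web-server": {22, 80, 443},
    "mail-server": {22, 25, 587, 993},
}

# Constructed `ss -lntp` output for a host that is supposed to be a file server
# but also has a web server, a mail relay and a database listening.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=1041,fd=35))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=1320,fd=4))
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("master",pid=1402,fd=13))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1510,fd=21))
"""

# One LISTEN row: state, queues, local addr:port, peer, then the owning process name.
_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (bind address, port, process name) for every LISTEN line; the header is skipped."""
    listeners: List[Tuple[str, int, str]] = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return listeners


def unexpected_services(ss_output: str, role: str) -> List[Tuple[str, int, str]]:
    """Listeners whose port is not in the role's baseline, in the order ss reported them.

    Loopback-only listeners are reported as well: they are not reachable from the
    network, but a service the role does not need is still unpatched attack surface.
    """
    allowed = ROLE_BASELINES[role]
    return [entry for entry in parse_listeners(ss_output) if entry[1] not in allowed]


if __name__ == "__main__":
    for addr, port, proc in unexpected_services(SAMPLE_SS_OUTPUT, "file-server"):
        print(f"{proc} listening on {addr}:{port} is outside the file-server baseline")
```

Run against the constructed sample with the `file-server` role, the check flags `apache2` on 80, the Postfix `master` process on 25 and `mysqld` on 3306, which is exactly the "why are email, web and SQL running?" question from slide 14 turned into a repeatable test. The same output against the `mail-server` baseline would instead flag `smbd`, `apache2` and `mysqld`.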
15. Internal Auditors' Role: Impact
   - TJX exposed at least 45.7M payment card records (later estimates put it near 94M)
     - Cause: poor security on their wireless access points
   - TSA lost 100K employees' PII
     - Cause: a missing external hard drive
   - Fidelity lost 196K customers' PII
     - Cause: lost laptop
   - AIG lost 930K customers' PII
     - Cause: theft of a server
   - Bank of America lost 1.2M federal employees' PII
     - Cause: lost backup tapes
   - Texas Guaranteed Student Loan lost 1.3M customers' PII
     - Cause: lost computer tapes

   Q.: Can your organization survive the front page or the 6 o'clock news?
   Note: PII = Personally Identifiable Information. Includes SSN, birth dates, addresses, driver's license numbers or anything else that identifies an individual.
16. Vendor Management: Selecting a vendor
   - Is a Vendor Management policy in place?
   - The vendor should be qualified to
     - Perform a simulated attack and penetration of your organization's firewall from the Internet
     - Assess your production servers

17. Vendor Management: Selecting a vendor
   Vendor criteria
   - Good business practice dictates requesting three quotes
   - Review the financials of prospective vendors to ascertain their solvency
   - Review the firm's history
     - How long has the firm been in business?
     - How long have they been performing vulnerability and penetration testing?
   - Review staffing
     - Does the prospective vendor use permanent staff or contractors?
     - What are their credentials?

18. Vendor Management: Selecting a vendor
   Vendor criteria (cont'd)
   - What insurance do they carry?
   - Who owns all the data, raw and finished?
   - Will the same team begin and finish the engagement?
   - Estimated project length
   - References within your industry are critical
   - How do they present their evidence (reports)?
19. Vulnerability and Penetration Assessment: Testing
   - IA should be part of the team that determines the scope of testing
   - You will want to be able to read the Vulnerability and Penetration report and satisfy yourself that the organization is secure

20. Vulnerability and Penetration Assessment: Phase – Assessment Areas
   - When looking at the areas of an assessment, there are various ways of categorizing them. For example:
     - EXTERNAL: firewall, DMZ, email, web
     - INTERNAL: hosts/servers
     - INTERNAL: network devices
     - INTERNAL: PCs
     - Phone sweep
     - Social engineering

21. Vulnerability and Penetration Assessment: Phase – Assessment Areas
   - There are numerous areas to consider for assessment
   - The number of scans per year depends on how frequently each area is assessed
   - Two scans are mandatory:
     - EXTERNAL IPs (firewall, email, DMZ, web): semi-annual test
     - INTERNAL IPs (hosts/servers): semi-annual test

22. Vulnerability and Penetration Assessment: Phases – Assessment/Scans
   - The PC scans
     - Verify that the PCs are patched and updated
     - Identify accounts without passwords
     - Identify vulnerabilities from missing patches
     - Usually performed annually
   - Phone sweep / war dialing (optional)
     - Dials the organization's telephone number ranges to find answering modems, confirming that users have not connected unmanaged modems to their PCs and bypassed the firewall
   - Social engineering (optional)
     - Attempts to obtain client data from staff at remote sites
23. Vulnerability and Penetration Assessment: Phases – Data Analysis
   - Data analysis is the most critical stage of the assessment
     - Distinguishing genuine high-severity vulnerabilities from "false positives"
   - Once the vendor has completed their scans
     - The data needs to be correlated, analyzed and ranked by importance

24. Vulnerability and Penetration Assessment: Phase – Data Rating
   - The rating system is used to evaluate criticality
   - ECHO system
     - E = Exposure
     - C = Control Concern
     - H = Housekeeping
     - O = Okay

25. Vulnerability and Penetration Assessment: Phase – Data Rating
   ECHO rating system
   - E – Exposure (High): immediate corrective attention required
   - C – Control Concern (Medium): corrective action required
   - H – Housekeeping (Low): configuration enhancements recommended
   - O – Okay (Low): controls appear to be adequate

26. Vulnerability and Penetration Assessment: Phase – Deliverables from Vendor
   You should receive the following from the vendor:
   - CD/DVD containing all raw scan data from your assessment, supporting their conclusions and reports
   - A complete, detailed report explaining every vulnerability along with its severity level and remediation
   - An Executive Summary that describes the condition of your organization and includes management's responses. This is meant for the Audit Committee or Board members
27. Vulnerability and Penetration Assessment: Vulnerability Reports
   - The report should identify each device that has vulnerabilities
     - Some devices may have several vulnerabilities that need attention
   - Each vulnerability should be defined with a description, a reason and a CVE (Common Vulnerabilities & Exposures) reference
     - CVE is a list of standardized identifiers for publicly known vulnerabilities and security exposures
     - Because every tool and vendor refers to the same issue by the same CVE identifier, findings from different scanners and reports can be matched and de-duplicated
   - Risk rating
   - Remediation: there should be an explanation or recommendation for how to remediate the vulnerability
   - See the examples that follow

28. Vulnerability and Penetration Assessment: Vulnerability Reports – Typical Detail
   Finding: Exchange XEXCH50 Remote Buffer Overflow vulnerability detected on port smtp (25/tcp)
   Vulnerability Description: This system appears to be running a version of the Microsoft Exchange SMTP service that is vulnerable to a flaw in the XEXCH50 extended verb. This flaw can be used to completely crash Exchange 5.5 as well as execute arbitrary code on Exchange 2000.
   ECHO Rating / Risk: E – Exposure; immediate corrective attention required
   Category – Type of Vulnerability: SMTP problems
   Additional Information: N/A
   Vulnerable System(s): 02x.xxx.xxx.174 (server)
   Recommendation: System administrators should apply the security patch to Exchange servers immediately. Refer to: http://www.microsoft.com/technet/security/bulletin/MS03-046.mspx
   Vulnerability Reference (CVE/CAN, BID): CVE: CVE-2003-0714; BID: 8838; other references: IAVA:2003-A-0031, IAVA:2003-a-0016; Nessus ID: 11889

29. Vulnerability and Penetration Assessment: Vulnerability Reports – Typical Detail
   Vulnerability Description: Terminal Services are enabled on the remote host.
   Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker obtains a valid login and password, they may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol), when run with the legacy RDP security layer rather than TLS with a validated server certificate, is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
   ECHO Rating / Risk: O – Okay; controls appear to be adequate
   Category – Type of Vulnerability: Useless services
30. Vulnerability and Penetration Assessment: How Could There Be 700 Vulnerabilities?
   - Scanners report a finding once per host per check, so the raw count multiplies each weakness by the number of hosts that have it
   - Count each vulnerability once, and record which hosts are affected, rather than counting it against every server
   - For example, if 12 hosts are missing the same patch, the scanner may report dozens of separate buffer-overflow findings that all trace back to that one patch
   - Once the patch is deployed, all of those findings disappear together
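Slides 23 to 25 describe correlating and ranking the raw scan data and applying the ECHO rating; slide 30 explains why the raw count is inflated. The script below is an added example, not from the presentation, that performs that roll-up: it groups per-host findings by CVE (falling back to the scanner's check name when no CVE exists), drops analyst-confirmed false positives, assigns an ECHO letter and orders the result for remediation. The export columns, the severity-to-ECHO mapping and every record are constructed for illustration; a real scanner export has more columns, but the roll-up logic is the same.

```python
"""Roll per-host scanner findings up into unique issues and rate them with ECHO.

Added example, not from the presentation. The export layout (host, plugin, cve,
severity, false_positive), the severity-to-ECHO mapping and every record are
constructed for illustration; real scanner exports carry more columns.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# ECHO letters from the deck, mapped from a scanner's severity labels (assumed mapping).
ECHO_BY_SEVERITY = {"critical": "E", "high": "E", "medium": "C", "low": "H", "info": "O"}
ECHO_ORDER = {"E": 0, "C": 1, "H": 2, "O": 3}


def constructed_export() -> str:
    """A constructed raw export: one missing patch repeated across 12 hosts, plus noise."""
    rows = ["host,plugin,cve,severity,false_positive"]
    for i in range(1, 13):
        rows.append(f"10.0.0.{i},Exchange XEXCH50 remote overflow (MS03-046),CVE-2003-0714,high,no")
        rows.append(f"10.0.0.{i},SMB signing not required,,medium,no")
    for i in range(21, 26):
        rows.append(f"10.0.0.{i},Terminal Services enabled,,info,no")
    # Analyst-confirmed false positive: the scanner flagged a host that is already patched.
    rows.append("10.0.0.30,Exchange XEXCH50 remote overflow (MS03-046),CVE-2003-0714,high,yes")
    return "\n".join(rows) + "\n"


def load_findings(csv_text: str) -> List[Dict[str, str]]:
    """Parse the export into one dict per raw finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def echo_rating(severity: str) -> str:
    """Map a scanner severity to an ECHO letter; unknown labels default to C so an analyst reviews them."""
    return ECHO_BY_SEVERITY.get(severity.strip().lower(), "C")


def roll_up(findings: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group findings by CVE (or by check name when no CVE exists), dropping confirmed false positives."""
    issues: Dict[str, dict] = {}
    for f in findings:
        if f["false_positive"].strip().lower() == "yes":
            continue
        key = f["cve"] or f["plugin"]
        issue = issues.setdefault(key, {
            "cve": f["cve"] or None,
            "plugin": f["plugin"],
            "echo": echo_rating(f["severity"]),
            "hosts": set(),
        })
        issue["hosts"].add(f["host"])
    return issues


def remediation_order(issues: Dict[str, dict]) -> List[dict]:
    """Most urgent first: by ECHO letter, then by how many hosts one fix would clear."""
    return sorted(issues.values(), key=lambda i: (ECHO_ORDER[i["echo"]], -len(i["hosts"])))


def summarize(csv_text: str) -> dict:
    """The numbers the Audit Committee should hear: raw count versus unique issues, by ECHO letter."""
    findings = load_findings(csv_text)
    issues = roll_up(findings)
    by_echo: Dict[str, int] = defaultdict(int)
    for issue in issues.values():
        by_echo[issue["echo"]] += 1
    return {
        "raw_findings": len(findings),
        "false_positives": sum(1 for f in findings if f["false_positive"].strip().lower() == "yes"),
        "unique_issues": len(issues),
        "by_echo": dict(by_echo),
    }


if __name__ == "__main__":
    export = constructed_export()
    print(summarize(export))
    for issue in remediation_order(roll_up(load_findings(export))):
        print(issue["echo"], issue["cve"] or issue["plugin"], f"{len(issue['hosts'])} host(s)")
```

On the constructed export, 30 raw findings collapse to three unique issues (one E, one C, one O), and the E item, a single missing Exchange patch, accounts for 12 of the raw findings by itself. That is the shape of the conversation to have with the Audit Committee: not "700 vulnerabilities" but "this many distinct weaknesses, of which these few are Exposures, and here is how many hosts each fix clears".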
31. Vulnerability and Penetration Assessment: Four Most Common Causes of Vulnerabilities
   - Lack of housekeeping
   - Not hardening servers
   - Not updating/patching servers and PCs
   - No follow-up on previous Vulnerability and Penetration Assessments

32. Vulnerability and Penetration Assessment: Additional Causes of Vulnerabilities
   - Our tendency is to spend scarce resources on the most publicized vulnerabilities rather than on the vulnerabilities that pose the greatest risk to the enterprise.
   - If we had unlimited resources and budgets, our first step would begin before a computer network becomes operational, so that no flawed computers are introduced into the network.
     - The network could then be probed for security vulnerabilities.
     - Finally, the external network defense, the firewall, could be verified before any connection to the public network is allowed.
   - In reality, we are under-staffed, under-budgeted and pressured for time to meet deadlines. Skipping that pre-production step, and putting systems into service before they have been hardened and verified, is the cause of the largest share of known vulnerabilities.
33. Vulnerability and Penetration Assessment: Sample Report Conclusion
   "We have reviewed ACME Bank's IT Policies and Procedures for safeguarding their network systems having an Internet presence."
   "Our vulnerability testing identified six vulnerabilities and security configuration issues. We recommend that ACME review their network patch management policies and procedures. Effective patch management policies, detailed procedures, and processes will improve the Bank's overall security posture and provide adequate protection against known vulnerabilities and intruder attacks."
   "It is important to remember that security is a process, not a destination. New vulnerabilities are discovered on a daily basis, and without keeping abreast of the latest security information any network, regardless of how secure it is at present, has the potential to be compromised in the future."

34. Vulnerability and Penetration Assessment: Internal Audit Responsibilities
   - Review the report to ascertain just how secure your organization is
   - Ensure that the vulnerabilities discovered, and the agreed-upon action plans and time frames for remediation, are included as part of your audits (critical)
   - Ensure that remediations are completed within the set time frame

35. Questions and Answers
   Remember: before you argue with someone, walk a mile in their shoes; that way you are a mile away and have their shoes.
   (Author unknown)

36. Michael Kamens, JD, CISM, Director, Information Technology, mike@mikaassociates.com