
Penetration Testing as an Auditing Tool

March 1, 2011, ISACA Austin Chapter Luncheon. Jeremy Powell, Consultant, atsec information security
atsec information security 2010

About the Speaker

- Security consultant
- Evaluates the security features of:
  - Operating systems
  - Network appliances
  - Cryptographic modules
  - Networks and websites
- Relevant standards:
  - Common Criteria (ISO/IEC 15408)
  - FIPS 140-2 cryptographic module validation
  - Payment Card Industry Data Security Standard (PCI DSS)
- Lead penetration tester in atsec's U.S. branch

Agenda

- Assurance and Security
- Breaking the Rules
- Penetration Testing
  - Network and Web Application
  - Physical
  - Social Engineering
- Ethics and Legality
- Complementing Audits

Assurance and Security

- Assurance is established trust in information
- Information might need to be:
  - Accurate
  - Confidential
  - Available
  - Tracked
- How is trust established?
  - Design a sound model
  - Implement the model
  - Regularly audit the implementation against the model
  - Break the model
  - Lather, rinse, repeat


Breaking the Rules

- Models are often based on assumptions
- "All prison guards are trusted."
  - Bribes
  - Planted guards
  - Impostors
- "No one knows how the system is designed."
  - Reverse engineering
  - Someone leaks the plans
- "No one can have a weapon inside airport security."
  - Cleaning supplies inside the concourse
  - Restaurant utensils


Penetration Testing

- Controlled rule breaking
- Simulated attack scenarios
- Tests the assumptions behind the model that may not hold in the real implementation
- Different types:
  - Network
  - Web application
  - Physical
  - Social engineering
- Different approaches:
  - White box: prior knowledge of the target
  - Black box: no prior knowledge of the target

)et"or$ and 7e# Applications


<oal' *emotely access a host system and'

<ain control o&er the host *ead and change sensiti&e information 4se this host to access other hosts Port scanners >ulnera#ility scanners %:ploitation engines Scripting languages S? In@ections 6uffer o&erflo"s Cross site scripting attac$s atsec information security 2010
atsec information security 2010 7

Techni=ues

Common attac$s
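The SQL injection bullet above is the slides' clearest case of "testing an assumption that is not true": the developer assumed the username field only ever contains a username. The following is an added example written for this page, not code from the slides or from atsec. The table, the user row, the function names and the payload are all constructed for the demonstration; it uses only Python's standard sqlite3 module, so it runs offline.

```python
"""Added example (not from the original slides): a login check that rests on an
unstated assumption ("the username field only ever holds a username"), and the
same check after that assumption is removed by binding input as data.
All names, the schema, the sample user and the payload are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-formatted query: user input becomes part of the SQL text itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: user input is bound as a value, never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


# Classic tautology payload. The leading quote closes the string literal the
# developer assumed would contain only a username; "OR '1'='1'" makes the WHERE
# clause true for every row; "--" comments out the rest, including the
# password check.
INJECTION = "' OR '1'='1' --"


def demo() -> dict:
    """Run the same five attempts against both implementations."""
    conn = make_db()
    results = {
        "valid creds, vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "wrong creds, vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "injection, vulnerable": login_vulnerable(conn, INJECTION, "anything"),
        "valid creds, hardened": login_hardened(conn, "alice", "s3cret"),
        "injection, hardened": login_hardened(conn, INJECTION, "anything"),
    }
    for name, ok in results.items():
        print(f"{name:26s} -> {'LOGGED IN' if ok else 'rejected'}")
    return results


if __name__ == "__main__":
    demo()
```

The vulnerable function admits the attacker with no valid password because the query it actually executes reads `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, and everything after `--` is a comment. The hardened function compares the whole payload against the username column as an ordinary string and rejects it; the fix is not input filtering but removing the assumption that data and code can share one string.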

Physical

- Goal: gain access to restricted areas of a facility (through technical means)
- Tools:
  - Lock picks
  - Screwdrivers
  - Laser pointers (for motion sensors)
  - Wireless tools
- Attacks:
  - Picking locks
  - Avoiding camera sight lines
  - Using a key logger to steal passwords
  - Finding alternate entrances
  - Installing rogue access points

Social Engineering

- Goal: gain access to restricted areas of a facility (through social means)
- Tools and techniques:
  - Non-public but non-secret information
  - Tailgating through restricted doors
  - Taking advantage of social norms
  - Posing as maintenance workers
  - Acting confident
  - Acting irritated
  - Acting ...

Ethics and Legality

- Testers must be very well trusted
- Contractual Rules of Engagement:
  - Define the exact scope of testing
  - Define how testers should react if they identify vulnerabilities
  - Constrain the testing to certain limitations
  - In turn, provide the tester a "Get Out of Jail Free" card
- The State of Texas requires testers to be licensed:
  - Private investigation licenses
  - Similar laws around the country
- Disclosure of any discovered vulnerabilities is at the customer's discretion only!

Complementing Audits

- Auditors may draw incorrect conclusions:
  - Audits are based on presented (possibly incomplete or incorrect) evidence
  - Auditors often sample the evidence
  - Auditors may make assumptions
  - The standard or model itself may be broken
- Penetration testing covers these gaps:
  - Testers have a simple yet strong motivation
  - Testers may not have seen the audit, so they may not have made the same assumptions
  - With competent testers, penetration testing reveals what competent attackers are capable of


Further Information

- The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick, William Simon
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Kevin Mitnick, William Simon
- atsec's website: www.atsec.com
- atsec's news blog: http://atsec-information-security.blogspot.com/

Thank you.
