TRANSCRIPT
Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor
Travis Schack, Colorado’s Information Security Officer
Chris Ingram, Director, Emagined Security
Scott Johnson, Senior Consultant, Emagined Security
Mike Weber, Labs Director, Coalfire Systems
Introductions
To provide a forum for auditors to learn about penetration testing and how such testing, when applied properly, improves the security of the people, processes, and systems that run governments.
Cautionary Note: You will NOT be a competent penetration tester as a result of this course!
How do I become a competent penetration tester?
Learning Objectives
Colorado Office of the State Auditor, Office of Cyber Security Performance Audit (Statewide PenTest)
In 2010, the Colorado Office of the State Auditor conducted a performance audit of the Governor’s Office of Cyber Security. The audit included:
A review of the Office of Cyber Security’s progress in implementing the Colorado Cyber Security Program.
A system-wide, covert or “Red Team” penetration test of the State of Colorado’s information systems.
◦ All attack types, except DoS or DDoS, were within scope.
The assessment was performed covertly to test the State’s incident detection & response capabilities.
Scope
Colorado Statutory Requirements
National Institute of Standards and Technology Requirements
Industry Best Practices
Primary Tenet: The State should protect citizen data from unauthorized access!
Criteria
Breach the security of the State of Colorado’s network and gain access to personally identifiable, sensitive, and/or confidential information.
Identify security weaknesses in systems or web applications that, if exploited, would provide an attacker with significant visibility, confidential data, or the ability to attack the site’s users—Colorado’s citizens and businesses.
Test monitoring, detection, and incident response capabilities.
Test Objectives
A penetration test is NOT the same as an audit or security assessment!!
◦ Penetration tests simulate real world attacks
◦ Penetration tests will NOT identify all vulnerabilities in a system
◦ Penetration tests will NOT identify all internal threats
◦ Penetration tests will NOT be able to determine the cause or reason for the existence of the vulnerability exploited – This is where state auditors came in handy!
What is large-scale?
◦ 67,000 public facing IP addresses (each with potentially 65,000+ ports)
◦ All state buildings in the Denver metro area
◦ All state-owned telephone numbers
What is a large-scale penetration test?
Colorado Office of the State Auditor, IT Audit Division
Colorado Office of Information Security
Coalfire Systems – OSA Prime Contractor (Experts in Network and Physical Security Testing)
Emagined Security – OSA Sub-Contractor (Experts in Web Application Penetration Testing)
Participants
Ongoing and unresolved vulnerabilities identified during routine audits/assessments
Lack of executive level support for information security
Untested information security staff
◦ You will fight like you train!!!
Systemic or Enterprise-wide changes made to the IT environment
Lack of funding for information security
Why did we perform this audit/penetration test?
Overall, we concluded that the State is at serious risk of a system compromise and/or data breach by malicious individuals.
Total of 9 public recommendations and 2 confidential recommendations.
Identification of 100s of specific vulnerabilities, including specific remediation steps.
Compromise of agency networks and systems and access to thousands of confidential citizen and state employee records.
Findings
Greater transparency into Colorado information security practices
Additional money and personnel for the Office of Information Security
Authority for our office to perform routine penetration tests
Skill development of state staff in the conduct of penetration tests
Identification and remediation of serious vulnerabilities within state government information systems
Increase oversight by the General Assembly
Positive Outcomes
Colorado Risk, Incident, Security, Compliance (CRISC) application
◦ Open source application – OpenFISMA
Vulnerability management lifecycle tracking
Standardized risk assessment for each finding
Mitigation planning
Evidence of remediation
Identification of systemic organizational issues
Management of Findings by OIT
Communicate, communicate, and communicate!
Social Engineering – Demonstrate why security awareness is critical.
Ensure risk and impact of findings are demonstrated – e.g., steal lots of sensitive information.
Use methodical approach to identify “targets” early in reconnaissance phase.
Ensure are well defined and agreed upon.
Modify reporting to meet the needs of different audiences
Lessons Learned
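One concrete form of the “methodical approach to identify targets early in reconnaissance” lesson, at the scale described under “What is large-scale?”, is to fix the target list mechanically from the agreed scope before any scanning starts. The script below is an added example and is not code from the Colorado OSA audit, Coalfire or Emagined: it takes the authorised address ranges and the rules-of-engagement exclusions, carves the exclusions out, de-duplicates overlapping blocks, reports the resulting host and host/port surface, and splits the hosts into batches so a covert scan can be paced. The CIDR blocks are constructed sample data (RFC 5737 documentation prefixes), not the State’s real address space, and the batch size and exclusion reasons are assumptions.

```python
"""Scope resolution and batching for a large-scale external penetration test.

Added example, not code from the Colorado OSA audit or its contractors.
The address ranges are constructed sample data (RFC 5737 documentation
prefixes), not Colorado's actual public address space.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed sample rules of engagement (assumed values, not from the audit).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/26"]
EXCLUDED = ["192.0.2.0/28", "203.0.113.63/32"]  # e.g. a partner-hosted block and one fragile host


def resolve_targets(in_scope: Iterable[str], excluded: Iterable[str]) -> List[IPv4Addr]:
    """Return every authorised host address, sorted and de-duplicated.

    Overlapping or adjacent in-scope blocks are collapsed first so no host is
    counted twice; each exclusion is then removed with address_exclude().
    Exclusions that do not touch the scope are ignored. Network and broadcast
    addresses are kept because an external tester cannot know how the owner
    has subnetted a public block.
    """
    pieces: List[IPv4Net] = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n, strict=False) for n in in_scope))
    exclusions = [ipaddress.ip_network(n, strict=False) for n in excluded]
    for ex in exclusions:
        kept: List[IPv4Net] = []
        for piece in pieces:
            if ex.subnet_of(piece):
                # address_exclude yields the sub-blocks of `piece` that are not `ex`
                # (it yields nothing at all when ex == piece).
                kept.extend(piece.address_exclude(ex))
            elif piece.subnet_of(ex):
                continue            # the whole piece is excluded
            else:
                kept.append(piece)  # disjoint: unaffected
        pieces = kept
    # Iterating a network yields every address in it, including network/broadcast.
    return sorted({host for piece in pieces for host in piece})


def is_authorised(ip: str, targets: Set[IPv4Addr]) -> bool:
    """Authorisation gate to call before any active step against a host."""
    return ipaddress.ip_address(ip) in targets


def scan_plan(in_scope: Iterable[str], excluded: Iterable[str],
              batch_size: int, ports_per_host: int = 65535) -> Dict[str, object]:
    """Summarise the attack surface and split hosts into pacing batches."""
    hosts = resolve_targets(in_scope, excluded)
    batches = [hosts[i:i + batch_size] for i in range(0, len(hosts), batch_size)]
    return {
        "hosts": len(hosts),
        "host_port_pairs": len(hosts) * ports_per_host,  # TCP ports 1-65535
        "batches": batches,
    }


if __name__ == "__main__":
    plan = scan_plan(IN_SCOPE, EXCLUDED, batch_size=100)
    print(f"{plan['hosts']} hosts, {plan['host_port_pairs']} host/port pairs, "
          f"{len(plan['batches'])} batches of up to 100")
    targets = set(resolve_targets(IN_SCOPE, EXCLUDED))
    for ip in ("192.0.2.5", "192.0.2.200", "203.0.113.63"):
        print(ip, "authorised" if is_authorised(ip, targets) else "OUT OF SCOPE")
```

The point of computing the list from the written scope, rather than from whatever a discovery scan happens to find, is that it gives both the testers and the auditors one agreed artifact: every host that gets touched can be checked against it with is_authorised() before any active step, and the batch structure is what lets a covert engagement stay below the detection thresholds it is meant to test.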
Dianne Ray, CPA, State Auditor
◦ [email protected]
◦ 303-869-2801
Jonathan C. Trull, Deputy State Auditor
◦ [email protected]
◦ 303-869-2859
Contacts
A copy of the public report is available at the Colorado Office of the State Auditor’s website:
http://www.leg.state.co.us/OSA/coauditor1.nsf/Home?openform
The report is located under the Governor’s Office link, report # 2068A.
Audit Report