Penetration testing as an internal audit activity
ECIIA conference, Stockholm, October 6th 2016

Upload: transcendent-group
Posted on 17-Feb-2017

TRANSCRIPT

Penetration testing as an internal audit activity
ECIIA conference, Stockholm, October 6th 2016

Who am I?

• I’m a hacker
• I’ve hacked applications, networks, trains, lottery machines, routers, laptops, ATMs, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more…
• …all with permission, which makes me a penetration tester
• A fair share of the penetration tests I’ve performed were part of internal audits.

© Transcendent Group 2016

What is penetration testing?

A point-in-time assessment of the quality of the implemented security controls within the scope of testing.


The burning question

Are we secure?

Unfortunately, the questions actually answered by a penetration test are:

• How vulnerable is application X? – quite
• Is detection and response effective? – no
• Are our employees aware and alert? – no
• Where are we most vulnerable? – your entire intranet
• Are our preventive controls effective? – no
• Are our users’ passwords strong? – no

An analogy: Your house

[Figure: a house with its security controls labelled – door sensor, front door key, alarm sensors, CCTV camera]

The burning question, modified

Are we secure enough?

What to ask instead

Are we robust, capable, and continuously improving?

• prevention
• detection
• response

• organized
• funded
• right competencies
• right tools and data

• aligned to the business
• goal-oriented
• measuring and adapting to both needs and risks

Internal audit’s role as per TLD

The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.

What to consider

Planning
• audit objective
• sourcing
• engage IT / service provider

Execution
• help the pentesters translate technical risk to business risk

Reporting
• do root cause analysis


Planning and scoping

• First: Ask yourself if a pentest is really a good idea.
• Second: What is the question to be answered by the test?
• Engage and alert your IT security function and service provider.
• Make sure the consultants understand the high-level concepts of your business.


Tips on sourcing

• You’ll get what you pay for.
• Choose a preferred vendor, and stick with it.
• Hire people, not brand: look for experience.
• Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera).


Execution

• Don’t force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary.
• Help the pentesters escalate issues.
• Set aside time for root cause analysis with the part of the business that has been audited.


Reporting

What to expect:

• too technical, unstructured reports
• doom and gloom
• no business risks
• mistaking exploitable technical vulnerabilities for critical business risks

How to manage:

• keep your eye on the audit objective
• make the pentesters rate the difficulty of getting in
• challenge, challenge, challenge
• understand that it is difficult for an external party to gauge your business risk
• don’t skip root cause analysis


A word on reporting

Root causes

Example from a pentest: passwords

[Figure: bar chart, “Percentage of passwords cracked” – 485 cracked, 142 not cracked]

• We were able to crack 77 % of all passwords within 24 hours with a standard issue laptop.
• 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed in summer), Beograd02! (variant of the first password given by the help desk to new users).
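The two figures on this slide (share of accounts cracked, share of cracked passwords following «string + number + special character») are exactly the kind of numbers an auditor asks the pentesters for, and the «Beograd01!» / «Beograd02!» observation is the kind of root-cause signal worth extracting from a cracked-password list. The following script is an added illustration, not code from the presentation or from Transcendent Group: given a list of recovered passwords and the number of accounts audited, it computes the cracked percentage, classifies each password by structure, and groups passwords that differ only in their digit run so that help-desk defaults and «increment the number on every forced change» habits show up as families. The sample passwords and the account count are constructed for the example.

```python
"""Summarise a password-audit result set for a pentest report: share of
accounts cracked, structural pattern of the cracked passwords, and
numbered "families" (Beograd02!, Beograd03!, ...) that point at a shared
issuance scheme or at users incrementing a number on each forced change.
Added illustration; the sample data below is constructed, not from a
real engagement."""
import re
from collections import Counter

# "string + number + special character", the format the slide reports
# for 84 % of the cracked passwords.
WORD_NUMBER_SPECIAL = re.compile(r"^[A-Za-z]+[0-9]+[^A-Za-z0-9]+$")

# Splits a password into prefix / digit run / suffix so that numbered
# variants collapse onto one family key, e.g. Beograd02! -> Beograd<n>!
TRAILING_NUMBER = re.compile(r"^(.*?)([0-9]+)([^0-9]*)$")


def classify(password):
    """Coarse structural class of a single password."""
    if WORD_NUMBER_SPECIAL.match(password):
        return "word+number+special"
    if password.isalpha():
        return "letters only"
    if password.isdigit():
        return "digits only"
    return "other"


def family_key(password):
    """Key shared by passwords that differ only in their digit run,
    or None when the password contains no digits."""
    m = TRAILING_NUMBER.match(password)
    if not m:
        return None
    return f"{m.group(1)}<n>{m.group(3)}"


def summarize(cracked, total_accounts):
    """Build the numbers an auditor would put in the report."""
    classes = Counter(classify(p) for p in cracked)
    families = Counter(k for k in (family_key(p) for p in cracked) if k)
    pattern_hits = classes["word+number+special"]
    return {
        "cracked_pct": round(100 * len(cracked) / total_accounts),
        "pattern_pct": round(100 * pattern_hits / len(cracked)) if cracked else 0,
        "classes": dict(classes),
        # Two or more members in a family is the root-cause signal: a
        # help-desk default that users keep, or rotation by incrementing.
        "numbered_families": {k: n for k, n in families.items() if n >= 2},
    }


# Constructed sample: 13 accounts audited, 10 password hashes recovered.
SAMPLE_TOTAL_ACCOUNTS = 13
SAMPLE_CRACKED = [
    "Summer2016!", "Winter2016!", "Beograd02!", "Beograd03!", "Beograd04!",
    "Company1!", "Stockholm16#", "password", "letmein", "qwerty123",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_CRACKED, SAMPLE_TOTAL_ACCOUNTS)
    print(f"{report['cracked_pct']} % of accounts cracked")
    print(f"{report['pattern_pct']} % of cracked passwords are word+number+special")
    for key, n in report["numbered_families"].items():
        print(f"  {n} passwords share the pattern {key}")
```

The family grouping is the part worth keeping around: the percentage cracked says how bad things are, but a cluster such as Beograd<n>! is what lets the 5-whys conversation below start from evidence rather than from a guess.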

5 whys

Q: Why are our users’ passwords easy to crack?
A: Because they are short and easy to guess.

Q: Why are they short and easy to guess?
A: Users don’t know what constitutes a strong password, and create short and easy to guess ones because they are also easy to remember.

Q: So why do they have trouble remembering their passwords?
A: Each user has 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90 days.

Q: Why do we force them to change their password?
A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though…

Q: Why not?
A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security in that.


5 whys

Q: Why did this SQL injection vulnerability occur?
A: Because it’s a legacy back-end application that has been exposed to the Internet.

Q: Why was it exposed to the Internet?
A: To drive and support business initiative X, which requires customer interaction with the system.

Q: So why wasn’t the project behind business initiative X aware of the vulnerabilities?
A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team who had the knowledge or time to have an in-depth look.

Q: Why?
A: Because there aren’t any resources allocated to security in our project.

Q: Why are there no resources?
A: I guess it’s just not budgeted for, or the business just thinks of it as something the developers and sysadmins should fix as a part of the job. But no one has been given training, and if you look at the project plans, there’s not an hour dedicated to security.


Summary

Internal audit penetration testing can cause significant security improvement

• Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure.
• Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives.
• Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business.


www.transcendentgroup.com