Penetration testing as an internal audit activity
TRANSCRIPT
Who am I?
• I’m a hacker
• I’ve hacked applications, networks, trains, lottery machines,
routers, laptops, ATMs, wireless networks, cell phones,
embedded systems, production plants, stock exchanges and
more…
• …all with permission, which makes me a penetration tester.
• A fair share of the penetration tests I’ve performed were part
of internal audits.
© Transcendent Group 2016
What is penetration testing?
A point-in-time assessment of the quality of the implemented
security controls within the scope of testing.
Unfortunately, the questions answered by a penetration test are:
• How vulnerable is application X? Answer: quite
• Is detection and response effective? Answer: no
• Are our employees aware and alert? Answer: no
• Where are we most vulnerable? Answer: your entire intranet
• Are our preventive controls effective? Answer: no
• Are our users’ passwords strong? Answer: no
An analogy: Your house
[Figure: a house annotated with its point controls: door sensor, front door key, alarm sensors, CCTV camera]
What to ask instead
Are we robust, capable, and continuously improving?
Robust:
• prevention
• detection
• response
Capable:
• organized
• funded
• right competencies
• right tools and data
Continuously improving:
• aligned to the business
• goal-oriented
• measuring and adapting to both needs and risks
Internal audit’s role as per the three lines of defence (TLD) model
The third line of defence – internal audit – is responsible for
ensuring that the first and second lines are functioning as designed.
What to consider
Planning:
• audit objective
• sourcing
• engage IT/service provider
Execution:
• help the pentesters translate technical risk to business risk
Reporting:
• do root cause analysis
Planning and scoping
• First: ask yourself whether a pentest is really a good idea.
• Second: what is the question to be answered by the test?
• Engage and alert your IT security function and service
provider.
• Make sure the consultants understand the high-level
concepts of your business.
Tips on sourcing
• You’ll get what you pay for.
• Choose a preferred vendor, and stick with it.
• Hire people, not brand: look for experience.
• Certifications to look for: CEH, GIAC certs (GWAPT,
GPEN, etcetera).
Execution
• Don’t force your pentesters to go through detailed
checklists of what to do/not to do unless absolutely
necessary.
• Help the pentesters escalate issues.
• Set aside time for root cause analysis with the part of
the business that has been audited.
Reporting
What to expect:
• too technical, unstructured reports
• doom and gloom
• no business risks
• mistaking exploitable technical vulnerabilities for critical business risks
How to manage:
• keep your eye on the audit objective
• make the pentesters rate the difficulty of getting in
• challenge, challenge, challenge
• understand that it is difficult for an external party to gauge your business risk
• don’t skip root cause analysis
Example from a pentest: passwords
[Chart: percentage of passwords cracked. Cracked: 485, not cracked: 142]
• We were able to crack 77 % of all passwords within 24 hours with a standard-issue laptop.
• 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (the pentest was performed in summer), Beograd02! (a variant of the first password given by the help desk to new users).
5 whys
Q: Why are our users’ passwords easy to crack?
A: Because they are short and easy to guess.
Q: Why are they short and easy to guess?
A: Users don’t know what constitutes a strong password, and create short and easy-to-guess ones
because they are also easy to remember.
Q: So why do they have trouble remembering their passwords?
A: Each user has 5+ different passwords they need to remember to perform their job. We also
force them to change their password every 90 days.
Q: Why do we force them to change their password?
A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though…
Q: Why not?
A: Well, everybody just creates a system to avoid forgetting the new password. If your first
password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security
in that.
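The two findings above (84 % of passwords in the «string + number + special character» format, and users incrementing the number at every forced rotation) are exactly what a pentester encodes as cracking rules. The following script is an added example and not part of the original presentation or the pentest it describes: it classifies a constructed sample of cracked passwords against that format, predicts the successors a rotated password is likely to get, and shows the mirror-image check a password-change policy would need in order to reject such increments. The sample list, the function names and the percentage helper are all assumptions made for illustration; the only figures taken from the slides are 485 cracked versus 142 not cracked.

```python
import re

# The format reported in the finding: letters, then digits, then one or more
# special characters, e.g. Summer2016! or Beograd02!
FORMAT = re.compile(r"^([A-Za-z]+)(\d+)([^A-Za-z0-9]+)$")

# Constructed sample of "cracked" passwords for the demo; not the real data set.
SAMPLE_CRACKED = [
    "Summer2016!", "Beograd02!", "Beograd03!", "Winter2015#",
    "correct horse battery", "Tr0ub4dor&3", "Oslo2016?", "Password1!",
]


def classify(passwords):
    """Return (matching, total) for the string+number+special format."""
    matching = [p for p in passwords if FORMAT.match(p)]
    return len(matching), len(passwords)


def format_share(passwords):
    """Percentage of passwords that follow the format, rounded like the slide."""
    matching, total = classify(passwords)
    return round(100 * matching / total) if total else 0


def cracked_percentage(cracked, not_cracked):
    """The chart figure: 485 cracked out of 485 + 142 gives 77 %."""
    return round(100 * cracked / (cracked + not_cracked))


def next_rotation_candidates(previous, steps=3):
    """Guess the passwords a user is likely to pick at the next forced rotations:
    same word and special character, number incremented and zero-padded to the
    original width (Beograd02! -> Beograd03!, Beograd04!, ...)."""
    m = FORMAT.match(previous)
    if not m:
        return []
    word, number, special = m.groups()
    width = len(number)
    return [f"{word}{int(number) + i:0{width}d}{special}" for i in range(1, steps + 1)]


def seasonal_candidates(year):
    """Season + year + '!' guesses, the other pattern observed in the test."""
    return [f"{season}{year}!" for season in ("Spring", "Summer", "Autumn", "Winter")]


def change_is_predictable(old, new, steps=10):
    """Defensive side: a password-change check that rejects the obvious increment
    of the previous password, the behaviour the 5 whys traced to forced rotation.
    Assumes the old password is available in clear at change time, which is only
    true while the user authenticates with it during the change."""
    return new in next_rotation_candidates(old, steps)


if __name__ == "__main__":
    print("format share in sample:", format_share(SAMPLE_CRACKED), "%")
    print("cracked in the test:", cracked_percentage(485, 142), "%")
    print("next guesses for Beograd02!:", next_rotation_candidates("Beograd02!"))
    print("Beograd02! -> Beograd03! rejected:", change_is_predictable("Beograd02!", "Beograd03!"))
```

Run against a real cracked list (one password per line) the first two helpers give the numbers that belong in the report; the last two are what turns the finding into something the business can act on, because the measurable risk is not "77 % cracked" but "rotation policy produces guessable passwords".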
5 whys
Q: Why did this SQL injection vulnerability occur?
A: Because it’s a legacy back-end application that has been exposed to the Internet.
Q: Why was it exposed to the Internet?
A: To drive and support business initiative X, which requires customer interaction with the system.
Q: So why wasn’t the project behind business initiative X aware of the vulnerabilities?
A: Well, we [the dev team] suspected that the application had substandard security, but there was no
one on the team who had the knowledge or time to take an in-depth look.
Q: Why?
A: Because no resources have been allocated to security in our project.
Q: Why are there no resources?
A: I guess it’s just not budgeted for, or the business just thinks of it as something the developers
and sysadmins should fix as part of the job. But no one has been given training, and if you look
at the project plans, there’s not an hour dedicated to security.
Internal audit penetration testing can
cause significant security improvement
• Penetration testing does not answer the «Are we secure?»
question, but provides symptoms of internal control failure.
• Pentesting can provide concrete and measurable risk reduction
and spark significant improvement initiatives.
• Engage with your IT function/service provider/preferred
consultants to evaluate the best way to leverage these types of
services for your business.