What did we just buy? Getting the most from Security Assessments
Dallas Chapter of the IIA
March 31, 2017
Trip Hillman
• Manager, IT Advisory Services @ Weaver
• IT auditor, specializing in all things security related
• Methodology coordinator for Weaver's IT Security Services
• 5+ years experience in IT auditing and consulting
• CISA – Certified Information Systems Auditor (ISACA)
• CEH – Certified Ethical Hacker (EC‐Council)
• GPEN – Certified Penetration Tester (GIAC)
• GSNA – Systems and Network Auditor (GIAC)
• BBA in MIS from Baylor University
Agenda
• Level Setting
• Top Definitions
• Deliverables and Output
• Recap Considerations
• Q&A
Level Setting
• What we are talking about
– Issues that can arise when organizing a security assessment and a path to success
– Lessons learned
• What we aren't talking about
– A detailed playbook for conducting every type of assessment
Scenario
• Internal IT audit department has been asked by the Board of Directors to select a vendor and conduct a security assessment.
• Need an update at the next BoD meeting and the results presented at the following meeting.
• What do you do?
Buzz Words Got Us Here
Security Assessment
Security Assessment…
• Risk Assessment & Security Governance
– Policy & Procedure, Org & Training, Network Topology
• Vulnerability Assessment (Scanning)
• Penetration Test (Pen Test)
• Social Engineering & Security Awareness Training
• Access Reviews
• Infrastructure & Configuration
– Review & Validation
– Firewalls, Wireless Networks, Virtualized (Hypervisor), Mobile Device Management, Application
Professional Skepticism
• Unstructured technical procedures masquerading as a security assessment
– What _____ (standard, framework, requirement, guidance, etc.) are you basing this against?
• “Proprietary technology”
• Compliance = best practices?
Who is Shopping?
• Any and All!
– Small (5 person Co.) to Large
• Boards concerned about Security
• Financial Institutions
• Public Companies
• Holders/Processors of PII or PHI
– Customers, Patients, Students
• Organizations that value proprietary, sensitive, or confidential information & data
Why me?
• IT audit is a good go-between
• Understand Organizational Risk
• Bridge Relationships
Vulnerability Assessment
• Vulnerability Scan vs Assessment?
– What does the deliverable look like?
– Value is in Analysis and Assessment of Results for Applicable Business Risk
• Internal (on-site) vs External (remote)
• Credentialed? Timing? Announced?
• Entire network or sample?
• Why do it?
– Verify: Baselining & Inventory of Issues
– Inform: Blueprint from an attacker’s perspective
– Assess: Good Indicator of Security Posture and Patch Mgmt.
Penetration Test
• Methodology, Approach
• Rules of Engagement / Scope
• Certifications vs Testing
• Personnel - Contractor
• Internal (on-site) vs External (remote)
• Notification and Detection
• Why do it?
– Best way to test the locks is to try them
– More accurate assessment of risk to organization
• Should we do it? Jump in vs ease in
Pentest Coverage
• Scope
– What is being tested?
– What is winning?
• May not be domain admin
• Availability may be enough
• Rules of Engagement
– Timing, Shunning, Status, Communication
– PoC – “Batphone”
– Limitations
• DoS – Oh, you want everything?
Social Engineering
• E-mail Phishing
• Baiting (Media/USB Drops)
• Phishing Calls (Vishing)
• Tailgating (Physical Access)
• Methods Allowed
– Spear Phishing, prohibited premises / schemes
• Sampling
• Metrics
• Data Capture, Storage, Retention
Deliverables
• What do you get?
– Raw Data Output
– Issues List
– Executive Summary
– Board Presentation
– Internal Audit Report
• Responses
– Some Include It, Some Don’t. Does it Matter?
• Participation
Considerations for Practitioners
Practical Considerations
• Define terminology for clear communications
• Understanding of approach / methodology
• Authorization for procedures
• Ownership of data
• Use of third parties
• Necessary deliverables and participation
• Beware of “proprietary” technology & masquerading procedures
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
http://www.pentest-standard.org/
Wrap-up & Questions
Trip Hillman, CISA, CEH, GPEN, [email protected]