[BreachExchange] A pen test a day keeps hackers away

Inga Goddijn inga at riskbasedsecurity.com
Sun Jul 3 17:24:11 EDT 2016


http://www.csoonline.com/article/3089325/application-security/a-pen-test-a-day-keeps-hackers-away.html

Besides the fact that there is no other way to really test your network,
the PCI Security Standards Council finally released version 3.2, and it now
states, “To ensure resilience, service providers are now required to
perform penetration testing on segmentation controls at least every six
months,” according to a new sub-requirement 11.3.4.1. The PCI SSC also
added a testing procedure 11.3.4 to ensure that penetration testing is
performed by a qualified internal or external third party.

So the once-a-year pen test is gone, and rightly so; some pen testers, like
ShoreBreak Security, offer continuous pen testing. Shore Break CEO Mark
Wolfgang says, “Pen testing once a year is like mowing your lawn once a
year; it does not keep up with reality.”

Wolfgang says he developed their continuous penetration testing
service *Lifeguard* to provide his customers with a continuous risk
snapshot, rather than a once-a-year view of risk.

I asked him his definition of a pen test, to which he answered: “A
penetration test is a security test where specific threat actors and
threat actions are emulated to determine the risk to specific assets, and
the resultant impact to the organization.”

We like to rephrase VERIS’s “*who did what to what (or whom) with what
result?*” as “*who **could do** what to what (or whom) with what result?*”

A good penetration test
<http://www.csoonline.com/article/2125972/network-security/vulnerability-management-basics--pen-testing-techniques.html>
emulates a variety of threat actors and threat actions, targeting specific
assets, and answers questions like:

   - How secure is my network/application/data from…
      - my partners that have internal network connectivity?
      - my remote employees?
      - my employees?
      - my system and network administrators?
      - physical intruders?
      - my users or customers?

Risk can be evaluated at multiple layers, but here are the most common
layers we evaluate.

   - Risk to assets – what is the risk posed to my assets?
   - Risk to data – what is the risk posed to my data?
   - Risk to organization or business – what is the risk posed to my
   business or organization?

A good penetration test team will seek to understand the organization or
business drivers so they can properly determine and convey business risk.

The result of a penetration test is an enlightenment of sorts. The client
will know the risk posed to their assets, data, and business at the time of
testing.

They will know how their networks, computers, and applications withstand
and detect real-world attacks. It does not necessarily feel good for those
on the receiving end, but it shines a necessary light on organizational
weaknesses and results in improved security.

Let’s use the PCI DSS model to explain a few important things about pen
testing. Even if you are not required to be PCI DSS compliant, it’s a great
data security standard to base your pen testing on, as long as you are not
in the US DoD or another environment that has mandated other specific
frameworks for your organization.

PCI DSS is a well-documented data security standard that helps secure the
retail credit card environment; the losses from credit card theft and
breaches have been huge. Just think about the Target
<http://www.csoonline.com/article/2601021/security0/11-steps-attackers-took-to-crack-target.html>,
Home Depot
<http://www.csoonline.com/article/2686192/data-protection/home-depot-confirms-breach-impacted-56-million-customers.html>,
and Neiman Marcus
<http://www.csoonline.com/article/2954615/cyber-attacks-espionage/neiman-marcus-case-a-reminder-to-check-your-cyber-coverage.html>
data breaches to begin to see the scope of losses. PCI DSS understands the
importance of a pen test and therefore mandates it.

You might say, if it’s a good standard, then why all the losses? First, no
compliance framework will prevent all breaches; it’s the foundation for
security, and it won’t replace dynamic, intelligent and proactive security.
Second, according to the Verizon PCI DSS report in 2015, 80 percent of
companies required to be PCI DSS compliant fail their interim assessment.
Verizon further states: “Of all the companies investigated by our forensics
team over the last 10 years following a breach, not one was found to have
been fully PCI DSS compliant at the time of the breach.”

PCI DSS is well documented and could apply to a non-cardholder
environment: just replace “cardholder environment” with your company’s most
confidential data. If your company is required to be FISMA or HIPAA
compliant, use that framework, but to do some short and sweet risk
analysis you could start with PCI DSS as an initial assessment. A PCI DSS
rule for all to live by is:

*Three simple rules about confidential data:*

   - If you don’t need it, don’t store it.
   - If you really need it, protect it when stored.
   - If you do store it, securely delete it when you’re done with it.

The following are the basics of PCI DSS and of a good data security framework.

*Penetration Test vs. a Vulnerability Scan*

There is a huge difference between running a vulnerability scanner and
actually having the hacking skills to pen test and break applications and
networks, all without disrupting the business or its operations.

We see too many clients that either don’t pen test due to cost or think
that internal or external scanning alone is the same thing. As mentioned
above, pen testing requires a lot of skill and experience, and each network
and application is different. Let’s now look more closely at a pen test. Pen
testing is organization and system specific. Ask yourself: what is my
company trying to protect? How is it all connected? How could a potential
cyber-criminal get to our data? A good pen tester can answer these
questions better than anyone else in the world. Some areas a pen tester
looks at are:

   - web application penetration testing
   - network penetration testing
   - application penetration testing
   - hardware penetration testing
   - modem “war dial” penetration testing
   - social engineering
   - physical penetration testing

What are the core competencies of a professional pen tester?

My colleague and CEO of Shore Break Security states it like this:

*Expertise in at least one operating system*

A pen tester must be knowledgeable in as many operating systems as
possible, but must be an expert in at least one. What good would it be for
the tester to compromise a Solaris server and not know what to do with it?
Or what if he doesn’t understand where the passwords are located, how
services are managed, where the log files are, etc.? Expertise in one
operating system will provide a solid foundation for others.

A competent penetration tester is the master of at least one operating
system but can find his way around all of them.

*Expertise in networking and protocols*

It seems obvious that a pen tester must be an expert in networking and
protocols, as those are the mediums on which he conducts his attacks.

A competent penetration tester should know the service that operates on
pretty much any port, on every protocol. They should be intimately familiar
with all layers of the stack. They should be equally comfortable analyzing
layer 2 and layer 7 traffic, and everything in between.

They should have a solid understanding of Intrusion Detection/Prevention
Systems, routing, and firewalls.

A competent penetration tester is an expert in networking and protocols.

*Expertise in information security*

Operating systems and networking are the foundational elements for
information security. Without this solid foundation, a penetration tester
could not be competent.

A pen tester must be an expert in Information Security. Not from an
attacker’s perspective, but from a defender’s perspective. After all, how
could a pen tester make a recommendation if he can’t relate to the
defender’s job? From specific technologies to best practices, a proficient
pen tester must be a master of his field.

*Expertise in information security testing tools*

Perhaps the easiest skill to develop these days is competency in
penetration testing tools. Long ago, before exploit frameworks and GUI
tools for *everything*, one had to know how to find reliable, trustworthy
exploit code. Then read it, compile it, test it, and run it from the
command line.

Not so any more. Just about anyone can download and run Kali Linux
<http://www.kali.org/> and Metasploit <http://www.metasploit.com/>, and fire
away.

Compromising vulnerable systems is easy – it’s what comes after that’s the
hard part.

Compromising systems without wreaking havoc on the target systems/network
requires the foundational knowledge and specific tool expertise.