TECHNICAL CORNER with Stephen Sims
EXECUTIVE INVOLVEMENT
With data breaches on the rise, properly conducted penetration tests are a must-have for many companies, but only if technology personnel and C-suite executives are on the same page
Is your company secure? That's a far-too-familiar question for many organizations today and, unfortunately, regulators and compliance officers are not the only ones asking it.
Each time the compromise of a large organization makes headlines, customers and shareholders become uneasy, and rightfully so. From their perspective, the solution is easy: "Just secure our data!" We have an obligation to consumers, employees and shareholders alike to ensure their data is protected and handled properly. However, today's technology leadership is faced with deciding where limited security funding is most effectively allocated to address these issues. As attacks become increasingly sophisticated, how can leadership know where to spend limited resources to get the most bang for their buck? There needs to be a cohesive relationship and trust between an organization's most senior technical resources and management, along with a clean line of articulation straight up to the executive level. Without this cohesion, limited funds dedicated to security will almost certainly be inappropriately allocated, and that misallocation could ultimately result in a massively damaging compromise that could have been avoided.
PENETRATION TESTS VS. AUDITS & VULNERABILITY ASSESSMENTS
In-depth penetration testing is one of the most powerful tools a security team has to identify potential vulnerabilities and assess overall risk. However, to maximize the value of penetration testing, one must first understand that there are significant differences between a security audit, a vulnerability assessment and a penetration test. Security audits and vulnerability assessments are often based on limited assumptions and risks, and their findings are often not validated. Some techniques involve the use of checklists to ensure various systems comply with the company's security policy or audit requirements, while other companies run a vulnerability scan using third-party software. Such practices certainly have their place within an organization, especially when and where penetration testing is not possible. The distinction is this: an audit checks whether a control exists and a scanner checks whether a system appears vulnerable, whereas a penetration test validates those findings by actually attempting to exploit the potential areas of risk, giving a more detailed view of what a real-world attacker could accomplish.
16 SECURITY MATTERS • FALL 2011
From a statistical perspective, this validation reduces uncertainty and the margin of error: a finding that has been exploited is a demonstrated weakness rather than a probable one, and a scanner finding that cannot be exploited need not be reported at full severity. One could argue that, if properly done, security auditing, architectural assessment and vulnerability scanning should achieve the same results as a penetration test. Unfortunately, attackers use many sophisticated techniques to break into a system or network that are rarely modelled outside of penetration tests, such as pivoting from one compromised host to the rest of the network. It is only through validation that a more accurate and realistic risk rating can be applied.
THE MISSING LINK
Many penetration testers focus on a predefined set of vulnerabilities, typically the most common misconfigurations and weaknesses that lead to a compromise. Often, much of this testing is performed by automated tools, or by third-party companies, some of whom have commoditized the service.
There are some companies who want a "real" penetration test, while others simply want to be told they are fine so they may satisfy a regulatory requirement. A skilled penetration tester must be polished and consider all areas of business risk, one of which is information technology. Most importantly, a skilled penetration tester must think outside of the box and find solutions to problems where others have failed. Believe it or not, many security professionals do not have programming experience. Although it is not a requirement for every position in the field, a programming background is an extremely powerful tool for a penetration tester. Many successful large-scale attacks are the result of discovering a previously undisclosed vulnerability and writing an exploit for it before the vendor is aware of it or has a patch available, also known as a zero-day exploit. An understanding of common programming languages, reverse engineering, bug discovery and exploit writing, as well as the overall security development life cycle, is increasingly important for penetration testers to master.
This is because the low-hanging fruit is most often a thing of the past and newer attack methods are often extremely complex. Well-balanced penetration testers should also have experience testing many types of organizations and scenarios: network devices, Windows and Linux/UNIX domains, client-side attacks, social engineering, code review and bug discovery, as well as the ability to pivot from an initially compromised system to the rest of the environment.
In the end, all penetration testers must operate within clear and well-articulated rules of engagement, a scoping document and a statement of work, and must comply with all local, federal and international laws.
Stephen Sims is a senior instructor with the SANS Institute (www.sans.org).