THE CPA'S PERSPECTIVE ON PENETRATION STUDIES AND VULNERABILITY ASSESSMENTS - PowerPoint PPT Presentation

Provided by: nyss
Learn more at: https://www.nysscpa.org

Transcript and Presenter's Notes

1
THE CPA'S PERSPECTIVE ON PENETRATION STUDIES AND
VULNERABILITY ASSESSMENTS
  • NEW YORK STATE SOCIETY OF CERTIFIED PUBLIC
    ACCOUNTANTS
  • EMERGING TECHNOLOGIES COMMITTEE
  • Joel Lanz, Principal
  • JOEL LANZ, CPA, P.C.

2
AGENDA
  • Introduction & Overview
  • Market Overview
  • The Market
  • Network Security Testing
  • Network Mapping
  • Vulnerability Scanning
  • Penetration Testing
  • Common Testing Tools
  • Basic Lessons
  • Opportunities (and risks) for the CPA
  • Available Guidance
  • Questions and Answers

3
JOEL'S PARADIGM
  • Over 20 years of IT risk management experience
  • Leads a CPA Practice that focuses on Information
    Technology Risk Management
  • Prior experience as a Big 5 Technology Risk
    Consulting Partner
  • Adjunct faculty member at Pace University
    Graduate School of Computer Science and
    Information Systems
  • CISA, CISSP, CFE, CITP
  • Various Technology Risk-Related Publications
  • etc., etc.

4
WHY THE NEED?
  • Identify Vulnerabilities and Repair
  • Regulatory Expectations
  • Board of Director Due Diligence
  • Fulfill Insurance Requirement
  • Risk Assessment
  • Test a Vendor or Employees
  • Impress Customers or Prospects
  • Prove a Point

5
PLAYERS TO SATISFY THE NEED
  • CPA Firms
  • in-house staff
  • technology partner
  • Non-CPA Audit Corporations
  • Security Consultants
  • security boutiques
  • VARs
  • third-party service providers
  • other computer businesses
  • Software Vendors
  • Independents

6
TYPICAL OFFERINGS
  • Penetration Testing
  • Periodic Vulnerability Analysis
  • Security Assessment
  • Outsourced Security Services (e.g., CISO)
  • Board Due Diligence
  • Policy Development and Monitoring
  • Privacy
  • Managed Security Services
  • etc., etc.

7
ENTRY PATHS (source: Hacking Exposed, 3rd Edition)
  • Misconfigured Routers
  • Unsecured/Unmonitored Remote Access
  • Excessive Trust Relationships
  • Accounts with Excessive Privileges
  • Unpatched, Outdated and Default Software
  • Poor Policies, Procedures & Guidelines
  • Excessive File & Directory Privileges

8
ENTRY PATHS (cont.) (source: Hacking Exposed, 3rd Edition)
  • Unauthenticated Services (capturing remote
    keystrokes)
  • Weak, Easily Guessed User Passwords
  • Misconfigured Internet Servers (CGI Scripts)
  • Misconfigured Firewall
  • Running Unnecessary Services
  • Information Leakage
  • Inadequate Logging, Monitoring & Detection

9
POPULAR NETWORK SECURITY TESTING TECHNIQUES
  • Network Mapping
  • Vulnerability Scanning
  • Penetration Testing
  • Security Testing and Evaluation
  • Password Cracking
  • Log Reviews
  • File Integrity Checkers
  • Virus Detectors
  • War Dialing

10
NETWORK MAPPING
  • WHAT IT IS
  • Use a port scanner to identify all active hosts
    connected to an organization's network, the
    network services operating on those hosts, and the
    specific application running each identified
    service
  • TYPICAL FINDINGS
  • Disconnect unauthorized hosts
  • Disable or remove unnecessary and vulnerable
    services
  • Restrict to limited number of required hosts
  • Modify firewalls to restrict access to known
    vulnerabilities
  • ACTIONS
  • Identify active hosts in the address range
    specified by the user
  • Scan for open TCP and UDP Ports that will
    identify the network services operating on that
    host.
  • e.g., if a host has TCP ports 135 and 139 open, it
    is most likely an NT or W2K host.
  • e.g., if a host has TCP port 80 open, it is most
    likely running a web server (however, the open
    port alone does not reveal which web server).

11
NETWORK MAPPING (cont.)
  • STRENGTHS
  • Fast
  • Efficiently scans a large number of hosts
  • Many excellent freeware tools available
  • Highly automated
  • Low cost
  • OTHER INFO
  • Frequency: quarterly
  • Medium level of complexity, effort and risk
  • WEAKNESSES
  • Does not directly identify known vulnerabilities
  • Generally used as a prelude to penetration
    testing not as a final test
  • Requires significant expertise to interpret
    results
  • BENEFITS OF DOING
  • Enumerates the network structure and what's
    active
  • Identifies unauthorized hosts and services
  • Identifies open ports
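
As an added example (not part of the original deck), the following Python script implements the network-mapping step from slides 10 and 11: a TCP connect scan followed by the slide's port-to-platform heuristics (135+139 suggests NT/W2K, 80 suggests a web server). To run offline it starts two constructed listeners on 127.0.0.1; the listener ports, the small service table and the two heuristics are the only assumptions. Scan only hosts you are authorized to test.

```python
"""Added example (not from the deck): a small TCP connect-scan mapper
illustrating slides 10-11. It scans a host for open TCP ports and applies
the slide's port-to-platform heuristics. For an offline run it starts two
constructed listeners on 127.0.0.1; everything about those listeners is
made up for the demo. Scan only hosts you are authorised to test.
"""
import socket
import threading
from typing import Dict, Iterable, List, Set

# A handful of well-known TCP ports, including the ones slide 10 cites.
SERVICE_GUESS: Dict[int, str] = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
    135: "msrpc", 139: "netbios-ssn", 443: "https", 445: "microsoft-ds",
}


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Return the ports in `ports` that complete a TCP three-way handshake.

    connect_ex() returns 0 on success and an errno otherwise, so a refused
    or filtered port is simply left out of the result.
    """
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def infer_platform(open_ports: Set[int]) -> List[str]:
    """Apply slide 10's heuristics. A port scan yields hints, not facts:
    tcp/80 alone does not tell you which web server is running."""
    hints: List[str] = []
    if {135, 139} <= open_ports:
        hints.append("likely Windows NT/2000 host (MSRPC + NetBIOS session service)")
    if open_ports & {80, 443}:
        hints.append("likely running a web server (product unknown without a banner)")
    for port in sorted(open_ports):
        hints.append(f"tcp/{port} open: {SERVICE_GUESS.get(port, 'unidentified service')}")
    return hints


def _accept_once(srv: socket.socket) -> None:
    """Constructed stand-in for a network service: accept one connection, exit."""
    srv.settimeout(3.0)
    try:
        conn, _ = srv.accept()
        conn.close()
    except socket.timeout:
        pass
    finally:
        srv.close()


def demo_local_scan() -> Set[int]:
    """Start two constructed listeners on ephemeral loopback ports, then scan
    those ports plus their (closed) neighbours. Returns the open ports found."""
    servers = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        srv.listen(1)
        servers.append(srv)
    expected = {srv.getsockname()[1] for srv in servers}
    threads = [threading.Thread(target=_accept_once, args=(srv,), daemon=True)
               for srv in servers]
    for t in threads:
        t.start()
    neighbours = {p + 1 for p in expected} | {p - 1 for p in expected}
    candidates = sorted(p for p in expected | neighbours if 1 <= p <= 65535)
    found = scan_tcp("127.0.0.1", candidates)
    for t in threads:
        t.join()
    return found & expected   # neighbours that happened to be busy are ignored


if __name__ == "__main__":
    print("open on 127.0.0.1:", sorted(demo_local_scan()))
    for line in infer_platform({135, 139, 80}):
        print(line)
```

Run stand-alone it prints the two loopback ports it found open, then the hedged hints for a host with 135, 139 and 80 open. As the slide says, the output is an inference: nothing here identifies the web server behind tcp/80 until a banner is grabbed, which is the vulnerability scanner's job.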

12
VULNERABILITY SCANNING
  • WHAT IT IS
  • Identifies not just hosts and open ports but any
    associated vulnerabilities automatically instead
    of relying on human interpretation of the
    results.
  • TYPICAL FINDINGS
  • Upgrade or patch vulnerable systems
  • Deploy mitigating strategies
  • Tighten configuration management program
  • Monitor vulnerability alerts and mailing lists
    and determine applicability to environment
  • Modify security policies for updates and upgrades
  • ACTIONS
  • Identify active hosts on a network
  • Identify active vulnerable ports on hosts
  • Identify applications via banner grabbing
  • Identify operating systems
  • Identify vulnerabilities associated with
    discovered operating systems and applications
  • Test compliance with host application
    usage/security policies
  • Establish a foundation for penetration testing

13
VULNERABILITY SCANNING (cont.)
  • STRENGTHS
  • Fairly fast & efficient
  • Some freeware tools available
  • Highly automated for known vulnerabilities
  • Often provides advice for mitigating strategies
  • Easy to run regularly
  • Cost varies by tool used
  • OTHER INFO
  • Frequency: every 2-3 months
  • High level of complexity and effort with medium
    risk
  • WEAKNESSES
  • High false positive rate
  • Large amount of network traffic
  • Not stealthy (detected)
  • Not for rookies
  • Often misses new vulnerabilities (no check for them yet)
  • Identifies the easy stuff
  • BENEFITS OF DOING
  • Enumerates the network structure and what's
    active
  • Identifies vulnerabilities on a target set of
    computers
  • Validates up-to-date patches and software versions
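
Added example, not from the deck: the matching step of a vulnerability scanner as described on slides 12 and 13. The hosts, banners, product table and issue identifiers (DEMO-...) are constructed for illustration and are not real advisories. It also shows the false-positive problem slide 13 raises: a vendor-packaged build can report an old upstream version string while carrying a backported fix, so a version-only match is reported as "possible" rather than "vulnerable" until someone verifies it on the host.

```python
"""Added example (not from the deck): the matching step of a vulnerability
scanner, slides 12-13. Given banners grabbed from services, it extracts
product and version and compares them against a table of "fixed in"
versions. The banners and the vulnerability table are constructed for the
demo; they are not real advisories.

It also shows why slide 13 warns about false positives: a banner can carry
a version string whose fix was backported by the vendor, so a version-only
match can only ever be "possible" until verified on the host.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed table: product -> (issue id, first version that carries the fix).
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "apache":   ("DEMO-2002-0001", "1.3.27"),
    "openssh":  ("DEMO-2002-0002", "3.4"),
    "sendmail": ("DEMO-2003-0003", "8.12.8"),
}

# Banner shapes for the three constructed services.
BANNER_PATTERNS = [
    re.compile(r"Server:\s*(Apache)/(\d+(?:\.\d+)*)", re.I),
    re.compile(r"^SSH-\d\.\d-(OpenSSH)[_-](\d+(?:\.\d+)*)", re.I),
    re.compile(r"ESMTP (Sendmail) (\d+(?:\.\d+)*)", re.I),
]
# Markers that the binary is a distribution package, not an upstream build.
BACKPORT_HINT = re.compile(r"\((Debian|Red Hat|Ubuntu|SUSE)\)|-\d+(?:el|ubuntu|deb)", re.I)


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    issue: str
    status: str      # "vulnerable", "possible", or "patched"
    note: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.26' -> (1, 3, 26): compare numerically, since as strings
    '1.3.9' would sort after '1.3.27'."""
    return tuple(int(part) for part in text.split("."))


def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) from a banner, or None if unrecognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return m.group(1).lower(), m.group(2)
    return None


def assess(host: str, banner: str) -> Optional[Finding]:
    """Match one banner against FIXED_IN; None when nothing applies."""
    ident = identify(banner)
    if ident is None or ident[0] not in FIXED_IN:
        return None
    product, version = ident
    issue, fixed = FIXED_IN[product]
    if parse_version(version) >= parse_version(fixed):
        return Finding(host, product, version, issue, "patched", "version at or above fix")
    if BACKPORT_HINT.search(banner):
        # Distribution packages often backport fixes without bumping the
        # upstream version string; flag for manual verification, not as fact.
        return Finding(host, product, version, issue, "possible",
                       "vendor package; fix may be backported, verify on host")
    return Finding(host, product, version, issue, "vulnerable",
                   f"version {version} below fix {fixed}")


def scan_banners(banners: Dict[str, str]) -> List[Finding]:
    """Run assess() over a host->banner map, dropping unrecognised services."""
    return [f for f in (assess(h, b) for h, b in banners.items()) if f is not None]


# Constructed sample banners (not captured from any real network).
SAMPLE_BANNERS = {
    "10.0.0.5:80": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n",
    "10.0.0.6:80": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Debian) mod_ssl/2.8.9\r\n",
    "10.0.0.7:22": "SSH-2.0-OpenSSH_3.9p1",
    "10.0.0.8:25": "220 mail.example ESMTP Sendmail 8.12.8; Mon, 3 Mar 2003",
    "10.0.0.9:21": "220 FTP server ready.",
}

if __name__ == "__main__":
    for f in scan_banners(SAMPLE_BANNERS):
        print(f"{f.host:14} {f.product}/{f.version:8} {f.issue} {f.status:10} {f.note}")
```

The "possible" status is the honest output for 10.0.0.6: the scanner cannot tell from the wire whether the Debian package was rebuilt with the fix, and that uncertainty is exactly the false-positive rate slide 13 lists as a weakness. Verifying it means checking the installed package version on the host, which is what the slide's "host vulnerability scanning" adds over the network view.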

14
PENETRATION TESTING
  • WHAT IT IS
  • A security test in which evaluators attempt to
    circumvent the security of a system based on
    their understanding of the system design and
    implementation by using common tools and
    techniques used by hackers.
  • TYPICAL FINDINGS (Exploits)
  • Kernel Flaws
  • Buffer Overflows
  • Symbolic Links
  • Race Conditions
  • File Directory Permissions
  • Trojans
  • Social Engineering
  • ACTIONS (Rules of Engagement)
  • Specific IP address/ranges to be tested
  • Hosts not to be tested
  • A list of acceptable testing techniques and tools
  • Time that scanning is to be conducted
  • IP address(es) of attack machine(s)
  • Prevention of false alarms to law enforcement
  • Handling of information collected by the testing
    team

15
PENETRATION TESTING (cont.)
  • DISCOVERY PHASE
  • footprinting, scanning and enumeration
  • GAINING ACCESS
  • Gather info to make an informed attempt at the
    target
  • ESCALATING PRIVILEGE
  • The tester seeks to gain additional privileges
    or rights
  • SYSTEM BROWSING
  • Pilfering: attempt to gain access to trusted
    systems
  • LEAVE BEHINDS
  • Covering Tracks, Creating Back Doors

16
PENETRATION TESTING (cont.)
  • STRENGTHS
  • Employs hacker methodology
  • Goes beyond surface vulnerabilities to show how
    they can be exploited to gain access
  • Shows that vulnerabilities are real
  • Social engineering allows for testing of
    procedures and human reactions
  • OTHER INFO
  • Frequency: annually
  • High level of complexity, effort and risk
  • WEAKNESSES
  • What's a "hacker methodology"?
  • Requires great expertise; dangerous when
    conducted by rookies
  • Due to time requirements, not all resources are
    tested individually
  • Certain tools may be banned or controlled by
    regulations
  • Legal complications and organizationally
    disruptive
  • Expensive
  • BENEFITS OF DOING
  • Determines how vulnerable the organization is and
    the level of damage that can occur
  • Tests IT staff response and knowledge of security
    policies

17
COMMON TESTING TOOLS
  • Password Crackers
  • John the Ripper (Unix)
  • L0phtCrack (Windows)
  • Nwpcrack (Netware)
  • Nmap (port scanner)
  • Vulnerability Scanning Tools
  • CyberCop, ISS, Nessus
  • War Dialing
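
Added example (not from the deck): what the password crackers on slide 17 actually do with a wordlist, and why "weak, easily guessed" passwords from the entry-path slide fall so quickly. The shadow-style records, users and passwords are constructed, the hash is salted SHA-256 rather than the crypt(3) or LM/NTLM formats John the Ripper and L0phtCrack target, and the mangling rules are a tiny stand-in for John's rule engine.

```python
"""Added example (not from the deck): how a wordlist cracker such as those
listed on slide 17 turns a short dictionary into many candidates with
mangling rules, then checks each against stolen hashes. The "shadow" file
is constructed: four users, salted SHA-256 hashes (real Unix crypt(3)
formats differ and are deliberately slower). The dictionary and rules are
a small stand-in for a real wordlist and John the Ripper's rule engine.
"""
import hashlib
from typing import Callable, Dict, Iterator, List, Tuple


def _entry(salt: str, password: str) -> Tuple[str, str]:
    """Build a constructed shadow record: (salt, hex(sha256(salt + password)))."""
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style records: user -> (salt, digest).
SHADOW: Dict[str, Tuple[str, str]] = {
    "alice": _entry("k3Jd", "Password1"),   # dictionary word, capitalised, digit appended
    "bob":   _entry("8xQa", "summ3r"),      # dictionary word with leet substitution
    "carol": _entry("Zt0p", "welcome!"),    # dictionary word with punctuation appended
    "dave":  _entry("mN4v", "xK9#qLm2vB"),  # random; not reachable from the wordlist
}

WORDLIST: List[str] = ["password", "summer", "letmein", "welcome", "qwerty"]

LEET = str.maketrans({"a": "4", "e": "3", "o": "0", "i": "1"})

# Mangling rules in the spirit of John's wordlist rules: each takes a word
# and yields zero or more candidates.
RULES: List[Callable[[str], Iterator[str]]] = [
    lambda w: iter([w]),                                   # as-is
    lambda w: iter([w.capitalize(), w.upper()]),           # case changes
    lambda w: (w + s for s in ("1", "123", "!", "2003")),  # common suffixes
    lambda w: (w.capitalize() + s for s in ("1", "!", "123")),
    lambda w: iter([w.translate(LEET)]),                   # leet speak
]


def candidates(words: List[str]) -> Iterator[str]:
    """Expand the wordlist through every rule; duplicates are harmless."""
    for w in words:
        for rule in RULES:
            yield from rule(w)


def crack(shadow: Dict[str, Tuple[str, str]], words: List[str]) -> Dict[str, str]:
    """Return user -> recovered password for every hash some candidate matches.

    The per-user salt forces one hash per (candidate, user) pair instead of
    one per candidate, which is exactly why salting slows wordlist attacks.
    """
    recovered: Dict[str, str] = {}
    for cand in candidates(words):
        for user, (salt, digest) in shadow.items():
            if user in recovered:
                continue
            if hashlib.sha256((salt + cand).encode()).hexdigest() == digest:
                recovered[user] = cand
    return recovered


if __name__ == "__main__":
    found = crack(SHADOW, WORDLIST)
    for user in SHADOW:
        print(f"{user:6} {found.get(user, '<not cracked by this wordlist>')}")
```

Three of the four constructed accounts fall to a five-word dictionary because the rules generate the predictable variations people actually use; the random password survives only because no rule can reach it. Real crackers differ in scale (millions of words, hundreds of rules, much faster hashing) rather than in method.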

18
NETWORK NOT AS IMPORTANT AS PHYSICAL SECURITY
  • Terminated Employees or Consultants
  • HR policy typically requires that
  • all keys and cards be turned in
  • consider changing locks and combinations
  • Security policy
  • may (but does not always) mention the need to
    adjust security settings
  • the vast majority of audit reports cite that
    terminated employees and consultants still have
    access to system resources

19
NETWORK NOT AS IMPORTANT AS PHYSICAL SECURITY
(cont.)
  • How To Manage The Risk
  • Build the responsibility into the corporate
    culture
  • the approver is always accountable for what they
    approved (user)
  • incorporate notifying security into the
    termination process (HR, and yes, it is your
    job!!!)
  • question inactivity (security)
  • Estimated Cost/Benefit
  • Low Cost/High Return
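
Added example, not from the deck: the reconciliation behind "question inactivity" and the terminated-user finding on slides 18 and 19, as an auditor might script it. It joins an HR termination list against the accounts still enabled on a system and flags terminated owners whose accounts remain enabled, accounts that have never logged on, and accounts dormant past a threshold. The account extract, HR list, dates and the 90-day threshold are all constructed assumptions.

```python
"""Added example (not from the deck): the access reconciliation behind
slides 18-19. It joins an HR termination list against the enabled accounts
on a system and flags (a) terminated people whose accounts are still
enabled and (b) enabled accounts with no logon for N days, the "question
inactivity" check. All records below are constructed.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed extract from the system's user database, as a sysadmin would
# export it. last_logon is blank when the account has never logged on.
ACCOUNTS_CSV = """username,enabled,last_logon,owner
jsmith,yes,2003-02-27,Jane Smith
rjones,yes,2002-10-15,Robert Jones
consult1,yes,,Acme Consulting
mwhite,no,2002-12-01,Mary White
pbrown,yes,2003-02-20,Paul Brown
"""

# Constructed HR list of people whose employment or contract has ended.
TERMINATED_CSV = """owner,termination_date
Robert Jones,2002-11-01
Mary White,2002-12-15
Acme Consulting,2003-01-31
"""


def load(csv_text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(accounts_csv: str, terminated_csv: str,
                  as_of: date, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs needing follow-up, sorted by username."""
    terminated: Set[str] = {row["owner"] for row in load(terminated_csv)}
    cutoff = as_of - timedelta(days=inactive_days)
    findings: List[Tuple[str, str]] = []
    for acct in load(accounts_csv):
        if acct["enabled"].lower() != "yes":
            continue  # disabled accounts are fine; only live access matters
        user = acct["username"]
        if acct["owner"] in terminated:
            findings.append((user, f"owner '{acct['owner']}' terminated but account enabled"))
        if acct["last_logon"] == "":
            findings.append((user, "enabled but never logged on"))
        elif date.fromisoformat(acct["last_logon"]) < cutoff:
            findings.append((user, f"no logon since {acct['last_logon']} (> {inactive_days} days)"))
    return sorted(findings)


def demo_review(as_of_iso: str = "2003-03-03", inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Run the review over the constructed data as of the given ISO date."""
    return review_access(ACCOUNTS_CSV, TERMINATED_CSV, date.fromisoformat(as_of_iso), inactive_days)


if __name__ == "__main__":
    for user, reason in demo_review():
        print(f"{user:10} {reason}")
```

The two findings that matter most are the ones HR already knew about: rjones was terminated months ago and still has an enabled account, and the consultant's account outlived the contract without ever being used. Both are the "low cost / high return" fixes the slide describes; the script costs nothing beyond two exports and a periodic run.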

20
NOT ENFORCING NEED-TO-HAVE ACCESS
  • "it won't happen here"
  • "the security group (or user admin) doesn't have
    the time or resources"
  • "we need the flexibility for cross-training or
    backup"
  • "Mary's been with us for over 30 years, so she
    deserves to be designated a security
    administrator"
  • "we only need to worry about external hackers"

21
NOT ENFORCING NEED-TO-HAVE ACCESS (cont.)
  • Consider these issues
  • 60-70% of unauthorized system break-ins are from
    internal sources
  • Based on forensic experience, this worst-practice
    is a primary contributor to internal fraud and
    facilitates the circumvention of management-
    designed controls (including organizational chart
    responsibilities)
  • Prime Directive
  • Many professionals believe that it is impossible
    to maintain a control environment that satisfies
    stakeholders' expectations while using this
    worst-practice
  • Estimated Cost/Benefit
  • Low Cost/High Return

22
LEAVING FACTORY DEFAULT SETTINGS UNCHANGED
  • "Operating systems are often shipped with default
    users with default passwords to make setting up
    easier. If the systems administrator doesn't
    know about the default accounts, or forgets to
    turn them off, then anyone who can get hold of a
    list of default accounts and passwords can log
    into the target computer"
  • Page 66
  • Anyone who knows how to do basic research using
    the Internet can get hold of these lists
  • Joel Lanz

23
NOT APPLYING SECURITY PATCHES
  • "Finding the low-hanging fruit should always be
    your top priority, mainly because it is the
    attacker's first priority. Devastating web
    vulnerabilities still exist after years of being
    publicly known"
  • Page 596
  • Typically this is what script kiddies exploit, and
    it results in embarrassment for the organization
  • Joel Lanz

24
NOT MONITORING SECURITY-RELATED ADVISORIES &
UPDATES
  • Respected organizations (e.g., CERT, SANS)
    distribute free newsletters providing guidance on
    recent and projected security threats. For
    example,
  • SANS/FBI released a Top 20 vulnerability list
    with appropriate (free) tools to detect whether a
    particular organization is exposed.
  • CISECURITY.ORG provides generally accepted
    benchmarks to effectively manage technology risk.
  • These warnings/guidance are typically ignored in
    worst-practices organizations

25
WE'RE SAFE, RIGHT?
  • "We engage an outside firm to conduct a
    penetration test. Last year we didn't have any
    major findings. This review proves that we're
    safe, right?"
  • WRONG!!!!!!!!

26
WHERE'S THE RISK?
27
HOW MUCH TO FIX?
  • Not as much as you would expect
  • You dont necessarily need to purchase advanced
    technology
  • 80% of the problems can be resolved very
    cost-effectively
  • Organizational culture and behavior modification
    require the greater efforts

28
AND WHAT OF THESE PATCHES WE KEEP HEARING ABOUT?
  • Create an organizational software inventory
  • Identify newly discovered vulnerabilities and
    security patches (remember the free emails?)
  • Prioritize patch application
  • Create an organization-specific patch database
  • Test patches
  • Distribute patches and vulnerability information
    as appropriate
  • Verify patch installation through network and
    host vulnerability scanning
  • Train system administrators in the use of
    vulnerability databases

29
HOW CAN THE CPA HELP?
  • Who is responsible for security and how is
    accountability enforced?
  • Does everyone in the organization understand the
    importance of security?
  • How is information used?
  • How effective and relevant is the security
    policy?
  • What is the ROI on security investments?
  • How is security integrated into daily business
    processes?
  • Is information shared with outside entities?

30
OFFERING THE SERVICE
  • Risk Management
  • Expectations: vulnerability assessment vs. penetration test
  • Legal liability especially with outsourcers and
    other service providers
  • Skills
  • Some type of technology-related certification
  • Strong networking skills and understanding
  • Keeping up to date
  • Ethics
  • Tools
  • Practice Lab
  • Interrogation Tools

31
KEEPING UP (good guys only!)
  • www.njisaca.org
  • csrc.nist.gov
  • www.securityfocus.com
  • www.sans.org
  • www.computer.org
  • www.computerworld.com
  • www.ciso.com
  • www.cert.org
  • Counter Hack by Ed Skoudis

32
SECURITY CONCLUSION
  • A team sport that doesn't necessarily require
    the fanciest equipment to win, but does
    require you to understand the fundamentals of the
    game, and that you and your team provide best
    efforts to win!
  • Otherwise
  • you are playing to just give the ball to the
    other side.

33
IN CASE YOU'RE IN A RUSH TO LEAVE AND HAVE A
QUESTION
  • Joel Lanz
  • Principal
  • Joel Lanz, CPA, P.C.
  • P.O. BOX 597
  • Jericho, NY 11753-0597
  • (516) 637-7288
  • www.itriskmgt.com
  • jlanz@itriskmgt.com