Penetration Testing - PowerPoint PPT Presentation

Provided by: srmu1

Transcript and Presenter's Notes

1
Penetration Testing
  • PCIE/ECIE Conference
  • March 25, 2003

2
Becoming More Routine
  • Per the IT Roundtable Survey
  • 19 of 26 agencies conduct pen tests
  • IGs oversaw 18 of the 19 tests

3
What Is Penetration Testing?
  • Testing the security of systems and architectures
    from a hacker's point of view
  • A simulated attack with a predetermined goal

4
Access Points to Your Network
  • Internet gateways
  • Modems
  • Wireless networks
  • Physical entry
  • Social engineering

5
Penetration Testing Is Not
  • An alternative to other IT security measures; it
    complements other tests
  • An expensive game of Capture the Flag
  • A guarantee of security

6
Limitations
  • It's only valid for the period tested
  • Time to perform

7
Benefits: Why Do It?
  • According to the 2002 CSI/FBI Survey
  • 90% of respondents detected security breaches
    within the last 12 months
  • 80% acknowledged financial losses due to security
    breaches
  • Average loss: $2 million

8
Benefits: Why Do It?
  • Gets management's attention
  • Illustrates how a combination of factors can lead
    to a BIG security breach
  • Great educational opportunity for audit staff

9
Two Tests: Same Basic Approach
  • Two stages (did not want sensitive information to
    go across Internet)
  • External view (hacker)
  • Internal view (disgruntled employee or
    contractor)

10
External View
  • Stopped if firewalls were penetrated
  • Conducted from the vendor's office
  • Used only publicly available information

11
Internal View
  • Stopped when password file obtained
  • Did not crack password files
  • Conducted from TIGTA/IRS offices
  • IRS participated

12
Two Tests: Differences
  • Vendor selection/expertise
  • Level of cooperation with the IRS

13
Lessons Learned
  • Research prospective vendors; there are no guarantees
  • Hire hackers?
  • Give the vendor time to get their experts'
    backgrounds cleared
  • Know their tools
  • COTS
  • Shareware/Freeware

14
Lessons Learned
  • Check out the vendor's offices and make sure the
    physical security is appropriate.
  • Use government computers when possible and ensure
    that the data remains the government's property.

15
Lessons Learned
  • Detailed agreements/scope
  • Anything off limits?
  • Hours of testing?
  • Social Engineering allowed?
  • War Dialing?
  • War Driving?
  • Denials of Service?
  • Define the end point

16
To Tell or Not to Tell?
  • Telling too many people may invalidate the test
  • However, you don't want valuable resources
    chasing a non-existent intruder for very long
  • And, elevation procedures make not telling risky

17
Contact Information
  • stephen.mullins_at_tigta.treas.gov
  • (916) 408-5573
  • (925) 210-7024