2011 NSAA IT Pre-Conference Workshop: Penetration Testing For Maximum Benefit

September 27, 2011


WELCOME TO DENVER!

Introductions

Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor
Travis Schack, Colorado’s Information Security Officer
Chris Ingram, Director, Emagined Security
Scott Johnson, Senior Consultant, Emagined Security
Mike Weber, Labs Director, Coalfire Systems

Logistics

Schedule
Breaks
Bathrooms
Protocol for asking questions
Experiment

Learning Objectives

To provide a forum for auditors to learn about penetration testing and how such testing, when applied properly, improves the security of the people, processes, and systems that run governments.
Cautionary Note: You will NOT be a competent penetration tester as a result of this course!
How do I become a competent penetration tester?

Colorado Office of the State Auditor, Office of Cyber Security Performance Audit (Statewide PenTest)

Scope

In 2010, the Colorado Office of the State Auditor conducted a performance audit of the Governor’s Office of Cyber Security. The audit included:
A review of the Office of Cyber Security’s progress in implementing the Colorado Cyber Security Program.
A system-wide, covert or “Red Team” penetration test of the State of Colorado’s information systems.
◦ All attack types, except DoS or DDoS, were within scope.
The assessment was performed covertly to test the State’s incident detection and response capabilities.

Criteria

Colorado Statutory Requirements
National Institute of Standards and Technology Requirements
Industry Best Practices
Primary Tenet: The State should protect citizen data from unauthorized access!

Test Objectives

Breach the security of the State of Colorado’s network and gain access to personally identifiable, sensitive, and/or confidential information.
Identify security weaknesses in systems or web applications that, if exploited, would provide an attacker with significant visibility, confidential data, or the ability to attack the site’s users, Colorado’s citizens and businesses.
Test monitoring, detection, and incident response capabilities.

What is a large-scale penetration test?

A penetration test is NOT the same as an audit or security assessment!!
◦ Penetration tests simulate real-world attacks.
◦ Penetration tests will NOT identify all vulnerabilities in a system.
◦ Penetration tests will NOT identify all internal threats.
◦ Penetration tests will NOT be able to determine the cause or reason for the existence of the vulnerability exploited. This is where state auditors came in handy!
What is large-scale?
◦ 67,000 public-facing IP addresses (each with potentially 65,000+ ports)
◦ All state buildings in the Denver metro area
◦ All state-owned telephone numbers
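The Scope slide rules one attack class out (DoS/DDoS) and the slide above gives the scale: tens of thousands of public-facing addresses, each with up to 65,535 ports. The Python below is an added example, not code from the workshop or from the Colorado audit, showing how a tester encodes such an agreed scope as a checkable rules-of-engagement object, checks a scanner's target list against it before launching anything, and sizes the exhaustive host x port space against a prioritized first pass. The CIDR ranges, excluded hosts and priority port list are constructed assumptions (RFC 5737 documentation networks), since the slides give no real addresses.

```python
"""
Scope planner for a large-scale external penetration test.

Added example (not code from the workshop or from the Colorado audit): turns an
agreed scope -- CIDR blocks, explicit exclusions, and forbidden attack classes
such as DoS/DDoS -- into a checkable rules-of-engagement object, then sizes the
host x port search space and a prioritized first reconnaissance pass.
All address ranges below are constructed RFC 5737 documentation networks,
not Colorado's real address space.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample scope (assumption: the real ranges are not on the slides).
IN_SCOPE_CIDRS = ["198.51.100.0/24", "203.0.113.0/25", "192.0.2.0/28"]
EXCLUDED_HOSTS = ["198.51.100.7", "203.0.113.1"]  # hosts carved out of scope
FORBIDDEN_ATTACKS = {"dos", "ddos"}               # attack classes the ROE forbids

# Services worth probing first when a full 65,535-port sweep per host is not
# affordable in the time available; the list is an illustrative assumption.
PRIORITY_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                  443, 445, 1433, 3306, 3389, 8080]


@dataclass
class RulesOfEngagement:
    networks: list          # ipaddress network objects that are in scope
    excluded: set           # ipaddress address objects never to be touched
    forbidden_attacks: set  # lower-cased attack class names that are off limits

    @classmethod
    def from_strings(cls, cidrs, excluded, forbidden):
        # strict=True rejects a CIDR with host bits set, a common scoping typo.
        return cls(
            networks=[ipaddress.ip_network(c, strict=True) for c in cidrs],
            excluded={ipaddress.ip_address(h) for h in excluded},
            forbidden_attacks={a.lower() for a in forbidden},
        )

    def host_in_scope(self, host):
        """Exclusions win over inclusions, so a carved-out host is never in scope."""
        addr = ipaddress.ip_address(host)
        if addr in self.excluded:
            return False
        return any(addr in net for net in self.networks)

    def action_allowed(self, host, attack_class):
        """True only if the host is in scope AND the attack class is permitted."""
        return (self.host_in_scope(host)
                and attack_class.lower() not in self.forbidden_attacks)

    def targets(self):
        """Yield every in-scope host (network and broadcast addresses skipped)."""
        for net in self.networks:
            for addr in net.hosts():
                if addr not in self.excluded:
                    yield addr

    def search_space(self, ports_per_host=65535):
        """(host count, host x port pairs): the size of an exhaustive sweep."""
        n = sum(1 for _ in self.targets())
        return n, n * ports_per_host


def out_of_scope(roe, candidate_targets):
    """Return the entries in a scanner's target list that the ROE does not cover.

    Run this over the target file before launching any tool: an address left
    over from an old engagement is the classic way to scan the wrong network.
    """
    return [t for t in candidate_targets if not roe.host_in_scope(t)]


def plan_first_pass(roe, probes_per_second, ports=PRIORITY_PORTS):
    """Size the prioritized first pass: (hosts, probes, estimated seconds)."""
    hosts = sum(1 for _ in roe.targets())
    probes = hosts * len(ports)
    return hosts, probes, probes / probes_per_second


ROE = RulesOfEngagement.from_strings(IN_SCOPE_CIDRS, EXCLUDED_HOSTS, FORBIDDEN_ATTACKS)

if __name__ == "__main__":
    hosts, pairs = ROE.search_space()
    print(f"{hosts} in-scope hosts, {pairs:,} host:port pairs for a full sweep")
    print("first pass:", plan_first_pass(ROE, probes_per_second=500))
    print("out of scope:", out_of_scope(ROE, ["198.51.100.20", "198.51.100.7", "8.8.8.8"]))
    print("DDoS allowed?", ROE.action_allowed("198.51.100.20", "DDoS"))
```

Applied to the slide's own numbers, 67,000 hosts times 65,535 ports is roughly 4.4 billion host:port pairs, which is why the prioritized pass, not the exhaustive sweep, is what lets a team identify targets early; the out_of_scope check is the one to run every time a tool is pointed at a target file.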

Participants

Colorado Office of the State Auditor, IT Audit Division
Colorado Office of Information Security
Coalfire Systems – OSA Prime Contractor (Experts in Network and Physical Security Testing)
Emagined Security – OSA Sub-Contractor (Experts in Web Application Penetration Testing)

Why did we perform this audit/penetration test?

Ongoing and unresolved vulnerabilities identified during routine audits/assessments
Lack of executive-level support for information security
Untested information security staff
◦ You will fight like you train!!!
Systemic or enterprise-wide changes made to the IT environment
Lack of funding for information security

Findings

Overall, we concluded that the State is at serious risk of a system compromise and/or data breach by malicious individuals.
Total of 9 public recommendations and 2 confidential recommendations.
Identification of hundreds of specific vulnerabilities, including specific remediation steps.
Compromise of agency networks and systems and access to thousands of confidential citizen and state employee records.

OUTCOMES

Positive Outcomes

Greater transparency into Colorado information security practices
Additional money and personnel for the Office of Information Security
Authority for our office to perform routine penetration tests
Skill development of state staff in the conduct of penetration tests
Identification and remediation of serious vulnerabilities within state government information systems
Increased oversight by the General Assembly

Media Frenzy

Management of Findings by OIT

Colorado Risk, Incident, Security, Compliance (CRISC) application
◦ Open source application – OpenFISMA
Vulnerability management lifecycle tracking
Standardized risk assessment for each finding
Mitigation planning
Evidence of remediation
Identification of systemic organizational issues

Lessons Learned

Communicate, communicate, and communicate!
Social Engineering – Demonstrate why security awareness is critical.
Ensure the risk and impact of findings are demonstrated – e.g., steal lots of sensitive information.
Use a methodical approach to identify “targets” early in the reconnaissance phase.
Ensure are well defined and agreed upon.
Modify reporting to meet the needs of different audiences.

Contacts

Dianne Ray, CPA, State Auditor
◦ [email protected]
◦ 303-869-2801
Jonathan C. Trull, Deputy State Auditor
◦ [email protected]
◦ 303-869-2859

Audit Report

A copy of the public report is available at the Colorado Office of the State Auditor’s website:
http://www.leg.state.co.us/OSA/coauditor1.nsf/Home?openform
The report is located under the Governor’s Office link, report # 2068A.