penetration testing and vulnerability assessment p 14... · 2018-04-28 · need to do a risk...

©2013 CliftonLarsonAllen LLP ©2013 CliftonLarsonAllen LLP CLAconnect.com Penetration Testing and Vulnerability Assessment


Page 1

Penetration Testing and Vulnerability Assessment

Page 2

Presentation overview

• What is Risk Assessment

• Governance Frameworks

• Types of “Audits”

• Vulnerability Assessment

• Penetration Testing

Page 3

CliftonLarsonAllen

– Started in 1953 with a goal of total client service

– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

Page 4

Our perspective…

CliftonLarsonAllen

– Started in 1953 with a goal of total client service

– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

– Information Security offered as specialized service offering for over 15 years

– Largest Credit Union Service Practice*

*Callahan and Associates 2014 Guide to Credit Union CPA Auditors.

CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country.

www.larsonallen.com – news release

Page 5

“We need…”

• “Our board said we need to do an IT Audit…”

• “To be in compliance with XYZ, we need to do a Risk Assessment…”

Page 7

Governance Frameworks

• Common Frameworks - Matrix Resources:

http://net.educause.edu/ir/library/pdf/CSD5876.pdf

Page 8

Types of Risk Assessments and Audits

• Risk Assessment

– Enterprise Risk Assessment

– IT Risk Assessment

– Compliance Risk Assessment

• IT Audits

– Process Audits (i.e. ACH)

– IT Compliance Audits

• Security Assessment

– Vulnerability Assessments

– Penetration Testing

– Social Engineering

Page 9

Audit Philosophy and Approach

Philosophy:

• People, Rules and Tools

Approach:

• Understand

• Test

• Assess

[Diagram: People, Rules, Tools]

Page 10

“Risk Assessment” Theory

• Inherent Risk – Likelihood vs Impact

• Control Risk

• Total Risk

IR × CR = TR

Page 11

“Risk Assessment”

• ID Assets

• Define Threats and Vulnerabilities

• Classify the likelihood of bad things

• Quantify the impact

– Stop here: Residual Risk

– Continue: Test Effectiveness of Controls (audits)
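The two slides above give the relation IR × CR = TR and the steps of a risk assessment (identify assets, define threats and vulnerabilities, classify likelihood, quantify impact, then either stop at residual risk or go on to test controls). The following is an added example and not part of the CliftonLarsonAllen deck: a minimal risk register that walks those steps. The 1–5 likelihood and impact scales, the control-effectiveness values, the asset list and the High/Medium/Low thresholds are all constructed for illustration; the point is how untested controls keep CR at 1.0 so that total risk equals inherent risk until an audit has actually tested them.

```python
"""Added example (not from the CliftonLarsonAllen deck): a minimal risk
register that follows the slide's steps and applies IR x CR = TR.
Scales, control-effectiveness values and rating bands are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str                 # threat / vulnerability pair for this asset
    likelihood: int             # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                 # 1 (negligible) .. 5 (severe), constructed scale
    control_effectiveness: float = 0.0  # 0.0 until controls are tested; 1.0 = fully effective

    @property
    def inherent_risk(self) -> int:
        # Inherent risk: likelihood vs impact, before any control is credited
        return self.likelihood * self.impact

    @property
    def control_risk(self) -> float:
        # Control risk: the share of inherent risk the controls fail to absorb.
        # Untested or absent controls get no credit, so CR stays at 1.0.
        return round(1.0 - self.control_effectiveness, 2)

    @property
    def total_risk(self) -> float:
        # The deck's relation: IR x CR = TR
        return round(self.inherent_risk * self.control_risk, 2)


def rating(total_risk: float) -> str:
    """Map a total-risk score onto bands (thresholds are constructed)."""
    if total_risk >= 10:
        return "High"
    if total_risk >= 5:
        return "Medium"
    return "Low"


def build_register() -> list:
    """Constructed sample register for a small financial institution."""
    return [
        Risk("Online banking web app", "SQL injection via login form", 3, 5, 0.8),
        Risk("ACH processing", "Unauthorized transfer by insider", 2, 5, 0.5),
        Risk("Wireless network", "Rogue access point", 4, 3),   # control never tested
        Risk("Backup media", "Loss in transit", 2, 2, 0.9),
    ]


def rank(register: list) -> list:
    """Highest total risk first: the order in which audits and tests should follow."""
    return sorted(register, key=lambda r: r.total_risk, reverse=True)


def residual_view(register: list) -> list:
    """The deck's 'stop here' branch: only inherent risk is known, because no
    control effectiveness has been tested yet."""
    ordered = sorted(register, key=lambda r: r.inherent_risk, reverse=True)
    return [(r.asset, r.inherent_risk) for r in ordered]


if __name__ == "__main__":
    for r in rank(build_register()):
        print(f"{r.asset:24} IR={r.inherent_risk:2} CR={r.control_risk:.2f} "
              f"TR={r.total_risk:5.2f} {rating(r.total_risk)}")
```

Note how the ranking changes once controls are tested: the web application has the highest inherent risk, but the untested wireless control leaves the wireless network at the top of the total-risk list, which is exactly the case the "Continue: Test Effectiveness of Controls" branch is meant to expose.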

Page 12

“Traditional IT Audit”

• Broad audits

– IT General Controls Review

• Specific/focused audits

– DRP/IR/BCP audits and testing

– SDLC and Change Management audits

– User and group permission audits

– Vendor management

Page 13

“Traditional IT Audit”

• IT General Controls Review

“A mile wide and 10 feet deep”

Page 14

“Traditional IT Audit”

• PCI – DSS

[Diagram: items numbered 1 through 6]

Page 15

“Traditional IT Audit”

• IT General Controls Review

– Good for broad, high level coverage of IT management, information security program, and compliance requirements

– Answers the question: “Do we have the right standards and are they well documented?”

– Effectiveness testing tends to be light

– Does not really test the systems or ID exceptions

Page 16

“Traditional IT Audit” – Focused Audits

• Common examples include DRP/IR/BCP audit and testing; user access reviews; SDLC and Change Management; ACH or other application audits

– More focused audits get to the next level of detail; they focus on the process and perhaps application level controls (i.e. menus); effectiveness testing tends to be more thorough, but is likely still based on sampling

– These can be Design or Compliance focused

Page 17

Vulnerability Assessment

• Port Scans and Vulnerability Scans

– They are like Radar…

– Pros

– Cons

• External and Internal Scanning

– What are the benefits?

• Example – Monthly scanning for local municipality

– July – nothing new/unusual

– August – nothing new/unusual

– September - SSH open, and…
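The monthly-scanning story above (nothing new in July or August, SSH open in September) is what a scan-to-scan diff catches, and it is why the "radar" only pays off when each sweep is compared with the last. The following is an added example, not part of the CliftonLarsonAllen deck: it parses constructed nmap grepable-style (`-oG`) output for two months, reports open ports that appeared or disappeared per host, and flags newly exposed services that appear on a review list. The host addresses, scan lines and the `REVIEW_SERVICES` policy list are all constructed for illustration.

```python
"""Added example (not from the CliftonLarsonAllen deck): diff two monthly
external scans and flag newly exposed services. Sample scan lines below are
constructed in nmap grepable (-oG) style; addresses are documentation ranges."""
import re
from collections import defaultdict

# Constructed July baseline: web server and VPN concentrator, nothing unusual.
JULY_SCAN = """\
# Nmap scan (constructed sample, grepable format)
Host: 203.0.113.10 (www.example.org)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/\tIgnored State: filtered (998)
Host: 203.0.113.11 (vpn.example.org)\tPorts: 443/open/tcp//https//OpenVPN/\tIgnored State: filtered (999)
"""

# Constructed September scan: SSH has appeared on the web server and a new
# host with remote desktop exposed has shown up in the address range.
SEPTEMBER_SCAN = """\
Host: 203.0.113.10 (www.example.org)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 22/open/tcp//ssh//OpenSSH 7.4/\tIgnored State: filtered (997)
Host: 203.0.113.11 (vpn.example.org)\tPorts: 443/open/tcp//https//OpenVPN/\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
"""

# Services that should not face the Internet without an approved exception
# (constructed policy list; tailor to the organisation's standards).
REVIEW_SERVICES = {"ssh", "telnet", "ftp", "ms-wbt-server", "microsoft-ds", "smb"}

# "Host: <addr> (<name>)<tab>Ports: <port list>" ; hosts without open ports
# have no "Ports:" field in -oG output and are therefore skipped here.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {host: {(port, proto): service}} containing open ports only.

    Each port entry has the form port/state/proto/owner/service/rpc/version/.
    """
    result = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, port_list = m.groups()
        for entry in port_list.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                result[host][(int(port), proto)] = service
    return dict(result)


def diff_scans(baseline, current):
    """Per-host changes as (host, change, port, proto, service) tuples."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        if host not in baseline:
            findings.append((host, "new host", None, None, None))
        for port, proto in sorted(set(after) - set(before)):
            findings.append((host, "new open port", port, proto, after[(port, proto)]))
        for port, proto in sorted(set(before) - set(after)):
            findings.append((host, "port closed", port, proto, before[(port, proto)]))
    return findings


def needs_review(findings):
    """Newly opened ports whose service is on the review list."""
    return [f for f in findings if f[1] == "new open port" and f[4] in REVIEW_SERVICES]


def monthly_report(baseline_text, current_text):
    """Parse both months, diff them, and return (all findings, items to review)."""
    findings = diff_scans(parse_grepable(baseline_text), parse_grepable(current_text))
    return findings, needs_review(findings)


if __name__ == "__main__":
    findings, review = monthly_report(JULY_SCAN, SEPTEMBER_SCAN)
    for host, change, port, proto, service in findings:
        detail = f" {port}/{proto} {service}" if port else ""
        print(f"{host:14} {change}{detail}")
    print("needs review:", [(f[0], f[4]) for f in review])
```

A July-to-August comparison of two identical scans yields an empty list, which is the "nothing new/unusual" case; the September run surfaces the SSH service on the web server and the unknown host with remote desktop exposed, the two items an analyst would open a ticket for.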

Page 18

Penetration Testing

• External Network

• Applications

• Internal Network

• Wireless

• Facilities (social engineering)

Page 19

Penetration Testing

• Goals and Objectives:

• “Understand, Test, and Assess…”

• Validate things behave as expected…

• Find/Identify new things…

Page 20

External Network Penetration Testing

Everything that touches the outside

1. Routing devices

2. Remote access

3. Web/applications*

4. Other*:

___________________

___________________

___________________

Page 21

External Network Penetration Testing

• Pros

• Cons

Page 22

Application Penetration Testing

External Network

Everything that touches the outside

Page 23

Application Penetration Testing

• Pros

• Cons

Page 24

Internal Network Penetration Testing

Internal Network

Everything inside with an IP address.

Page 25

Internal Network Penetration Testing

• Pros

• Cons

Page 26

Wireless Network Penetration Testing

Wireless Network

What do we know we have?

What do we have that we don’t know about?

Anything else?

Page 27

Wireless Network Penetration Testing

• Pros

• Cons

Page 28

Social Engineering Tests

• Pros

• Cons

[Diagram: People, Rules, Tools]

Page 29

Definition of a Secure System

[Diagram: People, Rules, Tools]

“A secure system is one we can depend on to behave as we expect.” Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

• Confidentiality

• Integrity

• Availability

Page 30

Questions?

Page 31

Thank you!

Randy Romes, CISSP, CRISC, MCP, PCI-QSA

Principal

Information Security

[email protected]

888.529.264

Page 32

Sources for Standards and Guidelines

• NIST 800-53: Information Security and IT Auditing http://csrc.nist.gov/publications/PubsSPs.html

• PCI Requirements https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf

https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

• HIPAA Security Rule: requirements for periodic technical validation testing – Evaluation (§ 164.308(a)(8))

Information from Health and Human Services and here