penetration testing as audit tool


Post on 04-Jun-2018


  • 8/13/2019 Penetration Testing as Audit Tool

    1/13

    atsec information security 2010

    Penetration Testing as an Auditing Tool

    March 1, 2011, ISACA Austin Chapter Luncheon

    Jeremy Powell, Consultant, atsec information security

  • 2/13

    About the Speaker

    Security consultant

    Evaluates the security features of:

      Operating systems

      Network appliances

      Cryptographic modules

      Networks and websites

    Relevant Standards:

      Common Criteria (ISO/IEC 15408)

      FIPS 140-2 cryptographic module validation

      Payment Card Industry Data Security Standard (PCI DSS)

    Lead penetration tester in atsec U.S. branch

  • 3/13

    Agenda

    Assurance and Security

    Breaking the Rules

    Penetration Testing

      Network and Web Application

      Physical

      Social Engineering

    Ethics and Legality

    Complementing Audits

  • 4/13

    Assurance and Security

    Assurance is established trust in information

    Information might need to be:

      Accurate

      Confidential

      Available

      Tracked

    How is trust established?

      Design a sound model

      Implement the model

      Regularly audit the implementation against the model

      Break the model

      Lather, Rinse, Repeat

  • 5/13

    Breaking the Rules

    Models are often based on assumption

    All prison guards are trusted.

      Bribes

      Planted guards

      Impostors

    No one knows how the system is designed

      Reverse engineering

      Someone leaks the plans

    No one can have a weapon inside airport security

      Cleaning supplies inside concourse

      Restaurant utensils

  • 6/13

    Penetration Testing

    Controlled rule breaking

    Simulated attack scenarios

    Different Types

      Network

      Web application

      Physical

      Social engineering

    Different Approaches

      White box: prior knowledge

      Black box: no prior knowledge

    Tests assumptions that may have been made that are not true

  • 7/13

    Network and Web Applications

  • 8/13

    Physical

  • 9/13

    Social Engineering

  • 10/13

    Ethics and Legality

    Testers must be very well trusted

    Contractual Rules of Engagement

      Defines the exact scope of testing

      Defines how testers should react if they identify vulnerabilities

      Constrains the testing to certain limitations

      In turn, provides tester a
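The rules of engagement on the slide above are a contract, but the scope, exclusions, time window and forbidden techniques they define can also be encoded and enforced in tooling before any test traffic leaves the tester's machine. The following is an added example written for this transcript, not code from the presentation or from atsec; the `RulesOfEngagement` class, the `check_target`/`classify` functions, the TEST-NET address ranges and the dates are all constructed placeholders for a hypothetical engagement.

```python
"""Rules-of-engagement scope gate (added example, not from the presentation).

Encodes a signed RoE as data and refuses any target or technique that falls
outside it. All names, addresses and dates below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RulesOfEngagement:
    """Minimal machine-readable RoE: what may be tested, what may not, and when."""
    in_scope_networks: list[str]                              # CIDR ranges the client authorised
    in_scope_hosts: set[str] = field(default_factory=set)     # named hosts authorised
    excluded_hosts: set[str] = field(default_factory=set)     # explicit carve-outs inside a range
    window_start: datetime | None = None                      # agreed testing window (UTC)
    window_end: datetime | None = None
    forbidden_techniques: set[str] = field(default_factory=set)  # limitations written into the RoE


class ScopeViolation(Exception):
    """Raised when a requested action falls outside the signed RoE."""


def _in_networks(target: str, networks: list[str]) -> bool:
    """True if target is an IP address inside one of the authorised CIDR ranges."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # hostnames are matched by name, never by CIDR
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def check_target(roe: RulesOfEngagement, target: str, technique: str,
                 now: datetime | None = None) -> str:
    """Return "allowed" or raise ScopeViolation naming the clause that was hit.

    Order matters: forbidden techniques and the time window apply even to
    in-scope targets, and an explicit exclusion wins over an authorised range
    that contains it."""
    now = now or datetime.now(timezone.utc)
    if technique in roe.forbidden_techniques:
        raise ScopeViolation(f"technique '{technique}' is forbidden by the RoE")
    if roe.window_start and roe.window_end and not (roe.window_start <= now <= roe.window_end):
        raise ScopeViolation("outside the agreed testing window "
                             f"({roe.window_start:%Y-%m-%d %H:%M} to {roe.window_end:%Y-%m-%d %H:%M} UTC)")
    if target in roe.excluded_hosts:
        raise ScopeViolation(f"{target} is explicitly excluded")
    if target in roe.in_scope_hosts or _in_networks(target, roe.in_scope_networks):
        return "allowed"
    raise ScopeViolation(f"{target} is not in the authorised scope")


def classify(roe: RulesOfEngagement, target: str, technique: str,
             now: datetime | None = None) -> str:
    """Same check, but returns the verdict as a string so a tool can log it."""
    try:
        return check_target(roe, target, technique, now)
    except ScopeViolation as exc:
        return f"denied: {exc}"


# Constructed sample RoE for a hypothetical engagement (RFC 5737 documentation ranges).
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["192.0.2.0/24"],
    in_scope_hosts={"www.example.com"},
    excluded_hosts={"192.0.2.10"},            # e.g. a production database carved out of the range
    window_start=datetime(2011, 3, 7, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2011, 3, 11, 18, 0, tzinfo=timezone.utc),
    forbidden_techniques={"dos"},
)
SAMPLE_TIME = datetime(2011, 3, 8, 10, 0, tzinfo=timezone.utc)   # inside the window
LATE_TIME = datetime(2011, 3, 20, 10, 0, tzinfo=timezone.utc)    # after the window closed

if __name__ == "__main__":
    for tgt, tech in [("192.0.2.20", "port-scan"), ("192.0.2.10", "port-scan"),
                      ("198.51.100.5", "port-scan"), ("192.0.2.20", "dos")]:
        print(f"{tgt:14} {tech:10} -> {classify(SAMPLE_ROE, tgt, tech, SAMPLE_TIME)}")
```

Checking exclusions before inclusions is the important design choice: a carve-out written into the RoE must hold even when the excluded host sits inside an otherwise authorised range, and the denial message names the clause so the record of why a target was skipped can be handed back to the auditor alongside the findings.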

  • 11/13

    Complementing Audits

    Auditors may draw incorrect conclusions

      Audits are based on presented (possibly incomplete or incorrect) evidence

      Auditors often sample the evidence

      Auditors may make assumptions

      The standard or model may be broken

    Penetration testing covers these gaps

      Testers have simple yet strong motivation

      Testers may not have seen the audit, therefore they may not have made similar assumptions

      With competent testers, penetration testing reveals what competent attackers are capable of

  • 12/13

    Further Information

    The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick, William Simon

    The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Kevin Mitnick, William Simon

    atsec's website: http://www.atsec.com/

    atsec's news blog: http://atsec-information-security.blogspot.com/

  • 13/13

    Thank you.