IDENTIFY SECURITY RISKS
SERVICE CORE: Vulnerability Assessment, Intrusion Testing, Compliance Readiness Gap, Internal Governance, Architecture Assessment
In an age when companies are suffering security breaches on a consistent basis, it is important to ensure the data at your company is as secure as possible. In addition to external threats from hackers, internal security risks also need to be identified. All of BestIT's security assessment offerings include a risk- and impact-based approach to analyze the risk posed by each gap or vulnerability found within the organization. We identify the gaps in your security and seal them before a data breach of any size hits your business.
77% of employees leave their computers unattended in the office.[1]

VULNERABILITY ASSESSMENT
A vulnerability assessment provides independent third-party validation of the current security and risk within the environment. The result is an assessment of all security and environment controls, with a focus on vulnerabilities and risks within the enterprise or a specific, focused scope of it. Examples of assessment scopes include external-facing systems such as web servers, websites and applications; internal systems including database servers, application servers, workstations, network devices and wireless access; and extranet networks between the organization and business partners.
Regardless of the focus, all vulnerability assessments follow the same approach with four essential phases:

1. Discovery
Essentially a data gathering period that assists testing during enumeration and is applied in analysis for impact, risk and effort ratings.

2. Enumeration
Systems are tested during this phase and the results are gathered for analysis. Testing includes system interrogation tools such as Nessus, NMAP, Nexpose, SAINT, Cain, DTSearch, Network Stumbler, ShareScan, SamSpade, AirSnort and RAT, among other tools, as well as manual testing processes.

3. Analysis
Data gathered from the enumeration is analyzed against relevant industry best practice, business impact, and known risks reported by enumeration tools, relative to the organization and the compensating controls observed.

4. Reporting
A formal report is generated with all vulnerability findings ranked in order of their severity relative to actual risk, business impact and effort to remediate the issue.

"Vulnerability assessments are similar to getting regular checkups at the doctor's office. We perceive them as mildly invasive, they make us feel a little uncomfortable and we often worry about the results. However, we find out valuable information that will enable us to live well, protect from disease and disablement and the more we get them, the less we find we have to worry about."
Jim Mapes, Chief Security Officer

BestIT will assess the vulnerabilities that could exist within:
• External (Internet facing)
• Internal (private business and production networks)
• Wireless (WiFi network access at business facilities)
• Extranet (private B2B networks)

Unsecured wireless Internet access poses a risk to your organization. Make sure only authorized users can connect securely to your network.

[1] Ponemon Institute, 2012
INTRUSION TESTING

Intrusion testing (attack and penetration testing) validates the level of protection applied within the environment or scope. It examines how effective the defense-in-depth controls are at preventing data loss, leakage and/or alteration, using tests built on current, real-time attacks, vectors and scenarios.

The BestIT approach combines skilled and experienced information security researchers with technology and tools. While some of our tools and technology are privately developed or purchased, the majority are open source, freely available on the Internet and widely used by professional researchers and criminals alike. What differentiates the BestIT service from other "intrusion tests" is that we don't rely on "script-kiddie" techniques and we don't trust the tools to find the holes; we use the tools as intended, to check what we already suspect and what may have been overlooked.

Social engineering and physical intrusion require special mention here, as they represent special-case testing. Although they typically follow the same methodology and approach as the "logical" intrusion test (as outlined in "Tools and Approach"), the exploit is against human targets to gain information or access to physical locations where information assets reside. Approaches will include phone work, social media, "casing" a facility to determine ingress and egress points, tail-gating into controlled areas, and may involve disguises to pose as "authorized" visitors or vendors. These tests are mostly about determining the level of security and policy awareness of the workforce.
The External Intrusion Test

There are two variations of the external intrusion test: Gray Box and Black Box. In the Gray Box version, information regarding any of the following may be provided to the hacker team to "speed up" the discovery and subsequent testing process:
• Lists of target IP addresses
• List of IP blocks owned by the target entity
• Lists of URLs (if only those URLs and apps are to be tested)
• Login account with basic access (if the customer wishes to test for web application or other access control vulnerabilities within a service)

In the Black Box version, no information or login is given to the hacker team. The team is only provided with the target organization's name. The team must discover all available public information and then determine appropriate targets for follow-on enumeration and attacks. All gathered information is then presented to the project sponsor for confirmation prior to any enumeration and attacks (to make sure that unaffiliated third-party or customer targets were not included by mistake).

The discovery phase includes the following efforts:
• Lists of active hosts on the Internet
• Services running on the discovered hosts
• Determine protective measures (firewalls)
• List of applications running on targets

Tools used include SamSpade, DNS, registration websites such as ARIN, and limited NMAP scans.
52% of all breaches affecting all organizations used some form of hacking.
Phase 2 Enumeration

Enumeration provides a deeper look into the services available and the operating system of each host. Service banners are examined to determine what version of the service is running and whether that version appears in known vulnerability databases. Websites are crawled and directory listings are gathered through both automated and manual means. As much information as possible is gathered on the targets so that attack tests can be planned and executed. Tools used include automated enumeration tools such as NMAP, Nessus, SAINT, Burp Suite, Wikto, Nikto, Whisker, Cain, NetStumbler, AirSnort, Kismet, AirMagnet, vidigger, ShareScan and DTSearch, as well as other open source tools as appropriate.
Phase 3 Exploitation

The exploit phase is typically planned to start at a given time and often has specific windows to minimize any accidental downtime. Once the data has been analyzed and attacks have been chosen, the exploitation phase begins. Simple exploits may be automated via scripts; others (by necessity) are tested manually. The results are then recorded for inclusion in a report. When an exploit is successful (i.e. it grants access to restricted data or increases privileges), a screenshot is taken as evidential proof of the exploit's capability within the target environment. These are then presented in the appendix of the report. The exploit phase continues until either of the following conditions is met:

1. The amount of time or number of hours approved for the intrusion engagement has expired.
2. An attack achieves complete control (root level) and access to the target and additional environments, and has been successful to the fullest extent allowed by agreement with the customer.

Tools are too numerous for a complete list, but usually include BackTrack, numerous focused rainbow tables, Cain, the SAINT exploit and Nexpose scanners with Metasploit for automated testing, and manual scripting using anti-malware cross-compilers where appropriate.
Phase 4 Reporting

The report phase involves final analysis of all data gathered, the results of tests performed, and notation of compensating controls and/or conditions encountered during the testing. The analysis includes a tier rating of the vulnerabilities exploited to gain access, along with a ranking of severity, impact and risk, and includes recommended remediation actions. The findings are presented to show preferable remediation patterns (from most urgent to least urgent) and remediation strategies that show which vulnerabilities, if remediated, will most hamper future attacks. Additionally, other vulnerabilities that were discovered but not used in the exploit phase are reported as "tested positive, unverified". The reporting phase concludes with a formal presentation and walk-through of the findings with the project sponsor(s).
If there is a hole in your digital defense, we will find it.
What You Should Know
• Intrusion tests aren't just about finding a security hole. They're about testing the effectiveness of the controls that stop an intruder at multiple layers.
• Many so-called intrusion vendors only run automated tools, which leads to poor and inaccurate results.
• Regulatory standards require an annual intrusion test; however, most organizations should consider more frequent testing.
• Time is everything when considering how long you want a test to take. Remember, cyber criminals have all the time they want and will strike at your worst moment.
• Our intrusion experts are highly trained and knowledgeable in exploit methodology and attack vectors.
• Intrusion tests can be a great training exercise for your security incident response program.

Visit www.BestIT.com to review case studies on how we've helped our clients strengthen their IT security infrastructure.

What We Cover
• Web Service and Applications
• External Networking Infrastructure
• B2B Extranet
• Internal Network and Host
• Wireless Infrastructure
• Internal Applications and Data Stores
• Social Engineering and Awareness (Physical/Logical)
ARCHITECTURE ASSESSMENT

A security architecture assessment examines the security design and configuration of an environment's infrastructure and can include virtual components. Typically, the assessment focuses on one or more logical architecture areas:
• Network: firewalls, load balancers, NIDS/NIPS, routers, switches, remote access (VPN)
• System: operating systems, HIDS/HIPS, authentication, authorization, endpoint protection
• Application: code review, error handling, data filtering, authentication, encryption
• Data: classification, data leakage protections, encryption
• Physical: security controls at ingress/egress points where data assets reside (data center, workstations, servers)
Approaches and Methodologies

Approaches and methodologies vary with the architecture to be assessed. For logical infrastructure reviews, configuration files and benchmark standards, together with the available documentation of the environment, are gathered and analyzed. If benchmark standards have not been designed and/or applied to the "in-scope" environment, then appropriate industry and/or regulatory standards may be reviewed and agreed with the project sponsor(s).

Automated tools may be run to determine where the environment deviates from the documented or agreed benchmark. Common tools used in these assessments are configuration analysis kits and audit tools, although a manual review of the configuration is always performed. The assessment can be performed as part of other BestIT services. For example, the security assessment can be a component of a more comprehensive operational review and testing (such as load testing that includes Denial of Service resiliency and high availability), part of system acceptance, or part of a Compliance Readiness Gap or Internal Governance assessment. The Architecture Assessment concludes with a report that provides an executive summary of high-level "roll-up" findings, an overview of the methodology and tools employed during the assessment, detailed technical findings with recommendations for remediation, and a report on any deviations from benchmark standards within the environment.
Data encryption is an important step to take in order to secure your data. BestIT can help your employees put encryption barriers in place so that your sensitive data is not easily accessed should it fall into the wrong hands.

THE DATA ENCRYPTION PROCESS
COMPLIANCE READINESS GAP

The Compliance Readiness Gap Assessment combines our assessment and audit services into a comprehensive assessment solution that provides an understanding of your organization's compliance requirements and challenges, identifies gaps, and establishes tactical and strategic roadmaps.

As a customized service designed to perform regulatory compliance testing prior to a third-party audit, the gap assessment identifies control gaps and provides audit planning, onsite support, tracking and reporting on control remediation, and pre-audit planning meetings with the third-party auditors.

As part of an ongoing assessment and remediation life cycle, or as part of compliance monitoring, this service is offered as a stand-alone, quarterly, or ongoing assessment of an environment. It includes compliance experts during the actual audit testing to address auditor support demands, and ensures that audit testing remains within the desired scope by acting as a compliance expert advocate for your organization.

Like the other security assessment methodologies and tools, the Compliance Readiness Gap Assessment builds on the BestIT Security Assessment approach of combining technology and expert professionals to produce the Gap report. The report follows the same format but focuses on comparing compliance gaps against the appropriate compliance baseline, with risk and impact analyzed against the organization's ability to provide effective evidence to an auditor that proves compliance. Findings on control effectiveness and defects are documented and a report on total compliance is generated. A compliance success plan is also delivered, complete with an ongoing compliance strategy and lifecycle, remediation plans with milestone objectives, and critical timelines. A retesting scope can also be included, which provides future control testing as remediation objectives and timelines are met. Our experts are also available to work directly with the third-party auditor to ensure that audit scopes do not unnecessarily change, to ensure that the audit process is streamlined, and to provide direct support to your organization as a compliance expert throughout the audit. Specific tools vary depending on the compliance standard, applicable scope, and the complexity of the environment, but usually include the same security assessment tools mentioned above, such as Nessus, Nexpose, NMAP, and other discovery and enumeration tools. DTSearch may also be used to discover previously unknown data repositories that are (or should be) governed by the specific compliance requirements. The overall objective is to provide an audit experience devoid of "surprises".
Compliance Standards
• Federal Information Security Management Act: FISMA requires various agencies to develop and implement an information security program to protect government data against security threats.
• Sarbanes-Oxley Act: protects investors from fraudulent accounting activities by requiring corporations to provide financial disclosure to prevent accounting fraud.
• Gramm-Leach-Bliley Act: repeals barriers put in place by the 1933 Glass-Steagall Act among banking institutions, now allowing them to offer financial services like insurance and investments.
• North American Electric Reliability Corporation Critical Infrastructure Protection
• State-specific data security regulations
Internal governance is an important aspect of understanding the security risks that exist within your company. Each organization should have policies in place to help minimize the risk of a major security incident. Employee negligence or malicious insiders are often the source of security breaches for companies. Your company should have these elements in place to reduce the risk:
• Security Policy
• Security Baseline Standards
• Security Process and Procedures

Internal Governance Assessments provide third-party validation that the organization's specified security requirements are being met and that the environment reflects documented security baselines. The effort includes examination of security policies, baseline/benchmark standards, processes and procedures, diagrams and configurations. Testing is done using automated tool kits, interviews with key staff, and observation of the environment. The primary objective is to develop an understanding of the organization's expected security control effectiveness and match that expectation to the real state of the in-scope environment. The service is offered as a stand-alone assessment or incorporated into a more comprehensive assessment solution with any or all of the other assessment offerings.

The Internal Governance Assessment follows the same approach and processes, and uses the same tools, as the Compliance Readiness Gap Assessment. The deliverables are also identical, although both the scope and the benchmarks would, of course, differ.