pentesting-and-buzzwords
- 2. Copyright © 2015, Clint Bodungen
Increasing high profile cyber security incidents have the market swirling with buzzwords more now than ever before. In
the 90’s, it was all about “firewalls”. Then came “IDS” (intrusion detection systems), followed by “malware”, “vulnerability
assessments”, “APTs” (advanced persistent threats), and now “penetration testing” (performed by an “Ethical Hacker”).
Oh, and let’s not forget, we don’t just have a new firewall with IDS capabilities… no, it’s a “Next Generation Firewall”.
Brilliant, right? Meh. Even “cyber security”, to many professionals’ dismay, is a relatively new adaptation from good old IT
security, or computer security.
Sure, these terms have been in use by “cyber security professionals” for years. But it’s interesting to see how companies,
and even the media, spin these common industry terms with new catchy phrases in an effort to lure in clients and
consumers to the next big thing in defense against the new [insert buzzword] threat. It’s a fantastical, almost Hollywood‐like,
display of marketing. Especially when combined with media support like the latest blockbuster flop (depending on
what critics you listen to), “Blackhat”, starring Chris Hemsworth (known for his previous role as “Thor”) as the world’s best
hacker, hired to stop a faceless “black hat” hacker from blowing up a nuclear plant. Wow! Who wouldn’t want a hacker
with a god‐like prowess and James Bond style proficiencies protecting their company? Quick! Get a “penetration tester”!
Stat!
So what do companies really need, and how do they achieve it?
Hey, as a “Penetration Tester” myself, I’m actually not complaining. All of this publicity is good for business and for
impressing my friends at parties. But ultimately, my job is to protect my clients’ data, and I’ve never been on an
international, gun toting, Kung Fu fighting adventure to do it. It’s a far cry from Hollywood action thrillers and fancy
marketing campaigns. In fact, even the actual “hacking” part of my job is relatively small compared to the bigger task at
hand. In the end, it’s all about assessing, mitigating, and managing risk, in the most effective and cost efficient manner
possible. It can be a daunting, and at times, tedious endeavor.
Many companies, and the world at large, are often confused about what a proper risk assessment actually is, and how all
these fancy buzzwords like “penetration test”, “vulnerability assessment”, and “threat intelligence” play into it. To further
complicate things, there are numerous risk calculation metrics, formulas, models, and tools that can help, but more often
further complicate things. All of this often leads to a spotty risk assessment process that, in turn, leads to an overly costly,
yet inefficient, “mitigation” solution.
However, if you just take a step back and look at the 30,000 foot view before jumping off into the weeds, you’ll soon
realize that penetration testing shouldn’t just be an ad hoc “hacking” exercise to see if your assets can be compromised,
nor does measuring risk need to involve dizzying complicated formulas and calculations. There is actually a very logical
process to help bring method to the madness. I’ll explain each one of these steps, but first, here it is plain and simple:
1. Identify all of your assets and categorize by criticality (i.e. the highest cost of impact in the event of a compromise).
2. Assess your attack surface, communication paths, vulnerabilities, and threats.
3. Mitigate starting with the most critical assets, with the highest exposure, where the cost to mitigate does not
exceed the cost of an incident.
4. Validate the mitigations deployed.
5. Repeat.
Identifying and Categorizing Your Assets
It’s pretty difficult to protect what you don’t know you have. You can deploy broad, comprehensive security controls in
the name of “layered defense” (there’s another buzzword), but in the end that’s not very effective or cost efficient.
Without having a clear understanding of what you are protecting, where it’s at, and how it could be attacked and
compromised, you’re going to miss things. Therefore, it’s absolutely critical that you identify all of your assets as
thoroughly as possible.
Many companies stop there. But in order to ensure that you are deploying effective, and cost efficient, risk mitigation
strategies, you must understand what the approximate cost of an incident could be for each asset, and prioritize
accordingly. While calculating this cost, be sure to include the intangibles such as incident response time/cost, public
relations costs, legal fees, fines, etc., in addition to lost profit and damaged equipment.
(NOTE: This phase should be completed using a cooperative effort between technical staff and business unit managers.)
Assessing Your Risk: Penetration Test vs. Vulnerability Assessment vs. More Shiny Buzzwords
Give me five different companies, and I’ll show you five different interpretations of a “penetration test”, a “vulnerability
assessment”, and a “risk assessment”. The bottom line is that it doesn’t matter what you call it. It’s all about properly
assessing your risk. What is important is that everyone involved has a clear and mutual understanding of the scope, the
process, and the methods that will be used. That being said, there are several tasks that require varying skill sets and
disciplines, all working in concert with one another, as we will discuss.
When assessing risk, your ultimate goal is to (Starting with your most critical assets first!):
1. Identify your attack surfaces, entry points, and communication paths. Hackers will be looking for entry points on
all of your attack surfaces, so you need to identify them quickly and assess the largest exposures first. Your attack
surface is any asset or information that could be exposed in a way that could be obtained, used, or attacked by a
hacker. This could be internet facing systems, products, and even exposed sensitive information (e.g. employee
Facebook posts) that could be used to aid an attacker. Internet facing systems and products would be considered
a large attack surface, while isolated computers (e.g. lab computers) would be a small attack surface.
Entry points can be thought of as methods by which assets receive data or communications. This is ultimately how
a hacker will attempt to attack your asset.
Communication paths are an often overlooked, critical point of the assessment. For example, while an internet
facing asset might be considered to have a low criticality rating, it might have a communication path to a more
critical asset. Therefore, a hacker could potentially compromise the lower rated asset and “pivot” (i.e. use that
system as a way to access other internal systems) into your network in order to access more critical systems.
(NOTE: Typically possessing the same skill, and mindset, as a malicious hacker would, this is an area where a true
“penetration tester” (i.e. “ethical hacker”) could be employed to help significantly.)
2. Starting with your most exposed, and most critical, assets first, identify as many potential vulnerabilities as you
can within your assets (e.g. systems, networks, products, or anything else “in scope”). This is where many
companies get confused and leave gaps due to a misunderstanding in scope, often interchanging the terms,
“penetration test” and “vulnerability assessment”. Again, nomenclature doesn’t matter nearly as much as a
proper, thorough approach. Whether you are assessing a single product or an entire network, three major things
need to be considered: 1) known vulnerabilities, 2) unknown “zero‐day” vulnerabilities, and 3) information
disclosure (e.g. login credentials).
While there are varying methods and a multitude of tools, identifying known vulnerabilities (i.e. vulnerabilities in
products that have been publicly disclosed) and information disclosure are relatively straightforward concepts.
Most mid to senior level cyber security professionals are quite capable of performing these tasks.
Although discovering and managing known vulnerabilities does reduce a significant portion of your risk exposure,
zero‐day vulnerabilities can often prove to be the most costly. Such vulnerabilities are used by more advanced
malware and hackers, and there are often no patches, IDS signatures, or anti‐virus signatures available for exploits
that take advantage of these vulnerabilities. Zero‐day vulnerability discovery methods (e.g. static reverse
engineering, debugging, “fuzzing”, code review, etc.), on the other hand, are a much more specialized skill set,
which only a relatively small percentage of cyber security professionals actually possess. In order to ensure this
aspect of your risk assessment is covered, you will need these specialized individuals, often referred to as
“vulnerability researchers” or the famed label, “penetration tester”.
It should be understood that every aspect of the assessment phase should be a recurring and ongoing process,
and zero‐day vulnerability discovery typically takes significantly more time than an assessment of known
vulnerabilities.
(NOTE: While “penetration testers” are typically more specialized in offensive tactics than a traditional cyber
security professional, not all penetration testers possess zero‐day vulnerability discovery skills. When performing
this phase of your risk assessment, it is important to verify that the person assigned this task is experienced with
actual zero‐day vulnerability discovery.)
3. Assess the likelihood of a compromise. Now that you have identified your assets (and rated them in terms of
criticality), your attack surfaces, and vulnerabilities, it’s time to begin gauging the likelihood of a compromise.
Identify the potential threat sources along with their motives, means, and capabilities. If there was no
one to attack you, then you wouldn’t have to worry about your vulnerabilities. But let’s face it, there is
always at least some degree of a threat source. The types of threat sources that could be targeting your
assets are directly proportional to your level of risk exposure. For example, if you are a small, relatively
unknown services company, then you most likely have a lower number of threat sources trying to attack
you than a well‐known multi‐million dollar corporation. So, things to consider: Who are your potential
attackers, why would they want to attack you, and how? Are you a large software products company with
loads of hackers just itching to find the latest bug in your products? Could you have “hacktivists” (there’s
another buzzword) trying to deface your website? Or are you a major financial institution or energy
producer with critical infrastructure to protect? Answers to each of these questions will provide clues as
to where you need to focus your assessment and defensive strategies first.
Considering the potential attacker’s means and capabilities will also play a large part in the level of effort
and financial commitment required to counter these threats. Are you simply the target of random, lower
skilled “script kiddies” getting into mischief or random malware? Or, could you be the target of an
organized crime syndicate, possibly even a nation state, with the resources to hire highly skilled hackers
and produce advanced malware?
Simulate potential attacks using “penetration testers” (a.k.a. “red team” exercises). Knowing what your
vulnerabilities are, who might attack you, and how, is the first step in understanding where you need to
begin focusing your efforts. However, performing red team exercises with qualified penetration testers
will give you a much clearer understanding, and expectation, of how feasible an attack really is on any
given attack surface. The catch here is that a local, or even contracted, red team most likely won’t be able
to match the time and resources of an organization such as a nation state. But, with a quality team and a
well‐organized, and properly executed, process, this effort will still provide you with the most significant
returns when it comes to developing a risk mitigation strategy that is focused and efficient. Obviously, the
more time and resources you are able to dedicate to building or hiring a red team, the better your results
will be.
Many organizations perform red team tests at multiple phases during a risk assessment. It is common to
perform a “black box” penetration test (i.e. no knowledge of the assets) at the beginning of the project, a
“white box” test (i.e. full disclosure and knowledge of the assets, which could also include a source code
review) during the project, and then a final validation test after mitigations have been deployed. The final
test is usually a black box test by a team that was not involved with the white box test, or a “gray box”
test, performed by the same team that performed the white box test but has no knowledge of the
mitigations that have been put in place.
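The communication-path point in step 1 above (a low-criticality, internet-facing asset that gives a hacker a “pivot” into a more critical one) can be checked mechanically once the asset inventory and its paths are written down. The Python below is an added example written for this edit, not code from the article or its author; the asset names, criticality ratings and paths are a constructed, hypothetical inventory. It walks the paths from every internet-facing asset and reports, for each asset, the pivot chain through which it can be reached, so that assessment effort is ordered by reachability first and criticality second.

```python
from collections import deque

# Constructed sample inventory (hypothetical company). "criticality" is the
# impact rating from the asset-categorisation step: 1 = low, 5 = highest
# cost of a compromise. "internet_facing" marks the large attack surfaces.
ASSETS = {
    "web-portal":  {"criticality": 2, "internet_facing": True},
    "mail-relay":  {"criticality": 1, "internet_facing": True},
    "file-server": {"criticality": 3, "internet_facing": False},
    "hr-database": {"criticality": 5, "internet_facing": False},
    "lab-pc":      {"criticality": 1, "internet_facing": False},
}

# Constructed directed communication paths (source -> destination): the ways
# an asset receives data from another asset, i.e. its internal entry points.
PATHS = [
    ("web-portal", "file-server"),
    ("file-server", "hr-database"),
    ("mail-relay", "file-server"),
]


def reachable_from_internet(assets, paths):
    """Return {asset: pivot chain} for every asset reachable from an
    internet-facing asset by following communication paths (breadth-first
    search). Internet-facing assets map to the one-element chain [self]."""
    adjacency = {}
    for src, dst in paths:
        adjacency.setdefault(src, []).append(dst)
    chains = {}
    queue = deque()
    for name, info in assets.items():
        if info["internet_facing"]:
            chains[name] = [name]
            queue.append(name)
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, []):
            if nxt not in chains:          # first (shortest) chain found wins
                chains[nxt] = chains[current] + [nxt]
                queue.append(nxt)
    return chains


def exposure_report(assets, paths):
    """Order assets for assessment: reachable ones first, then by criticality
    (highest first). Each row is (name, criticality, pivot chain or None)."""
    chains = reachable_from_internet(assets, paths)
    rows = [(name, info["criticality"], chains.get(name))
            for name, info in assets.items()]
    rows.sort(key=lambda r: (r[2] is None, -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for name, crit, chain in exposure_report(ASSETS, PATHS):
        route = " -> ".join(chain) if chain else "not reachable from the internet"
        print(f"{name:12} criticality={crit}  {route}")
```

In the sample data the critical hr-database is not internet-facing, yet it tops the report because web-portal -> file-server -> hr-database is a usable pivot chain; the isolated lab-pc drops to the bottom. Real inventories will also carry paths that cross trust boundaries (VPNs, vendor links), which belong in the same list.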
Putting it all Together
At this point, you should have a good understanding of your assets, where they are, their criticality rating, their
vulnerabilities, and your overall attack surface. You should also now have a relatively good idea about who could pose a
threat, why they might want to attack you, what methods they could use, where they are most likely to hit you, and to
what level of success. We can now use all of this information to begin building a mitigation strategy that is focused first
on the threats that are most likely to hit us, and where they are most likely to strike.
Trying to cover even a fraction of mitigation strategies and techniques is enough to warrant an entire series of books
(which exist). So, it’s obviously beyond the scope of this article. Therefore, let’s take a look at the overall formula.
Throughout the entire assessment process, the assessment team should be working with your security department or
product development teams, whichever the appropriate case may be, to discuss results and mitigation strategies. This
should also include estimated mitigation costs. Armed with all of the information needed, informed business decisions
can now be made about which mitigations to deploy, where, and when. Here is a quick outline of the steps involved
in the mitigation planning phase:
1. Research and estimate the cost of each proposed mitigation solution.
2. Starting with the most critical and most exposed assets, compare the mitigation cost with the impact/cost of a
potential compromise.
3. Create your mitigation strategy, based on the given data, by answering the following questions:
a. What is my total budget?
b. What are my most critical, most exposed assets?
c. What is the total cost/impact of a compromise?
d. What is the likelihood of a compromise?
e. Does the cost to mitigate outweigh the risk?
4. Deploy mitigations according to budget and strategy.
(NOTE: There are several sources of information out there, which provide formulas that get into official sounding
terms like “estimated rate of occurrence”, “single loss expectancy”, “annualized loss expectancy”, etc. This level of
technicality is beyond the scope of this article and, quite frankly, often proves to be useless in many corporate
business decisions regarding risk mitigation. The bottom line is, you just need to focus on mitigating the risks that
have the highest impact first, and work down from there in a way that meets your budget.)
5. Validate mitigations. As mentioned before, mitigations should be validated by performing another penetration
test/red team exercise here.
6. Repeat. Risk management is an ongoing process. At a minimum, this entire process should be repeated at least
once or twice a year, depending on which standard you are referencing. In reality it should be as often as your
budget can support. The best case scenario would be to have an internal team that performs these tasks on an
ongoing basis. Finally, at least some form of risk assessment should be included in your change management
policy, and executed each time there is a change (especially a significant change) to your assets.
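The mitigation planning steps above can be written down as a short procedure. The Python below is an added example (not code from the article) that walks a constructed set of assets and candidate mitigations most-critical-and-most-exposed first (step 2), answers question 3e by comparing each mitigation’s cost with a likelihood-weighted impact (that weighting is an assumption of this example; the article deliberately prescribes no formula), and stops adding mitigations once the budget from question 3a is spent (step 4). All asset names, costs and likelihoods are hypothetical.

```python
# Constructed sample data (hypothetical company). "impact_cost" is the total
# cost of a compromise from the asset-categorisation step (lost profit,
# response, legal, PR, fines); "likelihood" is a 0..1 estimate from the threat
# assessment; "exposure" is 1..5 from the attack-surface review.
ASSETS = {
    "hr-database": {"impact_cost": 2_000_000, "likelihood": 0.25,  "exposure": 4},
    "web-portal":  {"impact_cost":   250_000, "likelihood": 0.5,   "exposure": 5},
    "file-server": {"impact_cost":   400_000, "likelihood": 0.25,  "exposure": 3},
    "lab-pc":      {"impact_cost":    15_000, "likelihood": 0.125, "exposure": 1},
}

# Constructed candidate mitigations with their estimated cost (step 1) and the
# asset each one protects.
MITIGATIONS = [
    {"name": "segment HR network",         "asset": "hr-database", "cost": 120_000},
    {"name": "WAF for portal",             "asset": "web-portal",  "cost":  40_000},
    {"name": "gold-plated portal rewrite", "asset": "web-portal",  "cost": 300_000},
    {"name": "patch management rollout",   "asset": "file-server", "cost":  60_000},
    {"name": "lab PC hardening",           "asset": "lab-pc",      "cost":  20_000},
]


def expected_loss(info):
    """Likelihood-weighted impact, used as the 'risk' side of question 3e.
    Assumption of this example: combine 3c (impact) and 3d (likelihood) by
    simple multiplication."""
    return info["impact_cost"] * info["likelihood"]


def plan_mitigations(assets, mitigations, budget):
    """Greedy plan: visit assets ordered by impact x exposure (most critical and
    most exposed first), keep a mitigation only if its cost does not exceed the
    loss it guards against and still fits the remaining budget.
    Returns (accepted names, [(rejected name, reason)], budget left)."""
    order = sorted(assets,
                   key=lambda a: (-assets[a]["impact_cost"] * assets[a]["exposure"], a))
    plan, rejected, remaining = [], [], budget
    for asset in order:
        loss = expected_loss(assets[asset])
        for m in (m for m in mitigations if m["asset"] == asset):
            if m["cost"] > loss:
                rejected.append((m["name"], "cost exceeds risk"))   # question 3e
            elif m["cost"] > remaining:
                rejected.append((m["name"], "over budget"))         # question 3a
            else:
                plan.append(m["name"])
                remaining -= m["cost"]
    return plan, rejected, remaining


if __name__ == "__main__":
    accepted, declined, left = plan_mitigations(ASSETS, MITIGATIONS, 200_000)
    print("deploy:", accepted)
    print("declined:", declined)
    print("budget left:", left)
```

With a 200,000 budget the sample run funds the HR network segmentation and the portal WAF, declines the portal rewrite and the lab hardening because they cost more than the loss they prevent, and leaves patch management unfunded only because the budget ran out, which is exactly the item to carry into the next cycle when the process repeats. The greedy walk is the article’s “highest impact first, then work down” rule; it does not try to find the cheapest combination of mitigations that covers several assets at once.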
In Summary
An influx of loosely defined, marketing-hyped industry buzzwords, combined with media dramatization and overly complex
risk assessment standards, has produced a long list of convoluted, often incomplete, “risk assessment” methodologies.
As a result, many companies have fallen victim to inefficient and overly costly mitigation strategies. However, using a
logical approach and understanding the steps involved, companies can achieve a much more accurate and comprehensive
risk assessment that leads to a much more effective and cost efficient mitigation strategy.
Clint Bodungen is a career Penetration Tester and IT Security Analyst with 20 years of experience in penetration testing,
vulnerability research, security application development, and information security program management.
www.securingics.com | cbodungen@outlook.com