Information Security Testing How Do AMCs Ensure Your Networks are Secure
June 22, 2015
Ray Hillen, Dennis Schmidt, Adam Bennett
11th AMC Conference on
Securely Connecting Communities for Improved Health
Session Objectives
• Participants should gain:
  ‒ Understanding of what the vendor must do to adequately prepare and perform a penetration test: what information is needed, what precautions should be taken, and how to do the test.
  ‒ Knowledge of what the AMC customer should expect: AMC concerns, precautions to identify and provide for to reach an agreement with the vendor, and the expected results and applicability of the test.
  ‒ Practical insight into the necessary steps to optimize the efficiency and effectiveness of the entire process.
Ray Hillen, Director, Security Consulting Practice, Agio
Technical Security Testing: What You Should Know & Ask About the Vendor’s Offering
Vulnerability Scan or Penetration Test
• Vulnerability Scan
  ‒ Identifies vulnerable systems
  ‒ Automated tools
  ‒ Network and application layer
  ‒ Short duration
A Good Penetration Test Should Evaluate the People, Processes, & Technologies That Safeguard e-PHI
• Penetration test
  ‒ Identifies methods to exploit system vulnerabilities, workflows, and user awareness
  ‒ Attempts to gain unauthorized access and/or privilege escalation
  ‒ Automated tools and manual checks
  ‒ Network & application layer
  ‒ Social engineering: phishing, USB drive baiting, pretexting
  ‒ Wireless security review
  ‒ Physical security review
Assessor Organization’s Qualifications
• Past experience
  ‒ Years of experience
  ‒ Network layer
  ‒ Application layer
  ‒ Social engineering
  ‒ Assessments similar in size/scope
• Industry experience
• Methodology
Security Assessor’s Qualifications
• Certifications
  ‒ Global Information Assurance Certification (GIAC) certifications:
    - GIAC Certified Penetration Tester (GPEN)
    - GIAC Web Application Penetration Tester (GWAPT)
    - GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  ‒ Certified Ethical Hacker (CEH)
  ‒ Offensive Security Certified Professional (OSCP)
Pre-Engagement
• Scoping
• Documentation
  ‒ Network diagrams depicting all segments in scope
  ‒ Key/critical systems
  ‒ Data flows
Rules of Engagement
• Communication during engagement, e.g., issues, questions, updates
• Define appropriate time window for testing
• Identify legacy systems that may not respond well to automated tools and determine the best method for evaluating them
• Security devices: evaluate “as is,” “whitelist,” or hybrid
• Compromised passwords
• Data (incidental e-PHI) discovered: BAA?
• Identification of previously compromised system/s
• Third-party-hosted / cloud environments
  ‒ Approval
  ‒ Web-management portals
• Security assessor’s equipment: a threat?
Success Criteria
• Remember the goal: simulate a real-world attack in order to determine how far an attacker could penetrate the environment, but...
• Set the parameters and limits, e.g., access to root folder, establish administrative account on X system/s, no access gained, etc.
• Establish prior to testing!!!
• Different for every environment
The Test (Engagement)
• Application layer
• Network layer
• Segmentation
• What to do when e-PHI is encountered
• Post-exploitation
Post-Engagement
• Reporting
• Remediation best practices (Adam Bennett will cover this)
• Retesting identified vulnerabilities
• Cleaning up the environment
Penetration Testing from The Customer’s Point of View
Dennis Schmidt, Assistant Dean for Information Technology, HIPAA Security Officer
University of North Carolina
• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  ‒ Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events
Managing the Integrated Information Environment
UNC School of Medicine
• 1,500+ faculty
• 720 medical students
• 700 graduate students
• 3,000 staff
What Is Our Goal?
• NIST 800-42: “security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation…to identify methods of gaining access to a system”.
• Locate weaknesses in our network and systems before the bad guys do.
• Educate our users and our technicians
• Test our social engineering weaknesses
  ‒ Phishing, phone calls, etc.
How do we start?
• Setting up rules of engagement
  ‒ Potential impact on systems
  ‒ Hours of operation
  ‒ How much system information to provide to the penetration team
  ‒ How much initial access to give to the penetration team
  ‒ What type of attacks will be used
• Level of knowledge given to the testers
  ‒ Zero knowledge (black box test)
  ‒ Partial knowledge (grey box test)
  ‒ Full knowledge (white box test)
• Coordinate with other entities to prevent collateral damage
  ‒ Central IT Security
• What authorizations and legal waivers do we need beforehand?
Concerns during the testing
• How do we know it’s the test and not a real penetration?
  ‒ Correlating testing activity with the SIEM
• Will we cause an unexpected denial of service?
• Will we cause any unexpected reboots?
• What if we find exposed sensitive data?
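One way to make the SIEM correlation concrete is to check each alert against the rules of engagement agreed in pre-engagement (the assessor’s source addresses and the approved testing window), so the SOC only has to follow up on what the test cannot explain. This is an added example, not code from the presenters; the `RulesOfEngagement` fields, address ranges and sample alerts are constructed for illustration.

```python
"""Tag SIEM alerts as authorized penetration-test traffic or as unexplained.
Added example: ROE fields, address ranges and alerts are constructed values."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class RulesOfEngagement:
    tester_sources: tuple      # networks the assessor agreed to test from
    window_start: datetime     # approved testing window (UTC)
    window_end: datetime

def classify_alert(alert: dict, roe: RulesOfEngagement) -> str:
    """Return 'authorized-test', 'tester-outside-window' or 'unexplained'."""
    src = ip_address(alert["src_ip"])
    when = datetime.fromisoformat(alert["time"])
    from_tester = any(src in net for net in roe.tester_sources)
    if not from_tester:
        return "unexplained"              # not the test: handle as a real incident
    if roe.window_start <= when <= roe.window_end:
        return "authorized-test"
    return "tester-outside-window"        # tester address but off-hours: call the contact

def triage(alerts, roe):
    """Group alert ids by classification so only the unexplained ones need SOC follow-up."""
    groups = {"authorized-test": [], "tester-outside-window": [], "unexplained": []}
    for a in alerts:
        groups[classify_alert(a, roe)].append(a["id"])
    return groups

# Constructed sample data: documentation address ranges and a fictional window.
ROE = RulesOfEngagement(
    tester_sources=(ip_network("203.0.113.0/24"),),
    window_start=datetime(2015, 6, 22, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2015, 6, 23, 6, 0, tzinfo=timezone.utc),
)
SAMPLE_ALERTS = [
    {"id": 1, "time": "2015-06-22T23:15:00+00:00", "src_ip": "203.0.113.7", "sig": "port scan"},
    {"id": 2, "time": "2015-06-23T09:40:00+00:00", "src_ip": "203.0.113.7", "sig": "brute force"},
    {"id": 3, "time": "2015-06-22T23:20:00+00:00", "src_ip": "198.51.100.9", "sig": "port scan"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, ROE))
```

Alert 3 comes from an address outside the agreed tester ranges during the window, which is exactly the case the slide warns about: it must be treated as a possible real intrusion, not assumed to be the test.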
Non-Electronic Testing (Social Engineering)
• Phishing test
• Lost USB drive test
• Phone calls
  ‒ “Hi, I’m from Microsoft…”
  ‒ “This is your IT support, I need to remotely log into your machine to test…”
• Dumpster diving
Practical Next Steps After a Penetration Test
Adam Bennett, Vice President, Cloudburst Security
Cloudburst Security
• Cloudburst founded by Adam Bennett in 2006
• 100% cybersecurity-focused company
• Federal government (DoD, civilian, homeland security, intelligence) and commercial clients (healthcare, banking/finance, non-profit)
• Have conducted over 400 vulnerability assessments and penetration tests
• Leading provider of managed security monitoring, incident response, malware analysis, forensics, and cyber threat intelligence services
We conducted a pen test, now what?!
Common mistakes, challenges, & trends
• Pen tester didn’t succeed: “we must be totally secure!”
• Pen tester succeeded: “the sky is falling!”
• Security issue “hot potato”
• Lack of organization and remediation planning
• Lack of follow-up & integration with SOC/Incident Response
• Budget & human resource challenges
• Security awareness
• Educating leadership
Tips for Post-Security Testing Success
• Develop a formal remediation plan with milestones
• Display a team attitude, no matter how serious the test results: the common goal is to improve security posture
• Present an executive summary of the remediation plan to management, and get their buy-in!
• Form a committee of stakeholders to track remediation progress
• Leverage high-risk findings to “move the ball” on security projects and budget items
• Track organization & team performance metrics annually
Group Discussion