Paul Vlissidis Technical Director, NCC Group

Commercial in Confidence - © Copyright 2008 NCC Group plc - all rights reserved

IT HealthCHECKs: “Your Route To Effective Risk Management”

Paul Vlissidis, Technical Director, NCC Group plc
email: [email protected]; telephone: 07703 501143

IA08, 17th & 18th June 2008


Agenda

About NCC Group

The context for IT HealthCHECKs

Where can HealthCHECKs add value?

Planning a HealthCHECK

The HealthCHECK Lifecycle

Effective procurement

A Perfect World


NCC Group plc

What we do: provide IT assurance, security & consultancy services to over 15,000 clients globally - including 92 of the FTSE 100

USP: no ties or relationships to hardware or software suppliers - focus on developing intelligent solutions & building partnerships

Background: based in Manchester, with offices in London, Surrey, Oxford, Germany & California; 320 staff; formed in 1999 and listed on the LSE

Assurance Testing: test & monitor system, network & web site performance to ensure they are effective, robust & delivering optimum performance

Ethical security testing: testing of networks, applications and security policies in practice, to ensure organisations are safe from the threat of unauthorised access

Largest provider in the UK following the acquisition of Site Confidence (Jan 07) & SecureTest (Aug 07)

NCC Group IT HealthCHECK project experience (number of IT HealthCHECK projects per year):

Year   Number
2003   25
2004   19
2005   16
2006   25
2007   28


Accreditations

ISO 9001:2000: all NCC Group services accredited to ISO 9001:2000; ISO 9001 status held since 1994.

ISO 27001:2005: NCC Group Security Consultancy & Testing divisions certified to ISO 27001:2005 (formerly BS7799 part 2). (LRQ 0963077)

CESG CHECK: accredited under the Government's CESG CHECK scheme for network penetration testing services. Classed as a 'Green' service provider continuously since 2001, the highest attainable standard.

CESG CLAS: accredited under the CLAS (CESG Listed Adviser) Scheme, a partnership linking the unique Infosec knowledge of CESG with the expertise and resources of the private sector.

CESG Tailored Assurance Scheme Provider: accredited as one of the first companies to provide the CESG Tailored Assurance Service (CTAS), which is intended for a wide range of IT products and systems ranging from simple software components to national infrastructure networks.

PCI Approved Scanning Vendor / PCI Qualified Security Assessor: NCC Group is a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) under the PCI Security Standards Council.

CREST (Council of Registered Ethical Security Testers): NCC Group is an active member of CREST, the standards-based organisation for penetration test suppliers aimed at ensuring the very highest standards of leading-edge security testing.


The context for IT HealthCHECKs

Penetration testing (ethical hacking) / IT HealthCHECK is a powerful risk management tool:

Addresses categories of risk not covered elsewhere

Provides concrete evidence that your security investment is effective and compliant

But...

× It cannot find everything, especially if it is just a vulnerability assessment

× It must be used properly as part of a mix of risk controls

× It needs proper specification, planning and execution to be effective


Where can HealthCHECKs add value?

As a check on external service providers/vendors

A regular risk-based assessment of security

Pre/Post go-live for a new system/application

As part of an incident response

To exercise incident detection and escalation processes

To support audit requirements

To support assessment of compliance

Within the assurance matrix


Risk assessment / IA needs

Which risks/threats are driving the HealthCHECK? Attack from the GSI (Government Secure Intranet)? Attack from the Internet? Mobile data theft/loss? Attack from an internal user?

This can assist greatly in producing a cost-effective proposal

A blend of tests/reviews is usually required to answer these questions

Reports can then be produced to match the IA needs and might suggest additional tailored assurance techniques are applied (e.g. source code review)


The Assurance Matrix

Segment / Impact Level  | Product Assurance               | Service Assurance   | System Assurance           | System Configuration Test
Aware / 1               | CCT Mark, CC EAL1               | CCT Mark            | CCT Mark                   | Commercial Pen Test e.g. TIGER & CREST
Aware / 2               | CCT Mark, CC EAL1-2             | CCT Mark            | CCT Mark                   | Commercial Pen Test e.g. TIGER & CREST
Deter / 3               | CC EAL 3-4, CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" + CIDS | IT HealthCHECK
Detect and Resist / 4   | CC EAL4+, CTAS, "CAA (Basic)"   | CTAS, "CAA (Basic)" | CTAS, "CAA (Basic)" + CIDS | IT HealthCHECK + Vulnerability Test


Areas a HealthCHECK might cover

External (from GSI,CJX,Internet)

Server build checking

VPN (Manual V and Manual T)

Procedural (social engineering)

Laptop/PDA/Blackberry

Desktop

Application

Wireless (Manual Y)

Internal

Firewall rule review

Wardial (RAS)


Planning a HealthCHECK

Start with risk assessment:
  Identify threats where uncertainty exists
  Focus on medium/high impact outcomes (IS1 / IS3)
  Use the Assurance Matrix

Specify rules of engagement:
  Exploit or not
  Critical servers vs whole network
  Black box vs grey box vs white box
  What is a fair test that addresses the risks?

For large applications consider modelling the threats


IT HealthCHECK Lifecycle

The IT HealthCHECK lifecycle is a cycle of nine stages, the last feeding back into the first:

1. risk assessment
2. scope definition
3. procurement
4. project initiation
5. test planning
6. testing
7. results analysis
8. reporting
9. rectification / remediation


Scope definition - networks

The ADS (Accreditation Document Set) contains useful information but is generally too much

As a minimum vendors would like:

Overall network diagram showing security domains and network connections

Number and types of servers in each subnet / domain

An understanding of the physical locations that will need to be visited: how many, and what level of Protective Marking will be encountered

Number of server builds to be reviewed

Any wireless components likely to be encountered

Any third party service providers with whom agreements will be needed


Scope definition - workstations

Number of desktop builds to be reviewed

Variety of builds to be checked

Roughly how many of each build there are; this allows sample sizes to be chosen

Number of laptop / PDA types/builds to be reviewed

What policies are in place regarding use of USB ports, wireless etc.?

How do remote clients connect?


Scope definition - applications

Is the application accessed via a browser or via a dedicated client? Approaches differ fundamentally, so this is very important: different access methods require different testing

Brief description of the application and some idea of the information being protected

How many user types/roles are there?

Which roles need testing? Potential attacker groups

Some idea of the complexity, e.g. number of screens, menus, functions. Any metric will do provided it clearly differentiates a big complicated application from a small simple one!


Specification (1)

A typical, ineffective RFI:

The firm which wins this tender will be awarded a contract to carry out a single health check on the XXX network.

In addition to the penetration test, the firm will be expected to be able to contribute towards the security posture of the network as follows:
  Knowledge transfer of information security testing techniques
  Advice on technical aspects of information security
  Advice or quality assurance on internal security testing exercises

Problems:

× Far too vague

× Insufficient definition of requirement

× Lack of detail of network and infrastructure

× Seems unclear as to what the winning provider should actually do!


Specification (2)

Slightly better:

STATEMENT OF REQUIREMENT (SOR) – Network Penetration Test
Background to Requirement

1.4 XYZ has the following internet facing services:
  ABC Online public internet service
  PQR extranet service
  Remote Access Server authenticated dial-in
  GSi Government Internet and e-mail services
  Extranet registry services to partners

1.5 In order to support these services, XYZ uses equipment which includes the following:
  IBM z/OS Mainframe systems running WebSphere servers
  IBM DB2 backend database
  Windows ISA server
  Nokia Checkpoint firewall enforcement points
  Cisco PIX firewall enforcement points
  Entrust Identity management system (for ABC)
  Cisco network infrastructure, including content management hardware
  Microsoft Windows 2003 Server with AD
  Microsoft Exchange Servers
  Oracle 9i running on Sun 4810 Systems

Problems:

× But how many?

× Where are they?

× How connected?

× PM Level?


Specification (3)

Better yet:

The test shall comprise FOUR threat simulations which will be aimed against our information resources in XXX. The chosen targets and "grey-box" intelligence shall be given to the Contractor during the initial briefing at the start of the testing period.

The nature of the testing should require the use of internet hacking, insider hacking, social engineering and other penetration techniques. The use of these will be at the Contractor's discretion and according to the available intelligence.

Rules of Engagement for the HealthCHECK

Positives:

Precisely defines what is to be tested

Defines types of testing to be used

Explains expectations from providers

Rules of engagement already decided


Effective procurement

Much Better:

Basic scope
  Test the perimeter, the Internet facing interfaces.
  Test the GSI interfaces.
  Firewall configuration and rule-set analysis.
  Internal network assessment, switches and router configurations.
  Desktop & laptop build/lockdown security vulnerability assessment.
  Server build/lockdown vulnerability assessment.
  RAS Laptop/PSTN vulnerability assessment.
  Produce a report which consists of a management summary (high level view) and a more detailed report.
  Attend an end of test meeting in which to discuss the report and make recommendations.

Basic scope (technical)
  External Internet penetration test against three separate leased lines with distinct blocks of IP addresses.
  Full (internal) test of 10.x.x.x LAN.
  Specific detailed server testing of up to 20 servers of varying functionality e.g. Oracle/SQL applications, local site servers etc.
  Desktop build/lockdown review of 3 workstations.
  Laptop build/lockdown review of 3 laptops.
  Active Directory review.
  Primary domain controllers x 6 build/lockdown.
  External GSI penetration testing.
  Firewall rule review of 6 firewall pairs for both the GSI and non GSI interfaces.
  "Back to back" router configuration review x 4 links.
  GSI DMZ network based testing of 3 x network segments at <LOCATION>.
  RAS end-to-end security testing.

Positives:

No room for misinterpretation

Best possible start
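The scoping questions on the three scope-definition slides, and the "but how many? where are they? how connected? PM level?" critique of the second statement of requirement, can be turned into a check a buyer runs on a draft scope before it goes out to tender. The script below is an added example and is not code from this deck or from NCC Group. The field names, both sample scopes, and the values filled in for the second one beyond what the "Much Better" slide states (locations, protective markings, rules of engagement, third parties) are assumptions made for illustration.

```python
"""Completeness check for an IT HealthCHECK scope before it goes to tender.

Added example, not code from the NCC Group deck.  It encodes the minimum
information the scope-definition slides say a vendor needs in order to
price a test, plus the four questions put to the 'slightly better' SOR
(how many? where are they? how connected? PM level?).  Field names and
both sample scopes are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Target:
    """One class of in-scope asset, e.g. 'firewall pairs' or 'servers'."""
    name: str
    count: Optional[int] = None               # how many?
    location: Optional[str] = None            # where are they?
    connectivity: Optional[str] = None        # how connected: GSI, Internet, internal LAN...
    protective_marking: Optional[str] = None  # PM level the testers will encounter


@dataclass
class Scope:
    title: str
    network_diagram: bool = False          # security domains and connections shown
    locations_to_visit: Optional[int] = None
    rules_of_engagement: bool = False      # exploit or not; black/grey/white box decided
    third_parties_identified: bool = False
    desktop_builds: Optional[int] = None   # number of builds, so sample sizes can be chosen
    laptop_builds: Optional[int] = None
    targets: List[Target] = field(default_factory=list)


def target_gaps(t: Target) -> List[str]:
    """The 'but how many / where / how connected / PM level?' questions."""
    checks = [
        (t.count, "how many?"),
        (t.location, "where are they?"),
        (t.connectivity, "how connected?"),
        (t.protective_marking, "PM level?"),
    ]
    return [f"{t.name}: {question}" for value, question in checks if value is None]


def scope_gaps(s: Scope) -> List[str]:
    """Everything a vendor would have to guess at when pricing this scope."""
    gaps = []
    if not s.network_diagram:
        gaps.append("no network diagram of security domains and connections")
    if s.locations_to_visit is None:
        gaps.append("number of physical locations to visit not stated")
    if not s.rules_of_engagement:
        gaps.append("rules of engagement not decided")
    if not s.third_parties_identified:
        gaps.append("third-party providers needing agreements not identified")
    if s.desktop_builds is None:
        gaps.append("number of desktop builds not stated")
    if s.laptop_builds is None:
        gaps.append("number of laptop builds not stated")
    if not s.targets:
        gaps.append("no target systems listed")
    for t in s.targets:
        gaps.extend(target_gaps(t))
    return gaps


def ready_to_tender(s: Scope) -> bool:
    return not scope_gaps(s)


# Constructed sample 1: shaped like the 'slightly better' SOR, which names
# equipment but gives no counts, locations, connectivity or markings.
EQUIPMENT_ONLY = Scope(
    title="SOR - Network Penetration Test",
    targets=[Target("Checkpoint firewall enforcement points"),
             Target("Windows 2003 servers with AD"),
             Target("Oracle 9i on Sun systems")],
)

# Constructed sample 2: shaped like the 'Much Better' scope.  Counts and
# connectivity follow that slide; locations, PM levels and the remaining
# flags are assumed to have been added by the buyer.
FULLY_SPECIFIED = Scope(
    title="Basic scope (technical)",
    network_diagram=True, locations_to_visit=1, rules_of_engagement=True,
    third_parties_identified=True, desktop_builds=3, laptop_builds=3,
    targets=[
        Target("leased lines with distinct IP blocks", 3, "<LOCATION>", "Internet", "RESTRICTED (assumed)"),
        Target("firewall pairs", 6, "<LOCATION>", "GSI and non-GSI", "RESTRICTED (assumed)"),
        Target("primary domain controllers", 6, "<LOCATION>", "10.x.x.x LAN", "RESTRICTED (assumed)"),
    ],
)

if __name__ == "__main__":
    for s in (EQUIPMENT_ONLY, FULLY_SPECIFIED):
        print(s.title, "->", "ready to tender" if ready_to_tender(s) else "gaps:")
        for g in scope_gaps(s):
            print("  -", g)
```

Run stand-alone, the first scope produces a gap for every scope-level item and all four questions for each of its three targets, which is the deck's point about the equipment-only SOR; the second produces none. The check is deliberately conservative: a target with no stated count or location cannot be priced, whatever else the SOR says about it.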


Tailored assurance services

System security testing: analyse security of networks, servers & infrastructure, considering potential for internal / external attack

Architecture & design review: review build & deployment of systems into specific environments, assessing against relevant Infosec & CESG standards /guidelines

Installation and operational procedures review: develop & implement effective & appropriate policies, procedures & working arrangements to manage information security

Software & application security testing: functionality & design assessment; development procedures review; security function testing; source code analysis; product vulnerability analysis and testing

Remote access & remote worker security: ensure your organisation is equipped to manage security risks arising from remote & home working

Social engineering: 'human element' of risk addressing real threats such as unauthorised physical entry into buildings, obtaining sensitive information, impersonation and deception

Business continuity & disaster recovery: comprehensive business continuity and disaster recovery planning services

Risk management: assessment of risks & regulatory requirements surrounding IT, information security & corporate governance, including implications of non-compliance


Summary

IT HealthCHECKs can provide valuable information on the risks to IT assets and how they are being managed

They can deliver a lot more than a ‘tick in the box’

Time spent on their specification pays dividends

HealthCHECKs are just one part of the assurance picture and need to be considered along with other elements such as CTAS
