
Cyber-Security


Our Approach

As consultants, we have an interesting perspective on the state of information security in corporate environments. Although we stay current on market trends by reading broad survey results, and we use news alerts and RSS feeds to gather information day to day, we also see the rip current below the waves—our first-hand experience with the trends, challenges, and issues faced by companies that may not be reported in surveys or publicized in industry news because of the associated privacy concerns. It is from this perspective that we assess and address corporate information security.


Cyber-Security Risk and Controls Assessments

The SANS Consensus Audit Guidelines outline 20 Critical Security Controls developed by a variety of security experts from domestic and foreign government agencies, including the Federal Bureau of Investigation (“FBI”) and the Department of Defense, and from private industry, such as penetration testers and incident handlers. Using information obtained from numerous cyber attacks over several years, the authors identified the 20 controls that either prevented an attack or limited its damage (or could have done so, if implemented). The end result is a set of controls that can greatly improve an organization’s security posture, even in the absence of a detailed risk assessment specific to the organization, thus reducing the risk posed by an Advanced Persistent Threat (“APT”).

Several high-profile attacks in recent years have been both targeted and persistent. Other data disclosures, including the classified information extracted from the National Security Administration (“NSA”) by Edward Snowden, have been the result of broad administrative access granted without a specific business need.  The SANS 20 Critical Security Controls address these weaknesses and provide recommendations for preventing similar security incidents.  In fact, Verizon’s Data Breach Investigations Reports and Symantec’s Internet Security Threat Reports generally include a mapping from the most common types of incidents to the SANS Critical Security Controls that could help to prevent such incidents.

Because of these recent trends within the IT security landscape, Incendio often uses the 20 Critical Controls as the basis for a Cyber-Security assessment or audit. This approach adds value because it generally has not been taken previously by our new clients, and because it provides a perspective that is different from the common approach of reviewing compliance with the traditional information security frameworks.

Although the SANS 20 Critical Controls are now the CIS 20 Critical Controls, we continue to use the SANS version because its licensing allows us to customize the framework to incorporate controls we recommend as a result of our experience with client penetration tests.


Penetration Testing & Vulnerability Assessments

There are many benefits to penetration testing and vulnerability assessments. If done properly, such testing can provide a view of your IT infrastructure and applications from the perspective of an attacker, identifying areas of both strength and weakness in your security posture, and a corresponding root-cause analysis can provide insight into the cause of any discovered weaknesses.

As a general approach, we use automated scans as merely the first step of many in the process. Our approach relies heavily on manual testing that mirrors the approach taken by attackers in a targeted attack, in which stealth is a key component of the attack. A positive “side effect” of this approach is a drastic reduction of the risk to availability of production systems during testing versus the heavy use of automated tools. The end result is a safe, comprehensive assessment from the perspective of an attacker rather than a commercial scanning tool.

The terms “vulnerability assessment” and “penetration test” have become a bit muddled, but we still view them as two distinct types of assessments. A vulnerability assessment is meant to identify a comprehensive list of security issues to assist an organization with improving its defenses, while a penetration test is meant to evaluate those defenses and the impact of a breach by exploiting vulnerabilities the way an attacker would and gaining access to sensitive information and systems. Many organizations, however, require a combined vulnerability assessment and penetration test to provide the best of both worlds, which we are happy to provide. Our general approach to each type of assessment is detailed below; the two are combined and customized to fit your needs.

Common testing scopes include a combination or all of the following:

  • External-facing hosts
  • Web applications
  • Internal hosts and network devices
  • Wireless access
  • Social engineering
      • Email phishing
      • Spear phishing
      • Information disclosure
      • Physical access

We pride ourselves on communication and keeping our clients informed of all activities, including the beginning, pausing and restarting, and completion of testing.  At any point in the testing, we immediately notify our client, based on a pre-established communication protocol, of any critical findings requiring immediate attention.  While external testing is always performed remotely, we are able to perform internal testing onsite, or remotely by shipping our scanning appliance to the client location to keep costs to a minimum. Most clients prefer to perform testing during business hours when IT staff is available in the rare event of a technical issue, but we are also able to accommodate any testing windows, including nights and weekends.


Web and Mobile Application Assessments

We will assess the security of the designated web applications, including the front-end, back-end, and underlying hosting architecture. Our approach to web and mobile application penetration testing is modeled on the Open Web Application Security Project (OWASP) testing methodology and therefore follows the current OWASP recommendations and best practices. We built our proprietary testing methodology specifically around the OWASP Testing Guide, the definitive resource for web application penetration tests, using a balanced methodology of both code review and penetration testing. This allows us to be creative while staying within a secure and proven framework.


Network Device Configuration Assessments

Despite the value a penetration test or vulnerability assessment provides in evaluating the security of a network infrastructure from the perspective of an attacker, there is great value to be had in auditing the actual configuration files of network devices themselves. We perform an assessment of network device configurations, including switches, routers, firewalls, and IDS/IPS appliances, in this way. We begin the assessment by using a commercial or custom-written automated tool to parse each configuration file and produce a preliminary list of potential configuration issues and firmware vulnerabilities. We then use this output as a starting point for our manual investigation, in which we identify false positives, assess the level of risk of identified issues within the context of the client’s network, and perform additional manual analysis from the perspective of an attacker to identify weaknesses that could be exploited by traditional or emerging attack techniques.
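As an added illustration of that first, automated step (example code written for this page, not Incendio’s tool), a small Python checker that parses a constructed IOS-style configuration and flags a few well-known weak settings; the rule set, severities and sample config are assumptions, and its output is only the starting point for the manual triage described above:

```python
import re
from dataclasses import dataclass

# Constructed sample of an IOS-style router configuration (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
 login
line vty 5 15
 transport input ssh
"""

@dataclass
class Finding:
    line_no: int
    text: str
    issue: str
    severity: str

# Assumed rule set: regex applied to one stripped config line, issue text, severity.
RULES = [
    (r"^enable password ", "Plaintext or reversible (type 7) enable password; use 'enable secret'", "high"),
    (r"^no service password-encryption", "Local passwords stored unencrypted in the config", "medium"),
    (r"^ip http server$", "Cleartext HTTP management interface enabled", "medium"),
    (r"^snmp-server community (public|private)\b", "Default SNMP community string", "high"),
    (r"^transport input .*\btelnet\b", "Telnet allowed on a VTY line; restrict to SSH", "high"),
]

def parse_blocks(config: str):
    """Yield (line_no, stripped_line, parent) so indented lines keep their 'line vty' context."""
    parent = None
    for n, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS comment/separator lines
        if raw.startswith(" "):
            yield n, raw.strip(), parent
        else:
            parent = raw.strip()
            yield n, parent, None

def audit_config(config: str) -> list:
    """Return preliminary findings in file order; manual review decides false positives."""
    findings = []
    for n, line, parent in parse_blocks(config):
        for pattern, issue, sev in RULES:
            if re.search(pattern, line):
                where = f"{line} (under '{parent}')" if parent else line
                findings.append(Finding(n, where, issue, sev))
    return findings

def summarize(config: str) -> dict:
    """Counts used for the report's composite totals."""
    f = audit_config(config)
    return {"total": len(f), "high": sum(1 for x in f if x.severity == "high")}
```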

In many instances, particularly for clients who wish to use the assessment as part of a formal audit plan, Incendio will also obtain relevant policies, procedures, and device configuration standards against which we compare the assessment results to evaluate compliance with organizational controls. This modular approach allows for assessments ranging from a network device configuration health check to a detailed network device configuration management audit that has received favorable feedback from multiple regulatory bodies.


Wireless Networking Assessments

Our wireless security assessment methodology consists of two parts, manual and automated, and it generally involves five steps. The first step is the discovery of access points (APs), the identification of targets to be included in the assessment, and detection of traffic leaking outside the set boundaries. The second step deals with inspecting access control, identifying vulnerabilities, and determining security settings. The third step involves investigation of the encryption architecture in use. The fourth step involves evaluating user, device, and manual authentication. The final step involves assessing the physical location of APs.
A general overview of the attacks and audits performed during a typical assessment is as follows:

  • Access Control Attacks
  • Wireless Integrity Attacks
  • Wireless Confidentiality (Intercept Confidential Information)
  • Wireless Availability
  • Wireless Authentication
  • Wireless Networking Leading Practices Review

Email Phishing Assessments

Our social engineering testing methodology tests users for their susceptibility to one of the favorite tactics of malicious hackers. For our email phishing campaigns, we can mine the internet for email addresses as a malicious hacker would, be provided a list by the client, or use a combination of both approaches. We send our emails in stages, starting with untargeted, spam-type emails and progressing to highly targeted spear phishing emails. We modify our techniques and strategies based on results as the testing occurs to ensure the best results, and we use information obtained during the other assessments to create very targeted, custom emails: for example, purporting to be from the actual document scanners on the client’s network, containing actual documents available to employees on the client’s intranet, or from the client’s IT department requesting a “validation” of remote access credentials using a web page based on the client’s actual login page. This allows us to assess not only whether your users will fall victim, but the level of sophistication of attack at which this would occur. As alluded to in the examples above, the emails will attempt to get the user to either visit a ‘malicious’ website, open a ‘malicious’ attachment (perhaps needing to enable macros as well), or respond to us and provide confidential information and/or credentials. We provide a complete report of the results, including overview graphics, composite totals, and granular results for all individuals tested.


Physical Security Assessments

Like email phishing, social engineering is sometimes used by attackers to bypass technical security and gain physical access to sensitive locations. Many systems are configured with the assumption that physical access is limited to trusted parties, making them vulnerable when that is not the case. Our “attackers” are skilled at identifying weaknesses in physical security and exploiting them to gain access. The results of our assessments can be used to improve physical security controls and to provide additional impact when training employees.


Incident Response Management

The National Institute of Standards and Technology (NIST) has developed recommendations for establishing a Computer Security Incident Handling Capability in its Special Publication 800-61.  It explains the importance of this capability by stating:

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.  An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.

Our experience indicates that many companies are not prepared to handle an incident, or, possibly worse, do not realize they are not prepared. Incendio has the expertise to assist our clients with developing an incident response capability, or to review and assess an existing one. This is often an important part of regulatory compliance, as multiple organizations, including the SEC and NY DFS, have begun sending questionnaires to their regulated entities inquiring about cyber-security defenses, including incident response management. We can ensure you have a risk-based, comprehensive plan in place, before an incident occurs, to identify and manage a security incident.


Think you are at risk?

Send us an email with any questions you may have. We’d be happy to assist and look forward to working with you.

Contact us today