by Ron Kelson, Pierluigi Paganini, David Pace, Ben Gittins
Today, the chief executive officers (CEOs) of many businesses are becoming aware of the need to ensure their IT systems are secured to protect their organisation, their customers, and their stakeholders. According to Brian Snow, former technical director of the US NSA’s Information Assurance Directorate:
“Data breaches and financial losses are now hurting every segment of the community; it’s a wake-up call. They are driving the community to become acutely aware of the (security) weaknesses in current products and systems, and better yet, it forces an increasing awareness of the real need to fix things!”
In an effort to incentivise change in today’s business practices, proposed amendments to the EU Data Protection Law state:
“Companies found to have mishandled any personal data they hold – be it of their customers, suppliers or their own employees – will face penalties of up to €1 million or up to two per cent of the global annual turnover of a company.”
The ultimate responsibility in the case of a data breach rests with the CEO. The role of the CEO is to ensure that cyber-security issues are adequately addressed within their organisation by ensuring adequate commitment of time and finances to support the process.
According to the UK government’s Cyber Security Review (2011):
“Prevention is key; we will work to raise awareness and to educate and empower people and firms to protect themselves online. Eighty per cent or more of currently successful attacks exploit weaknesses that can be avoided by following simple best practice.”
As expressed by one of this article’s authors on a recent “Gadgets” TV programme on ‘Cyber Security & Awareness’, to make sure that this and other best practices are routinely applied on a day-to-day basis, someone must be responsible for managing this business process. If the organisation (large or small) does not have a Chief Security Officer, the CEO and CFO need to find someone to fill that role.
The need for this important step was emphasised in a recent report entitled “Risk and Responsibility in a Hyperconnected World – Pathways to Global Cyber Resilience”, issued by the World Economic Forum last month. The report states that hyperconnectivity is drastically changing the way businesses and governments interact, demanding a renewed examination of roles and responsibilities. The report encourages chief executives to commit to a basic set of Principles for Cyber Resilience (“Principles”), and to take the initiative to improve cyber resilience.
Jolyon Barker, managing director, Global Technology, Media and Telecommunications, Deloitte Touche Tohmatsu Limited states:
“The impact of hyperconnectivity requires attention from the highest echelons of the corporate world. It is imperative for chief executives and boards to protect their enterprises from cyber risks and incorporate cyber security and resilience into their everyday decision-making processes.”
Organisations should consider designating a trusted and technically minded staff member as their in-house “Information Security Champion” and then pay to train that champion, for example through the Malta chapter of the Information Systems Audit and Control Association (ISACA). In parallel, organisations should begin consultation with certified security expert(s) to assess their current security position, and begin remedial action.
Consulting with certified security experts is critical because 1) they bring years of hard-won knowledge and experience to the organisation, and 2) they provide the CEO, shareholders and stakeholders with third-party assurance that an organisation’s security practices are effective in practice.
“Penetration testing” is a methodology used to assess and evaluate the security level of a computer architecture or network by analysing the effects of (simulated) attacks on system resources. Penetration testing searches for vulnerabilities that could be exploited, such as software bugs, improper configurations and hardware flaws.
There are two classifications of penetration testing: 1) Black-box testing, which assumes no prior knowledge of the system to be tested. The tester has to first locate the target and establish its technical configuration before starting the vulnerability analysis. 2) In contrast, white-box testing assumes the tester has complete knowledge of the infrastructure to be tested.
Cyber criminals typically begin with black-box penetration of remote systems. In contrast, certified cyber security experts perform white-box penetration testing to identify vulnerabilities before cyber criminals do so. Clearly, the correct selection of a reliable and professional expert to perform penetration testing is crucial. Penetration testers need to think like criminal hackers, and are paid to break into computer systems. Certification of penetration testers significantly helps reduce the risk of accidentally hiring cyber criminals.
Additional objectives of penetration testing can include: testing the organisation’s security incident identification and response capability, testing security policy compliance, and testing employee security awareness.
The main benefits of well-executed penetration testing are:
It provides evidence of the real security status of business systems today, through a detailed report to the management of a company.
It identifies and classifies the vulnerabilities of the systems. This is important because many security incidents registered last year were related to misconfiguration of devices and well-known types of vulnerabilities that the organisation could have been aware of.
Vulnerability reports can then be used as part of a deeper analysis to assess the potential financial and operational impact that exploitation of those vulnerabilities would have on the business operations of the company.
It helps organisations meet regulatory compliance requirements, while providing assurance that improved security is actually being achieved in practice.
Having identified the worst vulnerabilities in an organisation’s systems, security experts can advise management on a range of options to begin securing those systems. In consultation with experts, management then needs to commit the necessary financial and human resources to implement the agreed security controls. The goal here is not to eliminate all risks, but to quantitatively reduce an organisation’s cyber risk exposure profile year after year. Ideally, penetration testing should already be planned for during the design phase of new IT systems, before they are deployed.
Well-documented penetration test results help management to track the effectiveness of security controls and reduce the company’s risk profile over time. Organisations should consider alternating between two different reputable security experts/organisations on a yearly basis, as a technique for auditing the effectiveness of the security process (and the experts) they are investing in.
Standards & Regulations
Penetration testing activities are subject to regulation, and are a mandatory requirement in several standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) and the “Security and auditing standard” require both annual and ongoing penetration testing. PCI DSS Requirement 11.3 (https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf) relies on penetration testing to determine whether unauthorised access or other malicious activity is possible.
The two most important factors for a successful penetration test are the skills of the expert and, in particular, the adopted methodology. Today, the Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de facto methodology for performing penetration testing and obtaining security metrics.
Pete Herzog, creator of the OSSTMM, said: “The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey’s already meagre security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers.”
It is a maxim in information security that transparency and an efficient methodology are essential for the study and the assessment of every system.
Additional worldwide standards and methods in penetration testing include:
Standards for Information Systems Auditing (ISACA), introduced in 1967. ISACA provides one of the most important audit certifications, commonly used to demonstrate to stakeholders that the organisation has mastered the concepts of security, control and audit of information systems.
OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that help people secure Web applications and Web services.
NSA Infrastructure Evaluation Methodology (IEM)
Special Publication 800-42, Guideline on Network Security Testing published by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce.
Penetration testing: a widespread need
In recent years, there has been dramatic growth in attacks perpetrated against commercially successful private companies and government agencies. This phenomenon is a constant and growing concern. Demonstration projects conducted by groups of hacktivists such as Anonymous, warfare operations conducted by foreign governments for purposes of offence and cyber espionage, and an unprecedented increase in cyber criminal activity have attracted attention to the security requirements of all IT systems. The case of the Stuxnet virus has taught the world how dangerous a cyber weapon that exploits vulnerabilities in a system can be when aimed at cyber-physical systems.
One of the best tactics to adopt for known cyber threats is to thoroughly test each individual component of the systems we are going to deploy, and to test them again in their deployed configuration.
Verifying the effectiveness of security controls has become a significant activity, and it has increased the demand for penetration testers: multidisciplinary and multifaceted professionals with the ability to analyse and study a system and identify its vulnerabilities.
Military and government organisations prefer to promote a homegrown group of experts, trained to execute penetration tests. In this sector, nations such as China, Russia and the US are at the forefront.
However, both large and small commercial organisations should look to reputable names in information security to provide penetration testing services and to help an organisation train their staff in cyber-security best practices.
In conclusion, penetration tests are a valuable way to protect businesses and critical infrastructures. They need to be universally applied in a more consistent way by organisations, because “Penetration testing protects your enterprise by breaking it”.
Pierluigi Paganini, Security Specialist and CISO at Bit4ID Srl, is an EC-Council Certified Ethical Hacker (CEH) and founder of Security Affairs (http://securityaffairs.co/wordpress).
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
Ben Gittins is CTO of Synaptic Laboratories Limited.
David Pace is project manager of the ICT Gozo Malta Project and an IT consultant.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to put their name down on the ICT GM Skills Register to keep abreast of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace on firstname.lastname@example.org.