As 2011 draws to a close, so does the biggest year yet for data breaches: here in Australia, data breaches doubled in 2011 compared with the previous year.

In the year up until August alone, we endured over 100 very high-profile breaches.

This doesn’t include all the breaches that didn’t make the news.

See the above spreadsheet for details. This week alone, Chinese hackers gave the US a Christmas present by penetrating the US Chamber of Commerce via what is reported to have been a spear-phishing attack.

2012 is set to be even bigger. With even more attacks predicted, companies need to start asking themselves some serious questions and preparing for what's to come.


The questions you should think about for 2012

What would a data breach cost my company?

Not just the financial impact, but the loss of customer confidence, the damage to business image and reputation, and the flow-on effects of word of mouth. And if you make the news as having been breached, you will be hard pressed to find new partnerships or continued growth for your business.

Research from Symantec and the Ponemon Institute earlier this year found that the average cost of each record lost in a security breach is about $128.

The study also found that the average cost of “significant” data breaches reported by 19 Australian companies was $2 million in 2010. The size of these specific incidents ranged from 3,200 to 65,000 individual records.

On top of that, you need to factor in the loss of profits from a lack of consumer/customer confidence.

Imagine if your website was defaced and pornographic material was published on all the pages. Not a website you want your customers accessing.

Have I performed a risk assessment?

I perform a large number of assessments each year and it’s startling to find that most companies have never performed any sort of risk assessment. (I personally work off ISO27x for risk assessments.)

This is a dangerous place to be, because if you have not analysed the risks to your network, how can you hope to protect yourself from them? Sure, we have firewalls and IDS, and we disable USB drives on our workstations, but what if a user opens a spreadsheet received by email from a sender that looks legitimate? The answer: your network is backdoored and all of those controls are subverted. Only through a thorough risk assessment can you accurately list and protect your assets.


Am I compliant?

Whether you deal with payment systems and need to be PCI-DSS compliant, fall under NIST, FISMA, HIPAA, OWASP or the myriad of other compliance frameworks and regulatory requirements, or simply want to align with Microsoft and the rest of the industry so that you are known to be running the most secure environment possible, one thing holds: to be compliant, an external assessment is required.


What about insider threats?

Again, in most of my assessments, I find that companies do a great job of securing their externally facing devices and websites, but almost always have a large number of weaknesses and vulnerabilities when it comes to insider attacks.

There is no point putting gates, armed guards, dogs and locks on the front door, when the back door is left wide open.

Whether it is a malicious employee, accidental damage caused by a user with elevated rights, a contractor, temp or similar, or a user who finds a USB drive in the car park and decides to plug it into their work computer, insider threats pose the biggest threat to business today.


How do I know my systems are secure?

The answer: you don’t. The only way to test this is to have a penetration test performed by a security professional.


What is a pentest and what should my pentester do?

A penetration test (or pentest) is the process of actively evaluating the security of an information system or network by simulating an attack from a malicious source.

A pentester will review your security as a whole and in particular answer the following questions:

  • What can the intruder see on the target system?
  • What can an intruder do with that information?
  • Does anyone at the target notice the intruder’s attempts or successes?
  • Why? Not just what the vulnerabilities are, but why they are there: a business reason, a misconfiguration, etc.

A good pentester will be a licensed pentester, and will find out the goals of your assessment and what you are trying to achieve.

Is it compliance? Or ‘we just installed new infrastructure’, ‘we just bought a new router’, ‘we are concerned about our website being defaced’, ‘we do not want any unexpected downtime for the business’, or some other goal?

The pentester should then customise an assessment to meet your needs and goals, and weigh that up against your budget to find the right fit.

I provide a number of different customised assessment types to my clients, but you should engage a pentester that at least offers the following types of assessment:

Internal Assessment – Assessment from the position of a disgruntled employee or contractor, or of accidental attacks by employees

External Assessment – Temporary or persistent attacks from a malicious user, generally targeting externally facing devices

Web Site / Web Application Assessment – Advanced assessment of web sites and web applications, including testing for the OWASP Top 10

Vulnerability Assessment – Assessment of known/common security weaknesses within a network

Security Assessment – Audit of organisation policies and procedures related to IT security

Wireless Leakage Analysis / Wireless Security Assessment – Assessment of wireless security, including access points, encryption methods, denial of service and security controls

Corporate Security Culture Assessment – Observing the security awareness of agency personnel; may include social engineering

Denial of Service Testing – Testing of the availability of services and devices

Penetration Testing / Ethical Hacking – Overall assessment of an organisation’s security standpoint, from the position of a malicious attacker

Combination of the above / Custom Assessment – May contain some, or all, of the above assessments

Mobile Device Assessment – Review of mobile device weaknesses and their exploitation

The pentester should provide you with an industry-accredited mark of assurance that your customers/clients can see and take confidence in.

Personally, I am an EC-Council Licensed Penetration Tester, and once a client has been assessed they are provided with the following to use on their websites, in signatures and for other purposes:

[Images: LPT Audited badges]

Nessus Monkeys

Nessus monkeys are ‘security professionals’ who get paid to perform pentests but only run a basic vulnerability assessment and hand the client a one- or two-page spreadsheet of the findings.

Unfortunately, there are a large number of these people in the security industry, and they are frowned upon by those of us who are legitimate pentesters.

A pentester should thoroughly test your network and, if a vulnerability or weakness is detected, actively exploit the system to prove the vulnerability exists and demonstrate the cause and effect of the weakness.

Companies that engage a pentester should expect a certain amount of documentation back from the assessment.

For example, my clients get one massive report listing the good, the bad and the ugly: the positives in the environment, what could be improved, the weaknesses and how they would affect the environment, plus all the screenshots, evidence and demonstrated, confirmed vulnerabilities, and of course an executive overview that is easily understandable at all levels of the organisation.

They may also receive, depending on the type of assessment, a separate remediation document and recommended security policies to be implemented.

Along with this, I provide my clients with a one-page spreadsheet based on the ISO2700x risk assessment, listing all the vulnerabilities, threat levels, mitigation strategies etc. as per the ISO standard. This can be used as a type of ‘checklist’ for remediation.

And finally, they get a presentation of the findings to key stakeholders.

If your pentester is not providing you with all of the above, it’s time to start asking why, and to shop around for a pentester that does.

If you are considering a move from your current pentest provider or looking to have your first one done in 2012, feel free to drop me a line at securityservices@kiandra.com for a confidential discussion.

Why don’t I just do some research and do a pentest myself?

There are a few reasons why this is a really bad idea. First of all, it does not meet compliance requirements. Secondly, your systems do not receive an industry-accredited assessment by a trained security professional.

Thirdly, customers and clients do not place the same confidence in a security assessment performed internally as in one performed by an external party.

When assessments are performed by internal staff, vulnerabilities tend to get missed or overlooked, or internal politics get in the way.

Fourthly, if the assessment is performed by internal staff, you cannot test the responsiveness of the IT security staff or support personnel, nor accurately perform social engineering based attacks, as you are already known to internal staff.

Fifthly, skills. A sysadmin’s security skills and those of a dedicated pentester or ethical hacker will be massively different.

The amount spent on a penetration test really is minimal compared with the costs associated with a breach.

To finish off… happy holiday season.

I hope this post has given you all some food for thought for the year ahead.

I would like to wish all my clients, colleagues and followers a very merry Christmas and an awesome new year. Thanks for all your continued support and opportunities throughout the year.

I will be off until 3/1, spending time with my family.

Here’s to a great 2012!