
Planning for Information Security Testing—A Practical Approach
Karina Korpela, CISA, CISM, CRISC, CISSP, PMP, and Paul Weatherhead, CISSP
ISACA JOURNAL VOL 5

Once approval to perform an information security audit and, most likely, a penetration test (pen-test) of an organization's networks and systems has been obtained, then what? Where to start? Planning it requires a great deal of thought and consideration and, for first-timers, the task can be quite daunting. Poor planning can have serious consequences for the network, causing unwanted business disruption and, in the worst case, permanent harm. Depending on the risk appetite of the organization, the scope of the pen-test could be drastically different.

The first thing one needs to understand is that information security auditing is not a one-size-fits-all type of engagement. It is reasonable to start small and progress gradually to more complex engagements. It is also important to note that different networks and applications can be at different stages. For example, if an organization has a supervisory control and data acquisition (SCADA) system that has never been tested, nor even scanned for vulnerabilities, one should not start information security testing with a full-blown pen-test. It would be prudent to start with a vulnerability assessment to test the waters and use the results to harden the system for a future pen-test.

The model in figure 1 proposes a guideline for maturing testing activities by correlating different combinations of the "rules of engagement," which are covered in detail later in this article, with risk tolerance. These preset combinations can be used as a starting point.

Before considering the rules of engagement, it is important to know the types of information security testing:
• Vulnerability scan—This scan examines the security of individual computers, network devices or applications for known vulnerabilities. Vulnerabilities are identified by running a scanner, using sniffers, reviewing configurations, etc. Identified vulnerabilities are never exploited. This test tends to be less disruptive and is also inexpensive when outsourced.
• Security assessment—This builds upon the vulnerability assessment by adding manual verification of controls to confirm exposure, reviewing settings, policies and procedures. It has broader coverage; assessment of physical security safeguards is covered here.
• Penetration test—This goes one step beyond a vulnerability assessment. It exploits known and unknown (e.g., zero-day) vulnerabilities. It also makes use of social engineering techniques to exploit the human component of cybersecurity. Note that vulnerability assessment is included in pen-testing: it is the starting activity scheduled to look for vulnerabilities and is called the discovery (or reconnaissance) phase of the test cycle. Penetration testers must run a vulnerability scan to identify the weak points to be exploited.
• Social engineering—Although social engineering is actually a pen-test technique, many companies not yet ready for a pen-test might opt to deploy only a phishing email campaign, for example, to verify how many of their users are vulnerable to this technique and require further training. Results are reported, but the information gathered is never used to penetrate the network.

Figure 1—Information Security Testing Maturity Model
The model is a staircase of five levels. Maturity increases from the least mature level to the most mature; along the same path the simulation level rises from abstract through practicable to realistic, while risk tolerance is highest at the least mature level and lowest at the most mature level.
• Least mature: vulnerability or security assessment; low-medium risk systems.
• Second level: pen-test; grey box; IT staff aware; destructive techniques not allowed; social engineering not allowed; medium-high risk systems.
• Third level: pen-test; grey box; IT staff aware; destructive techniques not allowed; social engineering allowed; medium-high risk systems.
• Fourth level: pen-test; black/white box; IT staff unaware; destructive techniques not allowed; social engineering allowed; all systems.
• Most mature: pen-test; black box; IT staff unaware; destructive techniques allowed; social engineering allowed.
Source: K. Korpela. Reprinted with permission.

Both the vulnerability scan and the pen-test can be performed against internal and external systems and network devices. Both can be general in scope or focused on specific areas. Figure 2 shows areas of focus and their applicability to each type of testing.

Figure 2—Focus Areas
Focus Areas/Types                                              | Vulnerability Scan | Security Assessment | Pen-test | Social Engineering
Routers and switches                                           | I                  | I                   | I        | -
Firewall                                                       | I                  | I                   | I        | I
Intrusion detection system (IDS); intrusion prevention system (IPS) | I             | I                   | I        | I
Wireless network                                               | I                  | I                   | I        | -
Denial of service (DoS)                                        | O                  | O                   | O        | -
Password cracking                                              | -                  | O                   | I        | -
Social engineering                                             | -                  | O                   | I        | I
Stolen mobile devices                                          | -                  | I                   | I        | -
Application                                                    | I                  | I                   | I        | -
Physical                                                       | I                  | I                   | I        | I
Database                                                       | I                  | I                   | I        | -
Voice over Internet Protocol (VoIP)                            | O                  | I                   | I        | -
Virtual private network (VPN)                                  | I                  | I                   | I        | -
Email security                                                 | I                  | I                   | I        | I
Security patches                                               | I                  | I                   | I        | -
Data leakage                                                   | -                  | I                   | I        | I
Telecommunication and broadband communication                  | I                  | I                   | I        | -
I = Included | O = Optional | - = Generally not included
Source: K. Korpela and P. Weatherhead. Reprinted with permission.

An assessment is not better than a pen-test or vice versa. They provide different outcomes and value. Their applicability depends on the organization's risk tolerance, the systems' sensitivity and the maturity of the security infrastructure. Ideally, pen-tests can be run just once a year, while vulnerability assessments should be performed more frequently.

Rules of Engagement

These rules should be thought of as the sound adjustment knobs on a home theater system. One combination might be better for a smaller room in which cable TV is being watched, while another might be better for a bigger room where a DVD is being played. Once these rules are understood, it becomes easier to decide the objectives and scope for testing.

A different combination can be applied to each system within the scope. In one highly sensitive network, one may only run a vulnerability scan, while in other, more robust networks, one might run a more realistic pen-test. Or, the sound can be tuned as the testing occurs. For example, when the tester does not succeed in penetrating the first line of defense, the test can be considered complete, or additional information, or even access, can be provided to enable the tester to bypass it and restart testing from there. In this way, additional vulnerabilities can be identified in case a future attacker manages to breach the first level of defense.

The combination chosen depends on the risk tolerance and the maturity of a company's cybersecurity processes. Nevertheless, these rules allow for flexibility in adjusting the test plan according to the systems and networks in scope.

It is important to keep in mind that in the always-evolving world of information security, reaching the highest maturity level and, as a consequence, becoming complacent can be dangerous.

Even though a higher maturity level is required to perform the most realistic testing, it comes with a price, as it can give a false sense of security. A full-blown black box test allows the tester to assess only the first line of defense at the time of testing. But what if a zero-day attack exploits vulnerabilities behind that first line of defense? How would the internal systems respond? Andy Grove's quote on complacency is very much applicable to information security: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive."1

It is essential to apply a cyclical approach to information security testing, as suggested in figure 3.

Figure 3—Testing Cycle
[Figure: a cycle whose recoverable labels are "Pen-test" and "Vulnerability"]

can be run internally when the goal is to simulate what would happen if a company's own employee attempted to carry out an attack from within or if an attacker

Karina Korpela, CISA, CISM, CRISC, CISSP, PMP
Is the IT audit manager at AltaLink, a Berkshire Hathaway Energy Company and Alberta, Canada's largest transmission provider. Korpela has more than 15 years of international experience with IT audits, cybersecurity assessments, performing data analytics and developing continuous controls monitoring applications for many different business processes. She began her career at Coopers & Lybrand as a system administrator and was later invited to join its Computer Audit Assistance Group (CAAG) as an IT auditor. She can be reached at [email protected].

Paul Weatherhead, CISSP
Is the vice president and chief technology officer at Digital Boundary Group, an information technology security assurance services firm serving clients throughout North America. He is frequently called upon to advise North American clients in the financial services, law enforcement, municipal and provincial government, utilities, and professional services sectors on corporate IT security and network intrusion investigations. Over the past 17 years, Weatherhead has focused on network security and threat management consulting, having performed more than 400 IT security assessments in Canada, the United States and the United Kingdom. He regularly conducts network security training courses and has instructed at the Canadian Police College.