
Wednesday, 25 April 2012

Expert advocates for better pen tests, less complex security

ORLANDO -- Enterprises are making costly investments in information security technologies that fail to resolve the weaknesses being targeted by attackers, according to a noted security expert and author who urged more than 2,500 attendees at the InfoSec World Conference and Expo 2012 to rethink their priorities by conducting more effective penetration tests.

“We ought to get rid of a lot of these expensive technologies that enable you to calculate how someone in China is going to hack your systems at 2 a.m. with a 0-day. It doesn't work.”

David Kennedy, VP and CSO of global risk and security, Diebold Inc.

“We're the one industry I know of that continues to spend increasingly more money and yet our problems get gradually worse,” said Dave Kennedy, vice president and CSO of global risk and security at North Canton, Ohio-based Diebold Inc. “We increase our budgets, increase our spend and we buy whatever the next buzzword is at the next major conference.”

Kennedy, a penetration tester and author of “Metasploit: The Penetration Tester's Guide,” demonstrated several attacks using software he developed called the Social Engineering Toolkit. In less than a minute, Kennedy used the tool to clone a domain and use a valid digital signature to target a victim's machine. He showed how quickly he could gain full control of the employee's computer and potentially steal data over purely HTTP communications, by emulating the browser in every way.

“Your security technology doesn't stop this and I am not that good at this sort of hacking,” Kennedy said. “There are kids getting amazing with this technology; they are not just script kiddies, they're becoming very sophisticated attackers.”

Kennedy said most CISOs and security professionals envision a castle with heavily fortified moats to keep out external attackers, but compliance and security technologies have added complexity, adding to the very weaknesses security was designed to address. “Our entire balance is off,” Kennedy said. “The focus is on compliance and purchasing products from vendors when we are not securing what we have to secure.”

Kennedy advocated for the use of the Penetration Testing Execution Standard (PTES), a standard and maturity model designed two years ago at the ShmooCon hacker conference. PTES was designed for businesses and security service providers to give a common language and scope for performing penetration testing. Currently there are 6,000 contributors to PTES, and corporations evaluating pen testers can use the standard to create specific requirements, he said.

Penetration testing is not solely focused on vulnerability scans, Kennedy said. Instead, strong penetration tests need to produce meaningful data designed to point out strategic findings that address the majority of the underlying issues. Often enterprises that undergo pen testing end up with huge reports outlining 1,500 system vulnerabilities, but no feasible way to address the root cause of the flaws, he said.

“Pen tests are meant to be fluid and emulate an attacker,” Kennedy said. “We have got to get rid of all these expensive technologies that help you calculate how someone in China is going to hack your systems at 2 a.m. with a zero day. It doesn't work.”

Penetration tests should incorporate pre-engagement interaction, Kennedy said, during which the pen tester conducts intelligence gathering and learns how the company generates revenue. Threat modeling then helps decide which attack vector would have the greatest impact on the company. Vulnerability analysis looks for the weaknesses, and the exploitation phase consists of a precision hit aimed at gaining access to the internal network and then to the sensitive data, in order to cause the most damage to the business, he said.

“This is the way you communicate your message; it is not through a 1,500-page report, because 90% of the findings in those reports are garbage,” Kennedy said. “You have to learn what your organization has systemic issues with and how long the tester could exfiltrate data out of the company.”

Conference attendees were generally optimistic about PTES and said it can reduce the common practice of hiring the lowest bidder for penetration testing projects. Running vulnerability scanners and trying to address all of the results just doesn't work, said D. David Orr, an IT examination analyst within the Division of Risk Management Supervision at the Federal Deposit Insurance Corporation. Orr said he sees some banks and credit unions struggle with 800-page reports and mounting expenses because they lack internal expertise. “Flipping through these reports you could see that there are lots of false positives,” Orr said. “A standard is something I will recommend as a place to begin to minimize their struggles.”

