The "RISKY BUSINESS" Blog


Is Confidentiality still an Information Security Requirement?

Posted by John Verry on Mon, Aug 30, 2010 @ 12:39 PM

To an "old school" infosec practitioner (like myself) confidentiality is the most emphasized element of the CIA triad (confidentiality/integrity/availability) because the risks associated with the failure to provide confidentiality are usually the biggest and the regulations can be the stickiest (e.g., PII, PCI, HIPAA).

"New school" practitioners are likely to view things a bit differently. When you have grown up with "where you are/what you did/who you did it with" posted for the world to see on MySpace/Facebook ... the boundaries between private and public are pretty thin. Rather than ramp back, many are continuously broadcasting their whereabouts and activities using Foursquare and Twitter. GenY folks are just not all that concerned about confidentiality ... because they are not that concerned about privacy.

My conversations with GenY have altered my views on privacy quite a bit. So has my work as a social engineer. So has the fact that I have had my Personally Identifiable Information disclosed by multiple retailers and a mortgage company. In short, the genie is already out of the bottle and there is no way to get the cork back on. If you don't agree with me, Google yourself, and take a look at tools like pipl.com, paterva.com, and jigsaw.com. If you're anyone who has at least partially embraced the internet -- birthdates, mortgages, judgments, addresses, your work history, your military records (including serial number), Social Security Numbers, purchases you made on Amazon, your woeful performance in your fantasy football league, posts you made on the dementia message boards -- are all just a click away.

So if our "private" information is now "public", do we really need confidentiality? Does it really matter if someone knows my Social Security Number? Driver's License Number? Address?

Sadly it probably still does -- because those items are often inappropriately used as a form of authentication. However, as GenY folks take more prominent roles in politics and information security I would not be surprised to see some big changes. Most notably a de-emphasizing of confidentiality and an emphasizing of authentication and authorization.

I'm ready ...


Penetration Testing in a Foaming Dispenser ....

Posted by John Verry on Tue, Dec 15, 2009 @ 04:25 PM

Last week I bemoaned Axe Shower Gel's packaging and noted that we were working on some changes to our Penetration Testing service offerings to better meet our clients' assurance objectives.

Over the last 9 years we have found you can generally divide our Penetration Testing clients into a few broad "stereotypes", clients who:

  1. View a penetration test as a necessary evil (e.g., small banks and smaller SAAS providers who conduct them to satisfy a regulatory or customer requirement).

  2. Are pretty confident that they have things "screwed down tight" but just want a quick test to make sure.

  3. Have a business driver (e.g., regulations, client attestation) and consider penetration testing to be integral to their security program (e.g., larger banks and SAAS providers).

  4. Operate in a high threat/high impact environment where penetration testing is viewed as critical (e.g., critical infrastructure, law enforcement, eGovernment).

Recognizing that "one size" doesn't fit all, we have tried to align our Penetration Testing offerings to provide assurance consistent with our clients' varying objectives:

  • An Investigative Pen Test - emulates an attacker that doesn't have a lot of time, doesn't have a lot of tools, and may not even be targeting you specifically. He may stumble upon an interesting portion of your infrastructure during a broader sweep and will leave relatively quickly if he doesn't find an obvious security problem. Attackers that get in through a blank or default password on an administrative account are Investigative Attackers.

  • An Intentioned Pen Test - emulates an attacker that has more time, and a few more tools than the Investigative attacker. More importantly, she has intent. She is targeting you and wants to find a weakness in your network. Attackers that get in by exploiting an unpatched vulnerability in an operating system or network service are Intentioned Attackers.

  • A Tenacious Pen Test - emulates an attacker that has time, tools, intent, and determination. She is willing to go the extra mile to make it past your defenses. She may even attempt social engineering to find a way beyond your perimeter defenses. She will do it quietly, though, and take care to go unnoticed. Attackers who convince your help desk to reset an account password for them are Tenacious Attackers.

  • A Zealous Pen Test - The primary difference between a Tenacious Attacker and a Zealous Attacker is that a Zealous Attacker won't try to stay under the radar. He will do things that get noticed. He may even intentionally disable access to services to see what happens. More than intent and determination, he has a belief that he needs to breach or damage your systems, one way or another. If he has any worries about covering his tracks, they are secondary to the success of the attack itself. Attackers who crash your mail server and deface your website are Zealous Attackers.

Just as packaging matters when it comes to shower gel, we believe it also matters when it comes to security testing. So choose wisely, and dispense exactly what you need. Remember, "one size does not fit all!"


Why Information Security and Trust are Different

Posted by John Verry on Fri, May 08, 2009 @ 01:12 PM

It wouldn't be a stretch to say that Windows 2000 and all the Windows iterations before it were insecure by default and that Windows 2003 and forward are secure by default. So why is it that Windows 2003 may make your environment more secure while at the same time it makes your environment less trustworthy?

I believe there are two predominant reasons:

  1. As we become more confident in Windows security we become less vigilant in our due diligence to validate that Windows is actually operating as intended.
  2. Even when we are vigilant, a network penetration test, the de facto "gold standard" for substantive testing that an environment as a whole is operating as intended, is no longer sufficient.

Windows 2003 is significantly more secure by default than Windows 2000; however, it is not immune to less than optimal configuration and vulnerability patch management issues. Further, there are often other "less important" (and likely less secure) older platforms, network devices, or older applications that may degrade the security (and trustworthiness) of the environment as a whole. So trust the environment, but remain diligent and verify by appropriate activities.

That segues directly to point two: the "appropriate" activities have changed. As an environment becomes more technically secure there is an implicit and incorrect assumption that the probability that it will be "hacked" definitely goes down. In fact, I would argue that if the attacker is intentioned, it does not go down at all. An intentioned attacker will just alter his attack vector to seek the "new" weakest link (e.g., Social Engineering). There is an old adage that professionals don't hack systems, they hack people (think Kevin Mitnick).

So as your environment grows more secure, the tests that you use to measure its security/trustworthiness need to change as well. Many of our more risk averse clients are adding social engineering and/or physical penetration testing into their "verify" activities. Should you?

Our “slidepaper” on Network Vulnerability Assessment: Key Decision Points, will help broaden your knowledge on VAPT. Find this and more on our Penetration Testing resource page.
