PainPi!! #27 Penetration Testing: a business approach

What is “The Pain Pill”? Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better.

Do you like the plain or the Red logo format? Email me back!

This post is located here and the video is here.

Free class is Thursday 7:30 – 8:30 Central Time click here.

Recently I have been asked to do more and more penetration tests. A penetration test is a fancy way of saying: hire someone to attack your systems, hopefully before the real attacker does, in all the old ways and some new ones, so that you can improve your defenses.

What a pen test does and doesn’t do:

  • It doesn’t prove you are secure.
  • It doesn’t tell you what controls to install.
  • It doesn’t reveal to what degree you are insecure.
  • It does prove you are insecure, if the tester achieves a real breach.
  • It does tell you specifically where your controls failed.

As a tester, I will not tell you that your network is secure. Why? Because the customer sets the scope. If the customer ties my hands behind my back by taking a vector of attack off the table, there is no way I can guess the “what if…”. A customer is definitely going to tell me I cannot do a denial of service. So right there, I cannot do what attackers do… or could I? (Come to class and I will explain how.)

You pay for X number of days, and you get those days. If we can take down a few roadblocks to testing, I can spend more time testing and less time fighting with your business process, your controls, and your people (again, more in class). You will get a more detailed test.

An attacker can attack anywhere, at any time, and in very new ways. Testers must at least keep up; very good testers get out ahead of the attackers. This is not a skill many have. Thinking of the next way to attack requires practice. Thinking of a new way to attack that will not take down the service, but will still prove the attack is possible, requires more skill.

What can we do to make it better for us, for you?

Most important quality in a tester: Testers must be very trusted advisors. Trust above all else.

Most important quality in a testee: don’t be embarrassed or defensive when the tester cuts through your defenses like a hot knife through butter. We concentrate so hard on what is in front of us that we forget to turn around and look. A tester’s job is to turn around and look in a new way, not to spare our feelings.

Policy: (this is different from what we normally discuss)

  • Policy is general, and exceptions are supposed to be rare.
  • Write an exceptions process for pen testing: a separate policy that supersedes the other exception processes.
  • Write an emergency change-control process for critical flaws found in testing.

Action items:

  • Testers need the highest level of approval; get that approval before the engagement starts.
  • Tie internal project-management goals for fixes to the findings at the end of the report.

Don’t know how to do these activities? Come to our free class! Thursday 7:30 – 8:30 PM Central. Click here

Or http://www.bit.ly/painpill27

PainPi!! #22 Scanning Defense and Attack

Scanning!

Free CEH class Thursday 7:30-8:30 PM Central. Click this link, type your name, and turn up your speakers.

To see the video version, click here.

If you take a look at any firewall log today, you will see hundreds of scans per hour. The last report I read said the average time to the first port scan of a public IP address was 7-10 seconds. I thought that was a load of crap designed to scare all of us, so I put it to the test. I built a computer, put it in front of my firewall and turned on logging for all packets. Sure enough: 1, 2, 3, … 15 seconds later, ping, ping, port, port, port, BOOM!

My IP address was pinged, my ports were scanned, then the attack.

Most of us would say, “All our ports are closed except our web server and our mail server, so we are safe.”

Wrong! Yes, you are safe on the closed ports, but the open ports are still open, and that is exactly where the attack lands.

What can we do?

Policy items:

  • Identify or define:
      • the roles, and who reviews firewall and IDS log data;
      • the review interval, escalation process and reporting for firewall and IDS data.

Action items:

  • Monitor the open ports and the connection attempts logged by your IDS or firewall on a regular basis.
  • Tarpit the closed ports on servers that are Internet addressable.
  • If this is just you running the whole show, outsource either the services or the review process.
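The sequence described above (ping, a sweep of closed ports, then a connection to the one port that is open) is exactly what the first action item asks you to look for on every review interval. The following script is an added example, not code from the original post: it parses iptables-style LOG lines, flags any source that probes a threshold of distinct closed ports inside a time window, and, the part that matters, lists which open ports that same source then got through to. The rule prefixes FW-DROP and FW-ACCEPT, the threshold of five ports in sixty seconds, and the sample log lines are all assumptions constructed for this example, not captured from a real host.

```python
"""Firewall-log triage for the "ping, ping, port, port, port, BOOM" pattern.
Added example (not from the original post). Assumes iptables-style LOG lines:
syslog timestamp, "kernel:", a rule prefix (FW-DROP / FW-ACCEPT), KEY=VALUE
fields. The sample log is constructed for this example, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: 203.0.113.7 pings, sweeps six closed ports, then hits the
# open web port. 192.0.2.44 is an ordinary visitor that trips over one closed port.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:00:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 10:00:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 10:00:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 10:00:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  3 10:00:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=110 SYN
Mar  3 10:00:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=443 SYN
Mar  3 10:00:09 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40010 DPT=80 SYN
Mar  3 10:00:15 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 SYN
Mar  3 10:00:16 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<prefix>FW-(?:DROP|ACCEPT))\s+(?P<fields>.*)$")


@dataclass
class Event:
    ts: datetime
    action: str                # "DROP" or "ACCEPT"
    src: str
    proto: str
    dport: Optional[int]       # TCP/UDP destination port; None for ICMP
    icmp_type: Optional[int]   # 8 = echo request (ping)


@dataclass
class Finding:
    src: str
    pinged: bool                   # sent at least one ICMP echo request
    scanned_ports: List[int]       # distinct closed ports probed
    is_scan: bool                  # >= threshold distinct closed ports inside window
    open_ports_reached: List[int]  # open ports reached once the scan began


def parse_line(line: str) -> Optional[Event]:
    """One iptables LOG line -> Event; None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
    ts = datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']}", "%b %d %H:%M:%S")
    return Event(ts, m["prefix"].split("-", 1)[1], kv["SRC"], kv["PROTO"],
                 int(kv["DPT"]) if "DPT" in kv else None,
                 int(kv["TYPE"]) if kv["PROTO"] == "ICMP" and "TYPE" in kv else None)


def analyze(log_text: str, threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> Dict[str, Finding]:
    """Per source: did it scan us, and which open ports did it then reach?"""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev.src].append(ev)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        drops = [e for e in events if e.action == "DROP" and e.dport is not None]
        # Sliding window: a scan is `threshold` distinct closed ports probed
        # within `window` of some first probe from the same source.
        scan_start = None
        for i, first in enumerate(drops):
            if len({e.dport for e in drops[i:] if e.ts - first.ts <= window}) >= threshold:
                scan_start = first.ts
                break
        # The part that matters: which OPEN ports did the scanner get through to?
        reached = sorted({e.dport for e in events if e.action == "ACCEPT"
                          and e.dport is not None
                          and (scan_start is None or e.ts >= scan_start)})
        findings[src] = Finding(
            src, any(e.proto == "ICMP" and e.icmp_type == 8 for e in events),
            sorted({e.dport for e in drops}), scan_start is not None, reached)
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """One line per scanner, for whoever owns the firewall-log review interval."""
    return [f"{f.src}: ping={'yes' if f.pinged else 'no'}, probed "
            f"{len(f.scanned_ports)} closed ports, then reached open ports "
            f"{f.open_ports_reached or 'none'}"
            for f in findings.values() if f.is_scan]


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Point it at your kernel log (for example the output of `journalctl -k` or /var/log/kern.log) once the LOG prefixes in LINE_RE match the ones your rules use, and tune `threshold` and `window` against your own baseline so ordinary visitors who hit one closed port do not show up. For the tarpit action item, the TARPIT target from xtables-addons (it is not in stock iptables) answers the scanner's SYN and then holds the connection open with a zero window, so it is the scanner's sockets, not your server's, that get tied up.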

We have some great deals on a 10-week Live Online class. Click here for CISSP or CEH.

If you want someone to subscribe to the PainPi!!, click here.

Operations Security study guides

This page is designed to support the CISSP Operations Security video application for the iPhone.

It will contain:

  • The study guides for our current CISSP modules that match the video application.
  • Errata information on the videos.
  • The ability to give feedback for future videos.

Operations Security quiz overview

Operations Security for the CISSP quiz overview

These are the sub-domains within the domain.

  • Classification
  • Data Backup
  • Privileged Entity Control
  • IDS and IPS

There is too much information in each of these topics for you to be technically adept in every sub-domain and domain of the CISSP. Your goal is to know the core knowledge at an executive-summary level of detail: enough to ask the technical people on your staff the right questions. Those questions should concern the security aspects, not the implementation details. You need enough technical detail to make management decisions about security and technology. The questions in this section are meant to reveal gaps in your security knowledge; they are not detailed enough to solve a real-world problem. Do not study the question itself, because it will not be on your exam. You SHOULD study the core concept the question discusses and be able to apply generic security measures to it. You should know the threats to, and controls for, each technology.

For a course in Operations Security Click Here.

Study Guide for IDS and IPS

Study Guide for IDS and IPS as a part of the Operations Security Domain for the CISSP.

There are many interactive learning opportunities on this site. Navigate to Certification and dig down into the topics for anything from one hour to ten weeks’ worth of learning.

PodCasts for Listening (Hear): Crispytopics.com. You must register with a real email address, but there are hours of downloads.

Quizzing: Expanding Security offers over 900 practice exam questions. See what Gwen Bettwy says about quizzing. See what Dean Bushmiller says about quizzing.

Glossaries for Flash carding (Touch):

  • Bulk terms –
  • Single definitions –
  • The Wiki –

Best Practices & Short Guides (Look):

Books for reading (Look):

  • _

Study Guide for Backup

Study Guide for Backup as a part of the Operations Security Domain for the CISSP.


Study Guide for Classification

Study Guide for Classification as a part of the Operations Security Domain for the CISSP.


Study Guide for Privilege Control

Study Guide for Privilege Control as a part of the Operations Security Domain for the CISSP.
