LAZgroup SA - Business and Technology Solutions

www.lazgroup.com [email protected] +41794822839

Rue du Cendrier 15, 1211 Geneva, Switzerland

IT risks associated with outsource of Penetration Testing (Ethical Hacking)

Written by Dr. Kretov Kirill from LAZgroup SA

Introduction

The idea that information governs the world is nothing new. The faster a business develops its technological and information framework, the higher the risk of malicious access to that information. Commercial, financial, managerial, HR and other information is of interest not only to the company that creates and uses it, but also to its competitors and to people who may seize it for unauthorized use and resale. The need for data security keeps growing.

Data security is a state of data protection in which integrity, availability and confidentiality are ensured. Integrity means that the information does not change while it is stored or transmitted; availability means that authorized persons can access and use the information at any time; confidentiality means that the information is unavailable to anyone who lacks sufficient, lawful authorization to access it.

An information audit can be used to ensure data security. Generally, an audit is performed to estimate the current level of data security, to assess possible risks during information storage and use in the company, and to determine the high-priority measures that will minimize those risks and the threat of information leakage. During an audit, we reveal the security level provided in the automated system, and the collected statistics help determine further steps toward complete information security in the company.

Security audit types include penetration tests (or "pentests"), which aim to identify the various methods of finding vulnerabilities and the ways of intruding into the company's information systems from the outside, for example, via the Internet. Penetration tests are mainly performed to estimate the company's overall level of protection from external threats and targeted attacks, and also to document the actions taken and produce a report on them.

In most cases, the testing procedure consists of three steps, each of which includes a number of quite specific tasks. The first step covers planning and preparation. The second step is the penetration into the automated system itself, and the third step is report creation and, possibly, recommendations to improve data security.

Most often, a company turns to penetration testing when it needs to evaluate possible damage from malicious activity, to estimate the security level of specific information assets, to determine the most vulnerable places in its information security system, or to assess the measures taken by staff members in response to penetration attempts.

However, one must not think that the testing procedure guarantees complete security for the company. This is not always true, since any penetration attempt may cause unexpected and critical consequences for the audited company.

This article is intellectual property of lazgroup.com.

There are two major groups of risks we should always keep in mind.

Risks due to the Testing Company

The first group of risks is caused directly by the company that performs the security audit for the customer. In other words, a company that wants reliable data security checks whether its information is accessible from the outside by intentionally making it accessible, because many vulnerabilities are usually revealed during pentests and the testers gain access to the protected data.

Is it actually so bad? A customer who wishes to have penetration tests performed signs a non-disclosure agreement with the testing company. Although most companies think this is enough, each penetration test brings additional risks. We should keep in mind that each auditor group consists of people, and the human factor cannot be ignored.

First of all, it is the human factor that makes different penetration testing companies perform pentests differently. Vulnerabilities revealed by one group will remain unknown to another group, and vice versa. That is why, logically, you cannot rely completely on the results of penetration tests to ensure information security. A real threat of penetration exists anyway, since different groups and different hackers can apply various methods to the revealed vulnerabilities. In other words, such testing will not fully guarantee security in the customer company.

Even when the testing is finished and vulnerabilities have been found in the customer's automated system, the testing company can simply retain the information it obtained about the software, network structure, etc., or conceal some vulnerabilities from the customer. In addition, the tested company is now exposed to all the risks of the auditing company.

The point is that maintaining security within a company is very hard, and there is a risk that employees of the testing company, for example after they are fired, will use the information for their own benefit or for the benefit of competitors. This is not a rare situation, and the statistics for such cases are, unfortunately, growing.

Client information often leaks from companies that place too much trust in their IT service providers (the latter can be outsourcing companies, processing centers, security audit companies). According to the American telecommunications company Verizon Communications, more than half of all known information leaks in restaurant and retail shop networks and in other organizations that, for whatever reason, cannot afford high-grade IT staff are due to dishonest outside partners or to companies offering information security audit services.

Here is a specific example. In 2009, the owner of a large US IT company engaged in information audit and outsourcing services was accused of stealing the confidential data of more than 8 million people. All of the information came from large client companies, and the investigation revealed that the resulting database was intended for sale to competitors. Details of what data had been stolen and the list of affected organizations were not published, in the interests of the investigation, but it was known for certain that during the audit, information on the operation of the organizations' networks was carefully gathered for further illegal use and theft.

As the examples illustrate, dishonest companies among those offering information audit services are not a rare exception. And although data leakage through the company's own employees or insiders seems the most probable, it usually does not make sense to expose the company to additional risks for the sake of a false feeling of safety.

Even when you do need penetration testing from the outside, you must first carefully examine the reputation of the company that will conduct it. But the company's reputation is not enough. Find out as much as possible about the company's management and technicians, because even a company with a perfect reputation that provides high-quality security audit services might employ people who secretly help competitors, with the main intention of accessing the protected information without interrupting the testing.

Some of the information a company uses internally has a long lifespan, meaning that if it becomes available to anyone else even a few months later, the company will still suffer substantial losses. One must therefore be very careful when bringing in external human resources and pay attention not only to their skills, cost and quality, but also to the potential consequences of granting them access to the company's information assets.

Another threat during penetration tests is the investigation of various attack scenarios. Employees of the auditing company may document only some of the vulnerabilities revealed in the information protection system, while the remaining vulnerabilities can still be used by hackers.

Technical Risks

Even when penetration tests bring good results and eliminate many vulnerabilities, they still do not guarantee that information will remain inaccessible in a few days, weeks, or months. New vulnerabilities arise every day, new types of attack come into use, and even some old vulnerabilities can be exploited anew over time. No information security organization can possess complete information on all vulnerabilities. That is why the vulnerabilities that will be used tomorrow may differ greatly from the existing ones.

By providing fast operation in data networks and using the Internet in daily activities, companies make their business more effective and flexible on the one hand, but at the same time increase their risks, because absolutely secure systems do not exist. Failures of network protocols and services and faults in network equipment may cause not only direct financial losses but also loss of reputation, which for many large companies is more serious harm than financial loss. Information security becomes more and more important as more and more services allow customer relations to be maintained directly via the Internet.

Usually, a vulnerability means that a malicious user can, by issuing a corresponding command, make the application perform operations for which the user has insufficient rights or no rights at all. And although detection tools exist for different types of vulnerabilities, they can never substitute for a person's experience in information security research.

In attempting to provide security, the management of many companies often makes severe errors that may have serious consequences for the company. Among them are:

The company's staff is excessively confident in the reliability of the security technologies used.

Accurate technical information on the security level does not exist.

There is no clear information security policy.

IT department staff qualification is insufficient.

The personnel wrongly think that there is no important information for hackers in the company's information system.

The personnel wrongly think that cracking of the company's web site or server will not result in serious losses.

This article is intellectual property of Dr. Kretov Kirill, the founder of LAZgroup SA.

According to last year's statistics, gathered from the analysis of almost 12 thousand programs and web applications, more than 97 thousand vulnerabilities were found. They differ in threat level, but more than half of them are urgent and critical, and the data from 13% of systems can be compromised automatically. In the course of detailed testing, the probability of revealing critical vulnerabilities reaches extreme rates, from 80% to 96%.

Any company can suffer from cyber attacks regardless of its business. Of course, hackers are mainly interested in large organizations, but small companies usually suffer more severe damage from such illegal activities. Small companies, as well as mid-sized businesses, often suffer from malicious software and viruses, which are becoming harder to neutralize. Note that data security companies themselves are often the target of directed network attacks.

Interesting statistics have been published by the Ponemon Institute. The research, which used information received from 45 large American companies, showed how great a company's losses are from attacks that exploit vulnerabilities in its information system. On average, companies lose a little less than four million dollars per year due to such faulty conditions, and this figure ranges from one million for medium-scale companies to 52 million dollars. The struggle against network data leakage, attacks on companies' web sites and online services, and the distribution of malicious software accounts for the lion's share of information security costs. Nevertheless, the studied companies were exposed to more than 50 successful attacks per week during which hackers could have plundered the data.

As the above statistics show, hackers do their criminal business with impunity. While competition in this field grows, prices for computer network cracking and information theft fall, but hackers' proficiency continues to increase. Among all hackers, no more than ten persons a year are held criminally liable, and for some frauds with a turnover in the millions the hackers receive suspended prison sentences. Experts think that such avalanche-like growth of crime in information technologies is a considerable threat to any business.

Conclusion

In conclusion, we must emphasize that the situation in the field of information protection is changing rapidly, and a company must respond to each change as promptly as possible. Any newly revealed vulnerability, any weakness of an anti-penetration system may result not only in direct financial losses but also in irrevocable loss of reputation among partners, which is often much more important.

Hackers' arsenal grows with new, sophisticated software and hardware, and their proficiency long ago surpassed that of an average employee in an IT or information security department. A company can protect itself from possible threats only by paying constant attention to the integrity and security of its network and other resources. To date, vulnerabilities have been found in all operating systems. Once again, this proves that no absolute security can be guaranteed, now or in the near future.

But you can keep your risks to a minimum. For this purpose, prompt staff response when a threat is detected is crucial, as are the timely installation and updating of anti-virus software and firewalls and the installation of all critical and essential operating system updates. Overall staff awareness of recently discovered vulnerabilities, viruses and malicious software is also important.

Many organizations resort to penetration tests as the last possible measure. But at present this measure is expensive and ineffective. During such a test, only part of the existing vulnerabilities will be discovered, while new methods of breaching information security appear almost every day. One must understand that even a large company providing computer audit services may be exposed to its own internal data leakage risks. Entrusting such a company with detailed information about network structure, operations and protocols basically means taking on and covering all the risks of that company. So penetration tests usually give you a false, illusory sense of safety.

Internal network audit methods are more effective than penetration testing. A company must use software for access restriction, user activity monitoring and data encryption, and network activity logs must be monitored on a regular basis. This is a necessary condition for keeping the risk of information loss at an acceptable minimum.

Written in January 2010 by Dr.Kretov Kirill specially for LAZgroup SA