Posts Tagged ‘data at rest’


Five things any business owner should know about penetration testing

March 17, 2010

Penetration testing is part mystique, part business tool. Tell people at the local watering hole that you are an ethical hacker, and that you hack networks at their owner’s request to identify security vulnerabilities and assist them with remediation, and they start looking at you funny. Go ahead, try it sometime. It’s fun. You’ll also notice that they never quite hear the word “ethical” on the first try!

But beyond this, a penetration test is a very useful business tool, yet there are still many misunderstandings about it. So without further ado, let’s quickly review the five things that any business owner should know about penetration testing.

1. What is a penetration test?

A pen test is a business tool through which you can evaluate the point-in-time security posture of a target host or environment. In plain English, it means that you can define how secure a computer or a network would be against a malicious hacker’s attacks. Because the pen tester will use real world tools and tactics against the target scope, it replicates what real attacks would put your network through and provides realistic and valuable test findings.

2. Not all pen tests are created equal.

The pen test is only as valuable as the pen tester who conducted it is experienced. While there are many script kiddies out there – i.e. malicious hackers who use ready-made tools they downloaded from the Internet with little understanding of what they do or how they do it – there are also very powerful and knowledgeable hackers whose techniques, dedication, skills and intelligence are remarkable. For the pen test to have any meaning, and therefore any business value, you want to make sure that the pen tester is also someone whose talents and skills in the trade are well documented.

A “bad pen test” with results that shouldn’t be trusted is probably more dangerous to an organization than no pen test at all!

Another important difference between pen tests in terms of value resides in the quality and usefulness of the deliverables. Simply put, the report with which you are presented should be a useful business tool. Make sure that it addresses all the relevant audiences in your organization, that it is not an unwieldy 100-pound, 1000-page behemoth and that it contains actionable remediation information.

3. How often should penetration tests be conducted?

The short answer is that at least once a year, you should have both an internal and an external penetration test done.

Note that many organizations fall under different mandates, some at the state and/or federal level, others at the commercial level, that may dictate the actual regularity of when penetration tests should be conducted.

The reasonable, cost-effective solution seems to be to have one full-out pen test a year, followed by a smaller test 6 months later to verify that the remediation activities that took place after the large test were successfully carried out.

4. What are the different types of penetration tests?

A quick overview would single out the following types:

a. External Pen Test: because some of your computers are directly facing the Internet, they can be accessed both legitimately and maliciously from anywhere in the world, and are therefore more in danger than the computers that reside in your internal network. Typically, an external pen test will target your firewall(s), your web and mail servers, maybe a remote access server such as a VPN concentrator, etc. The idea here is that anyone, anywhere can probe these servers at any time to determine whether they are plagued by vulnerabilities and can be taken over. If such vulnerabilities exist, you need to be aware of them as fast as possible so that you can proceed with appropriate remediation to remove the risk these vulnerabilities represent to your business.

b. Internal Pen Test: the FBI famously published statistics several years ago that showed that around 80% of all hacking attacks originated from inside companies, not outside. With that in mind, it’s important to make sure that those computers that are critical to the business are tested regularly.

c. Application Test: an app test is a security test that targets an application or program. The idea is to make sure that the data is always protected, whether it is at rest, in transit or being processed, that unauthorized users can’t get access to the data, and that authorized users cannot gain more access to the application and the data it contains than their security profile should allow.

d. Vulnerability Assessment: a VA is basically a pen test with a reduced scope. Indeed, the very first stage of a pen test includes all of the activities that make up a VA. The large difference is that the vulnerabilities identified in a VA are not tested, and therefore the report created to sum up the findings may include false positive findings. Note that because a VA takes a lot less time to conduct than a pen test, it also tends to be a lot less expensive – but provides less value.

5. What business value can I expect to derive from a penetration test?

There are several answers to this question – and they may not all be pertinent to all organizations.

a. Compliance: simply put, many organizations are mandated to have pen tests done every year.

b. Peace of mind: critical assets to your business should be tested. It allows you to not worry about being front page news as the next victim of a data breach.

c. Due diligence: if a breach does occur despite your best efforts, it is always productive to be able to show due diligence! Proving that reasonable efforts had been made prior to a hacking event always lowers the cost of dealing with the breach – and may also lower the actual loss of goodwill and reputation to the business.

d. Legal liability: your clients trust you with their information. If this information falls into the wrong hands, especially because of a data breach, you can expect lawsuits to be filed against your organization. As noted above, being able to demonstrate due diligence and reasonable security measures is always a plus. Furthermore, a federal regulation such as HITECH includes the possibility of criminal charges against negligent entities and their representatives in case of non-compliance.

There is a saying in the industry that the cost of having a pen test done is always lower than the risk of being in business without having one done regularly. While I could be perceived as a biased entity, I cannot help but agree. Not only because my firm provides ethical hacking services, but also because that statement is firmly grounded in common sense.

So… when’s the last time your network was tested? By an ethical hacker, that is…


Five things you should know about encryption… for non geeks!

March 3, 2010

When most people wake up in the morning, somehow, encryption is not the premier thought on their mind. I know, I know, this statement may come as a shock to you.

Most people probably even believe that they could go an entire lifetime without ever thinking once about what encryption is, and what it can do for them.

Some people, I tell you.

The truth is simple: if you are in business, you don’t have to be an encryption expert, but there are 5 things that you should know about encryption.

Before we proceed, here’s a quick primer on how to think about your data.

Understanding data states.

Data resides in different states, including at rest, in transit, or in use.

An example of data “at rest” is a Word document not currently open, but saved to the hard drive on your laptop.

An example of data in transit is that same Word document, attached to an email, on its way to your sister-in-law’s email inbox after you clicked on “send”.

An example of data in use is a computer program that processes information that resides in a backend database.

Understanding threats to the data.

Each state includes inherent risk to the data being used:

That data could be pilfered by an unauthorized third-party (a loss of data confidentiality.)

The data could be corrupted by a virus (a loss of data integrity.)

This data could be erased by malware or a malicious internal user (loss of data availability.)

Protecting the confidentiality, integrity and availability of data assets is what information security is all about.

Understanding data classification.

Data classification is the concept of assigning a confidentiality rating to all data assets. This is the concept to which all the “TOP SECRET” stuff you see in movies is linked. The idea is simple:

Look at each data asset your organization owns, and then decide:

1. “I don’t care who or what sees this information.” It’s safe to say that this data asset can be classified as “Public” as no harm will come to you or your organization if this information were to be read by a third-party.

2. “I want some of my business partners and some of my internal resources to see this information, but not everybody out there.” In this case, the data asset can be classified as “Confidential – Third Party”.

3. “I don’t want anyone but my internal resources to see this information.” This calls for a data classification level of “Confidential”.

Why bother with doing all this work? Tagging each data asset with a classification rating allows you to simply decide during the course of doing business whether an asset should be shared or not – and with whom. For example, you could decide that all Word document titles will from now on be assigned a prefix of C, C3 or P. If a document used to be called 2010_financial_statements.docx, you could rename it to C_2010_financial_statements.docx. That way, even if you do not directly know the contents of this document, you will be able to tell, just by seeing the file name, whether it should be shared freely or not. This is a simple and effective control to protect you against inadvertent data breaches.
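As an added illustration (not code from the original post), here is how the C / C3 / P filename convention described above can be turned into an automated outbound check, for instance before attachments leave the organization. The audience names and sample filenames are assumptions constructed for the example; untagged files are treated as Confidential so that the check fails closed.

```python
# Added example, not part of the original post: a filename-prefix
# classification check following the C / C3 / P tagging convention.
# Audience names and sample filenames are constructed for illustration.
import re

# Classification levels keyed by filename prefix.
LEVELS = {"P": "Public", "C3": "Confidential - Third Party", "C": "Confidential"}

# Which audiences may receive each classification level.
ALLOWED = {
    "Public": {"public", "partner", "internal"},
    "Confidential - Third Party": {"partner", "internal"},
    "Confidential": {"internal"},
}

# Prefix tag followed by an underscore, e.g. "C3_joint_proposal.docx".
TAG_RE = re.compile(r"^(P|C3|C)_")

def classify(filename):
    """Return the classification for a filename based on its prefix.
    Files without a recognised tag are treated as Confidential (fail closed)."""
    m = TAG_RE.match(filename)
    if not m:
        return "Confidential"
    return LEVELS[m.group(1)]

def may_share(filename, audience):
    """True if a file of this classification may be sent to the audience."""
    if audience not in {"public", "partner", "internal"}:
        raise ValueError(f"unknown audience: {audience}")
    return audience in ALLOWED[classify(filename)]

def review_outbound(filenames, audience):
    """Split an outbound attachment list into (allowed, blocked) lists."""
    allowed = [f for f in filenames if may_share(f, audience)]
    blocked = [f for f in filenames if not may_share(f, audience)]
    return allowed, blocked

if __name__ == "__main__":
    # Constructed sample attachments for an e-mail to a business partner.
    attachments = ["C_2010_financial_statements.docx", "C3_joint_proposal.docx",
                   "P_press_release.docx", "board_minutes.docx"]
    ok, stop = review_outbound(attachments, "partner")
    print("allowed:", ok)
    print("blocked:", stop)
```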

Five things you should know about encryption:

1. Confidential and Confidential/3rd-Party data should be protected – i.e. encrypted – regardless of the state in which it currently finds itself. Hackers are equal-opportunity criminals. If your data is encrypted at rest, but not in transit, they will go after it while in transit.

2. Rule of thumb: encryption strength is related to the number of bits. Therefore, 256-bit encryption is stronger and more difficult to defeat than 128-bit encryption. You never want to use an encryption solution with a strength lower than 128 bits.

3. You should have a clear, realistic, enforced and published corporate encryption policy – and supporting procedures – that dictate how data is to be protected. Then you should train your users and make sure that the policy reinforces your business processes – rather than hindering them – so as to maximize employee adoption.

4. When in doubt, ENCRYPT! Many encryption solutions are free, so there is no reason NOT to encrypt.

5. Confidential data should never be placed on a mobile device – laptop, phone, PDA, etc. But if the organization has a legitimate business need that requires it, then said confidential data MUST be encrypted.

In conclusion…

Data should be classified in terms of its criticality/confidentiality status. Confidential data should be encrypted regardless of the state in which it finds itself. Understand that the state of the same data item may change over time!

Encryption should not be seen as a security control that is “nice to have”, but as a “must have.” This is a perfect example of a control that reinforces your business goals. It is a simple, best-practice control that is required by many regulatory mandates such as HITECH, the Massachusetts Data Breach Notification Law, the PCI standards, etc. So, when’s the last time your organization reviewed its encryption policy and its effectiveness?

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436
