
Presentation transcript: Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor; Travis Schack, Colorado's Information Security Officer; Chris Ingram,


Slide 3
- Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor
- Travis Schack, Colorado's Information Security Officer
- Chris Ingram, Director, Emagined Security
- Scott Johnson, Senior Consultant, Emagined Security
- Mike Weber, Labs Director, Coalfire Systems

Slide 4
- Schedule
- Breaks
- Bathrooms
- Protocol for asking questions
- Experiment

Slide 5
- To provide a forum for auditors to learn about penetration testing and how such testing, when applied properly, improves the security of the people, processes, and systems that run governments.
- Cautionary Note: You will NOT be a competent penetration tester as a result of this course!
- How do I become a competent penetration tester?


Slide 7
- In 2010, the Colorado Office of the State Auditor conducted a performance audit of the Governor's Office of Cyber Security. The audit included:
- A review of the Office of Cyber Security's progress in implementing the Colorado Cyber Security Program.
- A system-wide, covert or "Red Team" penetration test of the State of Colorado's information systems.
  - All attack types, except DoS or DDoS, were within scope.
- The assessment was performed covertly to test the State's incident detection and response capabilities.

Slide 8
- Colorado Statutory Requirements
- National Institute of Standards and Technology Requirements
- Industry Best Practices
- Primary Tenet: The State should protect citizen data from unauthorized access!

Slide 9
- Breach the security of the State of Colorado's network and gain access to personally identifiable, sensitive, and/or confidential information.
- Identify security weaknesses in systems or web applications that, if exploited, would provide an attacker with significant visibility, confidential data, or the ability to attack the site's users: Colorado's citizens and businesses.
- Test monitoring, detection, and incident response capabilities.

Slide 10
- A penetration test is NOT the same as an audit or security assessment!!
  - Penetration tests simulate real world attacks
  - Penetration tests will NOT identify all vulnerabilities in a system
  - Penetration tests will NOT identify all internal threats
  - Penetration tests will NOT be able to determine the cause or reason for the existence of the vulnerability exploited. This is where state auditors came in handy!
- What is large-scale?
  - 67,000 public facing IP addresses (each with potentially 65,000+ ports)
  - All state buildings in the Denver metro area
  - All state-owned telephone numbers

Slide 11
- Colorado Office of the State Auditor, IT Audit Division
- Colorado Office of Information Security
- Coalfire Systems: OSA Prime Contractor (Experts in Network and Physical Security Testing)
- Emagined Security: OSA Sub-Contractor (Experts in Web Application Penetration Testing)

Slide 12
- Ongoing and unresolved vulnerabilities identified during routine audits/assessments
- Lack of executive level support for information security
- Untested information security staff
  - You will fight like you train!!!
- Systemic or enterprise-wide changes made to the IT environment
- Lack of funding for information security

Slide 13
- Overall, we concluded that the State is at serious risk of a system compromise and/or data breach by malicious individuals.
- Total of 9 public recommendations and 2 confidential recommendations.
- Identification of 100s of specific vulnerabilities, including specific remediation steps.
- Compromise of agency networks and systems and access to thousands of confidential citizen and state employee records.


Slide 15
- Greater transparency into Colorado information security practices
- Additional money and personnel for the Office of Information Security
- Authority for our office to perform routine penetration tests
- Skill development of state staff in the conduct of penetration tests
- Identification and remediation of serious vulnerabilities within state government information systems
- Increase oversight by the General Assembly


Slide 17
- Colorado Risk, Incident, Security, Compliance (CRISC) application
  - Open source application: OpenFISMA
- Vulnerability management lifecycle tracking
- Standardized risk assessment for each finding
- Mitigation planning
- Evidence of remediation
- Identification of systemic organizational issues

Slide 18
- Communicate, communicate, and communicate!
- Social Engineering: demonstrate why security awareness is critical.
- Ensure the risk and impact of findings are demonstrated, e.g., steal lots of sensitive information.
- Use a methodical approach to identify "targets" early in the reconnaissance phase.
- Ensure are well defined and agreed upon.
- Modify reporting to meet the needs of different audiences.

Slide 19
- Dianne Ray, CPA, State Auditor
  - Dianne.ray@state.co.us
  - 303-869-2801
- Jonathan C. Trull, Deputy State Auditor
  - Jonathan.trull@state.co.us
  - 303-869-2859

Slide 20
- A copy of the public report is available at the Colorado Office of the State Auditor's website: http://www.leg.state.co.us/OSA/coauditor1.nsf/Home?openform
- The report is located under the Governor's Office link, report # 2068A.