Published by Dorcas Nicholson. Modified over 9 years ago.
Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor
Travis Schack, Colorado's Information Security Officer
Chris Ingram, Director, Emagined Security
Scott Johnson, Senior Consultant, Emagined Security
Mike Weber, Labs Director, Coalfire Systems
Schedule
Breaks
Bathrooms
Protocol for asking questions
Experiment
Course objective: to provide a forum for auditors to learn about penetration testing and how such testing, when applied properly, improves the security of the people, processes, and systems that run governments.
Cautionary note: you will NOT be a competent penetration tester as a result of this course!
How do I become a competent penetration tester?
In 2010, the Colorado Office of the State Auditor conducted a performance audit of the Governor's Office of Cyber Security. The audit included:
◦ A review of the Office of Cyber Security's progress in implementing the Colorado Cyber Security Program.
◦ A system-wide, covert ("Red Team") penetration test of the State of Colorado's information systems. All attack types except DoS and DDoS were within scope. The assessment was performed covertly so that it would also test the State's incident detection and response capabilities.
Colorado statutory requirements
National Institute of Standards and Technology requirements
Industry best practices
Primary tenet: the State should protect citizen data from unauthorized access!
Breach the security of the State of Colorado's network and gain access to personally identifiable, sensitive, and/or confidential information.
Identify security weaknesses in systems or web applications that, if exploited, would give an attacker significant visibility, confidential data, or the ability to attack the site's users: Colorado's citizens and businesses.
Test monitoring, detection, and incident response capabilities.
A penetration test is NOT the same as an audit or security assessment!
◦ Penetration tests simulate real-world attacks.
◦ Penetration tests will NOT identify all vulnerabilities in a system.
◦ Penetration tests will NOT identify all internal threats.
◦ Penetration tests will NOT determine the cause or reason for the existence of the vulnerability that was exploited. This is where the state auditors came in handy!
What is large-scale?
◦ 67,000 public-facing IP addresses (each with potentially 65,000+ ports)
◦ All state buildings in the Denver metro area
◦ All state-owned telephone numbers
Colorado Office of the State Auditor, IT Audit Division
Colorado Office of Information Security
Coalfire Systems: OSA prime contractor (experts in network and physical security testing)
Emagined Security: OSA sub-contractor (experts in web application penetration testing)
Ongoing and unresolved vulnerabilities identified during routine audits/assessments
Lack of executive-level support for information security
Untested information security staff
◦ You will fight like you train!
Systemic or enterprise-wide changes made to the IT environment
Lack of funding for information security
Overall, we concluded that the State is at serious risk of a system compromise and/or data breach by malicious individuals.
A total of 9 public recommendations and 2 confidential recommendations.
Identification of hundreds of specific vulnerabilities, including specific remediation steps.
Compromise of agency networks and systems, and access to thousands of confidential citizen and state employee records.
Greater transparency into Colorado information security practices
Additional money and personnel for the Office of Information Security
Authority for our office to perform routine penetration tests
Skill development of state staff in the conduct of penetration tests
Identification and remediation of serious vulnerabilities within state government information systems
Increased oversight by the General Assembly
Colorado Risk, Incident, Security, Compliance (CRISC) application
◦ Open-source application: OpenFISMA
Vulnerability management lifecycle tracking
Standardized risk assessment for each finding
Mitigation planning
Evidence of remediation
Identification of systemic organizational issues
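The tracking features listed above (a standardized risk score per finding, mitigation planning, mandatory evidence before closure, and spotting issues that recur across agencies) are easiest to see as a small state machine. The code below is an added example written for this page; it is not part of the presentation and is not the OpenFISMA or CRISC data model. The lifecycle states, the 1-3 likelihood/impact scale, the closure rule and the sample findings are all assumptions chosen to illustrate the workflow the slide lists.

```python
"""
Finding lifecycle tracking with a standardized risk score.

Added example; not part of the original presentation and not the
OpenFISMA/CRISC data model. The states, transitions, 1-3 scoring scale and
sample findings are assumptions chosen to illustrate the slide's workflow:
risk assessment per finding, mitigation planning, evidence of remediation
and identification of systemic issues.
"""
from dataclasses import dataclass, field

# Assumed scale: risk = likelihood x impact, each rated 1-3.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Assumed lifecycle. A finding can only be closed from "remediated", and
# close() additionally demands evidence.
TRANSITIONS = {
    "new": {"assessed"},
    "assessed": {"mitigation_planned", "accepted"},
    "mitigation_planned": {"remediated"},
    "remediated": {"closed"},
    "accepted": set(),
    "closed": set(),
}


@dataclass
class Finding:
    fid: str
    agency: str
    category: str          # e.g. "missing_patch", "default_creds"
    likelihood: str        # low / medium / high
    impact: str            # low / medium / high
    state: str = "new"
    plan: str = ""
    evidence: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def risk(self):
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self):
        r = self.risk()
        return "high" if r >= 6 else "medium" if r >= 3 else "low"

    def move(self, new_state):
        """Apply a transition, refusing anything TRANSITIONS does not allow."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.fid}: {self.state} -> {new_state} not allowed")
        self.history.append((self.state, new_state))
        self.state = new_state

    def plan_mitigation(self, plan):
        self.plan = plan
        self.move("mitigation_planned")

    def close(self, evidence):
        """Evidence of remediation (rescan output, config export, ticket) is
        mandatory; an empty value is rejected before any transition."""
        if not evidence:
            raise ValueError(f"{self.fid}: cannot close without evidence")
        self.move("closed")
        self.evidence.append(evidence)


def remediate(f, plan, evidence):
    """Drive a new finding through the whole lifecycle; returns final state."""
    f.move("assessed")
    f.plan_mitigation(plan)
    f.move("remediated")
    f.close(evidence)
    return f.state


def systemic_issues(findings, min_agencies=2):
    """Categories seen in at least `min_agencies` different agencies: a
    recurring pattern points at an organizational cause (policy, funding,
    process) rather than one misconfigured host."""
    agencies = {}
    for f in findings:
        agencies.setdefault(f.category, set()).add(f.agency)
    return {c: sorted(a) for c, a in agencies.items() if len(a) >= min_agencies}


def sample_findings():
    """Constructed sample data, not findings from the audit report."""
    return [
        Finding("F-001", "AgencyA", "missing_patch", "high", "high"),
        Finding("F-002", "AgencyB", "missing_patch", "medium", "high"),
        Finding("F-003", "AgencyC", "missing_patch", "high", "medium"),
        Finding("F-004", "AgencyA", "default_creds", "high", "high"),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    try:
        remediate(findings[3], "rotate credentials", "")   # refused: no evidence
    except ValueError as e:
        print("refused:", e)
    print(remediate(findings[0], "apply vendor patch", "rescan-001.txt"),
          findings[0].rating(), findings[0].history)
    print("systemic:", systemic_issues(findings))
```

Two design points carry the slide's message: `close()` checks the evidence before it changes state, so a finding can never reach "closed" with an empty evidence list, and `systemic_issues()` groups by category across agencies, which is how a pattern like the same missing patch in three agencies surfaces as an organizational finding rather than three host-level ones.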
Communicate, communicate, and communicate!
Social engineering: demonstrate why security awareness is critical.
Ensure the risk and impact of findings are demonstrated, e.g., by stealing lots of sensitive information.
Use a methodical approach to identify "targets" early in the reconnaissance phase.
Ensure are well defined and agreed upon.
Modify reporting to meet the needs of different audiences.
Dianne Ray, CPA, State Auditor
◦ Dianne.ray@state.co.us
◦ 303-869-2801
Jonathan C. Trull, Deputy State Auditor
◦ Jonathan.trull@state.co.us
◦ 303-869-2859
A copy of the public report is available at the Colorado Office of the State Auditor's website: http://www.leg.state.co.us/OSA/coauditor1.nsf/Home?openform
The report is located under the Governor's Office link, report # 2068A.