Audits and Assessments

Not just for taxes

  • There are good reasons to audit your technology

Cybersecurity audit

  • Examines the IT infrastructure, software, devices, etc.
  • Checks for effectiveness of policies and procedures
  • Finds vulnerabilities before the attackers do
  • Can be performed internally or by a third party

Attestation

  • Provides an opinion of truth or accuracy of a company’s security positioning
  • An auditor will attest to a company’s cybersecurity posture

Internal Audits

Audits aren’t just for third parties

  • You should also have internal audits

Compliance

  • Is your organization complying with regulatory or industry requirements?

Audit committee

  • Oversees risk management activities
  • All audits start and stop with the committee

Self-assessments

  • Have the organization perform its own checks
  • Consolidate the self-assessments into ongoing reports

External Audits

Regulatory requirements

  • An independent third party may be required to perform the audit
  • Audit type and frequency are often based on the regulation

Examinations

  • Audits will often require hands-on research
  • View records, compile reports, gather additional details

Assessment

  • Audit will assess current activities
  • May also provide recommendations for future improvements

Penetration Tests

Physical Penetration Testing

OS security can be circumvented by physical means

  • Modify the boot process
  • Boot from other media
  • Modify or replace OS files

Physical security is key

  • Prevent access by unauthorized individuals

Assess and test physical security

  • Can you enter a building without a key?
  • What access is available inside?
  • Doors, windows, elevators, physical security processes

Pentesting Perspectives

Offensive

  • The red team
  • Attack the systems and look for vulnerabilities to exploit

Defensive

  • The blue team
  • Identify attacks in real-time
  • Prevent any unauthorized access

Integrated

  • Create an ongoing process
  • Identify and patch exploitable systems and services
  • Test again

Working Knowledge

How much do you know about the test?

  • Many approaches

Known environment

  • Full disclosure

Partially known environment

  • A mix of known and unknown
  • Focus on certain systems or applications

Unknown environment

  • The pentester knows nothing about the systems under attack
  • “Blind” test

Reconnaissance

Need information before the attack

  • Can’t rush blindly into battle

Gathering a digital footprint

  • Learn everything you can

Understand the security posture

  • Firewalls, security configuration

Minimize the attack area

  • Focus on key systems

Create a network map

  • Identify routers, networks, remote sites

Passive Reconnaissance

  • Learn as much as you can from open sources
      ◦ There’s a lot of information out there
      ◦ Remarkably difficult to protect or identify
  • Social media
  • Corporate website
  • Online forums, Reddit
  • Social engineering
  • Dumpster diving
  • Business organizations

Active Reconnaissance

  • Trying the doors
      ◦ Maybe one is unlocked
      ◦ Don’t open it yet
      ◦ Relatively easy to be seen
  • Visible on network traffic and logs
  • Ping scans, port scans
  • DNS scans, OS fingerprinting
  • Service scans, version scans
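
The "visible on network traffic and logs" point above, as an added example that is not part of the original slides: a small detector that flags a source touching many distinct destination ports on one host within a short window, run over constructed firewall-style log lines (the log format, IP addresses and threshold are assumptions, not from the page).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original page): a firewall-style
# connection log with timestamp, source, destination and destination port.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.10 dst=192.0.2.5 dport=22 action=deny
2024-05-01T10:00:01 src=203.0.113.10 dst=192.0.2.5 dport=23 action=deny
2024-05-01T10:00:02 src=203.0.113.10 dst=192.0.2.5 dport=25 action=deny
2024-05-01T10:00:02 src=203.0.113.10 dst=192.0.2.5 dport=80 action=allow
2024-05-01T10:00:03 src=203.0.113.10 dst=192.0.2.5 dport=110 action=deny
2024-05-01T10:00:03 src=203.0.113.10 dst=192.0.2.5 dport=443 action=allow
2024-05-01T10:00:04 src=203.0.113.10 dst=192.0.2.5 dport=445 action=deny
2024-05-01T10:00:04 src=203.0.113.10 dst=192.0.2.5 dport=3389 action=deny
2024-05-01T10:00:06 src=198.51.100.7 dst=192.0.2.5 dport=443 action=allow
2024-05-01T10:05:00 src=198.51.100.7 dst=192.0.2.5 dport=80 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_events(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(log_text, threshold=6, window=timedelta(seconds=60)):
    """Return {(src, dst): max distinct ports} for pairs where one source hits at
    least `threshold` distinct destination ports on one host inside `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(parse_events(log_text)):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports within 60s)")
```

Two legitimate connections spread over five minutes stay below the threshold, so only the burst against many ports is reported.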