How Does It Work
Penetration Audit

Abstract
August is reserved and dedicated to security, beginning with the penetration audit and culminating with a full compliance audit in accordance with the PCI DSS regulation. The Payment Card Industry Data Security Standard (PCI DSS) has been chosen as the standard we are measured by, as a means to conform with ISO 27000 Information Security Management Systems (ISMS). ISMS, as ISO 27000 second edition (2012), is part of our commitment to the Information Technology Infrastructure Library (ITIL), the framework that defines our method of working.

Background
We are an Application Service Provider (ASP) for commercially viable business solutions. We do not provide applications to the public, we do not provide software and we do not provide hardware.
We choose to be the foremost ASP in any market sector in which we operate by simply providing what the owner wants. We do not have a brand, we do not have a product, we do not mention our customers and we never ask for references.
As a rule of thumb, we choose to operate business methods that are the total reverse of those of traditional computer product vendors. To be better than all our competitors we choose to operate in a very different way, where we try to be on the side of the customer.

ITIL Roles
Every person in the company is totally involved in security, but some are more responsible than others.
ITIL 2.8 Compliance Manager is responsible for continually exceeding the PCI DSS regulations and the legal framework of EU law.
ITIL 2.7 Information Security Manager heads up the ISO 27000 ISMS team, which covers the security policy, ISMS scope, risk management, controls and applicability.
ITIL 2.3 Risk Manager analyses the threats and the controls needed to overcome all threats.
ITIL 1.9 Architect brings together the methods that overcome all risks and deliver a safe solution.

Glossary
PCI DSS: Payment Card Industry Data Security Standard is our regulatory framework for audit purposes.
ISMS: Information Security Management Systems, known as ISO 27000, is the set of practices that are deployed.
ITIL: Information Technology Infrastructure Library defines our organisational structure, what we do and how we do it.
ASP: Application Service Provider is the industry and market sector we choose to dominate.
Owner: the company that authors the data (intellectual property), owns the reports and owns the application services, as specified by the copyright notice on every web page.

Journey
The external penetration test and security audit has a simple mission: to follow the journey made by a criminal attacking the application services. This does not require a vast amount of preparation or planning. Criminals and government agencies can be assumed to be armed with unlimited resources and are challenged to discover vulnerabilities and to exploit those vulnerabilities to steal data.
This criminal behaviour is sanctioned in writing and approved in advance so that everything is done in a legal and respectful way; no data will actually be stolen. Internal testing will follow the journey that may be taken by authorized users to criminally steal data that they should not have access to. The primary contractor will appoint sub-contractors to manage specific and specialist parts of the audit.

Schedule
Security is not a one-off project, but a continual and expensive battle that will never end. Every day criminals from around the world attack our application services, so the scope of the PenTest is not a lot different from daily operations.
Every month, a posse of reputable security firms is deployed to try to crack the application, to find points of weakness and to try different tools. Hundreds of automated tools are available in the market and can be of value in the hands of an expert to probe how the data centers cope with continual attacks.

Relevance
In July 2013, in the build up to this project, KPMG released a UK survey showing that EVERY Fortune 500 company suffered from regular data leaks. The following day, a reputable security firm reported that KPMG itself had more than 400 data leaks and was actively losing data to criminals.
GCHQ and MI5 then invited all Fortune 500 companies to get together to share security experiences and plug the leaks; less than 30% have taken up the invitation. We are involved, in association with IBM and Lloyds of London. Because we provide many hundreds of web services, we have more information about criminal attacks than most companies that have just one web service. Attack data from one web service is rapidly used to block similar attacks on other web services.

Forecast
Because UK companies operate with inadequate security and continual data leaks, criminal attacks are evolving into attacks by competitor companies. It is so easy to silently extract critical data from a company that some companies see a business opportunity to become more competitive with inside information.
Because companies with obsolete client-server systems are not capable of making them secure, criminal behaviour will increase year on year until these systems are closed down and replaced with cloud-based application services. Most security vulnerabilities involve email, because people have not been taught how to use email in a secure way and do not have the tools to be secure. Email must change in a big way in the coming years to improve security; automated communication is a step in that direction.

Financial Plan
Security consultants with the applicable tools and networks charge a standard £1500 per day to run a PenTest. This project has been cut down to only 10 working days with a fixed external budget of £15,000.00. This fee includes reports, audit trails and correction advice; in the event of a dispute, a degree of retesting may be involved by both parties.
Internal costs will include three full time engineers and a posse of developers who are keen to learn the secrets of white-hat security hackers. Lessons learned will be applied to other parts of the application that cannot be tested in the time available.

Planned Scope
Bespoke application services consist of 1485 documented functions that should be tested in many different ways. Import has 332 functions; Gateway has 49 functions; quotes has 110 functions; concerns has 72 functions; assets (and skill inventory) has 151 functions. The private reusable function count is 279, the public function count is 293 and ASP has 129 functions.
External security testing will be directed to where the risk is greatest and where criminal behaviour could cause most damage. All the functions not tested by external consultants will be tested by internal engineers using similar tools and methods.

Denial of Service (DoS)
Testing of Denial of Service attacks cannot be undertaken on www.ups-ties.com because it is operational 24*7. DoS testing can be undertaken on www.ups-ties.net as a near identical data center. A target is to exceed 30,000 requests per hour with no significant reduction in normal operational services.
While www.ups-ties.net is undergoing such DoS testing, www.ups-ties.co.uk shall be used as the hot standby in case of a real attack on www.ups-ties.com or a failure of that data center. The DoS attack will be operated from the Context Ltd site in Central London to the data center in Uxbridge using BT fibre high speed networking of up to 10 Gbps. This data center did experience transient traffic overload on the morning when Olympic tickets went on sale; improvements have been made and need to be tested.

Honey Traps
Within applications, honey traps are placed where criminals are likely to look. When any criminal behaviour is identified, that person is stopped and blacklisted. Blacklisting means they cannot sign in and try again.
Criminal behaviour involves a lot of trial and error: guessing how things work and guessing where a vulnerability may exist. Security monitoring is designed to prevent guessing, to prevent trial and error and to identify those who may deliberately try to find a vulnerability using criminal tricks. By monitoring the tricks that criminals use and then building honey traps where it appears that such tricks may work, criminals can be detected and stopped.

Persistence
Security reports state that it took a state sponsored team of hundreds of people almost five years to crack the RSA dongle password generator. But once they had the password formula, they gained silent access to many of the world's leading companies and were able to copy data for many years before it became apparent that the RSA dongle was no longer safe to use. A problem with this kind of device is that it is cost effective for criminals to crack its secrets, because it can then be used silently for many years to copy data without any witnesses.
Lessons have been learnt from such criminal behaviour and as a result all authentication requests are monitored 24*7. Passwords are too important to be assigned by a user, and until each and every person can be uniquely identified, many layers of security protection are integrated into the most effective sign in procedure that the world has been able to design.

Obfuscation
The places that criminals look to see how best to attack an application include the specification of the hardware and software architecture. To be secure, the specification of such matters is continually revolving and is never correct. In the good old days, visitors would be invited to look at the very expensive computer room to see all the flashing lights. This gave the visitor a wealth of knowledge of the architecture and how best to attack it.
For example, any software version number will always reference a future version that has not yet been released. The criminal has a database of known vulnerabilities in older software, so the release number is wrong and the vendor name is wrong.
Where the web server may be running Apache version 12, the web server may say that it is running Microsoft IIS version 3.5. When the criminal tries an attack using Microsoft version 3.5 known vulnerabilities, Apache is immune to such attacks, and it is easy to detect such behaviour and have the criminal blacklisted.
As a policy, the exact specification of all system software deployed in each data center is a confidential trade secret that will not be published, or will be published stating what it may have been some years ago.
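As an added illustration, not code from this page or from the provider it describes, the following Python sketch combines the honey-trap blacklisting described under Honey Traps with the misleading server banner described here: requests to decoy paths that no real page links to cause the client (and any signed-in account) to be blocked from signing in again, while every response carries a banner naming a platform that is not actually deployed. The decoy paths, the banner value, the log line layout and the sample traffic are all constructed assumptions.

```python
import re
# Constructed decoy paths (hypothetical): never linked from any real page, so only
# someone guessing how the application is built will ever request them.
HONEY_PATHS = ("/admin-old/", "/backup/", "/config.bak", "/iisadmin/")
# Constructed decoy banner (hypothetical): names a platform the servers do not run,
# in the spirit of the "IIS version 3.5" example above.
DECOY_SERVER_HEADER = "Microsoft-IIS/3.5"
# Constructed access-log layout: client ip, signed-in user ("-" if none), request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" \d{3}$')

def is_honey_path(path):
    """True when the request touches a decoy path or anything beneath it."""
    return any(path == hp or path.startswith(hp) for hp in HONEY_PATHS)

class HoneyTrapMonitor:
    def __init__(self):
        self.blacklisted_users, self.blocked_ips = set(), set()  # may not sign in again
    def response_headers(self):
        return {"Server": DECOY_SERVER_HEADER}  # banner deliberately misstates the platform
    def can_sign_in(self, user, ip):
        return user not in self.blacklisted_users and ip not in self.blocked_ips
    def process(self, line):
        """Classify one log line as 'allowed', 'trapped' (first decoy hit) or 'blocked'."""
        m = LOG_RE.match(line.strip())
        if not m:
            return "unparsed"
        ip, user, path = m["ip"], m["user"], m["path"]
        if not self.can_sign_in(user, ip):
            return "blocked"              # already caught on an earlier request
        if is_honey_path(path):
            self.blocked_ips.add(ip)
            if user != "-":               # a signed-in account is blacklisted too
                self.blacklisted_users.add(user)
            return "trapped"
        return "allowed"

def audit(log_text):
    monitor = HoneyTrapMonitor()
    verdicts = [monitor.process(l) for l in log_text.splitlines() if l.strip()]
    return verdicts, monitor

# Constructed sample traffic: one normal user and one client probing a decoy path.
SAMPLE_LOG = """\
203.0.113.7 alice "GET /quotes/list HTTP/1.1" 200
198.51.100.9 - "GET /iisadmin/ HTTP/1.1" 404
198.51.100.9 - "GET /quotes/list HTTP/1.1" 200
203.0.113.7 alice "GET /assets/inventory HTTP/1.1" 200
"""
```

Running `audit(SAMPLE_LOG)` yields the verdicts allowed, trapped, blocked, allowed: the probing client is cut off from its second request onward while the ordinary user is untouched.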

System Software Policy
As a policy, no software is ever provided to a client; software is of no consequence.
As a policy, the system software used on each server is of little consequence and will change from time to time.
An open source software policy may be used on some data centers while Microsoft, IBM and Oracle may be used in other data centers.
A server may use any edition of Linux as virtually no unique system software services are deployed.
Each server does one and only one job and is configured for one and only one service. This may be an expensive software policy, but it is safe and secure; the reason that others have security failures is that they did not take these fundamental precautions.

Information Engineering
Every business requirement is broken down and expressed as a set of data and functional specifications using the Information Engineering Methodology (IEM) that was devised in the 1980s.
Each business owner has legal title and ownership of their business requirement expressed as data and functions; the application provider owns the hardware infrastructure, but does not own the business data or the functions.
As business requirements evolve, continual improvements are applied to the data and functions, so the specifications evolve as the owner's intellectual property.
Open source libraries of JavaScript and CSS that are hosted by Google and Amazon are reused as needed to provide some internal functions, but the scope is tiny. Information engineering creates a flexible environment where it becomes cost effective to deliver continual improvements.

Mobile Device Management
MDM is in the news as a major shift from desktop to mobile computing devices. Ten years ago, support for mobile devices was added to our support for desktop devices, so the big change to MDM has very little impact.
Bring Your Own Device (BYOD) is a new trend, but it has been incorporated into our mission statement for many years. The type of tablet or smart phone used with application services is of little significance, save only that the screen has adequate resolution and that the on-screen keyboard is fit-for-purpose.
MDM Rules:
1. No business software needs to be installed, no software needs to be downloaded.
2. No business data is ever stored on a mobile device that will be lost or stolen.
3. Only secure encrypted HTTPS communication is used; data on the network will be copied, but encrypted data cannot be read.
4. Every type of mobile device with every type of browser may be used and will change year-on-year.
5. Every user has a unique experience profile that will enable them to be the only person who can choose what is best for them.
6. Any attempt by IT to try to "standardize" or specify what every user needs for the next 20 years is doomed to fail.
7. An iPad may cost £800 while an equivalent Android tablet may cost £80; is the iPad worth ten times as much?
8. Why does the mobile device need to run Windows when rule 1 demands that no software must be installed?
9. Mobile devices have a very short life cycle, whatever you choose today will be obsolete next year and unworkable the year after - capital fixed asset management does not apply.
10. Mobile device maintenance and repair does not apply; these are as disposable as a printer ink toner, but they may have high insurance replacement costs.

Two-Factor Authentication
The current authentication service has at least 10 factors that are verified before a user can sign in. The role of an external dongle or mobile device has been assessed and shown to offer no additional benefit.
A one-time password that is generated and sent to your mobile phone has proved to be effective for public applications but is less attractive for business applications. The first issue is that it would demand that every user in all branches have a mobile phone that they must use to sign in. Where a user does not have a mobile phone with them one day, they cannot sign in that day; is this a valid business principle?
Man-in-the-middle trojans can intercept and copy a one-time password just as easily as they can capture a reusable password, so where is the extra benefit to sustain the need for all users to have a mobile phone? People change their mobile phone from time to time, people have more than one mobile phone, and phone numbers change from time to time. This creates a vast empire of additional management costs and delays while users cannot sign in because their mobile phone number has been changed. Can a criminal pretend to be a user and request a change of their phone number so that the real user can no longer sign in? Security problems have been created where they did not exist.
The RSA dongle password generator was used by all the top accounting firms; then criminals discovered the internal formula and were able to sign in as any user with a one-time password. Two-factor authentication can give the appearance of increased security when in fact it is just an expensive extra security layer that can have more problems than a well managed pass phrase service.