ORLANDO -- Enterprises are making costly investments in information security technologies that fail to solve the weaknesses being targeted by attackers, according to a noted security expert and author who urged more than 2,500 attendees at the InfoSec World Conference and Expo 2012 to rethink their priorities by conducting more effective penetration tests.
“We’re the only industry I know of that continues to spend more and more money and yet our problems get gradually worse,” said Dave Kennedy, vice president and CSO of global risk and security at North Canton, Ohio-based Diebold Inc. “We increase our budgets, increase our spend and we buy whatever the next buzz word is at the next major conference.”
Kennedy, a penetration tester and author of “Metasploit: The Penetration Tester’s Guide,” demonstrated several attacks using software he developed called the Social Engineering Toolkit. In less than a minute, Kennedy used the tool to clone a website and, with a legitimate digital signature, target a victim’s machine. He showed how quickly he could gain full control of the employee’s computer and potentially steal data using purely HTTP communications that emulated the browser in every way.
“Your security technology doesn’t stop this and I’m not that great in terms of this style of hacking,” Kennedy said. “There are kids getting amazing with this technology; they’re not just script kiddies, they’re becoming very sophisticated attackers.”
Kennedy said most CISOs and security professionals envision a castle with heavily fortified moats to keep out external attackers, but compliance and security technologies have added complexity, compounding the very weaknesses security was designed to address. “Our entire balance is off,” Kennedy said. “The focus is on compliance and buying products from vendors when we’re not securing what we need to secure.”
Kennedy advocated for the use of the Penetration Testing Execution Standard (PTES), a standard and maturity model designed two years ago at the ShmooCon hacker conference. PTES was designed for businesses and security service providers to provide a common language and scope for performing penetration testing. Currently there are 6,000 contributors to PTES and companies evaluating pen testers can use the standard to create specific requirements, he said.
Penetration testing shouldn’t be solely focused on vulnerability scans, Kennedy said. Instead, strong penetration tests should produce meaningful data that yields strategic findings addressing the bulk of the underlying issues. Often enterprises that undergo pen testing end up with huge reports outlining 1,500 system vulnerabilities, but no real way to address the root cause of the issues, he said.
“Pen tests are supposed to be fluid and emulate an attacker,” Kennedy said. “We need to remove all these expensive technologies that help you calculate how someone in China is going to hack your systems at 2 a.m. with a zero day. It doesn’t work.”
Penetration tests should incorporate pre-engagement interaction, Kennedy said, in which the pen tester conducts intelligence gathering and learns how the company generates revenue. Threat modeling then helps figure out which attack vector will have the greatest impact on the company. Vulnerability analysis looks for the weaknesses, and the exploitation phase consists of a precision hit aimed at gaining access to the internal network and then to the sensitive data whose loss would cause the most damage to the business, he said.
“This is how you communicate your message; it’s not through a 1,500-page report, because 90% of the findings in those reports are garbage,” Kennedy said. “You need to learn what your company has systemic issues with and how long the tester could exfiltrate data out of the company.”
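The two passages above argue that a report of 1,500 raw findings hides the handful of systemic issues underneath. The following is an added example, not code from the article, from PTES or from Kennedy, of rolling constructed scanner findings up into root causes; the hosts, titles, keyword-to-root-cause table and the 25% "systemic" threshold are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of per-host scanner findings (hypothetical hosts and titles).
FINDINGS = [
    {"host": "10.0.1.10", "title": "MS08-067 missing patch", "severity": "high"},
    {"host": "10.0.1.11", "title": "Missing patch for Apache 2.2", "severity": "medium"},
    {"host": "10.0.1.12", "title": "Missing patch: OpenSSL", "severity": "high"},
    {"host": "10.0.1.10", "title": "Default credentials on Tomcat manager", "severity": "high"},
    {"host": "10.0.1.13", "title": "Default password on admin console", "severity": "high"},
    {"host": "10.0.1.14", "title": "SMBv1 enabled", "severity": "low"},
    {"host": "10.0.1.15", "title": "SSL certificate self-signed", "severity": "low"},
]

# Assumed mapping from finding-title keywords to the systemic root cause behind them.
ROOT_CAUSE_KEYWORDS = {
    "missing patch": "No patch-management process",
    "default credential": "No credential hardening at build time",
    "default password": "No credential hardening at build time",
    "smbv1": "Legacy protocols left enabled in base image",
}
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
SYSTEMIC_SHARE = 0.25  # share of hosts above which a cause is called systemic (assumption)


def classify(title):
    """Map one finding title to a root cause, or 'Unclassified' if no keyword matches."""
    lowered = title.lower()
    for keyword, cause in ROOT_CAUSE_KEYWORDS.items():
        if keyword in lowered:
            return cause
    return "Unclassified"


def summarize(findings, total_hosts):
    """Roll findings up by root cause, ranked by severity-weighted risk, then host count."""
    groups = defaultdict(lambda: {"hosts": set(), "findings": 0, "risk": 0})
    for f in findings:
        g = groups[classify(f["title"])]
        g["hosts"].add(f["host"])
        g["findings"] += 1
        g["risk"] += SEVERITY_WEIGHT.get(f["severity"], 1)
    rows = []
    for cause, g in groups.items():
        hosts = len(g["hosts"])
        rows.append({"root_cause": cause, "findings": g["findings"], "hosts": hosts,
                     "risk": g["risk"], "systemic": hosts / total_hosts >= SYSTEMIC_SHARE})
    return sorted(rows, key=lambda r: (-r["risk"], -r["hosts"]))
```

Run as `summarize(FINDINGS, total_hosts=8)`: seven findings collapse to four rows, of which only the patch-management and credential-hardening causes are flagged systemic.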
Conference attendees were generally optimistic about PTES and said it could reduce the common practice of hiring the lowest bidder for penetration testing projects. Running vulnerability scanners and attempting to address all of the results just doesn’t work, said D. David Orr, an IT examination analyst in the Division of Risk Management Supervision at the Federal Deposit Insurance Corporation. Orr said he sees some banks and credit unions struggle with 800-page reports and mounting expenses because they lack internal expertise. “Flipping through these reports you could see that there are a lot of false positives,” Orr said. “A standard is something I can recommend as a starting point to reduce their struggles.”