Thursday, 5 June 2008

Musings

Compliance and security are related.

I would split off "compliance" and "perception of compliance". Passing an audit is evidence that a system could be compliant. A compromise of a system using a know vulnerability is strong evidence that it is not compliant.

A system that is breached due to a complex password and secured key that was "guessed" is possible, though unlikely. This would one of the few examples of a compliant system that is also breached. Basically, it will be rare to find a compliant system (to any jurisdiction) that is easily compromised.

What I learnt completing my LLM was how few systems are complaint. How little knowledge there is of the law and legal frameworks already in place (even with politicians) and the lack of due care. An ABSOLUTE baseline for a compliant system that has not other effect other than being owned by a company would be the CISecurity.org baselines at 100%.

The combination of technical people with no knowledge of the legal system, laws and processes with lawyers who can not turn on a PC is an issue here.

"I would agree with Adriel that finding a worthwhile auditor is difficult". Actually so would I. Finding an staff with half a brain provides enough difficulty to want to give up on the whole idea.

"The problems are analyzed from a primarily financial and business risk avoidance perspective"
Here I have to disagree. I work with financial auditors and I am yet to meet one who understands risk and have met very few who have the faintest comprehension of finance. Audit and finance are NOT the same thing. I did finance at a masters level and I think audit is wacky for the most part. For the rest, there is an approach of try to find nothing wrong or it will upset the client.

I have developed statistically based continuous audit programs for financial systems. These have a significantly lower cost and deliver more. What I get back is "Craig, we are watch dogs and not blood hounds. Please try not to find so much". So I use these with the Insolvency teams and on forensic audits, but it is a hard sell to audit teams. Clients seem to love it though.

"I'm curious as to what vulnerable points you're thinking of." Pen Testing is by nature externally focused. Many of the biggest issues are in the system. Static analysis of code, business process reviews and system walkthroughs all add additional layers of testing.

Many controls are not tested using Pen testing ion any effective manner. Take a banking application. Pen tests look at the system from a software and protocol implementation aspect. They do not go into the business process controls. In this case I would be asking, how do I get the money off the system. This requires an understanding of the controls in the application. This is not something a pen test will provide.

An attacker can do this by compromising the system and modelling the application functions. Or the attacker could be internal and know them. This takes time, it can take months or longer. The same process can be done in a matter of weeks with a cryptal box and business process approach. The pen test provides valuable information as to a known vulnerability, but this is where it stops.

When there are no obvious points of access that may be exploited, a pen test does nothing to state a system is secure, just that it failed to determine the state of the system and was unable to determine if a system was secure or not.

Prof. Cohen developed the concept of protection testing over a decade ago. This mitigates many of the problems with a pen test methodology (that where noted as far back as 1977 by Distraka). The issue is that the tester needs more knowledge than a pen tester.

Protection testing really requires a combination of technical and business process skills. Teams can do this, but this increases cost and also requires a co-ordination factor with knowledge.

"what if the economics aspect were ignored"
Not my world. We live in a world where EVERTHING is subject to economic constraints and interrelationships.

Time for instance is a economic constraint. They only way to remove it is to have an instantaneous pen test. A detective control that reports faster than a pen test is more effective. The lengthy of the pen test is one factor, but also the frequency. 1 test a quarter is detection every 3 months at best.

No comments: