Pen Testing and Compliance Making Them Work Together for You - PowerPoint PPT Presentation

About This Presentation
Title:

Pen Testing and Compliance Making Them Work Together for You

Description:

Regulatory Compliance does not mean the system is free of vulnerabilities that ... Routine scan with Nmap revealed interconnected systems not known to organization. ... – PowerPoint PPT presentation

Slides: 27
Provided by: joemc8

Transcript and Presenter's Notes

1
Pen Testing and Compliance Making Them Work
Together for You!
2
Compliance Frameworks
  • Regulatory Compliance does not mean the system is
    free of vulnerabilities that may lead to
    compromise.
  • Compliance forces companies to protect data and
    privacy of its customers.
  • Not all areas of security may be covered
    specifically in a compliance framework.

3
Security Testing
  • Traditional penetration testing does not
    guarantee compliance unless integrated with a
    compliance framework.
  • Pentesting finds machine or code faults; it does
    not necessarily test compliant system
    configurations.
  • Application testing is more efficiently done with
    a pentesting approach.
  • Code faults do not necessarily fit into
    compliance frameworks but can compromise system
    and data security.

4
Integrated Framework
  • Assess Information Content
  • Assess Regulatory and Contractual Obligations
    (HIPAA, GLBA, FISMA, Security Breach Notification
    Laws)
  • Security Testing
  • Test against compliance framework
  • Test against best practice
  • Penetration testing
  • Quantify risk against information exposed by
    vulnerability.

7
Assessing the Information
Diagram: Personal Info = First and Last Name linked to SSN, Driver's
License, or Account Information. These are the common attributes in
Security Breach Notification Laws.
8
Assess Regulatory Obligations
  • Wisconsin Stat. 134.98 - Notice of
    unauthorized acquisition of personal information.
  • "Personal information" means an individual's last
    name and the individual's first name or first
    initial, in combination with and linked to any of
    the following elements, if the element is not
    publicly available information and is not
    encrypted, redacted, or altered in a manner that
    renders the element unreadable:
    1. The individual's social security number.
    2. The individual's driver's license number or
       state identification number.
    3. The number of the individual's financial
       account number, including a credit or debit card
       account number, or any security code, access
       code, or password that would permit access to the
       individual's financial account.
    4. The individual's deoxyribonucleic acid
       profile, as defined in s. 939.74 (2d) (a).
    5. The individual's unique biometric data,
       including fingerprint, voice print, retina or
       iris image, or any other unique physical
       representation.
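The statute definition above is the rule an "Assess Information Content" step has to apply to every record in scope. The following is an added worked example, written for this page and not taken from the presentation, that encodes that rule as a check over a data inventory: the record and element names, the encrypted/public flags, and the sample records are all assumptions made for illustration.

```python
"""Assess Information Content: decide whether a record meets the Wis. Stat.
134.98 definition of "personal information" (last name plus first name or
initial, linked to at least one listed element that is not publicly
available and not encrypted/redacted/unreadable).

Added example for this page, not code from the presentation. Field names,
element labels and the encrypted/public flags are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The five element types enumerated in the statute (labels are assumed).
NOTIFIABLE_ELEMENTS = {
    "ssn",                # 1. social security number
    "drivers_license",    # 2. driver's license or state identification number
    "financial_account",  # 3. account/card number or any code granting access
    "dna_profile",        # 4. DNA profile
    "biometric",          # 5. unique biometric data
}


@dataclass
class Element:
    value: str
    encrypted: bool = False  # encrypted, redacted, or otherwise unreadable
    public: bool = False     # publicly available information


@dataclass
class Record:
    last_name: Optional[str] = None
    first_name: Optional[str] = None  # full first name or first initial
    elements: Dict[str, Element] = field(default_factory=dict)


def exposed_elements(rec: Record) -> List[str]:
    """Listed elements in the record that are present, readable, and non-public."""
    return sorted(
        name
        for name, el in rec.elements.items()
        if name in NOTIFIABLE_ELEMENTS and el.value and not el.encrypted and not el.public
    )


def is_personal_information(rec: Record) -> bool:
    """True when a name is linked to at least one exposed element."""
    name_present = bool(rec.last_name) and bool(rec.first_name)
    return name_present and bool(exposed_elements(rec))


def records_requiring_notice(records: List[Record]) -> List[int]:
    """Indices of records whose exposure would trigger breach notification."""
    return [i for i, rec in enumerate(records) if is_personal_information(rec)]


# Constructed sample records, as a data inventory exercise would tabulate them.
SAMPLE_RECORDS = [
    Record("Doe", "Jane", {"ssn": Element("123-45-6789")}),                     # plaintext SSN
    Record("Doe", "Jane", {"ssn": Element("<ciphertext>", encrypted=True)}),    # encrypted SSN
    Record(None, "Jane", {"ssn": Element("123-45-6789")}),                      # no last name
    Record("Doe", "J", {"financial_account": Element("4111-0000-0000-1111")}),  # initial + card
    Record("Doe", "Jane", {"email": Element("jane@example.org")}),              # email is not listed
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, is_personal_information(rec), exposed_elements(rec))
```

Only the first and fourth sample records meet the definition: an encrypted element, a missing last name, or an element type the statute does not list (email) each keep a record outside it. Run over a real inventory, the indices returned are the records whose exposure drives the notification cost used later in the risk quantification.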

9
Security Testing (Using HIPAA as a foundation)
Requirements
  • HIPAA (Required)
      • Unique User Identification
      • Person or Entity Authentication
      • Audit Controls
  • HIPAA (Addressable)
      • Automatic Logoff
      • Integrity Controls
      • Encryption
Security Testing
  • Test Cases

10
Security Testing (Using HIPAA as a foundation)
Requirements
  • HIPAA (Required)
      • Unique User Identification
      • Person or Entity Authentication
      • Audit Controls
  • HIPAA (Addressable)
      • Automatic Logoff
      • Integrity Controls
      • Encryption
  • Best Practice
      • OWASP
      • NIST
      • Others
Security Testing
  • Test Cases
  • Vulnerability Assessment
  • Network / Application Scanners
  • Penetration Testing

11
Quantify risk
Diagram: Risk Quantification (Breach / Compliance Penalties).

12
Compliance versus Security
  • Even though compliance is being followed it may
    not actually be secure.
  • Penetration testing covers areas not typically
    examined for compliance.

13
PenTesting
  • What is a pentesting framework? How can it
    help?
  • Recon: evaluate the target or targets.
      • What platform?
      • What OS?
      • What does the application do?
      • What kind of connections or interconnections are
        there?
  • Those who have perfected pentesting say that it
    is an art: critical thinking at its best. Being
    the hacker is always easy; there only has to be
    one hole to find to let you in.

14
Pen Testing at the Perimeter
  • Compliance focuses on access and default passwords.
  • Pen testing at the perimeter has become harder.
    Firewalls and IPS are better managed.
  • However, don't assume you can't be hacked.
    Firewalls let traffic through so the business can
    run websites that promote goods and services.

15
Pen Testing at the Application
  • Compliance focuses on application transmission or
    encryption.
  • Secure code analysis tools like Fortify and RATS.
  • Application pen testing using automated and
    manual processes.
  • Becoming more prominent.
  • Not well protected or understood in the business
    realm.

16
Practical Example
  • Health Portal web site audited
  • The site was under HIPAA security rule and State
    Regulations.
  • Test cases were developed using the HIPAA educational
    series by the Centers for Medicaid and Medicare
    Services.
  • Test case: "Implement electronic procedures that
    terminate an electronic session after a predetermined
    time of inactivity."
  • Finding: the session did not time out.

17
Practical Example
18
Practical Example
19
Risk Quantification
  • Manipulation of hidden fields allowed for
    disclosure of protected health information and
    personal information (including social security
    number).
  • Quantified using a security breach notification
    calculator and HIPAA penalties.
  • Potential losses include regulatory fines
    ($50,000, HIPAA) and incarceration (1 year,
    HIPAA). The notification costs would be $951,000
    for a full breach of the database (estimated at
    10,000 records).
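The two findings from this practical example, a session that never timed out (slide 16) and hidden fields whose manipulation disclosed other people's records (above), are both fixed on the server side. The following is an added example written for this page, not the audited portal's code: a session store that enforces automatic logoff on every access, beside a "before" handler that trusts a hidden `patient_id` field and a hardened handler that binds the record to the authenticated user instead. The timeout value, the user and patient identifiers, and the record contents are assumptions.

```python
"""Two controls from the health-portal example: automatic logoff after a
period of inactivity, and server-side binding of the record a user may view
so that a hidden form field cannot be altered to disclose someone else's data.

Added example for this page, not the audited portal's code. Timeout value,
user and patient names and record contents are assumptions."""
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; HIPAA leaves the period to the entity

# Constructed sample data: which patient record each portal user may access.
USER_TO_PATIENT = {"alice": "P-1001", "bob": "P-1002"}
PATIENT_RECORDS = {
    "P-1001": {"name": "Alice Example", "ssn_last4": "1234"},
    "P-1002": {"name": "Bob Example", "ssn_last4": "5678"},
}


class SessionStore:
    """Server-side sessions whose idle time is checked on every access."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so the timeout can be exercised in a test
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session, or None if it is unknown or idle past the limit."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # logoff is enforced here, not left to the browser
            return None
        sess["last_seen"] = now  # activity extends the session
        return sess


def view_record_vulnerable(store: SessionStore, sid: str, form: Dict[str, str]) -> Optional[dict]:
    """'Before' pattern: the patient id is read from a hidden form field, so any
    logged-in user who changes that field is shown another patient's record."""
    if store.get(sid) is None:
        return None
    return PATIENT_RECORDS.get(form.get("patient_id", ""))


def view_record_hardened(store: SessionStore, sid: str, form: Dict[str, str]) -> Optional[dict]:
    """Hardened: the record is derived from the authenticated user on the
    server; the hidden field is ignored, so tampering with it has no effect."""
    sess = store.get(sid)
    if sess is None:
        return None
    return PATIENT_RECORDS.get(USER_TO_PATIENT.get(sess["user"], ""))


def run_demo() -> Dict[str, object]:
    """Exercise both handlers against a manual clock and return what each showed."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("bob")
    tampered = {"patient_id": "P-1001"}  # bob's browser submits alice's id
    out: Dict[str, object] = {
        "vulnerable_returns": view_record_vulnerable(store, sid, tampered),
        "hardened_returns": view_record_hardened(store, sid, tampered),
    }
    now[0] += IDLE_TIMEOUT_SECONDS + 1  # the user walks away from the terminal
    out["after_idle"] = view_record_hardened(store, sid, tampered)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the `clock` parameter is that the timeout is testable: a test case for the automatic-logoff requirement can advance the clock past the limit and assert the session is gone, which is exactly the check the audit in the example ran by hand.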

20
Practical Example 2
  • Systems audited for FISMA compliance
  • All systems identified were within compliance
  • A routine scan with Nmap revealed interconnected
    systems not known to the organization.
  • What did this mean? Several layers of firewalls
    had rules allowing outbound traffic, and the systems
    were confirmed to be interconnected.
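The discovery above only becomes a finding if the scan result is compared against what the organization believes is on the network. As an added example for this page (not the presentation's own code), the block below parses Nmap's XML output and reconciles it with an asset inventory, reporting live hosts the inventory does not list and inventory entries the scan did not see. The XML is constructed in the shape of `nmap -oX` output and the inventory is made up.

```python
"""Reconcile an Nmap scan with the organization's asset inventory, so that a
live host the inventory does not know about is surfaced as a finding.

Added example for this page, not the presentation's own code. The XML is
constructed in the shape of `nmap -oX` output; the inventory is made up."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed inventory: what the organization believes is on the network.
KNOWN_ASSETS: Dict[str, str] = {"10.0.1.10": "web-01", "10.0.1.11": "db-01"}

# Constructed scan output, trimmed to the elements this parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
  </host>
  <host><status state="up"/><address addr="10.0.1.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
           <port protocol="tcp" portid="22"><state state="filtered"/></port></ports>
  </host>
  <host><status state="up"/><address addr="10.0.2.25" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.2.26" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_live_hosts(xml_text: str) -> Dict[str, List[int]]:
    """Map each host reported 'up' to the sorted list of its open port numbers."""
    root = ET.fromstring(xml_text)
    live: Dict[str, List[int]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"),
            None,
        )
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.append(int(port.get("portid")))
        live[addr] = sorted(open_ports)
    return live


def unknown_hosts(scanned: Dict[str, List[int]], inventory: Dict[str, str]) -> Dict[str, List[int]]:
    """Live hosts absent from the inventory: the interconnections nobody knew about."""
    return {ip: ports for ip, ports in scanned.items() if ip not in inventory}


def unreachable_assets(scanned: Dict[str, List[int]], inventory: Dict[str, str]) -> Set[str]:
    """Inventory entries the scan did not see up (decommissioned, or the scan was blocked)."""
    return {ip for ip in inventory if ip not in scanned}


if __name__ == "__main__":
    live = parse_live_hosts(SAMPLE_NMAP_XML)
    for ip, ports in unknown_hosts(live, KNOWN_ASSETS).items():
        print(f"UNKNOWN HOST {ip} open ports {ports}")
    for ip in unreachable_assets(live, KNOWN_ASSETS):
        print(f"INVENTORY ASSET NOT SEEN {ip} ({KNOWN_ASSETS[ip]})")
```

With the sample data the reconciliation reports `10.0.2.25` (SSH open) as unknown. In practice the same comparison run on every scheduled scan is what turns a "compliant" snapshot into an ongoing check that the interconnections and outbound rules are still what the last assessment recorded.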

21
Practical Example 2
  • Pen testing does not have to be elaborate to be
    effective.
  • Think outside the box.
  • Follow a methodology that helps support your
    means for compliance.
  • Pen testers have the advantage of trying many
    flaws but only need one to succeed.

22
Practical Example 2
23
Risk Quantification
  • No one had ever checked access rules to verify
    whether an outbound interconnection existed.
  • Since compliance had been achieved in previous
    assessments, verification never occurred.
  • Not all system owners knew about interconnection
    risks.
  • Data compromise was possible due to the outbound
    traffic rules.

24
Conclusion
  • Understanding the underlying information content
    and regulatory compliance framework allows for
    better risk assessment.
  • Integrating compliance frameworks with a security
    testing methodology helps ensure that systems
    have a better supported security posture.

25
Links
  • Privacy Risk Calculator:
    http://www.informationshield.com/privacybreachcalc.html
  • HIPAA educational series by the Centers for
    Medicaid and Medicare Services:
    http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage

26
Questions?