There is an Olympics of penetration testing. It’s called the Olympics.
And arguably the gold medal winner for the last championship in this country, the 2010 Winter Games in Vancouver, was the team led by Ottawa’s Adrien de Beaupre.
For two and a half years, first as a Bell Canada employee and then as an independent consultant, he captained a squad of six full time and about 30 part time staff who tried to connive, trick and manipulate their way into wired and wireless networks, data centres and applications. Bell was the games’ network provider.
In an interview this week de Beaupre, who holds a string of Global Information Assurance Certification (GIAC) security certificates, talked about penetration testing in this country — organizations don’t do enough of it — and how it was done for the Vancouver games.
Sometimes, the Olympics assignment sounded like a frat-boy’s dream, like getting into data centres and ensuring they were photographed by security cameras as proof they were really there. And, he admits, there might have been tricks like sending someone a “gift” iPad with password-stealing malware.
Along the way his team discovered previously unknown zero-day vulnerabilities — some in network equipment made by Nortel Networks, which, because the company was being sold off, couldn’t or wouldn’t provide solutions. Other ways of mitigating risk had to be found.
Like Olympic athletes who do anything within the rules to win, de Beaupre and his team did everything within their rules of engagement. “It was a very offensive, very lengthy, and very thorough risk assessment and penetration test,” he said.
De Beaupre ought to know: He’s done pen testing for all levels of government in the country and some of the biggest corporations. Currently about half his time is spent as an instructor for the SANS Institute.
While most security experts believe every organization of any size should have a penetration test done at least once a year, de Beaupre says only the largest of them can afford to have an internal staff knowledgeable and dedicated to doing it.
Have an eager member or two of the IT department who want to give it a go? Forget it, he argues. As a consultant for hire that might be expected — and some organizations are bound by regulations to have third parties do the testing — but here’s his argument: “It’s a long thought-out process that requires controls on its testers, support, logistics, project management.”
For those CSOs that want to do it, de Beaupre says the formula is the same for any IT project:
–People with training, experience and creativity to emulate an attacker in a controlled environment, and risk managers;
–Process, which includes determining the scope of the project, plus detailed policies, procedures and methodologies of what attackers can and cannot do;
–Technology. “The tools are the easy part,” he says. “Anyone can download the tools, which are readily available, but in the hands of an unskilled individual they often do a lot of damage, and often do not achieve the objective of identifying risk.”
Asked if Canadian organizations do enough penetration testing, de Beaupre replied, “Definitely not. We are probably — and in most cases this is true for IT maturity as well as information security maturity — we are usually quite a few years behind the curve, anywhere between three and five in some organizations.”
Few mid-sized Canadian organizations do penetration testing, he said, or realize they should. The record for larger companies is better, but they don’t do it consistently, he added.
For those that do their own testing, de Beaupre said their biggest mistake is either not having the right people or not applying the rigorous processes needed. “An organization that performs a pen test incorrectly or has one blow up on them will often never pull one ever again. But they might miss out on the true value-add of identifying risk.”