Saturday, April 14, 2012

Blog on review of ISACA Journal Vol. 2, 2012 about Penetration Testing

Finished reading ISACA Journal Vol. 2, 2012, article titled "Security Through Effective Penetration Testing", beginning on page 20. This is the kind of "real world" article that I would like to see more of in the ISACA Journal.

The article states: "It was one of the first times that an entire state government had undergone such a large-scale assessment to identify security vulnerabilities across various critical resources and to evaluate how well IT staff at different state agencies responded to simulated attacks." What strikes me are the words "first", "entire state government", "IT staff", and "critical", and they make me ask: "WHY". Why is this the first time? Why did the State of Colorado do this? I do not know the answer to the first "why is this the first time", but I will get to that later. In answer to the second "why", I believe that Mr. Jonathan Trull, CISA, CFE, OSCP, Deputy State Auditor of Colorado, had something to do with getting this project off the ground. You see that he is a CISA and, more importantly, an OSCP, Offensive Security Certified Penetration Tester, and this may have had something to do with Mr. Trull convincing Mr. Travis Schack, State of Colorado CISO, and then the two of them convincing upper management to allow them to carry out a covert penetration test. They would have to justify the cost, the risk of system disruption, and the politics involved with IT staff personnel if findings are positive and feathers are ruffled. The entire test was carried out covertly by 8 persons; the system was hacked into and sensitive data exfiltrated, and they estimated that a real breach of the nature of the penetration hack would cost the State of Colorado between $7 and $15 million. The root cause was preventable and resulted from a lack of the most basic security best practices.

A discussion of "why is this the first": One could also apply this question not only to state governments but to the federal and local governments and other organizations, including businesses, and it has to do with education. There is an overall lack of awareness at the upper management levels because those decision makers do not have the training that Mr. Trull had, and they do not view the risk the way Mr. Trull did.

I will speculate that a similar outcome would occur in the vast majority of government agencies, and I would suggest that the internal auditors, inspectors general, and IT staff obtain the necessary education to become aware of what needs to be done to secure the nation's IT infrastructure.

The State of Colorado Performance Audit is public information and is available at:
http://www.leg.state.co.us/OSA/coauditor1.nsf/All/BD6BC417A140102C872577F3005B9705/$FILE/2068A%20IT%20Pentest%20Gov%20Office%20Nov%202010.pdf

http://www.nasact.org/conferences_training/nsaa/conferences/ITWorkshopConferences/2011ITWorkshopConference/PresentationsHandouts/Trull_Jonathan.pdf

https://myexploit.wordpress.com
