Feature
Jonathan Trull, CISA, CFE, OSCP, is the deputy state auditor at the Colorado Office of the State Auditor (OSA), primarily responsible for overseeing complex, value-added IT audits in the State of Colorado, USA. He is also responsible for overseeing select performance audits, the OSA’s internal IT plan and infrastructure, and the OSA’s internal report writing and external communications functions. With more than 13 years of experience in governmental auditing and management, Trull has established himself as an innovative leader of high-quality, objective audits and reviews.
Security Through Effective Penetration Testing
In the spring and summer of 2010, a team of eight people was diligently pursuing one common goal: hacking into the network of the State of Colorado, USA. The team had spent countless days, nights and weekends trying to breach the state’s systems, modems, wireless network devices and 67,000 Internet Protocol (IP) addresses to gain access to personally identifiable, sensitive and/or confidential information.
On one particular afternoon, the team achieved a significant victory. A state agency’s public-facing web site had been misconfigured, allowing the team to view the entire site’s directory of files, including one called “upload.html.” The upload code behind it did not restrict the type of file that could be uploaded, and the PHP engine on the server ran the web application as root. Within minutes of identifying the file, the team had uploaded a PHP script that gave them a shell on the web server and, with it, administrator control of a system sitting inside the agency’s firewall. From there, it was a matter of how quickly they could pivot to other connected systems and obtain the information they sought before moving on to a different target at a different agency. Figure 1 illustrates how the agency’s firewall was bypassed to attack the agency’s internal network.
The good news for the State of Colorado was that the team was not a group of professional hackers, but rather three IT auditors employed by the Colorado Office of the State Auditor (OSA) and five additional computer security professionals contracting with the OSA. The OSA team’s assignment was to conduct a large-scale, covert penetration test that would assess the state’s risk of being compromised by a malicious attacker and to recommend steps for preventing such attacks.
Over a six-month testing period, the team compromised several state government networks and systems and gained unauthorized access to thousands of individuals’ records, including records containing confidential data such as US Social Security numbers, income levels, birth dates and contact information. The team also gained access to usernames and passwords belonging to state employees and other individuals. Based on national averages, a data breach of this magnitude by a malicious individual would have cost the state between US $7 million and $15 million to remediate.1 This
Figure 1—Internal Network Breach
Vulnerabilities:
• Exposed file directory
• Identified upload.html (the code did not filter the type of file that could be uploaded)
• Uploaded Hypertext Preprocessor (PHP) shellcode
• PHP engine installed and application running as root
• Default server configuration

Attack path: the penetration testing team exploits the vulnerable web server through the agency firewall. The firewall leaves port 80 open to allow connections to the web server but blocks connections from the Internet to the internal network. The exploited web server is then used to pivot and start attacking the agency’s internal network, which is otherwise unreachable from the Internet.
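The upload flaw behind the figure (a handler that accepted any file type and wrote it where the PHP engine would execute it) next to a hardened version, as an added example. This is not code from the article or from the audited agency; the upload field name, the storage paths and the allowlist are assumptions for illustration.

```php
<?php
// Added example, not the agency's code. Field name, paths and allowlist are assumed.

// --- Vulnerable: the shape of an unfiltered upload back end. The client-supplied
// name and type are trusted and the file is written into the web root, so a
// file named shell.php is served as PHP on the next GET request.
function vulnerable_upload(array $file, string $webroot): string
{
    $dest = $webroot . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened: allowlist by extension, verify content, generate the stored
// name, and keep the store outside the document root.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

function hardened_upload(array $file, string $store): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not a real upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The extension from the client name only selects an allowlist entry; it is
    // never used to build the stored name, so "shell.php.png" gains nothing.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the bytes on disk, not the client-supplied $file['type'].
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-chosen random name, stored where the web server cannot execute it.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($store, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;
}

// Usage: $store is assumed to be a directory outside the web root, served back
// only through a download script that sets Content-Disposition.
if (php_sapi_name() !== 'cli' && isset($_FILES['f'])) {
    try {
        echo hardened_upload($_FILES['f'], '/var/app/uploads');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

The handler addresses only the second and third findings in the figure. The other two are server configuration, not application code: run PHP and the web server as an unprivileged account rather than root, so a web shell inherits no more than that account, and disable directory listing (for Apache, `Options -Indexes` on the document root) so an upload page is not discoverable by browsing the file tree.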
20 ISACA JOURNAL VOLUME 2, 2012