Nets Information Security
Risikoanalyse og testing: med perspektiv fra frontlinjen
Stig Torsbakken – Nets SIRT
C
l
i
c
k
t
o
e
d
i
t
Agenda
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Nets
Nets threat landscape
Nets security testing
Seurity testing and security incidents
2
C
l
i
c
k
t
o
e
d
i
t
Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
3
Three lines of defence
C
l
i
c
k
t
o
e
d
i
t
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Risk management in Nets is organized around the 3 lines of defence model
(Ref. ECIIA & FERMA “Guidance on the 8th EU Company Law Directive”)
1
1st Line of Defence
2
3
2nd Line of Defence
Operational
management
Control, policy and
framework
3rd Line of Defence
Audit
Board of Directors
Executive Management
Group Management (GM)
Reporting
Reporting
Reporting
1
2
Information Security,
BUs/GUs &
Management Control
Activities
Requirements
Reporting
Risk management
(Risk, Security, Compliance,
Quality, Continuity)
Reporting
& advising
Requirements
Reporting
3
Internal
Systems
Audit
External
Audit
Coordinating
efforts
Customers
4
C
l
i
c
k
t
o
e
d
i
t
Nets security
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Simplified
1
Information Security,
BUs/GUs &
Management Control
Activities
Orientation
Threat
Technical
Operational
2
Risk management
(Risk, Security, Compliance,
Quality, Continuity)
Orientation
Compliance
Business
Risk
5
C
l
i
c
k
t
o
e
d
i
t
Nets SIRT security incidents 2013
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Critical
2
High
11
Medium
81
Low
27
Category
Malicious code
infection
Exposed to
malicious code
Vulnerability
121
Reconnaissance
DDoS
Service
Client
Suspicious user
activity
Perimeter
Policy violation
User
Exercise or
network defense
testing
Access
NemID
Phishing
Guest
network
6
C
l
i
c
k
t
o
e
d
i
t
Nets SIRT security incidents 2013
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
7
C
l
i
c
k
t
o
e
d
i
t
DDoS attack April 10
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
NemID down for 7 hours
Gruppe tager ansvar
for NemID-angreb:
Vil forsøge at slå til igen
En gruppe, der via Twitter har taget
ansvaret for torsdagens angreb mod
NemID, siger, at de vil forsøge at få
login-tjenesten til at gå ned igen.
8
C
l
i
c
k
t
o
e
d
i
t
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
C
l
i
c
k
t
o
e
d
i
t
Security testing in Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
In numbers – Nets Norway
Vulnerability scanning
External: 4
Internal: 4+
Scanningless scanning: 365
Pentesting
New applications/systems: approx. 1 every week(!)
Yearly pentests: 20
Risk analysis
Yearly risk analysis of all infrastructure
Risk analysis of new services
How is this possible?
1 FTE (to be 3-4) dedicated to pentesting
25-30 security officers in Nets in total
Heavy use of consultants and 3rd party vendors
Narrowing scope
10
C
l
i
c
k
t
o
e
d
i
t
Security testing in Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Vulnerability scanning
Quarterly external scan
Quarterly internal scan
Scanningless scanning
11
C
l
i
c
k
t
o
e
d
i
t
Security testing in Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Pentesting
Typical findings
Input validation
Application vulnerabilities
Default passwords
Vulnerable/unsecure protocols
Missing authentication/source verification
Design flaws
60% of findings through manual tests
Narrow scope
Narrow scope
Narrow scope
12
C
l
i
c
k
t
o
e
d
i
t
Security testing in Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Pentesting
How to narrow scope?
Tool-support
Nessus
Nmap
AppScan
Metasploit
soapUI
Burp Suite
ZAP (Zed Attack Proxy)
13
C
l
i
c
k
t
o
e
d
i
t
Security testing in Nets
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Pentesting
How to narrow scope?
Risk analysis involving pentest team
Business side priorities
Structured walk-through of functionality
Thorough system presentation
Pentest team involved in software development phase
Pentest team involved in security arcitechture design
14
C
l
i
c
k
t
o
e
d
i
t
Security testing and security incidents
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Threat
intelligence
Risk
analysis
Vulnerability
scans
Pentests
Vulnerability
management
Patch
level
Security
incident
Inventory
control
15
C
l
i
c
k
t
o
e
d
i
t
Security testing and security incidents
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Nets SIRT vulnerability management procedure
Nets pentest/vulnerability scan findings
Priority:






Major
1&2

affect production systems
remote exploitable
would cause a Major 1 or 2 incident if exploited
do not affect production systems
not remotely exploitable (only internally)
would cause a Major 1 or 2 incident if exploited after
system is released
do not require immediate actions
3
4
16
C
l
i
c
k
t
o
e
d
i
t
Security testing and security incidents
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Threat
intelligence
Security
incident
Risk
analysis
Vulnerability
scans
Pentests
Vulnerability
management
Inventory
control
Patch
level
17
C
l
i
c
k
t
o
e
d
i
t
Fully implemented DDoS protection
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Project «DDoS Shield»
18