Cracking the tax code
Having an IT organisation large enough to afford around-the-clock penetration testing may be the envy of many government agencies. Being able to claim zero staff turnover in a highly competitive field is the icing on the cake.
And that is what the Australian Taxation Office’s Trusted Access branch has been able to do. Its Director of Penetration Testing and Vulnerability Management, Leonard Kleinman, shared his experience with information technology professionals from the private and public sectors at the AusCERT 2011 security conference on the Gold Coast, in May 2011.
Kleinman is responsible for penetration testing (pen testing), IT security incident response and threat intelligence at the agency that arguably holds the most sensitive – and valuable – information on all Australians.
Pen testing or ethical hacking is the practice of evaluating the security of computer systems by formally attempting to break into them. It has enjoyed steady growth in popularity in the last 12 months.
High-profile breaches at Sony, RSA, Epsilon and Lockheed Martin – not to mention unreported attacks on government systems – have fuelled awareness of cyber threats and an increase in demand for validated pen testing.
Several Australian-based firms have reported an increased level of enquiries by the public and private sectors for their services. Many are hiring to cope with the extra workload.
Kleinman’s 12-strong team is comparable in talent and experience to those seen assembled in the cross-border computer labs of global Internet security companies. And it is no wonder.
The ATO has more than 21,000 employees spread over 61 sites around the country. In the words of Michael D’Ascenzo, Commissioner of Taxation, its business model relies increasingly on online and information technology strategies.
Last financial year, it completed its largest – and possibly most publicly criticised – change program involving the deployment of a new integrated core processing system for income tax.
The program moved 32 million accounts and 282 million forms in what the Commissioner admitted was a high-risk endeavour.
“Most of our people have their work streamed to them electronically, use the same systems across the country and, importantly for taxpayers, have a more complete and richer view of taxpayer details,” the Commissioner said in the agency’s Annual Report.”
Cyber security is thus as large a priority for the ATO as the taxation services it provides to 27 million individual and business taxpayers.
Kleiman’s mission is clear. “We do IT security,” he says, not quite over-stating the obvious. “We develop security analysis tool kits, we have an innovation team, we have a database of threats and we do (immediate) incidence response. (Our people) are all technical people, all certified.” His job is to oversee the team’s regular testing of the ATO’s systems. Average penetration tests cost about $30,000 in internal resources and take around two weeks to complete. More complex tests, such as the evaluation of the change program in 2009-10, took nearly five weeks and used eight people.
“It was an insane scope. But that is the way things are going these days; we need to embrace integration and convergence. There’s no point fighting it.”
Central to the success of the team and the safeguarding of the institution’s systems, says Kleinman, is the ability to manage the expectations of non-IT stakeholders.
Without buy-in from a system’s owner – the department whose IT system or application is being evaluated – there is little the Vulnerability Management and Research team can do.
Security rectification always depends on the owner’s willingness to understand the identified vulnerabilities and their commitment to fixing them.
That’s why Kleinman often finds himself putting up the ‘what’s a pen tester?’ slide in meetings. “The more we educate our executives, the more their commitment to our recommendation for remediation. There’s continual marketing and communication from our point of view and it bears a lot of fruit.” He is also forever explaining that pen testing is not an audit or a health tick of approval.“It’s hard to explain to business what it actually is, what we actually do. They can use the results as part of some sort of assurance program, but as itself, it’s just another testing activity.” The branch uses its own risk matrix, which incorporates the Microsoft DREAD model and others, to rate the identified vulnerability. “The final sign-off by them is acknowledging the vulnerability and committing to fixing it. It then flows on to compliance.” Often the system will then be re-tested to check it has been fixed and that the fix did not introduce additional weaknesses.
Education is an essential element of the team’s work, as security threats evolve quickly. Kleinman’s team of ethical hackers therefore attend regular professional refresher and certification courses and the ultimate hacker gatherings: the annual Black Hat and DefCon conferences in Las Vegas.
The trips are part incentive, part training. “Last year we sent three guys. We have a blanket go-ahead (from management) to send three or four people every two years. It makes it easier to retain staff,” he says.
The team also takes one or two graduates from the ATO’s annual intake to train in penetration testing and incidence response.
Even though the department may seem like a great training ground for a ‘white hat’ to later seek employment in the private sector, Kleinman claims he has only lost one trained-up member in six years. And it was for personal reasons.
“We’ve had these conversations where they’ve been offered $30,000 a year more, but have stayed because of the culture. I’ve never lost a staff member to a penetration testing firm.” He cheekily admits the team’s “seriously insane” gadget budget contributes to that. “We have a unique culture. The team has a lot of liberties. We get to play with the latest toys. We have a seriously insane budget for our own lab. We can spend in excess of seven digits on laptops, notebooks and stuff.”
Method prevents madness
So how does the team do it? Kleinman can’t reveal all the secrets, but recommends pen testing be done from an external and internal perspective and only after a system has gone into pre-production.
“You can’t do updates while they are implementing it. It becomes a mess, constantly in a state of flux. It’s a nightmare, don’t do it,” he emphasises.”
He has no fixed framework for the tests, favouring an intuitive approach to a rigid approved scope. “Any decent hacker would say to hell with your scope! You must follow your nose when certain results indicate where you should be going.” The testing is all hands-on with the team only using automated tools in the initial phases. “The guys actually write script to circumvent the controls. As part of our routine, we do actually execute social engineering and physical breaches as well, but we go until the (breakpoint) line. We use a reasonable judgement to determine where that is.” He says in one test, he even assembled a hacking team at a remote location to penetrate an application using only publicly available information.This, he says, helped sell the case internally, as it negated the argument that the team was able to identify vulnerabilities because it had inside knowledge of the system. “We do all the documentation to prove the argument can’t be used against us. We’re very conscious of that.” All tests are fully documented and status updates are given during testing of major live systems. The incident response team is used as a default control mechanism, detecting breaching attempts as they occur, without prior knowledge of scheduled tests.
Kleinman’s team earned the ATO the AusCERT 2011 Award for Organisational Excellence in Information Security for its proactive work in protecting Australians from fraudulent activities.
Experts warn that the major cyber attack targeting Australian governments and businesses...
The NSW Government, AustCyber and Standards Australia have created a new task force aimed at...
The Cyber Security Vulnerability Management Centre will provide ongoing and automated...