With the developing and rapidly developing technology in recent years, it becomes inevitable to be protected from cyber attacks. In this situation, it is aimed to keep the systems of the institutions as protected as possible, to take care of any data leakage, and to maximize the security as much as possible with the technologies placed in the systems and regular penetration tests.
So what is Penetration Testing, a sub-title that has been underlined so much and is now completely identified with the field of Cyber Security?
Penetration tests are studies to reveal the vulnerabilities of an organization's information systems and employees. With the penetration test, it is aimed to be aware of the vulnerabilities (vulnerabilities) before the attacks occur and to make the systems more secure by closing them.
Considering the current state of technology in today's world and considering that attackers do not have to be at a high level of technical knowledge, the security of their information is in greater danger for individuals and organizations every day.
Regular penetration testing is a proactive measure to learn about potential vulnerabilities before attackers notice them, and to prevent a possible cyber attack by closing this vulnerability. By taking action for vulnerabilities, the possibility of the organization's sensitive data falling into the hands of unauthorized persons is reduced, and the exploitation of unauthorized persons is prevented by closing the vulnerabilities in their systems.
Penetration tests can be carried out in line with the request and need of the organization. However, due to the criticality of information security in some sectors, this work has been made a liability by regulatory agencies.
In the continuation of this article, it is explained which institutions should have a penetration test as stated in the communiqués and regulations.
If you have a scenario about the concept of Penetration Testing in your mind, we will talk about the items of Penetration Testing that may differ according to organizations and have different requirements and capabilities.
First of all, how is this process handled in the Banking Regulation and Supervision Agency?
Banking Regulation and Supervision Agency
- The mmuniqué on the Principles to be Based on the Management of Information Systems in Banks, published on 14 September 2007, covers deposit banks, participation banks, development banks and investment banks. In the section of risk management regarding information systems, it is stated that independent teams should have regular penetration tests performed under the title of establishing and managing the security control process. At the same time, under the title of establishing and managing the security control process in the internet banking department, the requirement for independent teams to have a penetration test for systems within the scope of internet banking activities, at least once a year, is included. This notification will expire on 1 July 2020.
At the same time, the Circular on Penetration Tests of Information Systems, prepared in accordance with this communiqué, was published on July 24, 2012. The minimum scope of penetration tests to be carried out in this circular is given below.
o Communication Infrastructure and Active Devices
o DNS Services
o Domain and User Computers
o Email Services
o Database Systems
o Web Applications
o Mobile Applications
o Wireless Network Systems
o ATM Systems
o Distributed Decommissioning Tests
o Social Engineering Tests
- The Authority published the Regulation on Banks' Information Systems and Electronic Banking Services on March 15, 2020. This communiqué will enter into force on 1 July 2020 and covers deposit banks, participation banks, development banks and investment banks. Independent teams that are not involved in the design, development, implementation or execution of the services provided by the banks in the scope of information systems are required to have a penetration test performed at least once a year.
- The Communiqué on the Principles to be Based on Information Systems Management in Information Exchange, Clearing and Settlement Institutions and the Audit of Business Processes and Information Systems was published on 4 December 2013. This notification; It covers the institutions that exchange information by obtaining an operating license within the framework of Article 4 of the Bank Cards and Credit Cards Law, the institutions engaged in clearing and settlement activities by obtaining an operating license within the framework of Article 4 of the Bank Cards and Credit Cards Law, and the Risk Center. Covered organizations are required to have a penetration test at least once a year.
- The Communiqué on the Management and Audit of Information Systems of Financial Leasing, Factoring and Financing Companies was published on 6 April 2019 and covers financial leasing, factoring and financing companies. In this communique, it is stated that companies within the scope of information security management should have a penetration test every 2 years.
- The Communiqué on the Management and Audit of Information Systems of Payment Institutions and Electronic Money Institutions was published on 27 June 2014 and covers legal entities authorized under the Law to provide and perform payment services, and legal entities authorized to issue electronic money within the scope of the law. Organizations within the scope are obliged to have independent teams not involved in the design, development, implementation or execution of the services they provide through information systems, at least once a year, to have a penetration test.
This text contains a part of the regulation named "Communiqué on the Principles to be Taken as a Basis in Information Systems Management in Banks". This regulation determines the minimum procedures and principles that should be taken into account in the management of the information systems used by banks. The Communiqué also covers the management of risks and security vulnerabilities that bank information systems may be exposed to.
In the section of the Communiqué titled "Risk Management Regarding Information Systems", there are provisions regarding the establishment and management of the security control process. Within the framework of these provisions, in order to ensure that the reliability and consistency of the banks' information systems are regularly examined, it is obligatory to have penetration tests carried out at regular intervals.
Penetration tests are tests conducted to detect the types of attacks that can be carried out in electronic environment against information systems and to identify security vulnerabilities. These tests are performed to detect and fix security vulnerabilities in information systems where unauthorized access or access to sensitive information may be possible.
In accordance with the minimum procedures and principles specified in the Communiqué, penetration tests are carried out to cover the following topics:
- Communication Infrastructure and Active Devices
- DNS Services
- Domain and User Computers
- Email Services
- Database Systems
- Web Applications
- Mobile Applications
- Wireless Network Systems
- ATM Systems
- Distributed Decommissioning Tests
- Social Engineering Tests
The access points determined for performing penetration tests were determined as internet, bank internal network and branch network. Tests progress from these access points and are performed with specific user profiles. User profiles include different profiles such as anonymous user, bank customer, bank guest and bank employee.
If we explain how our other important organizations will operate this process;
Energy Market Regulatory Authority
- As stated in the Information Security Regulation in Industrial Control Systems Used in the Energy Sector, published on 13 July 2017, a guide named EKS (Industrial Control Systems) Security Controls has been published. As mentioned in this guide, it is stated that organizations should perform penetration testing, report and analyze the results at a certain frequency and in a specially determined scope. The organizations within the scope of this guide are the organizations that own the EKS.
On the energy market side, it is observed that there is a little less information and awareness about critical infrastructures compared to other institutions. When it comes to Critical Infrastructures (Natural Gas, Electricity systems, etc.), the damage to the country can be much more permanent, as we have seen examples of these attacks in the past years. Let's consider this topic in more detail to raise awareness and learn more.
The best source we can use for this is the Drying Decision from the Energy Market Regulatory Authority published in the Official Gazette dated 3 May 2019 and numbered 30763;
Purpose, Scope, Legal Basis, Definitions are explained in detail in the source, if we summarize the content in our article;
In the first part, the procedures and principles have been developed to ensure the safety of industrial control systems (ECS) used in the energy sector. The main purpose is to take measures to detect and eliminate security vulnerabilities such as unauthorized access and access to sensitive information and to ensure system continuity. The following activities are included within the scope of these procedures and principles:
- 1. Examination analysis of ICS network and architectural structure: Analysis and evaluation of ICS network and structures in terms of security.
- 2. Social engineering tests for the personnel working in the EKS structures: Testing the personnel working in the EKS systems with social engineering techniques.
- 3. Vulnerability scanning analysis in the EKS network: Scanning and analyzing the security vulnerabilities in the EKS network with scanning tools.
- 4. Malware analysis in EKS network: Detection and analysis of malware in EKS network.
- 5. EKS wireless network and components tests: Security tests of EKS wireless network and its components.
- 6. Exploitation tests on the EKS network: Exploit testing of security vulnerabilities in the EKS network.
These procedures and principles have been prepared on the basis of Article 8 of the Information Security Regulation in Industrial Control Systems Used in the Energy Sector. While the tests are repeated every three years, the tests for the new facilities are made within eighteen months from the activation of the enterprise. Organizations subject to tests have at least one expert personnel and one accompanying personnel during the test. These procedures and principles determine and implement standards and guidelines in order to ensure the safety of industrial control systems used in the energy sector.
In the second part,
The existing network structure where the EKS is located is examined and evaluated in terms of security practices. The scope of the analysis includes the following topics:
- 1. Topology analysis: The IP addresses of the servers, network components and field equipment in the EKS network are determined and their configurations are examined. In this analysis, the location of the components in the network and the current topology drawing are evaluated.
- 2. Configuration analysis: The configurations of network and security devices such as backbone switch, firewall, IDS/IPS are evaluated. Topics such as redundancy configurations, firewall SSL inspection, and segmentation are explored.
- 3. ICS border security analysis: The measures taken to prevent the elements that threaten ICS are evaluated. Issues such as replacing insecure services with secure alternatives, not having systems serving the internet, presence of IDS/IPS systems and connection control are audited.
- 4. Access analysis: Accesses between KBS and EKS networks are examined. It is evaluated whether mandatory connections are configured correctly, unnecessary access of users is prevented, and the appropriateness of existing access permissions.
- 5. Other analyzes: Analyzes are made on issues such as authorized account management, location of assets in the infrastructure, examination of assets that can and can be accessed from the internet, use of SSL and business continuity analysis.
This analysis is carried out through question-and-answer interviews with the organization's personnel, examining the configurations of network and security devices, and using automated analysis tools. Social engineering tests, on the other hand, are carried out for the personnel working in the EKS structures. In these tests, the safety behaviors and awareness levels of the personnel are analyzed. Tests can be administered as black boxes or white boxes. For black box testing, the team that will perform the test collects information about the personnel and determines the scope of the test. White box testing is performed on the scope determined by the organization.
Personal Data Protection Authority
- The Personal Data Security Guide (Technical and Administrative Measures), published in January 2018, included this issue under the article on monitoring personal data security.
In this article, it is stated that in order to protect information systems against known vulnerabilities, regular vulnerability scans and penetration tests should be carried out and an evaluation should be made according to the results of the tests regarding the security vulnerabilities. In addition, the penetration test is included in the table showing the technical measures that can be taken by the data controllers in the guide. Real and legal persons who process personal data, who are obliged to comply with the Law on the Protection of Personal Data No. 6698, should consider the precautions in this guide.
Capital Markets Board
- The Board published the Information Systems Management Communiqué on January 5, 2018. Under the heading of information systems risk management, it is stated that they are subjected to penetration test at least once a year by real or legal persons holding national or international documents on penetration testing. The minimum tests to be performed within the scope of penetration tests are given below.
o Communication Infrastructure and Active Devices
o DNS Services
o Domain and User Computers
o Email Services
o Database Systems
o Web Applications
o Mobile Applications
o Wireless Network Systems
o Distributed Decommissioning Tests
o Social Engineering Tests
President of revenue management
- E-Document Private Integrators Information Systems Audit Manual, published on 19 November 2019, covers Private Integrator organizations that have / will receive permission from the RA. It is stated that a penetration test should be performed at least once a year, covering the assets and information systems defined in the guideline. The scope of penetration testing in the guide is given below.
o Network and Communication Infrastructure Tests
o Operating System and Platform Tests
o Practice Tests
o Database Tests
o Web Applications Tests
o Mobile Application Tests
Ministry of Transport and Infrastructure
- The Ministry has published the Communiqué on the Procedures and Principles on Connecting to the KamuNet Network and Supervision of the KamuNet Network on 21 June 2017. As stated in this communiqué, public institutions that will be included and are included in KamuNet are required to carry out penetration/penetration tests on the systems to which KamuNet is connected, and work to eliminate the vulnerabilities detected.
In addition to the regulations mentioned above, organizations that are required to have ISO/IEC 27001 certificate are required to have regular penetration tests within the scope of A.12.6.1 Technical Vulnerabilities Management in the A.12.6.1 Management of Technical Vulnerabilities in the Annex-A security controls section of the standard or to detect technical vulnerabilities regularly with their own resources in accordance with this check. . Obligations to have ISO/IEC 27001 certificate are given below.
- Electronic certificate service providers within the scope of the Communiqué on Electronic Signature Processes and Technical Criteria published by the Information Technologies and Communications Authority,
- Registered e-mail service providers within the scope of the Communiqué on the Processes and Technical Criteria Regarding the Registered Electronic Mail System published by the Information Technologies and Communications Authority,
- Capital companies that provide electronic communication services and/or provide electronic communication networks and operate their infrastructure within the scope of the Communiqué on the Implementation of the TS ISO/IEC 27001 Standard within the Scope of Electronic Communication Security published by the Information Technologies and Communications Authority. The operators whose certificate of conformity is sought are below:
o Operators who have signed a mandate contract
o Operators that have signed a Concession Agreement
o Operators Providing Satellite Communication Services
o Operators Providing Infrastructure Operation Services
o Fixed Telephone Service Operators
o Operators Providing GMPCS Mobile Phone Service
o Virtual Mobile Network Service Operators
o Internet Service Providers
o Operators Providing GSM 1800 Mobile Telephone Service in Aircraft
- Institutional information system and industrial control systems operated by the legal entities that carry out the transmission activities within the scope of the Natural Gas Market License Regulation published by the Energy Market Regulatory Authority (EMRA), and the distribution licensees responsible for establishing a shipment control center,
- Institutional information system and industrial control systems for all generation facilities with an installed power of 100MW and above and provisionally accepted, excluding the OIZ generation license holders within the scope of the Electricity Market License Regulation published by EMRA,
- Corporate information system and industrial control systems of refinery licensees within the scope of Petroleum Market License Regulation published by EMRA,
- Legal entities who want to have the authorized obliged party certificate (YYS) within the scope of the Regulation on Facilitation of Customs Transactions published by the Ministry of Customs and Trade.
Digital Transformation Office Information and Communication Security Guide.
A Presidential Circular containing Information and Communication Security Measures has been published in order to determine the security steps to be followed by public institutions and businesses serving on the critical type data side, within the scope of reducing the security risks encountered in information systems, protecting a possible data loss or critical data that may threaten national security. In line with the Presidential Circular dated 06.07.2019 and numbered 2019/12, which includes information and communication security measures, the preparation of the Information and Communication Security Guide was completed by the Presidency of the Republic of Turkey (DDO) and approved on 24.07.2020.
While it is stated as a necessity in the said guide that penetration tests should be performed within the scope of Network and System Security, especially within the scope of the controls for asset groups (Art. 3.1.11. Penetration Tests and Security Audits), a total of 117 substances are related to the performance of penetration tests.
Art. 3.1.11. External and internal penetration tests and security audits should be carried out at regular intervals to identify the vulnerabilities and attack surface of enterprise systems.
To summarize, regular penetration tests are very important for organizations to protect their sensitive information. As can be seen in the regulations, it is striking that it is necessary to be more cautious in this regard, especially for organizations in the energy and finance sector. Even if it is not legally required, it is a great opportunity for organizations to have a penetration test, be aware of their vulnerabilities and take appropriate steps to make their systems more secure.
Penetration testing is an important security measure for organizations and plays a critical role in protecting against potential attacks. The penetration test revealed the deficiencies and weaknesses of your organization's information security. The results of this test will help you determine the measures to be taken to strengthen your organization's defense mechanisms, close security vulnerabilities, and prevent potential attacks.
Source:
Pentest Requirement Legislation
SAFETY ANALYSIS AND TEST PROCEDURES AND PRINCIPLES FOR INDUSTRIAL CONTROL SYSTEMS USED IN THE ENERGY SECTOR
Penetration Test Requirements and Scope of BRSA Affiliates
