SlideShare uma empresa Scribd logo

VA SCAN 2012: Securing the Future: BYOD and Beyond Penetration Testing Low Hanging Fruit

Transferir como PPTX, PDF
S
syrinxtech

This is a recent presentation I gave at the 2012 VA SCAN conference at VMI.

1 de 50
VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing Bryan Miller Computer Science & Information Systems Virginia Commonwealth University
VA SCAN 2012: Securing the Future: BYOD and Beyond Agenda  Speaker Introduction  What’s the Problem?  Definitions  Security Testing Issues  Lessons Learned  Self-Audit Tools  Wrap Up The Low Hanging Fruit of Penetration Testing 10/9/2012 2
VA SCAN 2012: Securing the Future: BYOD and Beyond Speaker Introduction  B.S. ISY, M.S. CS – VCU  VCU Network Engineer for 5 years  CISSP, former Cisco CCIE in R/S  FTEMS, ISSA, ISACA, IALR, VA SCAN lecturer  Penetration testing for 11 years  Formed Syrinx Technologies in 2007  Published author with 25 years in I.T. The Low Hanging Fruit of Penetration Testing 10/9/2012 3
VA SCAN 2012: Securing the Future: BYOD and Beyond What’s the Problem? The Low Hanging Fruit of Penetration Testing 10/9/2012 4
VA SCAN 2012: Securing the Future: BYOD and Beyond  In many organizations security is seen as a nuisance – a “must do” but not a “must have.”  Despite everything we know about securing systems and applications, there are new data breaches announced every week.  Organizations of every size and complexity are affected, including the government, military, commercial, R&D, banking and education. The Low Hanging Fruit of Penetration Testing 10/9/2012 5
VA SCAN 2012: Securing the Future: BYOD and Beyond  Most of the breaches are caused by issues that would never have existed if available best practice rules had been followed.  Hacking has become commercialized.  Exploit “frameworks” lower the bar in regards to knowledge required to compromise systems. The Low Hanging Fruit of Penetration Testing 10/9/2012 6
VA SCAN 2012: Securing the Future: BYOD and Beyond Definitions The Low Hanging Fruit of Penetration Testing 10/9/2012 7
VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  Penetration Testing  Social Engineering  Wardialing/Wardriving The Low Hanging Fruit of Penetration Testing 10/9/2012 8
VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  “jiggling the handle”  Often required for compliance  Sometimes confused with a risk assessment The Low Hanging Fruit of Penetration Testing 10/9/2012 9
VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing  External vs. internal  Goal is to simulate a real attacker, but with limits  How do those limits affect the testing?  How do you measure success? The Low Hanging Fruit of Penetration Testing 10/9/2012 10
VA SCAN 2012: Securing the Future: BYOD and Beyond  Social Engineering  Three easy words: Hacking the Human  Easy to talk about, extremely difficult to prevent  Policies and education are the front line of defense The Low Hanging Fruit of Penetration Testing 10/9/2012 11
VA SCAN 2012: Securing the Future: BYOD and Beyond  Wardialing/Wardriving  Wardialing – dialing phone numbers to look for modems  Wardriving – scanning for wireless access points  Includes 802.11, Bluetooth, Zigbee, X.10  Legal to scan but not to associate to an AP  Includes warwalking and warchalking The Low Hanging Fruit of Penetration Testing 10/9/2012 12
VA SCAN 2012: Securing the Future: BYOD and Beyond Security Testing Issues The Low Hanging Fruit of Penetration Testing 10/9/2012 13
VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing vs. Vulnerability Assessments  Is one “better” than the other?  Which one is right for my situation?  Thorough requirements definition  Rules of engagement  What constitutes success?  Deliverables The Low Hanging Fruit of Penetration Testing 10/9/2012 14
VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we test?  FERPA, PCI, HIPAA, SOX, FFIEC, NCUA, FIPS  Internal Audit requirements  Baseline the security posture for new management  Mergers & acquisitions  Natural complement to risk assessments The Low Hanging Fruit of Penetration Testing 10/9/2012 15
VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we NOT test?  If you consider security a waste of good money  If you don’t want to know the answers  If you can’t or aren’t going to fix anything  If you really want to be on the local news or have someone write a magazine article about you The Low Hanging Fruit of Penetration Testing 10/9/2012 16
VA SCAN 2012: Securing the Future: BYOD and Beyond  Why don’t we test?  Our employees don’t know how to do bad things.  We already know what’s broken.  We don’t have anything hackers want.  If you tell us what’s wrong, we’ll have to fix it.  We haven’t fixed the things you found last time. The Low Hanging Fruit of Penetration Testing 10/9/2012 17
VA SCAN 2012: Securing the Future: BYOD and Beyond  In-house or outsource?  The first question you have to answer is, “Do I have the staff with the relevant skills/tools/time?”  You might not have a choice due to auditing standards.  A good compromise is to perform internal self-tests followed by a review from a 3rd party.  Knowing something about the process makes you a better consumer. The Low Hanging Fruit of Penetration Testing 10/9/2012 18
VA SCAN 2012: Securing the Future: BYOD and Beyond Lessons Learned The Low Hanging Fruit of Penetration Testing 10/9/2012 19
VA SCAN 2012: Securing the Future: BYOD and Beyond  So, having said all that, what have we learned about data breaches?  They happen to organizations of all sizes and complexity.  Many of them can be prevented using best practice methods.  Many can be categorized as “low hanging fruit.”  The larger your organization, the more LHF. The Low Hanging Fruit of Penetration Testing 10/9/2012 20
VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (1-5) 1. Bad password management 2. Default security controls 3. Incorrect permissions on files, directories, databases, etc. 4. Missing OS and application patches 5. SQL Injection, XSS, cookie, state and URL issues on web sites The Low Hanging Fruit of Penetration Testing 10/9/2012 21
VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (6-10) 6. Lack of security awareness 7. Access to internal systems from the Internet 8. Insecure wireless access points/modems 9. Lack of encryption (laptops, sensitive data & emails) 10. Weak physical security The Low Hanging Fruit of Penetration Testing 10/9/2012 22
VA SCAN 2012: Securing the Future: BYOD and Beyond  #1 – Bad password management The Low Hanging Fruit of Penetration Testing 10/9/2012 23
VA SCAN 2012: Securing the Future: BYOD and Beyond  #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 24
VA SCAN 2012: Securing the Future: BYOD and Beyond  #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 25
VA SCAN 2012: Securing the Future: BYOD and Beyond  #3 – Incorrect permissions on web directory This is how web defacements happen. The Low Hanging Fruit of Penetration Testing 10/9/2012 26
VA SCAN 2012: Securing the Future: BYOD and Beyond  #4 - Missing OS and application patches The Low Hanging Fruit of Penetration Testing 10/9/2012 27
VA SCAN 2012: Securing the Future: BYOD and Beyond  #5 – Cross Site Scripting (XSS) The Low Hanging Fruit of Penetration Testing 10/9/2012 28
VA SCAN 2012: Securing the Future: BYOD and Beyond  #6 – Social Engineering This is what you can access by pretending to be the “Verizon guy.” The Low Hanging Fruit of Penetration Testing 10/9/2012 29
VA SCAN 2012: Securing the Future: BYOD and Beyond  #7 – Access to internal systems from the Internet The Low Hanging Fruit of Penetration Testing 10/9/2012 30
VA SCAN 2012: Securing the Future: BYOD and Beyond  #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 31
VA SCAN 2012: Securing the Future: BYOD and Beyond  #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 32
VA SCAN 2012: Securing the Future: BYOD and Beyond  #9 – Lack of encryption with sensitive script The Low Hanging Fruit of Penetration Testing 10/9/2012 33
VA SCAN 2012: Securing the Future: BYOD and Beyond  The real magic occurs when you get creative  Access the Registry via a blank SA password and run the reg query command to display the VNC password  Use the osql command to turn on Telnet and remotely access the server  Use the osql command to turn on xp_cmdshell  Watch keystrokes remotely via X-Windows with xspy  Download and compile a password cracking program and then run it to crack the machine’s passwords  Spoof a wireless access point and execute a MITM attack The Low Hanging Fruit of Penetration Testing 10/9/2012 34
VA SCAN 2012: Securing the Future: BYOD and Beyond Self-Audit Tools The Low Hanging Fruit of Penetration Testing 10/9/2012 35
VA SCAN 2012: Securing the Future: BYOD and Beyond  Port Scanners  Nmap  Nessus  SuperScan 3,4  RAPS (Remote Access Perimeter Scanner)  GFI The Low Hanging Fruit of Penetration Testing 10/9/2012 36
VA SCAN 2012: Securing the Future: BYOD and Beyond RAPS Output: 192.168.0.187 Port 5900 - VNC, Version 3.8 192.168.0.187 Port 5900 - VNC, NO LOGIN REQUIRED, Version 3.8 192.168.0.9 Port 3389 - Terminal Server 192.168.10.57 Port 5631 - pcAnywhere, Host: A1 192.168.10.56 Port 1720 - NetMeeting 10.2.0.139 Port 1494 – Citrix Server 10.2.1.20 Port 6000 – X Server, Version 11.0 10.2.1.21 Port 6000 – X Server, NO LOGIN REQUIRED, Version 11.0 The Low Hanging Fruit of Penetration Testing 10/9/2012 37
VA SCAN 2012: Securing the Future: BYOD and Beyond  IPSec Configuration  IPSecScan  Identify open IPSec endpoints  IKE-Scan  Display configuration parameters  With “aggressive mode”, dump PSK and brute force The Low Hanging Fruit of Penetration Testing 10/9/2012 15
VA SCAN 2012: Securing the Future: BYOD and Beyond IKE-Scan Output: 192.168.1.254 Aggressive Mode Handshake HDR=(CKY-R=509ca66bcabbcc3a) SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds ) VID=12f5f2887f768a9702d9fe274cc0100 VID=afcad713a12d96b8696fc77570100 VID=a55b0176cabacc3a52207fea2babaa9 VID=0900299bcfd6b712 (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.1.254) Nonce(20 bytes) Hash(20 bytes) What 3 items are not best practice? The Low Hanging Fruit of Penetration Testing 10/9/2012 15
VA SCAN 2012: Securing the Future: BYOD and Beyond  Web Applications  Proxies  Burp Suite  Paros  Scanners  Acunetix  Nikto  Nessus  HP WebInspect The Low Hanging Fruit of Penetration Testing 10/9/2012 15
VA SCAN 2012: Securing the Future: BYOD and Beyond  SSL Cipher Strength  SSLDigger  THCSSLCheck  OpenSSL The Low Hanging Fruit of Penetration Testing 10/9/2012 41
VA SCAN 2012: Securing the Future: BYOD and Beyond SSLDigger Output: 192.168.1.1: EXP-RC2-CBC-MD5 – (40) EXP-RC4-MD5 – (40) EXP1024-DES-CBC-SHA – (56) EXP1024-RC4-SHA – (56) DES-CBC-SHA – (56) (X) – Number of bits of encryption This tool is great for checking PCI compliance The Low Hanging Fruit of Penetration Testing 10/9/2012 42
VA SCAN 2012: Securing the Future: BYOD and Beyond  Dial-In  PhoneSweep  Commercial “wardialer” – can identify modems/architecture and perform dictionary-based attacks on accounts  Wireless  802.11  Aircrack-ng  Kismet  Bluetooth  Bluesnarf  BlueAuditor The Low Hanging Fruit of Penetration Testing 10/9/2012 43
VA SCAN 2012: Securing the Future: BYOD and Beyond Why do vendors insist on making it easy for attackers? The Low Hanging Fruit of Penetration Testing 10/9/2012 44
VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing 10/9/2012 45
VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing 10/9/2012 46
VA SCAN 2012: Securing the Future: BYOD and Beyond Rule #1 in Security Ease of Secure Use The Low Hanging Fruit of Penetration Testing 10/9/2012 47
VA SCAN 2012: Securing the Future: BYOD and Beyond Wrap-Up The Low Hanging Fruit of Penetration Testing 10/9/2012 48
VA SCAN 2012: Securing the Future: BYOD and Beyond  Data breaches affect your organization’s reputation and can cost you significant money.  Software is becoming more complex while attacker tools are becoming easier to use.  The majority of data breaches can be prevented by following simple, best practice rules to eliminate low hanging fruit. The Low Hanging Fruit of Penetration Testing 10/9/2012 49
VA SCAN 2012: Securing the Future: BYOD and Beyond Q&A Bryan Miller bryan@syrinxtech.com www.syrinxtech.com 804-539-9154 The Low Hanging Fruit of Penetration Testing 10/9/2012 50

Recomendados

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
Seguridad y Control de Acceso de las Bases de Datos
Seguridad y Control de Acceso de las Bases de DatosSeguridad y Control de Acceso de las Bases de Datos
Seguridad y Control de Acceso de las Bases de DatosLork Ederwin
 
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI BUDI DAYA TANAMAN LENGKENG SECARA OKULASI
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI ripto atmaja
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
BYOD Trends, Challenges, Pitfalls and Tips
BYOD Trends, Challenges, Pitfalls and TipsBYOD Trends, Challenges, Pitfalls and Tips
BYOD Trends, Challenges, Pitfalls and TipsAxios Systems
 
Innovate your Planning Process
Innovate your Planning ProcessInnovate your Planning Process
Innovate your Planning ProcessSteve Johnson
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace RisksParag Deodhar
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 

Recomendados

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
Seguridad y Control de Acceso de las Bases de Datos
Seguridad y Control de Acceso de las Bases de DatosSeguridad y Control de Acceso de las Bases de Datos
Seguridad y Control de Acceso de las Bases de DatosLork Ederwin
 
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI BUDI DAYA TANAMAN LENGKENG SECARA OKULASI
BUDI DAYA TANAMAN LENGKENG SECARA OKULASI ripto atmaja
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
BYOD Trends, Challenges, Pitfalls and Tips
BYOD Trends, Challenges, Pitfalls and TipsBYOD Trends, Challenges, Pitfalls and Tips
BYOD Trends, Challenges, Pitfalls and TipsAxios Systems
 
Innovate your Planning Process
Innovate your Planning ProcessInnovate your Planning Process
Innovate your Planning ProcessSteve Johnson
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace RisksParag Deodhar
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 
The Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantThe Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantJohn Bedrick
 
It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for HealthcareIt's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for HealthcareMarie-Michelle Strah, PhD
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpValery Boronin
 
Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6Ulf Mattsson
 
Coexisting with Vulnerabilities
Coexisting with VulnerabilitiesCoexisting with Vulnerabilities
Coexisting with VulnerabilitiesDennis Chaupis
 
BYOD = Bring Your Own Device
BYOD = Bring Your Own DeviceBYOD = Bring Your Own Device
BYOD = Bring Your Own DeviceGovLoop
 
Key Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP DiscoverKey Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP DiscoverCapgemini
 
Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012jvangombos
 
Sunrise presentation
Sunrise presentationSunrise presentation
Sunrise presentationBarbara G Gibney
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
 
Online identity management workshop
Online identity management workshopOnline identity management workshop
Online identity management workshopJISC SSBR
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Securityinside-BigData.com
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasBlack Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasTripwire
 
The year that shook the world
The year that shook the worldThe year that shook the world
The year that shook the worldTrend Micro (EMEA) Limited
 
Cases
CasesCases
CasesAlexandra
 
Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Eturnti Consulting Pvt Ltd
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD Infrastructure Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD InfrastructureMelissa Andrews
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsPeter Wood
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook SecurityRogers Communications
 
Security In an IoT World
Security In an IoT WorldSecurity In an IoT World
Security In an IoT Worldsyrinxtech
 
Infrastructure Auditing
Infrastructure AuditingInfrastructure Auditing
Infrastructure Auditingsyrinxtech
 

Mais conteúdo relacionado

Semelhante a VA SCAN 2012: Securing the Future: BYOD and Beyond Penetration Testing Low Hanging Fruit

The Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantThe Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantJohn Bedrick
 
It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for HealthcareIt's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for HealthcareMarie-Michelle Strah, PhD
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpValery Boronin
 
Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6Ulf Mattsson
 
Coexisting with Vulnerabilities
Coexisting with VulnerabilitiesCoexisting with Vulnerabilities
Coexisting with VulnerabilitiesDennis Chaupis
 
BYOD = Bring Your Own Device
BYOD = Bring Your Own DeviceBYOD = Bring Your Own Device
BYOD = Bring Your Own DeviceGovLoop
 
Key Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP DiscoverKey Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP DiscoverCapgemini
 
Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012jvangombos
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Skybox Security
 
Online identity management workshop
Online identity management workshopOnline identity management workshop
Online identity management workshopJISC SSBR
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Securityinside-BigData.com
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasBlack Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasTripwire
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD Infrastructure Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD InfrastructureMelissa Andrews
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsPeter Wood
 

Semelhante a VA SCAN 2012: Securing the Future: BYOD and Beyond Penetration Testing Low Hanging Fruit (20)

The Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantThe Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being Compliant
 
It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for HealthcareIt's About the Data, Stupid: Mobile Security and BYOD for Healthcare
It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
 
Humans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can HelpHumans Are The Weakest Link – How DLP Can Help
Humans Are The Weakest Link – How DLP Can Help
 
Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6Isaca e symposium understanding your data flow jul 6
Isaca e symposium understanding your data flow jul 6
 
Coexisting with Vulnerabilities
Coexisting with VulnerabilitiesCoexisting with Vulnerabilities
Coexisting with Vulnerabilities
 
BYOD = Bring Your Own Device
BYOD = Bring Your Own DeviceBYOD = Bring Your Own Device
BYOD = Bring Your Own Device
 
Key Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP DiscoverKey Findings from the World Quality Report 2012-13 at HP Discover
Key Findings from the World Quality Report 2012-13 at HP Discover
 
Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012Sunrise Presentation, Company Overview 2012
Sunrise Presentation, Company Overview 2012
 
Sunrise presentation
Sunrise presentationSunrise presentation
Sunrise presentation
 
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
Out With the Old, In With the New – Reinvent and Justify Your 2013 Security S...
 
Online identity management workshop
Online identity management workshopOnline identity management workshop
Online identity management workshop
 
IDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber SecurityIDC Best Practices in Private Sector Cyber Security
IDC Best Practices in Private Sector Cyber Security
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasBlack Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
 
The year that shook the world
The year that shook the worldThe year that shook the world
The year that shook the world
 
Cases
CasesCases
Cases
 
Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD Infrastructure Executive Summary: Considering a BYOD Infrastructure
Executive Summary: Considering a BYOD Infrastructure
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 

Mais de syrinxtech

Security In an IoT World
Security In an IoT WorldSecurity In an IoT World
Security In an IoT Worldsyrinxtech
 
Infrastructure Auditing
Infrastructure AuditingInfrastructure Auditing
Infrastructure Auditingsyrinxtech
 
Remote Access Security
Remote Access SecurityRemote Access Security
Remote Access Securitysyrinxtech
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Securitysyrinxtech
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Focus Your Business
Focus Your BusinessFocus Your Business
Focus Your Businesssyrinxtech
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing toolsyrinxtech
 
PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?syrinxtech
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practicessyrinxtech
 

Mais de syrinxtech (10)

Security In an IoT World
Security In an IoT WorldSecurity In an IoT World
Security In an IoT World
 
Infrastructure Auditing
Infrastructure AuditingInfrastructure Auditing
Infrastructure Auditing
 
Virtual CSO
Virtual CSOVirtual CSO
Virtual CSO
 
Remote Access Security
Remote Access SecurityRemote Access Security
Remote Access Security
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Security
 
Focus Your Business
Focus Your BusinessFocus Your Business
Focus Your Business
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing tool
 
PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practices
 

VA SCAN 2012: Securing the Future: BYOD and Beyond Penetration Testing Low Hanging Fruit

  • 1. VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing Bryan Miller Computer Science & Information Systems Virginia Commonwealth University
  • 2. VA SCAN 2012: Securing the Future: BYOD and Beyond Agenda  Speaker Introduction  What’s the Problem?  Definitions  Security Testing Issues  Lessons Learned  Self-Audit Tools  Wrap Up The Low Hanging Fruit of Penetration Testing 10/9/2012 2
  • 3. VA SCAN 2012: Securing the Future: BYOD and Beyond Speaker Introduction  B.S. ISY, M.S. CS – VCU  VCU Network Engineer for 5 years  CISSP, former Cisco CCIE in R/S  FTEMS, ISSA, ISACA, IALR, VA SCAN lecturer  Penetration testing for 11 years  Formed Syrinx Technologies in 2007  Published author with 25 years in I.T. The Low Hanging Fruit of Penetration Testing 10/9/2012 3
  • 4. VA SCAN 2012: Securing the Future: BYOD and Beyond What’s the Problem? The Low Hanging Fruit of Penetration Testing 10/9/2012 4
  • 5. VA SCAN 2012: Securing the Future: BYOD and Beyond  In many organizations security is seen as a nuisance – a “must do” but not a “must have.”  Despite everything we know about securing systems and applications, there are new data breaches announced every week.  Organizations of every size and complexity are affected, including the government, military, commercial, R&D, banking and education. The Low Hanging Fruit of Penetration Testing 10/9/2012 5
  • 6. VA SCAN 2012: Securing the Future: BYOD and Beyond  Most of the breaches are caused by issues that would never have existed if available best practice rules had been followed.  Hacking has become commercialized.  Exploit “frameworks” lower the bar in regards to knowledge required to compromise systems. The Low Hanging Fruit of Penetration Testing 10/9/2012 6
  • 7. VA SCAN 2012: Securing the Future: BYOD and Beyond Definitions The Low Hanging Fruit of Penetration Testing 10/9/2012 7
  • 8. VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  Penetration Testing  Social Engineering  Wardialing/Wardriving The Low Hanging Fruit of Penetration Testing 10/9/2012 8
  • 9. VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  “jiggling the handle”  Often required for compliance  Sometimes confused with a risk assessment The Low Hanging Fruit of Penetration Testing 10/9/2012 9
  • 10. VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing  External vs. internal  Goal is to simulate a real attacker, but with limits  How do those limits affect the testing?  How do you measure success? The Low Hanging Fruit of Penetration Testing 10/9/2012 10
  • 11. VA SCAN 2012: Securing the Future: BYOD and Beyond  Social Engineering  Three easy words: Hacking the Human  Easy to talk about, extremely difficult to prevent  Policies and education are the front line of defense The Low Hanging Fruit of Penetration Testing 10/9/2012 11
  • 12. VA SCAN 2012: Securing the Future: BYOD and Beyond  Wardialing/Wardriving  Wardialing – dialing phone numbers to look for modems  Wardriving – scanning for wireless access points  Includes 802.11, Bluetooth, Zigbee, X.10  Legal to scan but not to associate to an AP  Includes warwalking and warchalking The Low Hanging Fruit of Penetration Testing 10/9/2012 12
  • 13. VA SCAN 2012: Securing the Future: BYOD and Beyond Security Testing Issues The Low Hanging Fruit of Penetration Testing 10/9/2012 13
  • 14. VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing vs. Vulnerability Assessments  Is one “better” than the other?  Which one is right for my situation?  Thorough requirements definition  Rules of engagement  What constitutes success?  Deliverables The Low Hanging Fruit of Penetration Testing 10/9/2012 14
  • 15. VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we test?  FERPA, PCI, HIPAA, SOX, FFIEC, NCUA, FIPS  Internal Audit requirements  Baseline the security posture for new management  Mergers & acquisitions  Natural complement to risk assessments The Low Hanging Fruit of Penetration Testing 10/9/2012 15
  • 16. VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we NOT test?  If you consider security a waste of good money  If you don’t want to know the answers  If you can’t or aren’t going to fix anything  If you really want to be on the local news or have someone write a magazine article about you The Low Hanging Fruit of Penetration Testing 10/9/2012 16
  • 17. VA SCAN 2012: Securing the Future: BYOD and Beyond  Why don’t we test?  Our employees don’t know how to do bad things.  We already know what’s broken.  We don’t have anything hackers want.  If you tell us what’s wrong, we’ll have to fix it.  We haven’t fixed the things you found last time. The Low Hanging Fruit of Penetration Testing 10/9/2012 17
  • 18. VA SCAN 2012: Securing the Future: BYOD and Beyond  In-house or outsource?  The first question you have to answer is, “Do I have the staff with the relevant skills/tools/time?”  You might not have a choice due to auditing standards.  A good compromise is to perform internal self-tests followed by a review from a 3rd party.  Knowing something about the process makes you a better consumer. The Low Hanging Fruit of Penetration Testing 10/9/2012 18
  • 19. VA SCAN 2012: Securing the Future: BYOD and Beyond Lessons Learned The Low Hanging Fruit of Penetration Testing 10/9/2012 19
  • 20. VA SCAN 2012: Securing the Future: BYOD and Beyond  So, having said all that, what have we learned about data breaches?  They happen to organizations of all sizes and complexity.  Many of them can be prevented using best practice methods.  Many can be categorized as “low hanging fruit.”  The larger your organization, the more LHF. The Low Hanging Fruit of Penetration Testing 10/9/2012 20
  • 21. VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (1-5) 1. Bad password management 2. Default security controls 3. Incorrect permissions on files, directories, databases, etc. 4. Missing OS and application patches 5. SQL Injection, XSS, cookie, state and URL issues on web sites The Low Hanging Fruit of Penetration Testing 10/9/2012 21
  • 22. VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (6-10) 6. Lack of security awareness 7. Access to internal systems from the Internet 8. Insecure wireless access points/modems 9. Lack of encryption (laptops, sensitive data & emails) 10. Weak physical security The Low Hanging Fruit of Penetration Testing 10/9/2012 22
  • 23. VA SCAN 2012: Securing the Future: BYOD and Beyond  #1 – Bad password management The Low Hanging Fruit of Penetration Testing 10/9/2012 23
  • 24. VA SCAN 2012: Securing the Future: BYOD and Beyond  #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 24
  • 25. VA SCAN 2012: Securing the Future: BYOD and Beyond  #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 25
  • 26. VA SCAN 2012: Securing the Future: BYOD and Beyond  #3 – Incorrect permissions on web directory This is how web defacements happen. The Low Hanging Fruit of Penetration Testing 10/9/2012 26
  • 27. VA SCAN 2012: Securing the Future: BYOD and Beyond  #4 - Missing OS and application patches The Low Hanging Fruit of Penetration Testing 10/9/2012 27
  • 28. VA SCAN 2012: Securing the Future: BYOD and Beyond  #5 – Cross Site Scripting (XSS) The Low Hanging Fruit of Penetration Testing 10/9/2012 28
  • 29. VA SCAN 2012: Securing the Future: BYOD and Beyond  #6 – Social Engineering This is what you can access by pretending to be the “Verizon guy.” The Low Hanging Fruit of Penetration Testing 10/9/2012 29
  • 30. VA SCAN 2012: Securing the Future: BYOD and Beyond  #7 – Access to internal systems from the Internet The Low Hanging Fruit of Penetration Testing 10/9/2012 30
  • 31. VA SCAN 2012: Securing the Future: BYOD and Beyond  #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 31
  • 32. VA SCAN 2012: Securing the Future: BYOD and Beyond  #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 32
  • 33. VA SCAN 2012: Securing the Future: BYOD and Beyond  #9 – Lack of encryption with sensitive script The Low Hanging Fruit of Penetration Testing 10/9/2012 33
  • 34. VA SCAN 2012: Securing the Future: BYOD and Beyond  The real magic occurs when you get creative  Access the Registry via a blank SA password and run the reg query command to display the VNC password  Use the osql command to turn on Telnet and remotely access the server  Use the osql command to turn on xp_cmdshell  Watch keystrokes remotely via X-Windows with xspy  Download and compile a password cracking program and then run it to crack the machine’s passwords  Spoof a wireless access point and execute a MITM attack The Low Hanging Fruit of Penetration Testing 10/9/2012 34
  • 35. VA SCAN 2012: Securing the Future: BYOD and Beyond Self-Audit Tools The Low Hanging Fruit of Penetration Testing 10/9/2012 35
  • 36. VA SCAN 2012: Securing the Future: BYOD and Beyond  Port Scanners  Nmap  Nessus  SuperScan 3,4  RAPS (Remote Access Perimeter Scanner)  GFI The Low Hanging Fruit of Penetration Testing 10/9/2012 36
  • 37. VA SCAN 2012: Securing the Future: BYOD and Beyond RAPS Output: 192.168.0.187 Port 5900 - VNC, Version 3.8 192.168.0.187 Port 5900 - VNC, NO LOGIN REQUIRED, Version 3.8 192.168.0.9 Port 3389 - Terminal Server 192.168.10.57 Port 5631 - pcAnywhere, Host: A1 192.168.10.56 Port 1720 - NetMeeting 10.2.0.139 Port 1494 – Citrix Server 10.2.1.20 Port 6000 – X Server, Version 11.0 10.2.1.21 Port 6000 – X Server, NO LOGIN REQUIRED, Version 11.0 The Low Hanging Fruit of Penetration Testing 10/9/2012 37
  • 38. VA SCAN 2012: Securing the Future: BYOD and Beyond  IPSec Configuration  IPSecScan  Identify open IPSec endpoints  IKE-Scan  Display configuration parameters  With “aggressive mode”, dump PSK and brute force The Low Hanging Fruit of Penetration Testing 10/9/2012 15
  • 39. VA SCAN 2012: Securing the Future: BYOD and Beyond IKE-Scan Output: 192.168.1.254 Aggressive Mode Handshake HDR=(CKY-R=509ca66bcabbcc3a) SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds ) VID=12f5f2887f768a9702d9fe274cc0100 VID=afcad713a12d96b8696fc77570100 VID=a55b0176cabacc3a52207fea2babaa9 VID=0900299bcfd6b712 (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.1.254) Nonce(20 bytes) Hash(20 bytes) What 3 items are not best practice? The Low Hanging Fruit of Penetration Testing 10/9/2012 15
  • 40. VA SCAN 2012: Securing the Future: BYOD and Beyond  Web Applications  Proxies  Burp Suite  Paros  Scanners  Acunetix  Nikto  Nessus  HP WebInspect The Low Hanging Fruit of Penetration Testing 10/9/2012 15
  • 41. VA SCAN 2012: Securing the Future: BYOD and Beyond  SSL Cipher Strength  SSLDigger  THCSSLCheck  OpenSSL The Low Hanging Fruit of Penetration Testing 10/9/2012 41
  • 42. VA SCAN 2012: Securing the Future: BYOD and Beyond SSLDigger Output: 192.168.1.1: EXP-RC2-CBC-MD5 – (40) EXP-RC4-MD5 – (40) EXP1024-DES-CBC-SHA – (56) EXP1024-RC4-SHA – (56) DES-CBC-SHA – (56) (X) – Number of bits of encryption This tool is great for checking PCI compliance The Low Hanging Fruit of Penetration Testing 10/9/2012 42
  • 43. VA SCAN 2012: Securing the Future: BYOD and Beyond  Dial-In  PhoneSweep  Commercial “wardialer” – can identify modems/architecture and perform dictionary-based attacks on accounts  Wireless  802.11  Aircrack-ng  Kismet  Bluetooth  Bluesnarf  BlueAuditor The Low Hanging Fruit of Penetration Testing 10/9/2012 43
  • 44. VA SCAN 2012: Securing the Future: BYOD and Beyond Why do vendors insist on making it easy for attackers? The Low Hanging Fruit of Penetration Testing 10/9/2012 44
  • 45. VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing 10/9/2012 45
  • 46. VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing 10/9/2012 46
  • 47. VA SCAN 2012: Securing the Future: BYOD and Beyond Rule #1 in Security Ease of Secure Use The Low Hanging Fruit of Penetration Testing 10/9/2012 47
  • 48. VA SCAN 2012: Securing the Future: BYOD and Beyond Wrap-Up The Low Hanging Fruit of Penetration Testing 10/9/2012 48
  • 49. VA SCAN 2012: Securing the Future: BYOD and Beyond  Data breaches affect your organization’s reputation and can cost you significant money.  Software is becoming more complex while attacker tools are becoming easier to use.  The majority of data breaches can be prevented by following simple, best practice rules to eliminate low hanging fruit. The Low Hanging Fruit of Penetration Testing 10/9/2012 49
  • 50. VA SCAN 2012: Securing the Future: BYOD and Beyond Q&A Bryan Miller bryan@syrinxtech.com www.syrinxtech.com 804-539-9154 The Low Hanging Fruit of Penetration Testing 10/9/2012 50