Session Description:
Compliance and Best Practices tell us to do a Penetration Test, but there is no real definition. We are asked to do Vulnerability Scanning, but are the scores relevant? What about this huge audit we went through? All those tests and all those boxes checked... is our company more secure?
As a tester and defender I am SICK of seeing people pay for testing and have no idea what the tester did, how they did it, or what value it provides. Unless we follow a methodology that is repeatable, understand the business and its assets, and work on both the Red Team AND Blue Team... we are defending our networks with the same stacks of cash the attackers are trying to steal.
This session will talk about practical testing and defense, getting the most out of your testing dollar, and <surprise face> how to track the growth of your InfoSec program from its management systems all the way out to the magical question "how are we REALLY?"
17. Pain in the arse
Loudmouth
Hacker punk
Tells lies (professionally)
Is called all sorts of bad words... that I will likely say throughout this talk
Can't code well
Talks $hit
Drinks a LOT
Is an overall J3rk
37. A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
http://en.wikipedia.org/wiki/Vulnerability_assessment
38. Reasons to Conduct
Identify potential vulnerabilities
Provide scoring of risk and prioritization of remediation
Manage environment vulnerabilities over time to show security program improvement, increased defense capability and compliance with the ongoing patch, system and vulnerability lifecycle
How it’s usually done
Run a bunch of scanners
Generate a report
**Sometimes** generate a custom report consisting of copy/paste data from the vulnerability scanners and TRY to make sure you delete the words Nessus, Qualys… and/or the previous client’s name
39. Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results and overall accuracy*
Do not perform Denial of Service
Do not run thorough checks
Do not run Web checks
Only run ONE brand of scanner
Limit only to known network checks
Only scan once
41. A penetration test is a method of evaluating the security of a computer system or
network by simulating an attack from a malicious source... The process involves an
active analysis of the system for any potential vulnerabilities that may result from poor
or improper system configuration, known and/or unknown hardware or software flaws,
or operational weaknesses in process or technical countermeasures.
http://en.wikipedia.org/wiki/Penetration_test
43. Reasons to Conduct
Identify if attackers can readily compromise the security of the business
Identify potential impact to the business
Confirm vulnerabilities identified
Gain a “Real World” view of an attacker’s ability to “hack” the environment and resolve the issues identified
How it’s usually done
Do all the steps in Vulnerability Assessment listed previously
Run Metasploit/Core/Canvas against hosts
Try a few other automated tools
Call it “SECURE” if those don’t work
44. Do not allow the exploitation of systems
Restrict testing to non-production systems
Restrict the hours of testing
Restrict the length of testing
Improperly scope / fail to include ALL addresses
Only perform externally
Patch/fix BEFORE the test
Only allow directed attacks (no SE/phishing)
Lack of focus on BUSINESS risk and increased focus on technical issues
46. IT risk management is the application of risk management to the information technology context in order to manage IT risk.
Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.
http://laresconsulting.com/risk.php
48. Reasons to Conduct
Compliance with regulations
Overall health check of the InfoSec program
Gain understanding of program effectiveness
Baseline discovery
To show 3rd parties and customers they are “Secure”
How it’s usually done
Whip out a checklist
Check stuff off on the checklist
Have a TON of interviews
Believe every word
Do a tick mark legend and ask people to provide “evidence” *which is usually faked*
Only assess controls that are in scope of THAT specific assessment *often information centric*
49. Do not allow ACTUAL/TECHNICAL testing and validation
Rely on all information provided as TRUE
Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS
Allow for “Compensating Controls” to be an answer to most issues
Expect to become compliant through outsourcing
Expect to become compliant through product purchase/implementation
Be unprepared
LIE
55. Skip it!
Do it yourself
Use scanners to identify vulns
Figure out a process to track them over time
Manage the reduction of vulns over time
Manage the MTTP (Mean Time To Patch)
Do the rest and make your testers WORK hard.
56. DON’T RUSH IT
PLAN FOR INTERACTION
ALWAYS “Ride Along”
Connect to the REAL impact (shells don’t matter)
GO FULL SCOPE
Don’t use firms that have “SECRET” processes or cannot explain every step of the test and HOW they do it
Attack like AN ATTACKER not like a script kiddie
Use a repeatable methodology
57. IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER
[timeline figure: Recon | Scan | Enumerate | Exploit | Post-Exploit | Write Report]
60. Common misconceptions
We will get owned, what’s the point
It will offend our users
Doesn’t provide enough value
How it’s usually done
Send a 419 scam style email
Track clicks
Write a report to show who clicked
62. MAKE IT BUSINESS FOCUSED NOT IT FOCUSED
Use multiple standards
Remove silos and scope restrictions
TEST, TEST, TEST (PBC docs ARE NOT SUFFICIENT)
A sample set does not show the ability to secure. A crack in certain parts of the defense chain allows for the compromise of the ENTIRE COMPANY
ALWAYS interview each and every executive to understand THEIR concerns and build the solutions to address THEM and not always “just for the audit”
Discuss the VALUE of systems in relevance to the business and re-weight scores
NEVER allow a compensating control on a BUSINESS critical system. EVER
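The “do it yourself” vulnerability tracking from slide 55 (open vulns over time, Mean Time To Patch) and the “re-weight scores by business value” point above are easy to operationalise in a few lines. The following is an added example, not code from the talk or from Lares: it takes a constructed, hypothetical set of normalised scanner findings (hosts, check names, CVSS values, scan dates and the business-value multipliers are all made up for illustration), computes the open-finding trend across three scan dates, MTTP overall and per severity, and then ranks what is still open by CVSS multiplied by the asset’s agreed business value rather than by raw CVSS.

```python
from datetime import date
from statistics import mean

# Constructed sample findings: what a scanner export looks like once you
# normalise it to (host, check, severity, cvss, first_seen, fixed).
# "fixed" is None while the finding is still open. Hosts, check names and
# dates are hypothetical; map your Nessus/Qualys/OpenVAS CSV onto this shape.
FINDINGS = [
    ("web01", "weak-ssl-cipher",  "medium",   5.3, date(2013, 1, 7), date(2013, 2, 4)),
    ("web01", "outdated-apache",  "high",     7.5, date(2013, 1, 7), date(2013, 3, 4)),
    ("pay01", "default-creds",    "critical", 9.8, date(2013, 1, 7), date(2013, 1, 21)),
    ("pay01", "smb-signing-off",  "medium",   5.0, date(2013, 1, 7), None),
    ("dev02", "outdated-java",    "high",     7.2, date(2013, 2, 4), None),
    ("dev02", "anon-ftp",         "low",      3.1, date(2013, 1, 7), date(2013, 1, 21)),
    ("hr01",  "missing-os-patch", "high",     8.1, date(2013, 2, 4), date(2013, 2, 18)),
    ("hr01",  "weak-ssl-cipher",  "medium",   5.3, date(2013, 3, 4), None),
]

# Hypothetical business-value multipliers agreed with the asset owners:
# the payment host counts three times a plain web host, a dev box half.
ASSET_VALUE = {"pay01": 3.0, "hr01": 2.0, "web01": 1.5, "dev02": 0.5}

# The monthly scan dates the findings above were observed on (constructed).
SCAN_DATES = [date(2013, 1, 7), date(2013, 2, 4), date(2013, 3, 4)]


def open_findings(findings, as_of):
    """Findings that were present in the scan taken on `as_of`."""
    return [f for f in findings
            if f[4] <= as_of and (f[5] is None or f[5] > as_of)]


def open_count_trend(findings, scan_dates):
    """Open finding count per scan date: the line that must go down over time."""
    return {d: len(open_findings(findings, d)) for d in scan_dates}


def mttp_days(findings, severity=None):
    """Mean Time To Patch in days over closed findings (optionally one severity).
    Returns None if nothing of that severity has been closed yet."""
    durations = [(fixed - first).days
                 for _, _, sev, _, first, fixed in findings
                 if fixed is not None and (severity is None or sev == severity)]
    return mean(durations) if durations else None


def mttp_by_severity(findings):
    """MTTP broken out per severity, so a good overall number cannot hide slow criticals."""
    return {s: mttp_days(findings, s) for s in sorted({f[2] for f in findings})}


def business_weighted(findings, as_of, asset_value):
    """Open findings ranked by CVSS * asset value instead of raw CVSS.
    Hosts with no agreed value keep weight 1.0, i.e. the scanner's own score."""
    ranked = [(host, check, round(cvss * asset_value.get(host, 1.0), 2))
              for host, check, _, cvss, _, _ in open_findings(findings, as_of)]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for d, n in open_count_trend(FINDINGS, SCAN_DATES).items():
        print(f"{d}: {n} open")
    print("MTTP overall: %.1f days" % mttp_days(FINDINGS))
    for sev, days in mttp_by_severity(FINDINGS).items():
        print(f"MTTP {sev}: {days} days")
    print("Open findings, business-weighted:")
    for host, check, score in business_weighted(FINDINGS, SCAN_DATES[-1], ASSET_VALUE):
        print(f"{score:5.1f}  {host:6} {check}")
```

On the sample data the trend reads 5, 4, 3 open findings across the three scans, and the business-weighted ranking puts the medium SMB-signing finding on the payment host above the high-CVSS Java finding on the dev box, which is exactly the re-ordering the slide is asking for. Feeding real exports in is a matter of keeping the first-seen date per (host, check) across scans and recording the first scan in which it no longer appears as the fix date.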
68. The term originated within the military to describe a team whose purpose is to penetrate
security of "friendly" installations, and thus test their security measures. The members
are professionals who install evidence of their success, e.g. leave cardboard signs
saying "bomb" in critical defense installations, hand-lettered notes saying that “your
codebooks have been stolen" (they usually have not been) inside safes, etc.
Sometimes, after a successful penetration, a high-ranking security person will show up
later for a "security review," and "find" the evidence. Afterward, the term became
popular in the computer industry, where the security of computer systems is often tested
by tiger teams.
How do you know you can put up a fight if you have never taken a punch?
69. RED TEAM
Electronic
• Network pentesting
• Surveillance/plants
Social
• In-person social engineering
• Phone conversation
• Social profiling
Physical
• Lockpicking
• Direct attack
EP Convergence (Electronic + Physical)
• Attacks on physical systems that are network enabled
ES Convergence (Electronic + Social)
• Blackmail
• Phishing
• Profiling
• Creating moles
PS Convergence (Physical + Social)
• Tailgating
• Impersonation
70. Reasons to Conduct
Real world test to see how you will hold up against a highly skilled, motivated and funded
attacker
The only type of testing that will cover a fully converged attack surface
Impact assessment is IMMEDIATE and built to show a maximum damage event
This IS the FULL DR test of an InfoSec Program
72. Reasons to Conduct
Exercises in evaluating WHO your top 5 most likely attackers are
Full OSINT profiling on the attackers and their capabilities
Scenarios which are highly focused at detecting, confirming, mitigating and resolving attacks that are the MOST likely to happen
Testers are forced to use the capabilities of the likely attackers and train the team how to be cool under fire
The most relevant attacks are dealt with FIRST; you are not defending against the pentester… you are prepping for the battle that WILL happen
74. What is it?
Evaluate threat and risk from employee/staff/contractor/executive/etc.
Use company provisioned asset/standard access model (limited privs)
Identify what data/assets can be accessed through authorized channels
Identify elevation of privilege scenarios (exploit AND non-exploit methods)
75. Why do it?
Provides visibility into “what could happen”
A user WILL be compromised at some point
Evaluate security posture of corporate assets
External testing doesn’t always provide accurate measurement of internally sourced threats
Identify insecure internal communication channels
Evaluate covert channel resistance/prevention
External assessments usually only measure (1) of these (if you’re lucky)
Measure defense capabilities internally (beyond perimeter):
System to system communication
Level of “noise” detection
Data leakage/exfil abilities
Log/data correlation
Incident response/forensics team’s level of knowledge/expertise
77. Reasons to Conduct
Targeted at working BOTH sides of the test
Active analysis on defense capability and improvements / feedback can be real time
Direct understanding of where process, policy and procedure break down in a REAL LIFE EVENT
Identification of defensive technology effectiveness
79. Reasons to Conduct
Targeted at working on identifying BUSINESS vulns
How much can/do partners hurt you
Where can you better defend against partners and 3rd parties
Who, what, where, when and why… of how the business works and how it can be materially affected by relationships