ISACA Ethical Hacking Presentation 10/2011
DESCRIPTION
Mind the gap between business and ethical hacking.
TRANSCRIPT
Ethical Hacking...Mind the Gap with Business
ISACA Round Table 10/2011 - Xavier Mertens
$ whoami
• Xavier Mertens
• Security Consultant @ Telenet (C-CURE)
• CISSP, CISA, CEH
• Security Blogger
• Volunteer for security projects
$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers”
Agenda
• You said “ethical hacking”?
• Some frameworks
• The process
• Some tips
You said “Ethical Hacking”?
“Ethic”
“A set of moral principles of right and wrong that are accepted by an individual or a social group”
“Hacking”
“Practice of modifying computer hardware/software or any other electronic device to accomplish a goal outside of the creator’s original purpose. People who engage in computer hacking activities are often called ‘hackers’.”
Hackers are good guys
The term 'hacker' has been misrepresented in popular media for a long time!
“Hacking has nothing to do with criminal activities such as identity theft and electronic trespassing! Rather, it [hacker] has been coined at the Massachusetts Institute of Technology (MIT) as a term for curious individuals for whom every device or piece of software is full of exciting challenges to develop potential improvements or discover alternative uses.”
But some go astray...
Hacking can be used to break into computers for personal or commercial gain or for malicious activities.
Those are called “Black Hats”
Can hacking be “ethical”?
Yes, of course!
Using the same tools and techniques as the bad guys, ethical hackers discover security vulnerabilities, which are then disclosed and patched (sometimes ;-)
Ethical Hacking is...
An individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate computer systems using the same methods as a Hacker.
Ethical hacking is:
• Legal
• Granted by the target
• Scope clearly defined / NDA
• Non destructive
Also Known As...
• Pentesting
• White-hat hacking
• Red-teaming
Communities
Security conferences try to create bridges between the various actors active in the computer security world, including but not limited to hackers, security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc.
Security Researchers
• Develop tools to understand how attacks work and how to reproduce them
• Search for software vulnerabilities, with the debate of full disclosure vs. responsible disclosure
• Prosecuted in some countries
• Research is mandatory!
Why are we vulnerable?
Features / Ease of use / Security
New features/ease of use reduce the security, or at least increase the attack surface!
Nothing new...
• Confidentiality
• Integrity
• Availability
Some Testing Frameworks
OSSTMM
• “Open Source Security Testing Methodology Manual”
• Based on a scientific method
• Divided into 4 groups: Scope, Channel, Index & Vector
• http://www.isecom.org/osstmm
ISSAF
• “Information Systems Security Assessment Framework”
• Focuses on 2 areas: Technical & Managerial
• http://www.oissg.org/issaf
OWASP Top Ten
• Open Web Application Security Project
• Focuses on the application layer (websites)
• http://www.owasp.org/
WASC-TC
• “Web Application Security Consortium Threat Classification”
• Similar to OWASP but deeper
• Helps developers and security staff understand the threats
• http://projects.webappsec.org/Threat-Classification
PTES
• “Penetration Testing Execution Standard”
• A new standard (Alpha) designed to provide both businesses and security service providers with a common language and scope for performing penetration testing
• http://www.pentest-standard.org
Forget the frameworks!
• Ethical hacking is highly technical
• Use your imagination!
• Be “vicious”!
• Think as a “bad boy”!
![Page 24: ISACA Ethical Hacking Presentation 10/2011](https://reader031.vdocuments.mx/reader031/viewer/2022020122/54b4320e4a79594e598b45a7/html5/thumbnails/24.jpg)
Let’s use a standard• Check-lists suxx!
• Reporting a list of CVE’s or MS security bulletins is irrelevant
• Need of translation from technical risks into business risks
• Loss of profit
• Loss of confidentiality
• Hit the management!
![Page 25: ISACA Ethical Hacking Presentation 10/2011](https://reader031.vdocuments.mx/reader031/viewer/2022020122/54b4320e4a79594e598b45a7/html5/thumbnails/25.jpg)
The Process
![Page 26: ISACA Ethical Hacking Presentation 10/2011](https://reader031.vdocuments.mx/reader031/viewer/2022020122/54b4320e4a79594e598b45a7/html5/thumbnails/26.jpg)
Process• Preparation
• Reconnaissance
• Scanning
• Gaining access
• Maintaining access
• Clearing tracks
• Reporting
![Page 27: ISACA Ethical Hacking Presentation 10/2011](https://reader031.vdocuments.mx/reader031/viewer/2022020122/54b4320e4a79594e598b45a7/html5/thumbnails/27.jpg)
Preparation
• Define a clear scope with the customer
• Contract
• Protection against legal issues
• Definition of limits and danger
• Which tests are permitted
• Time window / Total time
• Key people
• NDA
Some scope examples
• A business application
• Physical security
• Wi-Fi
• DMZ
• A website
• ...
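The preparation items above (agreed scope, excluded systems, permitted tests, time window, the "non destructive" rule) can be written down as data and enforced before every test action, so a tester never drifts outside the contract by accident. The following is an added example, not code from the presentation; the network ranges (RFC 5737 documentation addresses), dates and test-type names are constructed for illustration.

```python
"""Rules-of-engagement gate for a penetration test (added example)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class RulesOfEngagement:
    in_scope: List[ipaddress.IPv4Network] = field(default_factory=list)  # networks authorised in writing
    excluded: List[ipaddress.IPv4Network] = field(default_factory=list)  # never touch, even inside in_scope
    permitted_tests: Set[str] = field(default_factory=set)               # test types the contract allows
    window_start: Optional[datetime] = None                              # agreed time window (UTC)
    window_end: Optional[datetime] = None

    def check(self, target: str, test_type: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Every refusal names the rule that failed,
        so the decision can be logged and shown to the customer afterwards."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False, f"'{target}' is not an IP address; resolve it against the scope list first"
        if any(addr in net for net in self.excluded):
            return False, f"{target} is explicitly excluded from the scope"
        if not any(addr in net for net in self.in_scope):
            return False, f"{target} is not in the agreed scope"
        if test_type not in self.permitted_tests:
            return False, f"test type '{test_type}' is not permitted by the contract"
        if self.window_start is None or self.window_end is None:
            return False, "no time window has been agreed"
        if not (self.window_start <= when <= self.window_end):
            return False, f"{when.isoformat()} is outside the agreed time window"
        return True, "in scope, permitted test type, inside the time window"


def example_roe() -> RulesOfEngagement:
    """Constructed engagement: the customer's DMZ (192.0.2.0/24 as a stand-in),
    one production host carved out, a night-time window, and no destructive
    test types (no denial of service), which is the 'non destructive' rule."""
    return RulesOfEngagement(
        in_scope=[ipaddress.ip_network("192.0.2.0/24")],
        excluded=[ipaddress.ip_network("192.0.2.5/32")],
        permitted_tests={"port-scan", "vuln-scan", "web-app"},
        window_start=datetime(2011, 10, 20, 20, 0, tzinfo=timezone.utc),
        window_end=datetime(2011, 10, 21, 6, 0, tzinfo=timezone.utc),
    )


# Constructed timestamps: one inside the agreed window, one the next morning.
INSIDE_WINDOW = datetime(2011, 10, 20, 22, 30, tzinfo=timezone.utc)
OUTSIDE_WINDOW = datetime(2011, 10, 21, 9, 0, tzinfo=timezone.utc)


def gate(roe: RulesOfEngagement, target: str, test_type: str, when: datetime) -> bool:
    """What a test runner would call before every action: log the decision, return it."""
    allowed, reason = roe.check(target, test_type, when)
    print(f"{'ALLOW' if allowed else 'DENY '} {test_type:10s} {target:15s} {reason}")
    return allowed


def run_demo() -> List[bool]:
    """Five proposed actions against the constructed engagement; only the first passes."""
    roe = example_roe()
    return [
        gate(roe, "192.0.2.10", "port-scan", INSIDE_WINDOW),    # in scope, allowed
        gate(roe, "192.0.2.5", "port-scan", INSIDE_WINDOW),     # excluded production host
        gate(roe, "198.51.100.7", "port-scan", INSIDE_WINDOW),  # not in scope at all
        gate(roe, "192.0.2.10", "dos", INSIDE_WINDOW),          # destructive test, not permitted
        gate(roe, "192.0.2.10", "web-app", OUTSIDE_WINDOW),     # outside the time window
    ]


if __name__ == "__main__":
    run_demo()
```

The deny-by-default ordering matters: the exclusion list is checked before the scope list, so a host the customer carved out stays untouched even though its address lies inside an authorised range, and a hostname is refused outright rather than resolved on the fly, because the scope was agreed on addresses.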
Reconnaissance
• Active / Passive
• Information gathering
• Target discovery
• Enumeration
Scanning
• Based on data collected during the reconnaissance phase
• Searching for vulnerabilities to attack the target
Gaining Access
• “Target Exploration”
• Exploitation of the discovered vulnerabilities
• Privilege escalation
Maintaining Access
• Trying to gain/keep ownership of the compromised system
• Zombie systems
Covering Tracks
• Clear all traces of the attack
• Log files
• Tunneling
• Steganography
Reporting
• Critical step!
• At all levels, keep evidence (logs, screenshots, recordings)
• Use mind-mapping software
• Think of the target audience while writing your report
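Evidence is only useful in a report if the customer can trust that the logs and screenshots are the ones captured during the engagement. One way to make the collected evidence tamper-evident is a hashed, chained manifest that is re-verified when the report is delivered. This is an added example, not code from the presentation; the evidence files are constructed stand-ins.

```python
"""Tamper-evident evidence manifest for a pentest report (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed evidence files, as the 'keep evidence' rule would have you collect.
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "01-scope-agreement.txt": b"Scope: 192.0.2.0/24, window 2011-10-20 20:00 to 06:00 UTC\n",
    "02-scan-notes.txt": b"2011-10-20T21:05Z 192.0.2.10 tcp/443 TLS with self-signed certificate\n",
    "03-login-screenshot.png": b"\x89PNG\r\n\x1a\n<constructed image bytes>",
}
COLLECTED_AT = datetime(2011, 10, 21, 5, 45, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(evidence: Dict[str, bytes], collected_at: datetime) -> dict:
    """Hash each item and chain it onto the previous entry, so that altering,
    removing or reordering any item changes every later chain value."""
    items, prev = [], "0" * 64
    for name in sorted(evidence):  # fixed order: the chain must be reproducible
        digest = sha256_hex(evidence[name])
        prev = sha256_hex((prev + digest).encode())
        items.append({"name": name, "size": len(evidence[name]), "sha256": digest, "chain": prev})
    return {"collected_at": collected_at.isoformat(), "items": items, "final_chain": prev}


def verify_manifest(manifest: dict, evidence: Dict[str, bytes]) -> List[str]:
    """Re-check a manifest against the evidence on disk. Returns the problems
    found; an empty list means the manifest is consistent and every file intact."""
    problems, prev = [], "0" * 64
    for entry in manifest["items"]:
        name = entry["name"]
        # Chain is recomputed from the stored digests: an edited manifest entry
        # breaks the chain unless every later entry was rewritten as well.
        prev = sha256_hex((prev + entry["sha256"]).encode())
        if prev != entry["chain"]:
            problems.append(f"manifest chain broken at: {name}")
        if name not in evidence:
            problems.append(f"missing: {name}")
            continue
        if sha256_hex(evidence[name]) != entry["sha256"]:
            problems.append(f"hash mismatch: {name}")
    if prev != manifest["final_chain"]:
        problems.append("final chain value does not match")
    extra = set(evidence) - {e["name"] for e in manifest["items"]}
    problems.extend(f"not in manifest: {n}" for n in sorted(extra))
    return problems


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_EVIDENCE, COLLECTED_AT)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(manifest, SAMPLE_EVIDENCE))
    tampered = dict(SAMPLE_EVIDENCE, **{"02-scan-notes.txt": b"edited after the fact\n"})
    print("tampered:", verify_manifest(manifest, tampered))
```

The single `final_chain` value is the part to record out of band, for instance in the signed report or a mail to the customer at the end of the engagement: whoever wants to alter one evidence file afterwards would also have to recompute the manifest from that entry onward, and the recorded value would no longer match.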
Some Tips
Internet is your friend!
• Google! All the required information is online
• Documents meta-data (FOCA)
• Social engineering (we’re the weakest link)
• Maltego / Facebook / LinkedIn
• Fuzzing
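The "documents meta-data" tip cuts both ways: the same fields that tools like FOCA harvest (author usernames, Windows domain, company name, Office build) can be audited and stripped from documents before they are published. The following is an added example, not code from the presentation or from FOCA: a .docx file is a ZIP package whose `docProps/core.xml` and `docProps/app.xml` parts carry those fields under the standard OOXML namespaces; the sample document and its metadata values are constructed in memory.

```python
"""Audit and scrub Office document metadata before publication (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

NS = {  # standard OOXML namespaces for the two property parts
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample metadata of the kind a document exported from an internal
# workstation carries: a username, an AD domain, the company, the Office build.
SAMPLE_CORE_XML = (
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>j.doe</dc:creator>"
    "<cp:lastModifiedBy>CORP\\j.doe</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2011-09-30T08:15:00Z</dcterms:created>'
    "</cp:coreProperties>"
) % (NS["cp"], NS["dc"], NS["dcterms"])
SAMPLE_APP_XML = (
    '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
    "<AppVersion>12.0000</AppVersion><Company>Example Corp</Company></Properties>"
) % NS["ep"]
EMPTY_CORE_XML = '<cp:coreProperties xmlns:cp="%s"/>' % NS["cp"]
EMPTY_APP_XML = '<Properties xmlns="%s"/>' % NS["ep"]

CORE_FIELDS = {"dc:creator": "creator", "cp:lastModifiedBy": "last_modified_by",
               "dcterms:created": "created", "dcterms:modified": "modified"}
APP_FIELDS = {"ep:Application": "application", "ep:AppVersion": "app_version", "ep:Company": "company"}


def build_sample_docx() -> bytes:
    """Minimal docx-shaped package; only the two property parts are realistic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def _read_fields(z: zipfile.ZipFile, part: str, fields: Dict[str, str]) -> Dict[str, str]:
    if part not in z.namelist():
        return {}
    root = ET.fromstring(z.read(part))
    found = {}
    for tag, key in fields.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[key] = el.text
    return found


def extract_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Every populated field from docProps/core.xml and docProps/app.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        meta = _read_fields(z, "docProps/core.xml", CORE_FIELDS)
        meta.update(_read_fields(z, "docProps/app.xml", APP_FIELDS))
    return meta


def find_leaks(meta: Dict[str, str]) -> Dict[str, str]:
    """Fields to remove before the document goes public, with the reason."""
    leaks = {}
    for key in ("creator", "last_modified_by"):
        if key in meta:
            leaks[key] = "internal username" + (" with Windows domain" if "\\" in meta[key] else "")
    if "company" in meta:
        leaks["company"] = "organisation name"
    if "app_version" in meta:
        leaks["app_version"] = "software build, hints at patch level"
    return leaks


def scrub_docx(docx_bytes: bytes) -> bytes:
    """Rewrite the package with both property parts blanked; all other parts are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == "docProps/core.xml":
                dst.writestr(item.filename, EMPTY_CORE_XML)
            elif item.filename == "docProps/app.xml":
                dst.writestr(item.filename, EMPTY_APP_XML)
            else:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    meta = extract_metadata(doc)
    for key, why in find_leaks(meta).items():
        print(f"LEAK {key:17s} = {meta[key]!r:25s} ({why})")
    print("after scrub:", extract_metadata(scrub_docx(doc)))
```

Run over a directory of documents before they reach a public web server, this turns the FOCA tip into a release check; the same two parts exist in .xlsx and .pptx packages, so the audit applies unchanged to those formats.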
Build Your Toolbox
• There are specialized Linux distributions like BackTrack or Samurai
• Physical tools (cables, converters, lock-picking kits)
• Software tools (we are all lazy people)
Keep in mind...
• Information is never far away (often public)
• Broaden your mind (react as your victim would)
• Everything is a question of time! ($$$)
• Do not criticize the customer. If they fail, don’t laugh!
• Use your imagination
• Be vicious!
Conclusions
Why is EH good?
• Address your security from an attacker’s perspective
• Some audit results might give a false sense of security
• Protect company values
• Preserve corporate image and customer loyalty
Thank You!
Q&A?
http://blog.rootshell.be
http://twitter.com/xme