MARCUS.MURRAY @ TRUESEC.COM Blog: Truesecurity.se Twitter: marcusswede

Post on 23-Feb-2016


Transcript of MARCUS.MURRAY @ TRUESEC.COM Blog: Truesecurity.se Twitter: marcusswede


Whoami?


MVP – Enterprise Security

Security Team Manager Truesec

Security Assessments/Penetration Testing

Design secure infrastructure

Speaking engagements

Incident response

Session Goal

• Make you start thinking about testing your security

• Give some EXAMPLES of things you can test

• Provide some tools/methods/ideas on testing

Why do we need to care about threats?

Sony PSN

8 Deadly sins in IT-Security

1. Unpatched systems
2. Weak passwords
3. Weak exposed client applications (Hardening/configuration)
4. Weak exposed server services (Hardening/configuration)
5. Weak local applications (Hardening/configuration)
6. Sensitive network traffic exposure
7. Weak access control to protect sensitive data
8. System dependencies

Unpatched systems

• 2 different approaches to choose from

• Patch inventory platforms
  • MBSA
  • Shavlik
  • Etc.

• Vulnerability scanners/attack testing platforms
  • Core Impact
  • Nessus
  • Metasploit
  • Etc.


Weak passwords

• Many places to test
  • Active Directory
    • User accounts
    • Computer accounts!
  • Local SAM
  • Other services (SQL/web applications/VNC etc., etc.)

• 2 main methods
  • Active testing (brute force/dictionary)
    • WARNING – don't forget password lockout policies!
  • Passive testing


Weak exposed client applications (Hardening/configuration)

• Common issues:
  • Macro security!
  • Outdated versions of applications
  • Browser plugins
  • Acrobat Reader (over and over again...)
  • Java

• Tools:
  • https://browsercheck.qualys.com/


Weak exposed server services (Hardening/configuration)

• Most common:
  • Web
  • SQL

• Testing:
  • Web/SQL is challenging to test
  • There are automated tools out there
    • Often miss weaknesses
    • False positives common
  • Manual testing by an experienced tester is recommended

• Common weaknesses: injections/XSS/shared passwords embedded in client applications etc.
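Added example, not from the slides: the two weaknesses named above in their vulnerable and hardened forms, using Python's sqlite3 against a constructed in-memory users table (account names and passwords are made up). The concatenation bug is the same in any language and database; parameter binding is the fix everywhere.

```python
import hashlib
import html
import sqlite3


def hash_pw(pw: str) -> str:
    """Demo-only unsalted SHA-256 so the table holds no plaintext; a real
    application would use a slow, salted KDF. Not the point of this example."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    for name, pw in (("alice", "Summer2011!"), ("admin", "Tr0ub4dor&3")):
        con.execute("INSERT INTO users VALUES (?, ?)", (name, hash_pw(pw)))
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Concatenation puts attacker-supplied text into the SQL grammar. The user
    name  admin' --  closes the literal and comments out the password check."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw_hash = '{hash_pw(pw)}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Parameter binding: values travel separately from the query text, so a
    quote inside `name` is compared as data and can never end the literal."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return con.execute(sql, (name, hash_pw(pw))).fetchone() is not None


def render_unsafe(display_name: str) -> str:
    """Reflected XSS: whatever the user sent is emitted as markup."""
    return f"<p>Hello, {display_name}</p>"


def render_safe(display_name: str) -> str:
    """Output encoding for an HTML text node; other contexts (attributes,
    JavaScript, URLs) need their own encoder."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


INJECTION = "admin' --"          # no valid password needed
XSS = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable login bypassed:", login_vulnerable(db, INJECTION, "anything"))
    print("parameterised login bypassed:", login_safe(db, INJECTION, "anything"))
    print(render_unsafe(XSS))
    print(render_safe(XSS))
```

This is also why automated scanners miss cases: the payload that works depends on the quoting and comment syntax of the backend, and a manual tester adapts it per target.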


Weak local applications (Hardening/configuration)

• Anything that runs with admin privileges and is writable with user privileges
  • Registry
  • File system
  • Services
  • Scheduled Tasks
  • Processes
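Added example (Python, not from the slides) for the services row of this list: it parses `icacls` output for a service binary and for each directory on an unquoted image path, and flags anything a low-privileged principal can write to while the service runs as SYSTEM. The service records and `icacls` text are constructed to look like real output; `ntpath` is used so the Windows paths are handled on any platform. Inheritance-only ACEs and group nesting are ignored for brevity.

```python
import ntpath
import re

# Principals that every domain user effectively holds. Constructed list;
# extend with your own "Domain Users"-style groups.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# icacls rights that let the holder replace or alter the object. (AD) on a
# directory only creates sub-directories, so it is deliberately left out.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "WDAC", "WO"}
PRIVILEGED_ACCOUNTS = {"LocalSystem", "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LocalSystem"}


def parse_icacls_output(path: str, text: str) -> list:
    """Turn `icacls "<path>"` output into [(principal, {right tokens})].
    icacls prints the path in front of the first ACE; the rest are indented."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, _, rights = line.rpartition(":")
        aces.append((principal, set(re.findall(r"[A-Za-z]+", rights))))
    return aces


def low_priv_writers(aces) -> list:
    return sorted(p for p, rights in aces if p in LOW_PRIV and rights & WRITE_RIGHTS)


def binary_from_image_path(image_path: str) -> str:
    """Strip quotes and arguments: '"C:\\a b\\s.exe" -k' or 'C:\\a b\\s.exe -k' -> 'C:\\a b\\s.exe'."""
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    m = re.search(r"\.exe\b", image_path, re.I)
    return image_path[:m.end()] if m else image_path.split(" ", 1)[0]


def unquoted_path_candidates(image_path: str) -> list:
    """For an unquoted ImagePath with spaces, CreateProcess tries each
    space-delimited prefix as the executable. Return those planted-binary paths:
    'C:\\Program Files\\Legacy Tools\\updater.exe' -> ['C:\\Program.exe',
    'C:\\Program Files\\Legacy.exe']."""
    if image_path.startswith('"'):
        return []
    parts = binary_from_image_path(image_path).split(" ")
    cands = []
    for n in range(1, len(parts)):
        prefix = " ".join(parts[:n])
        cands.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return cands


def audit_services(services, icacls_outputs: dict) -> list:
    """Flag privileged services whose binary, or a directory on an unquoted
    search path, is writable by a low-privileged principal."""
    findings = []
    for svc in services:
        if svc["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        exe = binary_from_image_path(svc["image_path"])
        writers = low_priv_writers(parse_icacls_output(exe, icacls_outputs.get(exe, "")))
        if writers:
            findings.append(("writable-binary", svc["name"], exe, writers))
        for cand in unquoted_path_candidates(svc["image_path"]):
            folder = ntpath.dirname(cand)
            writers = low_priv_writers(parse_icacls_output(folder, icacls_outputs.get(folder, "")))
            if writers:
                findings.append(("unquoted-path", svc["name"], cand, writers))
    return findings


SERVICES = [  # constructed, shaped like `sc qc` / Win32_Service output
    {"name": "BackupAgent", "account": "LocalSystem",
     "image_path": '"C:\\Program Files\\BackupAgent\\agent.exe"'},
    {"name": "LegacyUpdater", "account": "LocalSystem",
     "image_path": "C:\\Program Files\\Legacy Tools\\updater.exe -service"},
    {"name": "Spooler", "account": "NT AUTHORITY\\LocalService",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]
ICACLS = {  # constructed `icacls` output for the objects the audit asks about
    "C:\\Program Files\\BackupAgent\\agent.exe":
        "C:\\Program Files\\BackupAgent\\agent.exe NT AUTHORITY\\SYSTEM:(I)(F)\n"
        "                                         BUILTIN\\Administrators:(I)(F)\n"
        "                                         BUILTIN\\Users:(I)(M)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n",
    "C:\\": "C:\\ NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
            "     BUILTIN\\Administrators:(OI)(CI)(F)\n"
            "     BUILTIN\\Users:(OI)(CI)(RX)\n",
    "C:\\Program Files":
        "C:\\Program Files NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
        "                 BUILTIN\\Administrators:(OI)(CI)(F)\n"
        "                 BUILTIN\\Users:(OI)(CI)(M)\n",   # the misconfiguration
}

if __name__ == "__main__":
    for finding in audit_services(SERVICES, ICACLS):
        print(finding)
```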


Sensitive network traffic exposure

• Weak protocols:
  • SMB
  • HTTP
  • Telnet
  • SNMP
  • FTP
  • RDP
  • Etc.

• Tools:
  • Wireshark/Cain etc.
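Added example (Python, not from the slides) of what the Wireshark/Cain step actually yields for three of the protocols listed: HTTP Basic, FTP and SNMPv1/v2c credentials pulled from reassembled payloads. The packets are constructed byte strings, not a real capture. SMB and RDP are listed above but not parsed here; what an attacker takes from them is a challenge-response to crack or a man-in-the-middle position, not a plaintext password.

```python
import base64
import re


def http_basic_credentials(payload: bytes):
    """HTTP Basic is base64(user:password): trivially reversible by anyone on the path."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", payload, re.I | re.M)
    if not m:
        return None
    user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
    return user, pw


def ftp_credentials(client_stream: bytes):
    """FTP sends USER and PASS as separate cleartext commands on port 21."""
    user = re.search(rb"^USER (.+?)\r?$", client_stream, re.M)
    pw = re.search(rb"^PASS (.+?)\r?$", client_stream, re.M)
    return (user.group(1).decode(), pw.group(1).decode()) if user and pw else None


def _ber_tlv(buf: bytes, pos: int):
    """Minimal BER reader: returns (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def snmp_community(packet: bytes):
    """SNMPv1/v2c: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    The community string is the password and goes over UDP in the clear."""
    try:
        tag, body, _ = _ber_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, version, pos = _ber_tlv(body, 0)
        if tag != 0x02 or version not in (b"\x00", b"\x01"):   # 0 = v1, 1 = v2c
            return None
        tag, community, _ = _ber_tlv(body, pos)
        return community.decode("latin-1") if tag == 0x04 else None
    except IndexError:
        return None


EXTRACTORS = {21: ("ftp", ftp_credentials), 80: ("http", http_basic_credentials),
              161: ("snmp", snmp_community), 162: ("snmp", snmp_community)}
CLEARTEXT_ONLY = {23: "telnet"}   # nothing to parse: the whole session is readable


def audit_flows(flows) -> list:
    """flows: (dst_port, payload) pairs reassembled from a capture. Report each
    cleartext protocol seen and any credential recovered from it."""
    report = []
    for port, payload in flows:
        if port in EXTRACTORS:
            name, extract = EXTRACTORS[port]
            report.append({"dst_port": port, "protocol": name, "credential": extract(payload)})
        elif port in CLEARTEXT_ONLY:
            report.append({"dst_port": port, "protocol": CLEARTEXT_ONLY[port], "credential": None})
    return report


def _ber(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body     # short-form length is enough for the sample


# Constructed sample traffic, not from a real capture.
HTTP_REQUEST = (b"GET /admin/ HTTP/1.1\r\nHost: intranet\r\n"
                b"Authorization: Basic " + base64.b64encode(b"jdoe:Summer2011") + b"\r\n\r\n")
FTP_STREAM = b"USER ftpadmin\r\nPASS hunter2\r\nSYST\r\n"
SNMP_GET = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x04, b"public")
                + _ber(0xA0, b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"))
FLOWS = [(80, HTTP_REQUEST), (21, FTP_STREAM), (161, SNMP_GET),
         (23, b"login: "), (443, b"\x16\x03\x01\x00\x5a\x01")]   # TLS is not reported

if __name__ == "__main__":
    for entry in audit_flows(FLOWS):
        print(entry)
```

Port-based dispatch is a shortcut for the sample; on a real capture classify by content, since the same protocols turn up on non-standard ports.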


Weak access control to protect sensitive data

• Very often high privileges are stored in files accessible by domain users or even Everyone!
  • Scripts
  • Backups
  • Web.configs
  • Password reminder docs
  • Config files
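Added example (Python, not from the slides): a scanner that walks a share for the file types listed above, reports credential-shaped content with the secret redacted so the report itself is not a second leak, and records whether the file is readable by everyone. Sample files are constructed in a temporary directory; the readability check uses POSIX mode bits as a stand-in for the share and NTFS ACL query you would run on Windows.

```python
import os
import re
import stat
import tempfile

# File types worth opening: scripts, configs, backups, notes.
INTERESTING = re.compile(r"\.(ps1|vbs|bat|cmd|config|ini|xml|txt|bak|sql)$", re.I)
NAME_HINT = re.compile(r"passw|pwd|cred|login", re.I)
# Tried in order; the first hit on a line wins, so the specific patterns go first.
SECRET_PATTERNS = [
    ("connection-string", re.compile(
        r"(?i)(?:user id|uid)=(?P<user>[^;\"']+);\s*(?:password|pwd)=(?P<secret>[^;\"']+)")),
    ("net-use", re.compile(r"(?i)\bnet use\s+\S+\s+(?P<secret>\S+)\s+/user:(?P<user>\S+)")),
    ("assignment", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret)\s*[=:]\s*[\"']?(?P<secret>[^\"';\s<]+)")),
]


def redact(secret: str) -> str:
    """Keep two characters so a finding can be recognised, never the whole value."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def world_readable(path: str) -> bool:
    """Stand-in for the real question (which domain groups can read the share/file);
    on Windows you would query the ACL instead of the POSIX mode bits."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root: str) -> list:
    """Walk a share and report files whose name or content looks like a credential store."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not INTERESTING.search(name):
                continue
            path = os.path.join(dirpath, name)
            base = {"path": path, "world_readable": world_readable(path), "user": None, "redacted": None}
            if NAME_HINT.search(name):
                findings.append({**base, "kind": "suspicious-filename", "line": 0})
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for lineno, line in enumerate(lines, 1):
                for kind, pattern in SECRET_PATTERNS:
                    m = pattern.search(line)
                    if m:
                        findings.append({**base, "kind": kind, "line": lineno,
                                         "user": m.groupdict().get("user"),
                                         "redacted": redact(m.group("secret"))})
                        break
    return findings


SAMPLES = {  # constructed file contents of the kind that turns up on shares
    "scripts/backup.ps1": "net use \\\\fs01\\backup$ Sup3rS3cret! /user:CORP\\svc_backup\n",
    "webroot/web.config": ('<connectionStrings>\n  <add name="crm" connectionString='
                           '"Server=sql01;Database=crm;User ID=sa;Password=sa2011!" />\n'
                           "</connectionStrings>\n"),
    "it/passwords.txt": "DA account: CORP\\da_murray\npassword: Winter2011!\n",
    "tools/installer.ini": "[db]\nhost=sql01\n",              # nothing to report
    "docs/readme.txt": "Passwords are rotated quarterly.\n",   # the word alone is not a hit
}


def demo() -> list:
    """Write the samples into a temporary tree, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        findings = scan_tree(root)
        for f in findings:
            f["path"] = os.path.relpath(f["path"], root).replace(os.sep, "/")
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} [{f['kind']}] user={f['user']} secret={f['redacted']} "
              f"world_readable={f['world_readable']}")
```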


System dependencies

• Very often privileged accounts are stored on systems with lower security requirements
  • Local admin reuse
  • Exposed Domain Admin logons
  • Reused service accounts

• Tools:
  • Gsecdump
  • Lslsass
  • parallelltask
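Added example (Python, not from the slides and not part of the tools named above) for the three dependency problems listed: local Administrator hash reuse across hosts, read from pwdump-style dump lines of the kind hash dumpers emit; Domain Admin logons on lower-tier systems with logon types that leave the credential in LSASS; and one service account spread over several hosts. Hosts, tiers, logon records and the Administrator hashes are all constructed.

```python
from collections import defaultdict

# Logon types (the 4624 event field) that leave a reusable credential in LSASS
# on the target: interactive, batch, service, unlock, RemoteInteractive. A
# network logon (type 3) does not.
CRED_CACHING_LOGON_TYPES = {2, 4, 5, 7, 10}


def parse_pwdump(lines) -> list:
    """'user:rid:lmhash:nthash:::' -> [(user, rid, nthash lower-case)]."""
    entries = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1], parts[3].lower()))
    return entries


def local_admin_reuse(dumps: dict) -> dict:
    """dumps = {host: [pwdump lines]}. Return {nthash: [hosts]} for every
    built-in Administrator (RID 500) hash that appears on more than one host:
    one compromised box then yields local admin on all of them, no cracking needed."""
    hosts_by_hash = defaultdict(list)
    for host, lines in dumps.items():
        for _user, rid, nthash in parse_pwdump(lines):
            if rid == "500":
                hosts_by_hash[nthash].append(host)
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) > 1}


def exposed_privileged_logons(logons, tier_of_host: dict, privileged_accounts) -> list:
    """logons: (host, account, logon_type). Flag privileged accounts that log on
    with a credential-caching type anywhere below tier 0 (domain controllers):
    that host now holds a Domain Admin credential for the taking."""
    privileged = {a.lower() for a in privileged_accounts}
    findings = []
    for host, account, logon_type in logons:
        tier = tier_of_host.get(host, 2)              # unknown host: assume workstation
        if account.lower() in privileged and logon_type in CRED_CACHING_LOGON_TYPES and tier > 0:
            findings.append((host, tier, account, logon_type))
    return findings


def service_account_spread(logons) -> dict:
    """Service logons (type 5) of the same account on several hosts: the
    account's password is stored on each of them, so compromising any one
    compromises the rest."""
    hosts = defaultdict(set)
    for host, account, logon_type in logons:
        if logon_type == 5:
            hosts[account.lower()].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) > 1}


# Constructed sample data. Administrator NT hashes are made-up hex; the LM
# field is the well-known empty-LM value and Guest carries the empty-password NT hash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
DUMPS = {
    "WS001": [f"Administrator:500:{EMPTY_LM}:7f1f1d6d8b2f4a9c3e5b0a1c2d3e4f50:::",
              f"Guest:501:{EMPTY_LM}:31d6cfe0d16ae931b73c59d7e0c089c0:::"],
    "WS002": [f"Administrator:500:{EMPTY_LM}:7F1F1D6D8B2F4A9C3E5B0A1C2D3E4F50:::"],
    "SRV-FILE01": [f"Administrator:500:{EMPTY_LM}:0c1a2b3c4d5e6f708192a3b4c5d6e7f8:::"],
}
TIER_OF_HOST = {"DC01": 0, "SRV-FILE01": 1, "WS001": 2, "WS002": 2}
PRIVILEGED = {"CORP\\da_murray"}
LOGONS = [
    ("DC01", "CORP\\da_murray", 2),        # console logon on a DC: expected
    ("SRV-FILE01", "CORP\\da_murray", 10), # RDP to a file server with DA: exposed
    ("WS002", "CORP\\da_murray", 3),       # network logon: no credential left behind
    ("WS001", "CORP\\da_murray", 2),       # DA at a workstation console: exposed
    ("SRV-FILE01", "CORP\\svc_sql", 5),
    ("WS001", "CORP\\svc_sql", 5),         # same service account on two tiers
]

if __name__ == "__main__":
    print("local admin reuse:", local_admin_reuse(DUMPS))
    print("exposed DA logons:", exposed_privileged_logons(LOGONS, TIER_OF_HOST, PRIVILEGED))
    print("service account spread:", service_account_spread(LOGONS))
```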


Process of testing

• Decide what tests you want to run
• For each test:
  • Set up a test goal
  • Identify targets
  • Find the right tools
  • Identify risks
  • Define and try a methodology to manage risks: backup/restore/rollback/failover/point of contact
  • Set up a test methodology
  • Test in a controlled environment
  • Get acceptance from system owners!!
  • Perform test
  • Analyse result
  • Take actions

Some resources

• Open Source Security Testing Methodology Manual
  http://www.isecom.org/osstmm/

• Microsoft Baseline Security Analyzer 2.2
  http://technet.microsoft.com/en-us/security/cc184923

• Nessus
  http://www.nessus.org/products/nessus

• Truesec.com
  www.truesec.com

Stay up to date with TechNet Belux

Register for our newsletters and stay up to date:http://www.technet-newsletters.be

• Technical updates• Event announcements and registration• Top downloads

Join us on Facebook
http://www.facebook.com/technetbe
http://www.facebook.com/technetbelux

LinkedIn: http://linkd.in/technetbelux/

Twitter: @technetbelux

Download MSDN/TechNet Desktop Gadget

http://bit.ly/msdntngadget

TechDays 2011 On-Demand

• Watch this session on-demand via TechNet Edge
  http://technet.microsoft.com/fr-be/edge/
  http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers

Security Training event! Understand how hackers attack Microsoft platforms

• 3 days with Marcus Murray

• Hands on labs

• Understand how hackers attack Microsoft platforms

• The tools & methods they use

• Amsterdam, Netherlands June 20-22, 2011

Register at www.truesec.com

THANK YOU

Marcus.Murray @ Truesec.com