Next Generation Pentest Your Company Cannot Buy
Why both consultants and customers are doing it wrong
Vlad Styran
Who’s that guy?
• Security Consultant for BMS Consulting
• Social Engineering researcher
• InfoSec blogger
• Podcaster
Why is he here?
• Pentesting since 2006
– Web sites, banking systems, telecom…
• X commercial pre-sale presentations
– Saw the client’s eyes BEFORE the test
• X-Y pentest reports written
– Saw the client’s eyes AFTER the test
– Writing reports is HELL
• Z pentest reports read
– Reading others’ reports is FUN
• CISSP, CEH, CISA…
– Because it rarely matters
Why are YOU here?
• This preso is for those who want a great pentest to be done
– and someone to benefit from this pentest
• Usually it’s a company
• You may be a customer
• Or a consultant
• Or both
• And you should agree that there’s something wrong with the pentesting industry
Some definitions
• What is a Penetration Test?
• What is a Vulnerability Assessment?
• What is the difference?
• Why should anyone bother?
• And let’s make it quick and simple
Test
• Testing is deeply interactive
• A test is something that both the tester and the thing being tested do
– We act and see the reaction
– Not just look, measure and record
– We touch, push and kick
– We challenge what we test
• A test has a goal
Penetration Test
• Penetration is getting through obstacles:
– Security systems
– User awareness
– Physical barriers
• The pentest succeeds if we get through
– And fails if we don’t
• And for the client this usually means exactly the opposite
• The goal is virtually anything, but usually:
– Penetrate a system
– Pwnz0r everything: DBA, root, Domain Admin
– ‘Get’ the data to show it’s vulnerable
– Show that the business might be stopped
Vulnerability Assessment
• Find all vulnerabilities
– Remove false positives (optional)
• And tell us how to fix them
– Usually in a couple of different ways
• Don’t try to break anything, it might… break!
• Come back in a few weeks (months?) and check whether we fixed stuff
The Difference
• Deep interactivity:
– A pentest is interactive, as deep as you can get
– A Vulnerability Assessment is superficial
• The goal:
– A pentest aims at a narrow goal
– A Vuln Assessment is as broad as the client can pay for
• The PenTest is focused and thorough
• The VA is a mile wide and a foot deep
• You can easily do a VA yourself, but a PT isn’t easy
– Not because it’s hard to do, but because of the conflict of interest
More Difference
• A PT doesn’t just scan, it exploits
• Most pentest standards cover multiple channels
– Systems and network
– Wireless and telecom
– Human interaction
– Physical stuff
• A VA is purely technical
– Systems and network
– And maybe wireless… or telecom…
That was ‘what’ and ‘how’. What about ‘why’?
• And this is the most important and interesting part that everyone should know
• Vulnerability Assessment:
“Let us know how we can fix what is presumably already broken”
• Penetration Test:
“Try to break what is presumably unbreakable”*
*Considering reasonable time and resources available
Now To Work
• Why do clients buy pentests?
• How do consultants do pentests?
• Why do clients get bad pentests?
• What can we do to fix it?
– Clients
– Pentesters
How do consultants do pentests?
• We set the scope
– Systems, locations, people, contacts etc.
• We do recon
– Short for ‘reconnaissance’
• We enumerate the targets
– And search for vulnerabilities
• It is pretty much the VA until this point
How do consultants do good pentests?
• We validate the vulnerabilities
– ‘Validate’ stands for ‘exploit’, since business people don’t like hacker jargon
• We leverage access gained and pivot further
– Into the network, into the sun, into the cookies…
• We collect evidence of your data compromise
– Without actually compromising the data
– But enough to make your bosses like OMG
How do consultants do an outstanding Pentest-NG?
• We meet your business people beforehand
– To know how your business lives
– And research how someone could kill it
• We do all channels and vectors
– We plan for HR interviews and local conferences
– We write custom software and exploit code
• We do virtually anything to make you cry over your spent InfoSec dollars
Why do clients buy pentests?
• Want to test the security
– The only true reason, and it is really rare
• Compliance
– That mandates pentests
• Want to know the risks
– Although there are much better and safer tools for that
• False compliance
– That does not mandate pentests
• We were hacked!!
• Have no idea how else to ‘fix it’…
Why do clients get/do bad pentests? What clients cannot affect
• Bad pentesters
– Some pentesters just suck
• Most methodologies suck too
– Remember your high school lessons
• Time/cost relation in consulting business models
– Pentests are quick
– ‘Quick’ means ‘cheap’
Why do people get/do bad pentests? What clients can and do affect
• Lack of understanding of the difference
– Most buy a plain VA dressed up as a sexy pentest
• Lack of understanding of the reason
– A PCI pentest is not there to find vulns; you have the ASV scan for that
• Lack of quality assurance
– It takes buying 2-3 bad pentests to understand that they’re bad
• Validation panic
How to fix this
• Learn and understand the difference
– Read the PT standards; there are plenty
• PTES, OSSTMM, NIST, ISACA, etc.
• Reason about which ones are good for you
– Ask pentesters you know are really good
• Twitter, mailing lists, security conferences…
• Learn and understand the reason
– Define why you are doing this before posting a PO
– Reason about it and choose what you actually need
• PT or VA
How else can we fix this?
• Change the payment rules
– Create a list of objectives
– Pay a ‘standard’ price for the Vulnerability Assessment (the reformatted Qualys report)
– Pay a bonus for each objective in the list
• Choose good pentesters
– Ask for papers (sample reports, certs, references)
• The NDA excuse is irrelevant
– Arrange demo exercises
• (Good) pentesters love exercises
• Honeypots are free
How else can we fix this? (dirty tricks)
• Have nerve
– Stress the need for a PT over a VA, or vice versa, based on your need
• Push on compliance
– PCI Information Supplement 11.3
• Requires the vulns to be exploited
• Requires channel diversity: social, network, WiFi etc.
• Learn some skills yourself
– It really helps
– And it’s really fun
Something to Think About and Discuss
• Vuln Assessment covers a small portion of preventive controls
• PenTest delves into each and every control you have
• Assume you have no need to test preventive controls… Just assume
• How can you test reactive and corrective controls?