White Hats and Ethical Hacking: What You’ve Been Doing Wrong
FocusOn CyberSecurity, 30 March 2016
Overview
• Vulnerability assessments and penetration testing
• What goes wrong
• The future of penetration testing
© 2016 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 2
Show of Hands …
• Have you ever requested a penetration test and been disappointed with the results?
• Have you ever completed a penetration test for a customer and felt that it “went nowhere”?
Slide 3
Vulnerability Assessments and Penetration Testing
Slide 4
Vulnerability Assessments
• Tool-based
• Automated signature-based scans for known vulnerabilities
• Follows defined methodology
• Catches ~ 60% of vulnerabilities
• High false positive rates; value comes from interpretation of results, root cause analysis
Slide 5
Penetration Testing
• Intelligence-based testing; human intelligence and experience drive results
• Identifies security weaknesses, vulnerabilities
• Goal is to exploit weaknesses
• Victory conditions:
– Compromise a system; launch successful attacks
– Gain root access
– Even 1 compromise is a victory
Slide 6
Vulnerability Assessments and Penetration Testing
Slide 7
What Goes Wrong?
Slide 8
Customer Quote
“I’m only doing this testing because it’s a requirement for PCI.
I find it’s too expensive, you guys have a license to print money!
Sure, you found lots of little vulnerabilities, but I knew about those before you even got here. For the money I’m paying you, I expect you to have root access within an hour. Come on – impress me!”
Slide 9
Customer Quote
“We’ve just started doing a security review so we can qualify for new work from our client.
I’d like you to do a penetration test against my network.
We’ll knock that off while the rest of the team works on the other stuff like writing policies …”
Slide 10
Customer Quote
“We want you to test our production network of 800 (+) servers. Some of the servers are flaky, so make sure that you don’t crash them.
We need the testing to be completed by the end of the week (reconciliation time is coming).
Because we do financial services, you can only test at night, after midnight and end testing by 6:00 AM.”
Slide 11
Customer Quote
“You can only bid on this project if the testers have actual experience in testing _______ plants of this type, and have demonstrated that they can write their own protocols to test the Zigbee radio systems.
The following will be out of scope: physical security, social engineering (including USB keys, hostile phishing emails, and impersonating the FedEx guy), insider attacks, attacks against the NT4 servers we know are still there ….”
Slide 12
Consultant and Client
Consultant: “Here are the test results”
Client: “Thanks, I’ll make sure that IT against them when we’re done the review”
Consultant: “I couldn’t help noticing that most of the report is the stuff that we found last year … and the year before that … and the year before that one ….”
Client: “Yeah, well … we’ve been kinda busy”
Slide 13
Summary of Findings
• Lack of executive support
• Misalignment of financial and liability versus risk
• Don’t understand impact of testing on network
• Unrealistic scope – tester
• Scope does not reflect reality – adversary type, attack methodologies
• No accountability for responding to results
• No resolution tracking, change control
Slide 14
Effective Vulnerability Scanning
• Credentialed scans
• Continuous scanning frequency
• Use at least 2 different scanning tools
• Feed results to trouble ticket system
• Accountability for remediation
• Verify remediation
• Scan devices (printers, power bars, etc.)
• Build scanning into operational programs
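The points above (two scanning tools, feeding results into a ticket system, accountability for remediation, verifying remediation) only pay off if the scan output is reconciled from cycle to cycle rather than read as a fresh report each time. The following is an added illustration, not material from the presentation or from Digital Defence: it merges constructed output from two hypothetical scanners, flags findings only one tool reported (candidates for manual interpretation), and reconciles the merged set against last cycle's ticket states so that a "closed" ticket whose finding reappears is reopened and an open ticket whose finding is gone is marked for verified closure. Host addresses, the VULN-000x identifiers and ticket states are placeholders.

```python
"""Consolidate two scanners' findings and reconcile them against the previous
cycle's tickets. Added example with constructed data; the vuln ids are
placeholders, not real CVE numbers, and the scanner names are hypothetical."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output of two hypothetical scanners, already normalised
# to (host, vuln id, severity). Real tools need a per-tool parser before this.
SCANNER_A = ("scanner-a", [
    {"host": "10.0.0.5", "id": "VULN-0001", "severity": "critical"},
    {"host": "10.0.0.5", "id": "VULN-0002", "severity": "high"},
    {"host": "10.0.0.9", "id": "VULN-0002", "severity": "high"},
])
SCANNER_B = ("scanner-b", [
    {"host": "10.0.0.5", "id": "VULN-0001", "severity": "high"},
    {"host": "10.0.0.9", "id": "VULN-0003", "severity": "medium"},
])

# Ticket state carried over from the previous scan cycle (constructed).
PREVIOUS_TICKETS = {
    ("10.0.0.5", "VULN-0001"): "open",
    ("10.0.0.5", "VULN-0002"): "closed",   # remediation was claimed last cycle
    ("10.0.0.9", "VULN-0004"): "open",
}


def merge_scans(*scans):
    """Key every finding by (host, vuln id); keep the highest severity any tool
    assigned and record which tools reported it."""
    merged = {}
    for tool, findings in scans:
        for f in findings:
            key = (f["host"], f["id"])
            entry = merged.setdefault(key, {"severity": "low", "tools": set()})
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
            entry["tools"].add(tool)
    return merged


def single_tool_findings(merged):
    """Findings seen by only one scanner: review these by hand before ticketing,
    since they are where false positives and tool blind spots concentrate."""
    return sorted(k for k, v in merged.items() if len(v["tools"]) == 1)


def reconcile(previous_tickets, merged):
    """Map each finding to the ticket action this cycle requires."""
    actions = {}
    for key in merged:
        status = previous_tickets.get(key)
        if status is None:
            actions[key] = "open"            # new finding: raise a ticket
        elif status == "closed":
            actions[key] = "reopen"          # claimed fixed, but the rescan still sees it
        else:
            actions[key] = "still_open"      # unresolved since last cycle
    for key, status in previous_tickets.items():
        if key not in merged and status != "closed":
            actions[key] = "verify_closed"   # gone from the rescan: close with evidence
    return actions


def repeat_findings(actions):
    """The 'same report as last year' list: findings that survived a cycle."""
    return sorted(k for k, a in actions.items() if a in ("still_open", "reopen"))


if __name__ == "__main__":
    merged = merge_scans(SCANNER_A, SCANNER_B)
    actions = reconcile(PREVIOUS_TICKETS, merged)
    for key, action in sorted(actions.items()):
        print(key, merged.get(key, {}).get("severity", "-"), action)
    print("single-tool:", single_tool_findings(merged))
    print("repeats:", repeat_findings(actions))
```

The "reopen" branch is the accountability check the slide calls for: a ticket that IT closed without the finding disappearing from the next scan is the concrete evidence that remediation was not verified, and the repeat list is what turns "we found this last year" into something that can be measured.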
Slide 15
Effective Penetration Testing
• Define the goal – why are you testing?
• Align testing with risk, documented security policies
• Threat modelling
• In testing, follow the (critical) data
• Skilled testers + good reports = win
• Monitor
• Measure progress
• Don’t rely on a single tester
Slide 16
The Future of Penetration Testing
Slide 17
Change Your Testing Methodology – 1
• Risk-based approach – what data are you trying to protect?
• This data defines the tester’s goal
– It’s not about getting root, it’s about confirming that you’ve protected the most important corporate data
– Scoping will allow physical, logical tests
– Scope may include supply chain, 3rd parties
Slide 18
Change Your Testing Methodology – 2
• What is the adversary doing? What “rules” do they obey?
• What is their attack methodology?
• If the attackers are using social engineering, are you training to counteract that?
• Train as you fight
Slide 19
Attack Methodologies You MUST Include
• Physical attacks against data systems (theft of devices, key loggers, “road apples”)
• Wireless, VoIP networks
• Hostile MS Word, Excel documents with PowerShell macros
• APT simulations
• Exfiltration simulations
Slide 20
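If hostile Office documents with macros are in scope for the test, the defender's side of the exercise is whether such a document is caught before a user opens it. The following is an added example, not code from the presentation or from Digital Defence: it inspects a modern Office (OOXML, zip-based) file for the two indicators that a VBA project is present, the vbaProject.bin part and a "macroEnabled" main-part content type, and applies a simple hold policy. The sample documents are constructed in memory with placeholder bytes standing in for a real VBA project; legacy binary .doc/.xls files are OLE containers, not zips, and would need an OLE parser that this example does not include.

```python
"""Inspect OOXML documents for VBA macro indicators. Added example; the sample
files below are constructed and carry placeholder bytes, not real macros."""
import io
import zipfile

CONTENT_TYPES = "[Content_Types].xml"
MACRO_CT_MARKER = "macroEnabled"   # part of the main-part content type of .docm/.xlsm/.pptm
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}


def build_office_zip(parts):
    """Constructed helper: pack {part name: bytes} into a minimal OOXML-like zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a plain .docx with no macro parts.
CLEAN_DOCX = build_office_zip({
    CONTENT_TYPES: b'<Types><Override PartName="/word/document.xml" '
                   b'ContentType="application/vnd.openxmlformats-officedocument.'
                   b'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})

# Constructed sample: a .docm whose content types declare a macro-enabled main
# part and which carries a vbaProject.bin (placeholder OLE header bytes only).
MACRO_DOCM = build_office_zip({
    CONTENT_TYPES: b'<Types><Override PartName="/word/document.xml" '
                   b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                   b'</Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
})


def inspect_office_file(data):
    """Return which macro indicators the file carries. Non-zip input (legacy OLE
    .doc/.xls, or not an Office file at all) is reported as not OOXML."""
    result = {"is_ooxml": False, "has_vba_project": False, "declares_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = CONTENT_TYPES in names
        # The VBA project lives in word/, xl/ or ppt/ depending on the application.
        result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if result["is_ooxml"]:
            ct_xml = zf.read(CONTENT_TYPES).decode("utf-8", errors="replace")
            result["declares_macro_enabled"] = MACRO_CT_MARKER in ct_xml
    return result


def should_quarantine(filename, data):
    """Hold policy: any document carrying a VBA project, and any OOXML document
    whose extension disagrees with its declared macro-enabled status."""
    info = inspect_office_file(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if info["has_vba_project"]:
        return True
    if info["is_ooxml"] and info["declares_macro_enabled"] != (ext in MACRO_EXTENSIONS):
        return True
    return False


if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM)):
        print(name, inspect_office_file(blob), "quarantine" if should_quarantine(name, blob) else "pass")
```

Presence of a VBA project is a reliable structural signal; what the macro does (for instance launching PowerShell) is stored compressed inside vbaProject.bin in the MS-OVBA format, so a naive string search of that part is not a substitute for a proper VBA extractor. For the purpose the slide describes, the useful measurement is simply whether the mail gateway or endpoint control held the test document, and whether the user reported it.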
Slide 20
Change Your Testing Methodology – 3
• Blue Team – defenders
• Red Team – attackers, vulnerability scanners, penetration testers
• Purple Team = Blue + Red
• Meaningfully exercise the internal defences
• Doubles the value of a test (at least)
Slide 21
Questions?
Slide 22
DigitalDefence (www.digitaldefence.ca)
• Specialize in penetration testing, incident response, data forensics
• Training provider
Robert W. Beggs, CISSP
• 15+ years experience in all aspects of data security
Slide 23
Contact Me
519-771-8808
https://ca.linkedin.com/in/robertbeggs
Slide 24