Transcript of "Information Security Reports" (USALearning Security Reports)

Information Security Reports

Table of Contents

Information Security Reports .......................................................................................................... 2

Internet Crime Complaint Center (IC3) ........................................................................................... 3

Data Breach Investigations Report (DBIR) ...................................................................................... 6

DBIR Top 20 Varieties of Threat Actions Over Time ....................................................................... 7

Effects of Hacking on Business ........................................................................................................ 9

What is “Ethical Hacking”? ............................................................................................................ 12

Why perform “Ethical Hacking”? .................................................................................................. 15

Hacking vs. Ethical Hacking ........................................................................................................... 17

The Certified Ethical Hacker (CEH) ................................................................................................ 19

Required Ethical Hacking Skills ..................................................................................................... 20

Notices .......................................................................................................................................... 23

Page 1 of 23

Information Security Reports

**003 One component we want to talk about is Information Security Reports. Any large security company-- I would say at least 50 million dollars in volume per year-- gets their security people together to write information security reports. I'm going to give you a couple of examples here; but realize that you can go to the industry leaders in security and get their report. Now think about what that report's going to say. It's going to say: Well, this is our company right here with all of our company's information, and here are all the threats that are out there; oh, and our product can fix that. But if we take out the "oh, the product can fix this," take the raw information and look at it, maybe even go back to their sources and look at that data, we can get good information from what's called the "state of the hack."

Internet Crime Complaint Center (IC3)

Partnership between FBI and National White Collar Crime Center (NW3C): http://www.ic3.gov

Provides means to file Internet-related criminal complaints for referral to appropriate agencies for investigation

Produces annual state and national Internet Crime Reports

**004 Now one of the ones that I like is the IC3. This is between the FBI and the National White Collar Crime Center, the NW3C; and what they do is they say: Okay, we're going to take all these internet-related criminal complaints, all the ones that we can find out about. Remember, somebody's got to say that they've been hacked in order for this to happen. They're going to roll all that stuff up and then they're going to give us the characteristics of the particular complaints for that year, in a particular order; kind of a Greatest Hits list. If you're familiar with the Open Web Application Security Project, owasp.org, they do a Top 10 of web threats. This is just a Top 10 of crime threats. So when you look at this list here, this is how the attackers are attacking this year. Now past execution does not predict future performance when it comes to attacking. There may be some leap forward in attacking, or there may be some leap forward in security, so that in this push me/pull you kind of world what happens is-- well, Trojans don't work anymore because somebody came up with a way to solve the Trojan problem today. A classic example of this would be something like boot sector viruses. For a very long period of time boot sector viruses were all the way down at the bottom of the list, but then we came up with the portable USB drive; and it had its own boot sector on it. And then all of a sudden the attackers said: Well, there's this new advance in technology where somebody's booting from an external drive and we're going to attack that; we're going to go after that and we're going to figure out ways-- and then boot sectors came back on the rise. So now they weren't called boot sector at that point, they were called USB attacks. But the idea is that this is in waves and cycles between attack and defense; and so if you're chasing after this, from a security protection standpoint, it's probably not going to work as a defense mechanism. You have to kind of be out in front of it and see what's going to happen next. And that's what we as ethical hackers will do. We will say: Okay, we're not going to be reactive; we are going to test for all of those things, but we're going to be proactive. What evil thing can I come up with, using my evil powers for good, to figure out exactly what's going to happen next?


Data Breach Investigations Report (DBIR)

Annual study conducted by Verizon RISK Team with cooperation from US Secret Service

2014 Report Highlights:

• Shift in targeted information; from geopolitical attacks to large-scale attacks on payment card systems

• Nine out of ten of all breaches can be described by nine basic patterns:

*source: http://www.secretservice.gov/Verizon_Data_Breach_2014.pdf

**005 You could also look at the Data Breach Investigations Report; and this is a study by Verizon. What's really nice is they give this out to everybody. You'll notice the link at the bottom: secretservice.gov and then the PDF for 2014. You can look at these highlights, these reports here, and they look at the targeted information. Where are people being attacked? Who is being attacked? What is the vector, if you will? And when you look at the nine out of ten breaches that are in there, you'll look at these patterns that they have pulled up over time. Look at the difference between 2013 and, say, 2011 when it comes to point of sale. There's a radical fluctuation in this. We as certified ethical hackers have to think about how we are going to project into the future for our client and attack them before the bad guy does.

DBIR Top 20 Varieties of Threat Actions Over Time

*source: http://www.secretservice.gov/Verizon_Data_Breach_2014.pdf

**006 Now here's a list over time, where we talk about the top 20 varieties of threat actions over a period of time. When you look at this diagram right here, you can see that some things rise and fall, sometimes very rapidly; and that's because vendors all figure out a way to protect against it. Or they increase radically-- like use of stolen credit cards went way up the list from 2010 to 2011. The variety of threats and actions over time from these data breach reports tells us that the attackers are going into different areas over time; and as penetration testers, well, we need to do that exact same thing. We need to say: Hey, you know what? I'm going to try something new. Remember, surround yourself with a group of people-- and don't think that you can do it all at once-- and say: Hey, what are you working on? I think that, you know, this particular attack or this particular technology-- and continually learn the new technologies that are going to be put into the enterprise. And learn how those things are administrated; how administrators become lazy, complacent or forgetful, or don't realize the unintended consequence of putting that tool on this particular environment; and figure out how they do those things; and then as a penetration tester attack in those areas to say: Yes, not only did we test everything that we did last year from the Top 20, but we attacked in this new way over here; and here's how you protect yourself.


Effects of Hacking on Business

Loss of Competitive Advantage
• Theft of Intellectual Property, bid information, or other strategic information

Loss of Revenue
• DDoS attack against a major online store, like amazon.com
• Customers don’t trust your systems, choose competitors

Embarrassment
• Website defacement or loss of customer information

Negative Reputation
• Customer Social Security Numbers or other PII stolen from a “trusted” company
• Target point-of-sale breach in 2013 impacted holiday sales, CEO was fired

**007 When we look at the effects of hacking on business, what could be the problem? Because that's what business wants to know. They want to know: Okay, it's great that you can do a buffer overflow on us. We don't really know what that means. So, you know, what's in it for us or against us, if you will. And the first thing that happens in a business is the business is moving along. It's trying to go ahead and optimize its resources and doing its investments. They do a risk analysis on a protection basis and on an attack of the market; in other words, spending money on new technology so that they can move forward, so that they can gain competitive advantage for a period of time. Now this can flow over; this loss of competitive advantage, loss of revenue, this embarrassment can flow over into a negative reputation. When we look at negative reputation, sometimes this can drive customers away, future customers away from that organization; and there are plenty of examples of negative reputation out there where you're not as secure. Negative reputation has a real effect, in some cases. Now in other cases people aren't paying attention. Let's talk about two cases where negative reputation really hurts, based on time and attention in the market, and really doesn't hurt. So if you look at TJX and their very public attack that happened to them. They did have to pay a lot of fines. But if you go into any TJX outlet at this point, are people still shopping there? Yes they are. They're doing their thing. They're going in there and saying: Yes, I need a cheap umbrella; let me go ahead and buy one. Are they using their credit card? Yes, they're using their credit card. I watch them swipe their credit cards over and over and over again; especially at the holiday season. So it did cost TJX a lot of money, but it was mostly on the punitive damages side. Let's look at something that had no real hack in the market but from a reputation standpoint really, really hurt an organization. About seven or eight years ago what happened was there was a contractor that they had contracted to refresh laptops for them and service laptops. The contractor had insurance; the contractor had an agreement. They were supposed to follow the agreement. They didn't follow the agreement, and what happened? Well, six laptops were stolen out of the trunk of one of the service people's car. Were there any records exposed? Well, it's unknown. But at that particular time it was a slow news day. So what happens? Well, they get their name splashed all over the front page; and it hurt their stock price for a full quarter. They did nothing wrong-- the vendor did something wrong-- and there was no proof of a true hack.


What is “Ethical Hacking”?

Ethical Hacking - The learning, developing, and use of tools and techniques to exploit vulnerabilities in systems or networks with the purpose of hardening and securing a system or network.

CEH Definition - To help organizations take preemptive measures against malicious attacks by attacking systems themselves, all the while staying within legal limits.

**008 Okay, so I've been throwing around the term "ethical hacker." Well, what is ethical hacking? It's doing what the adversary would do before they do it, so that the organization can create defenses to protect against that attack. It's doing all of the different possible attacks within the scope of an engagement that the organization has the time to actually pay you to do; or if you're an internal person, actually give you that time and space, project-wise. And then also, more importantly, in ethical hacking we want to give them actionable things. We can't-- we can say: Well, Martians could land on the building. You'd say: Well, what are we going to do about Martians landing on the building? There isn't anything really that we can do about that. So an ethical hacker is that person that does it before the attacker does, for the company, so the company can protect themselves. Now a couple of things. If you look at the definition here it says "while staying within the legal limits." In all cases, as an ethical hacker, here's the rule. First, get it in writing. Make sure that you have your clear scope and that that scope has been signed off on by the people that are working in the organization. Make sure that you have a process. If this is internal to your organization and you're doing ethical hacking for somebody that you work for, make sure that they have the right to do that; because it may be that I'm in charge of the Human Resources Department and I'm the senior leader in that particular location and I give you authority to do this; but the system that you're attacking is the network services or the payroll system that's not under Human Resources and is guided by somebody else. So when you do your scoping documents and when you talk to them, make sure that they have the authority to allow you to go and do that attack over there.

This is a very sticky thing. One of the things that's not talked about in penetration testing is the checking in. So we're going to talk very technically about each one of the 20 different things that we're doing. But we need to say: Okay, this is the step that I've done in reconnaissance, these are the things that I have found. And in that reconnaissance, are we ready to go forward? And checking back in with the customers. Now some customers don't want to do that; they want to say: Hey, go off into your evil lair, figure out this thing and come back and tell us what's going on. Well, that's fine; but then realize the repercussions of that if your scope goes too wide. Make sure that you have a very clearly defined scope, within the legal limits. Now there are a lot of things that are not very nice that are very legal. When we get to the social engineering aspect of this course, realize that there are a lot of things that you can do legally that will, from a reputation standpoint internally to the company, really hurt the company with its employees if you're not careful. So there are plenty of things that are legal that are still off limits and still outside the scope.


Why perform “Ethical Hacking”?

Just as non-malicious tools can be used for malicious purposes

• Using psexec.exe to open a shell on a remote box, done by an administrator…perfectly harmless, done by a hacker with malicious intent, very harmful…

Malicious tools can be used by network administrators to harden their networks

• Using an attack framework, like Metasploit, to ensure a patch really fixes a known vulnerability…

**009 Okay, so why do we do this, why do we do the ethical hacking? Well, because what we want to do is we want to say: Hey, look, do you realize that there's a tool out here that could be used for evil but also could be used for good? As network administrators we may do packet traces to analyze the data that's flowing across. An attacker would say: I'm going to do packet traces or packet captures; and then analyze the traffic to see that there's a clear text password that's being passed back and forth on this network. The network administrator goes: Oh, I'm not supposed to see that password. Oh well, we need to fix this protocol, this mechanism, because it's not working for us; because we need to make sure that we don't pass clear text, because I know that we're regulated by this regulation or that regulation and that regulation says no clear text passwords, and here I'm seeing one that says the username is User and the password is Password. Okay, that's probably inappropriate. We do it then before the attacker does it. So we use those tools; and some of these tools are really, really evil. When I use Metasploit, I don't say that Metasploit is evil. I say Metasploit is a tool that will allow the attacker to do a series of attacks against unpatched boxes with little or no effort. They don't actually have to code the buffer overflow; the buffer overflow is loaded into their framework.


Hacking vs. Ethical Hacking

Hackers are defined by intentions.

Hacking without the system owner’s permission is illegal.

Ethical hackers are employed either through contracts or direct employment to test the security of an organization.

Ethical hackers gain permission from the system owner before carrying out their attack against the system.

An ethical hacker does not reveal the weaknesses of an evaluated system to anyone other than the system owner.

Ethical hackers work under contract for a company or client, and their contracts specify what is off-limits and what they are expected to do.

**010 Okay, now let's break off hacking and ethical hacking. Hacking used to be thought of as a really nice, clean, neat term, which was tinkering with or playing with. As a child I always took apart my toys; after I played with them for a little while I took them apart and tried to figure out how they worked, and then I tried to put them back together again; and you know what happens when you try to put it back together again: there's always parts left over. It still works, but those parts-- why does it still work when I don't have those parts? Sometimes I'd put it back together and it wouldn't work. That used to be the old way to talk about it. Now when we talk about hacking and ethical hacking, we'll say that hacking has a negative connotation and ethical hacking has a positive connotation. So when we talk about legal versus illegal, hacking today is inappropriately testing against a network for some sort of negative intention: I want to steal from you. And we'll talk about the motivations in a second. Ethical hacking says: I want to do this now as a contractor for the company, as a worker for the company, under the scope and authority of the company so that I can protect the organization.


The Certified Ethical Hacker (CEH)

The purpose of the CEH credential is to

• Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.

• Inform the public that credentialed individuals meet or exceed the minimum standards.

• Reinforce ethical hacking as a unique and self-regulating profession.

**011 Certified Ethical Hacker says: Okay, you want to test? We believe that you want to test and you want to use your skills for good. We need to create a minimum standard. Now this is not the pinnacle. If you are a certified ethical hacker, you are not the tip of the spear, as it were, but you have the minimum understanding of all the different 20 areas so that you can understand and communicate and convey that to somebody else. I don't know that the EC-Council has that tip-of-the-spear kind of certification out there. That's for you to check out and decide for yourself. For us, what we're doing is we're going to say: Here, here's the minimum standard-- when we get that blessing like I have from version 6 all the way up through version 8. That I understand the components of penetration testing,

Required Ethical Hacking Skills

Must be well versed in computer programming, networking and operating system concepts.

Beneficial to understand more than one OS (Windows, Linux or Unix).

Familiar with network protocols/services.

Familiar with vulnerability research.

**012 Okay, what do you need to do this? Okay, well, you need to do a little bit of programming. I would say that at a minimum you have to be able to do scripting. So learn a scripting language. Now we talked about Metasploit before. Metasploit, the framework, is written in Ruby; and so if I had to pick one language that I would learn as far as scripting and programming is concerned, I think Ruby would be a really good idea. But it's more than just scripting. You also have to know different operating systems. Now you can specialize in a particular operating system. I have people that specialize in just the Mac OS; even though some people would say, well, underneath a Mac it really is BSD, and underneath of BSD that's really Unix, and it all comes back to Unix. Beyond that, they have to know the programs that are used. For instance, when we're talking about web application programming they probably should know the Linux operating system, Apache, MySQL and PHP, what's sometimes referred to as LAMP. They need to know that suite of tools that makes up webservers today for the open source side of things. You should also know your protocols. Now going back to the introduction, one of the things I said is learn your packet captures; use packet captures to be scientific. And what I will say to you is the only way to really know your network protocols is to actually capture packets, capture conversations, and look at what transpires between them from source to destination. Remember, do that in your testing environment; don't do that on your production environment. Be familiar with those network protocols and how they work. What's the setup and teardown of those protocols? What is normal traffic versus what's abnormal traffic? This will also help you when you're dealing with sniffing or you're doing any kind of evasion for intrusion detection systems. Intrusion detection systems look at what's normal communication going back and forth, and what is abnormal. So what you need to do is you need to attack in a way that is abnormal, that gets you access, but not too abnormal so that you get detected by intrusion detection systems. So you've got to know your protocols pretty deep. You also want to look at vulnerability research. Now one of my favorite places to go for vulnerability research is osvdb.org-- Open Source Vulnerability Database. The reason why I like it is not only does it have a list of all the stuff from MITRE, CVE and the National Vulnerability Database-- it respects that and actually maps to that-- but it goes beyond that. It goes into the uncharted area of "we think that this is an exploit but we haven't seen any exploit code for it," and it starts tracking it early. So you have to know the vulnerability research that's out there.
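Both the "username is User, password is Password" story under Why perform "Ethical Hacking"? and the advice above to learn protocols by capturing conversations come down to one exercise: walk a capture and find credentials that crossed the wire in the clear. The script below is an added example written for this transcript; it is not code from the lecture, the slides, or any tool the instructor mentions. It parses a classic little-endian pcap (Ethernet/IPv4/TCP only, no TCP reassembly, so a password split across two segments is missed) and flags FTP USER/PASS commands, HTTP Basic headers and HTTP form fields. All hosts, ports, credentials and the capture itself are constructed inline for the example; build_frame and build_pcap exist only to make that constructed input, and would be replaced by reading a real capture file from your test environment, never production.

```python
"""Find credentials sent in the clear in a (constructed) pcap capture."""
import base64
import re
import struct

# Constructed addresses for the sample traffic; they are not from the lecture.
CLIENT, SERVER = "10.0.0.5", "10.0.0.20"


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II / IPv4 / TCP frame. Checksums are left zero: the
    scanner never validates them and this is only constructed test input."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,     # ports, seq, ack
                      5 << 4, 0x18, 8192, 0, 0)              # data offset 5 words, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xA1B2C3D4, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in the capture."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                                 # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # IP protocol != TCP
            continue
        ip_hdr, tcp_start = frame[14:14 + ihl], 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
        doff = (frame[tcp_start + 12] >> 4) * 4
        src = ".".join(map(str, ip_hdr[12:16]))
        dst = ".".join(map(str, ip_hdr[16:20]))
        yield src, dst, sport, dport, frame[tcp_start + doff:]


FTP_RE = re.compile(rb"^(USER|PASS) (\S+)", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
FORM_RE = re.compile(rb"(?:^|&)(user(?:name)?|pass(?:word)?)=([^&\r\n]*)")


def find_cleartext_credentials(pcap):
    """Return (protocol, src, dst, field, value) tuples for credentials sent in the clear."""
    hits = []
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        if dport == 21:                                      # FTP control channel
            for cmd, arg in FTP_RE.findall(payload):
                hits.append(("ftp", src, dst, cmd.decode().lower(), arg.decode()))
        elif dport == 80:                                    # plain HTTP
            for token in BASIC_RE.findall(payload):
                user, _, password = base64.b64decode(token).partition(b":")
                hits.append(("http-basic", src, dst, "user", user.decode()))
                hits.append(("http-basic", src, dst, "password", password.decode()))
            body = payload.split(b"\r\n\r\n", 1)[-1]         # form fields live in the body
            for field, value in FORM_RE.findall(body):
                hits.append(("http-form", src, dst, field.decode(), value.decode()))
    return hits


def sample_capture():
    """Constructed capture: an FTP login, an HTTP Basic request, a form POST, and one
    TLS-looking segment on 443 that correctly yields nothing (the scanner cannot see inside it)."""
    frames = [
        build_frame(CLIENT, SERVER, 40001, 21, b"USER User\r\n"),
        build_frame(CLIENT, SERVER, 40001, 21, b"PASS Password\r\n"),
        build_frame(CLIENT, SERVER, 40002, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"admin:s3cret") + b"\r\n\r\n"),
        build_frame(CLIENT, SERVER, 40003, 80,
                    b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"username=User&password=Password&submit=1"),
        build_frame(CLIENT, SERVER, 40004, 443, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for hit in find_cleartext_credentials(sample_capture()):
        print(*hit)
```

Running the script prints six findings: the FTP USER/PASS pair, the decoded Basic credentials, and the two form fields; the TLS segment produces none. The regexes are deliberately narrow so the output is something you can hand to an administrator as evidence of a specific protocol to fix, rather than a pile of false positives; widening them (POP3, IMAP, Telnet, SMTP AUTH PLAIN) is the obvious next step once the parsing scaffold is in place.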

Notices

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
