Presented By: Bryan Miller CCIE, CISSP - ISACA Pres...

Page 1:

Presented By:

Bryan Miller, CCIE, CISSP

Page 2:

Speaker Introduction

Risks

Controls

Why We Should Pen Test

Why We Don’t Pen Test

Tools & Techniques

Low Hanging Fruit

Case Studies

Copyright 2010 Syrinx Technologies 2

Page 3:

Biography

B.S. – Information Systems – VCU

M.S. – Computer Science - VCU

CCIE, CISSP

Former Cisco CCNA Instructor at John Tyler & J. Sargeant Reynolds Community Colleges

Lecturer at VCU Fast Track Executive Master of Science (FTEMS) Program

Adjunct Faculty in Information Systems and Computer Science at VCU

President, Syrinx Technologies & Partner at eHealthSecurity

Page 4:

Types of Risks

Reputational – public image

Financial – protecting monetary funds

Strategic – goals of the organization

Compliance – laws and regulations

Dealing with Risk

Avoid – never try anything new

Transfer – buy lots of insurance

Mitigate – better planning

Accept – go ahead and jump

Page 5:

Categories of Controls

Preventative - deter inappropriate events from happening

Separation of duties, proper authorization and physical control over assets

IT – firewalls, anti-virus, encryption

Detective - actions that are taken to detect and correct undesirable events that have already occurred

Physical inventories, reconciliations and audits

IT – vulnerability scan, Intrusion Detection System

Page 6:

Types of Controls

Physical – physical security of a server

“Hardware keyboard logger”

Technical – password complexity enforcement through an operating system setting (GPO)

“ophcrack”

Administrative – written policies, reviews

“Social Engineering”

Page 7:

Page 8:

Satisfy legal/governmental/industry requirements (HIPAA, GLBA, SOX, FISMA, PCI).

Often required by internal/external auditors.

Validate existing technological controls.

Page 9:

Raise overall security awareness.

Test Intrusion Detection/Prevention Systems, including incident handling procedures.

New management: Provides a great security baseline.

Mergers/Acquisitions: Evaluate their security before integrating systems.

Page 10:

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker.

A vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. No actual system compromises occur.

Page 11:

Two types of pen tests:

"White box" – uses vulnerability assessment and other pre-disclosed information.

"Black box" – performed with little or no knowledge of the target systems.

Which one do we choose?

Vulnerability assessments answer the question: "Where are our weaknesses?"

Penetration tests answer the question: "Can someone break in and what can they access?"

Page 12:

If you tell us what’s wrong, we’ll have to fix it.

We already know where everything is broken.

We don’t have anything that hackers want.

Page 13:

Our employees aren’t smart enough to do that kind of thing.

We trust our employees.

We can’t afford it.

We’re too small to matter.

Page 14:

Start with a proven methodology.

Reconnaissance

Scanning

Verification

Use a variety of tools and don’t trust any tool too much.

Test everything with an IP address.

Every device is important, otherwise disconnect it.

Page 15:

Categories of tools:

Research

Port/Vulnerability Scanners

Wardialing/Wardriving

Application-specific scanners (Web servers, OS specific, Database)

Password cracking

Frameworks (Metasploit, BackTrack, Samurai)

Social Engineering

Page 16:

Policy & Procedures:

Lack of proper physical security.

Sensitive data stored without encryption.

Sensitive data transmitted/stored in email.

Common passwords across different platforms and/or architectures.

Page 17:

Patch Management:

Verify that patches are actually applied.

Make sure to patch desktops and servers.

It is important to patch operating systems and applications.

Don’t forget appliances and other network infrastructure devices.

Page 18:

Password Management:

Default Simple Network Management Protocol (SNMP) community strings.

Default database passwords (MS SQL, Oracle, MySQL).

Default passwords in Compaq Insight Manager (CIM).

Default passwords on infrastructure devices.
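As an added defender-side example (not part of the presentation), the following Python script audits Cisco IOS-style configuration backups, such as the ones found on the NAS in the first case study, for the SNMP weaknesses this slide and the case studies describe: default community strings, read-write communities, and communities with no access-list restricting who may query them. The `audit_snmp` helper, the default list and the sample config text are constructed assumptions, not the presenter's material.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical audit helper (not from the presentation). Well-known vendor
# defaults; extend with whatever your own devices ship with.
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS-style syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
SNMP_LINE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<community>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<access>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    community: str
    access: str           # "RO" or "RW"; IOS defaults to RO when omitted
    acl: Optional[str]    # access-list restricting SNMP sources, if any
    reasons: List[str]

def audit_snmp(config_text: str) -> List[Finding]:
    """Return one Finding per 'snmp-server community' line that is weak."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = SNMP_LINE.match(line)
        if not m:
            continue
        community, acl = m.group("community"), m.group("acl")
        access = (m.group("access") or "RO").upper()
        reasons = []
        if community.lower() in DEFAULT_COMMUNITIES:
            reasons.append("default community string")
        if access == "RW":
            reasons.append("read-write community permits configuration changes")
        if acl is None:
            reasons.append("no access-list limits which hosts may query")
        if reasons:
            findings.append(Finding(line_no, community, access, acl, reasons))
    return findings

# Constructed sample config (not a real backup) mirroring the case-study findings.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0t-a-default RO 10
snmp-server community legacy
"""
```

Running `audit_snmp(SAMPLE_CONFIG)` flags lines 2, 3 and 5; the non-default, ACL-restricted read-only community on line 4 passes.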

Page 19:

Each of these 4 cases is real. There are many more.

The names and specifics have been changed to protect the innocent and the clueless.

Each case provides an example of the “domino effect”.

Note that in each case nothing alerted the client to what was going on.

Page 20:

Large non-profit company running Lotus Notes with many branch offices.

One branch had a blank administrator password.

The Virtual Network Computing (VNC) password was the domain admin password.

Same password provided access to network-attached storage (NAS).

While examining file systems a file was found with backup Cisco configurations.

Page 21:

During wardialing at a law firm, a Shiva LanRover was found using Novell authentication.

Oracle servers were accessed using default passwords.

Cisco infrastructure compromised due to default read-write SNMP community string.

Connected via FTP to Novell server, viewing sensitive configuration files.

Accessed many UNIX machines, decrypting several password files.

Page 22:

Large financial company in multiple states.

Accessed several internal applications using default login credentials.

Accessed configuration file left by a developer containing database login credentials.

Using these credentials, accessed sensitive client data including SSNs and credit card numbers.

Several devices compromised by downloading manuals from Internet.

Page 23:

Large non-profit organization.

Several PCs missing "old" patches.

Default SNMP community strings.

Blank database passwords allowed access to donor database.

Connected to another database and discovered credit card data.

Social engineering provided access to 5 buildings/server closets.

Page 24:

What did we learn? The 3 P's

Policies & Procedures

Patch Management

Password Management

The majority of the remediation efforts are not costly in resources (human, technology, financial).

The biggest changes have to occur with users, systems administrators and developers.

Page 25:

Thank You Very Much for Your Time and Attention!
