monday, september 23, 2013 - information technology - … · 2015-05-02 · real-world we45 case...

Monday, September 23, 2013


Page 1: Monday, September 23, 2013 - Information Technology - … · 2015-05-02 · Real-world we45 Case Study on Security Testing ... Vulnerability Assessment ... Give me some examples of

Monday, September 23, 2013

Page 2

About we45

Focused Information Security Testing, Consulting and Training firm

Accredited with NASSCOM and Data Security Council of India (DSCI)

Showcased as one of Karnataka’s Top 20 Startups in 2010

Dedicated Security Professionals who have performed over 200 Information Security Assessments

Application / Product Security methodologies agnostic of Platform and Programming Language

Specialized in Compliance engagements and certifications such as ISO 27001, PCI-DSS, PA-DSS, HIPAA, the Indian IT Act, etc.

Page 3

we45 service lines

weEquip Training Services

weConsult Consulting Services

weAssure Security Testing Services

Page 4

Our Session today....

Information on a $40 million cardholder data breach

Real-world we45 Case Study on Security Testing

Stories on Information Security and Security Testing

Page 5

A recent data breach...

Leading bank in the MENA region

Over $40 million stolen - Card Fraud

Bank’s card processing infrastructure breached

Effective Web Application Attack

Page 6

Anatomy of the Attack

Attacker utilized a technique called “Forced Browsing”

Accessed a privileged application console page

Gained Access to the Database containing Prepaid Card Data

Increased limits on 12 prepaid cards

Duplicated the cards - over 1000

Withdrawals Galore!! $$$$

Page 7

The Sad Part.....

Common Attack Vectors that we see and use every day in our security tests.

Basic Things were missed

Simple, but Effective Attack Vectors were missed

Page 8

Case in Study - ABC Manufacturing Co

Page 9

Some facts - ABC Manufacturing

Critical R&D Information

Multiple Locations - Mature IT Deployment

Custom Web Apps and SAP Deployment

Private MPLS Cloud with multiple Network deployments

Tested multiple times over for security, but IT Management unsatisfied with results

Page 10

Our goal

Get access to critical R&D Information of ABC Manufacturing - externally AND/OR Internally

Use all methods to gain access to critical R&D Information

Simulate EVERYTHING as close to a real attacker as possible

Page 11

The Incursion...

Client’s Custom Web App - HR

Backend Database - HR

The Database was running as ‘root’

Some interesting features were enabled.....

SQL Injection

Page 12

The attack...

Compromising the public facing web application and database

MSSQL - xp_cmdshell

Root Access on the Windows Server

Using exploits to elevate privileges to Domain Administrator

Logging into the R&D Server with “Domain Admin” Credentials

Complete Compromise of Critical R&D Information
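The chain above works only because two conditions hold at once: the database login used by the web application is sysadmin (the "running as root" finding) and xp_cmdshell is enabled. The following T-SQL audit is an added example, not material from the we45 deck or the client engagement; it uses only standard SQL Server catalog views and sp_configure options and assumes no client-specific login or database names.

```sql
-- Added defender-side audit for a SQL Server instance behind a web application.
-- It reports the two conditions the case study chained together and then disables
-- xp_cmdshell. Run it with a sysadmin login; nothing here is client-specific.

-- 1. Server options that turn a SQL injection into operating-system access.
--    value_in_use = 1 means the feature is currently enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'clr enabled',
               'Ad Hoc Distributed Queries');

-- 2. Every login that holds the sysadmin fixed server role.
--    The login the web application connects with must NOT appear in this list;
--    if it does, any injection in the app already has full control of the server.
SELECT sp.name      AS login_name,
       sp.type_desc AS login_type,
       sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;

-- 3. Disable xp_cmdshell. 'show advanced options' has to be on to touch it,
--    so it is switched on, the change is applied, and it is switched back off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm the change took effect (expect value_in_use = 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Step 3 on its own is not a fix: a login that is still sysadmin can re-enable xp_cmdshell through the same injection with the same sp_configure calls, so the application login also has to be removed from sysadmin and reduced to the database permissions the application actually needs.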

Page 13

The ‘Professional’ Testing Company

Seamless Contact - ‘Seamless’

A SMS Gateway Application for several companies including Fortune 500 companies

Tested for three years by an Information Security Testing Company

Clean Reports were the norm.....

Page 14

The Problems we saw....

No Method to the Madness

The VA as PT

The river runs shallow....

All those fancy tools....

The Tales from the Cryptic Report

Page 15

What’s Methodology?

We asked our client - “Did you check for methodology?”

There didn’t seem to be one

Not enumerated in the report

That was a BIG problem

Page 16

Methodology - Some Examples

Page 17

Methodology - The Benefits

Consistent!

Repeatable!

Comprehensive!

Qualitative!

Page 18

Good Questions - Methodology

What Methodology do you use for testing?

PTES, OSSTMM and others

Explain multiple steps in the methodology.

How do you ensure that you don't miss results?

Page 19

The VA as the PT

Vulnerability Assessment - Structured Process for IDENTIFYING Vulnerabilities and Reporting on them

Penetration Test - Structured Process for IDENTIFYING Vulnerabilities, EXPLOITING them as feasible

Page 20

Benefits of a Penetration Test

Proof of Concept! Deeper Access!

Test of Compensating controls!

Simulating Real Attackers!

Page 21

Good Questions

How do you execute Penetration Tests?

Give me some examples of some Penetration Attempts that you have performed.

Page 22

Are you testing for this?

Information Leakage

Looking Deeper....

Page 23

All those fancy tools...

Page 24

Skills, NOT Tools....

Tools - Limited in their scope and capability

Tools - Must be used to enhance. NOT Primary Factor

Multiple tools - for multiple dimensions of a test

Hybrid Method WORKS!

Page 25

Tales from a Cryptic Report

Page 26

Cryptic Reports

Security Testing Reports - LONG and BORING

They are like reference books that are never used

Executive Summaries - Laboured and Highly ‘Jargonized’

Findings - Wrong or Different Company

IT Teams - Unable to focus and prioritize

Lost in Translation

Page 27

What are Great Reports?

Simple, Action Oriented

Multiple Recommendations

Business Impact - Exec Summary

Prioritized Findings - Metrics, Closure Trackers

Page 28

Our Approach - Presentation

Presentation to IT and Senior Management

Greater Interaction

Deeper Engagement

Greater Confidence

Page 29

Good Questions - Reporting

What is your reporting structure?

Show me some sample Security Test Reports

Page 30

Conclusion

Good Security Testing - Exponentially increases security posture

The best way to evaluate security implementation

Provides great value and insight
