monday, september 23, 2013 - information technology - … · 2015-05-02 · real-world we45 case...
Monday, September 23, 2013
About we45
Focused Information Security Testing, Consulting and Training firm
Accredited with NASSCOM and Data Security Council of India (DSCI)
Showcased as one of Karnataka’s Top 20 Startups in 2010
Dedicated Security Professionals who have performed over 200 Information Security Assessments
Application / Product Security methodologies agnostic of Platform and Programming Language
Specialized in Compliance engagements and certifications like ISO 27001, PCI-DSS, PA-DSS, HIPAA, Indian IT Act, etc.
we45 service lines
weEquip Training Services
weConsult Consulting Services
weAssure Security Testing Services
Our Session today....
Information on a $40 million cardholder data breach
Real-world we45 Case Study on Security Testing
Stories on Information Security and Security Testing
A recent data breach...
Leading bank in the MENA region
Over $40 million stolen - Card Fraud
Bank’s card processing infrastructure breached
Effective Web Application Attack
Anatomy of the Attack
Attacker utilized a technique called “Forced Browsing”
Accessed a privileged application console page
Gained Access to the Database containing Prepaid Card Data
Increased limits on 12 prepaid cards
Duplicated the cards - over 1000
Withdrawals Galore!! $$$$
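The console page in this breach was reachable simply by requesting its URL. The defence is deny-by-default authorization on every route, enforced from the server-side session rather than from whether a link is displayed. The following is an added example, not code from the we45 deck or from the bank; the routes, roles and request shape are assumed for illustration, and the denied requests are logged because a burst of 403s on privileged paths from one client is the signature of forced browsing.

```python
# Added example (not from the we45 deck): deny-by-default route authorization
# so a privileged console page cannot be reached by guessing its URL.
# Routes, roles and the Request shape are assumed for illustration.
from dataclasses import dataclass
import logging

log = logging.getLogger("authz")

# Every route is registered with the roles allowed to reach it.
# A path not listed here is denied, whether or not the UI links to it.
ROUTE_ROLES = {
    "/": {"anonymous", "user", "admin"},
    "/account": {"user", "admin"},
    "/admin/console": {"admin"},        # the privileged console page
    "/admin/cards/limits": {"admin"},   # e.g. prepaid card limit changes
}

@dataclass
class Request:
    path: str
    role: str = "anonymous"   # taken from the server-side session, never from the URL
    client_ip: str = "0.0.0.0"

def authorize(req: Request) -> int:
    """Return an HTTP status: 200 allowed, 403 forbidden, 404 unknown route."""
    allowed = ROUTE_ROLES.get(req.path)
    if allowed is None:
        return 404
    if req.role not in allowed:
        # Record the denial: repeated 403s on /admin/* from one IP are worth an alert.
        log.warning("forced-browsing attempt: role=%s path=%s ip=%s",
                    req.role, req.path, req.client_ip)
        return 403
    return 200

def handle(req: Request) -> str:
    status = authorize(req)
    if status != 200:
        return f"{status} denied"
    return f"200 {req.path}"   # the real page handler would be dispatched here

if __name__ == "__main__":
    print(handle(Request("/admin/console")))                # 403 denied
    print(handle(Request("/admin/console", role="admin")))  # 200 /admin/console
```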
The Sad Part.....
Common Attack Vectors that we see and use every day in our security tests.
Basic Things were missed
Simple, but Effective Attack Vectors were missed
Case in Study - ABC Manufacturing Co
Some facts - ABC Manufacturing
Critical R&D Information
Multiple Locations - Mature IT Deployment
Custom Web Apps and SAP Deployment
Private MPLS Cloud with multiple Network deployments
Tested multiple times over for security, but IT Management unsatisfied with results
Our goal
Get access to critical R&D Information of ABC Manufacturing - externally AND/OR Internally
Use all methods to gain access to critical R&D Information
Simulate EVERYTHING as close to a real attacker as possible
The Incursion...
Client’s Custom Web App - HR
Backend Database - HR
The Database was running as ‘root’
Some interesting features were enabled.....
SQL Injection
The attack...
Compromising the public facing web application and database
MSSQL - xp_cmdshell
Root Access on the Windows Server
Using exploits to elevate privileges to Domain Administrator
Logging into the R&D Server with “Domain Admin” Credentials
Complete Compromise of Critical R&D Information
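The chain above started with a SQL injection in the HR web application. The root cause and its fix are shown below as an added example (not code from the we45 engagement): an injectable lookup that concatenates input into the query, beside the parameterized version, run against a constructed in-memory SQLite table. The HR table, the lookup function and the test input are assumed for illustration; the same fix applies unchanged to MSSQL. Parameterization removes the entry point; running the database as a low-privilege account and leaving xp_cmdshell disabled, as the deck implies, limits what a remaining injection could reach.

```python
# Added example (not from the we45 deck): injectable query beside its
# parameterized replacement, against a constructed in-memory SQLite table.
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample HR table; names and departments are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees (name, dept) VALUES (?, ?)",
                     [("Asha", "HR"), ("Ravi", "R&D"), ("Meera", "R&D")])
    return conn

def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: the caller's input becomes part of the SQL grammar.
    sql = "SELECT name, dept FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the input is passed to the driver as data, never as SQL.
    return conn.execute("SELECT name, dept FROM employees WHERE name = ?",
                        (name,)).fetchall()

# Constructed test input: a tautology that turns the WHERE clause into "always true".
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(find_by_name_vulnerable(conn, "Asha"))      # [('Asha', 'HR')]
    print(find_by_name_vulnerable(conn, TAUTOLOGY))   # every row: the filter is bypassed
    print(find_by_name_safe(conn, TAUTOLOGY))         # []: no employee has that literal name
```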
The ‘Professional’ Testing Company
Seamless Contact - ‘Seamless’
A SMS Gateway Application for several companies including Fortune 500 companies
Tested for three years by an Information Security Testing Company
Clean Reports were the norm.....
The Problems we saw....
No Method to the Madness
The VA as PT
The river runs shallow....
All those fancy tools....
The Tales from the Cryptic Report
What’s Methodology?
We asked our client - “Did you check for methodology?”
There didn’t seem to be one
Not enumerated in the report
That was a BIG problem
Methodology - Some Examples
Methodology - The Benefits
Consistent!
Repeatable!
Comprehensive!
Qualitative!
Good Questions - Methodology
What Methodology do you use for testing?
PTES, OSSTMM and others
Explain multiple steps in the methodology.
How do you ensure that you don't miss results?
The VA as the PT
Vulnerability Assessment - Structured Process for IDENTIFYING Vulnerabilities and Reporting on them
Penetration Test - Structured Process for IDENTIFYING Vulnerabilities, EXPLOITING them as feasible
Benefits of a Penetration Test
Proof of Concept! Deeper Access!
Test of Compensating controls!
Simulating Real Attackers!
Good Questions
How do you execute Penetration Tests?
Give me some examples of some Penetration Attempts that you have performed.
Are you testing for this?
Information Leakage
Looking Deeper....
All those fancy tools...
Skills, NOT Tools....
Tools - Limited in their scope and capability
Tools - Must be used to enhance the test, NOT as the primary factor
Multiple tools - for multiple dimensions of a test
Hybrid Method WORKS!
Tales from a Cryptic Report
Cryptic Reports
Security Testing Reports - LONG and BORING
They are like reference books that are never used
Executive Summaries - Laboured and Highly ‘Jargonized’
Findings - Wrong or Different Company
IT Teams - Unable to focus and prioritize
Lost in Translation
What are Great Reports?
Simple, Action Oriented
Multiple Recommendations
Business Impact - Exec Summary
Prioritized Findings - Metrics, Closure Trackers
Our Approach - Presentation
Presentation to IT and Senior Management
Greater Interaction
Deeper Engagement
Greater Confidence
Good Questions - Reporting
What is your reporting structure?
Show me some sample Security Test Reports
Conclusion
Good Security Testing - Exponentially increases security posture
The best way to evaluate security implementation
Provides great value and insight