Tiger Teams! The new face of Penetration Testing

Justin Clarke CISSP CISM AIISP, Ivan Phillips MSc MBCS CITP NCSA

June 2006


Page 1

Tiger Teams! The new face of Penetration Testing

Justin Clarke CISSP CISM AIISP, Ivan Phillips MSc MBCS CITP NCSA

June 2006

Page 2

Agenda

• Our talk will cover the following topics:
– Web Application Hacking
– PBX, War Dialling & VoIP Hacking
– Wireless Hacking
– Physical & Social Engineering
– Some Overall Comments

• Instructor Introductions

• Audience technical level?

Page 3

What is Penetration Testing?

• Penetration testing may be loosely defined as:
– “An attempt to gain access to a client’s network, systems and data by simulating various threat groups (e.g. hackers, unethical competitors, disgruntled employees).”

• For maximum value, testing should simulate threat groups and scenarios that are relevant to your organisation.

Page 4

What is Penetration Testing?

• Uses various tools and techniques to identify, and try to exploit, security vulnerabilities in order to gain access to data and systems.

• May not produce a comprehensive list of all vulnerabilities within a client’s IT infrastructure, due to time limits and customer limitations.

• Because of this, risk management is imperative.

Page 5

Why perform Penetration Testing?

Penetration testing can help you answer:

• How security aware are my staff?

• How effective are my technical, physical and process based security mechanisms?

• How vulnerable are my home-grown web applications to attack?

• Are there unauthorised or insecurely configured wireless devices / modems present?

Example tests:

• Social engineering

• Logical & physical attacks (external / internal)

• Web application attacks

• Wireless & modem scans and attacks

Use Penetration Testing:

• As part of security improvement

• To aid awareness of vulnerabilities

• As part of the development process

• As a metric in security reporting from more than one provider

• To help meet regulatory expectations

Page 6

Penetration Tests vs. Hackers

• Hackers exploit the “path of least resistance”
– Penetration testers will attempt to find multiple points of entry

• Hackers use opportunistic approaches
– Penetration testing is methodical and repeatable, allowing easy verification

• Hackers seek to gain information, cause damage
– Penetration testers gain sufficient access to illustrate breaches and stop!

• Penetration tests are bounded by limitations which hackers do not face, such as:
1. Time bounded
2. Sensitive to the environmental restrictions
3. Tests may be narrow in scope, if required by client.

Page 7

Attack Sophistication

[Figure: Carnegie Mellon University chart of attack sophistication against intruder knowledge, 1980 to 2000 (axes: Intruder Knowledge, Attack Sophistication, Low to High; curves for Attackers and Tools). Plotted milestones: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network mgmt. diagnostics, GUI, automated probes/scans, www attacks, DDOS attacks, “stealth”/advanced scanning techniques, denial of service, packet spoofing, sniffers, sweepers, back doors, disabling audits. ©2001 Carnegie Mellon University]

As attacks get more sophisticated, intruders can be less skilled.

Page 8

The Problem!

[Diagram: corporate network with servers inside a physical building, bounded by a network perimeter (FW, VPN); connected parties shown: Internet traffic / Internet, WLAN, Remote User – Dial Up, Remote User – WiFi, Malicious User]

Page 9

Typical range of tests available

Internal A&P Testing:
• After being given a physical connection to a point on the client’s network, attempt to gain a privileged level of access to systems/data on that network
• Performed from network point(s) on the client site

Physical Security Testing:
• Attempt to gain unauthorised physical access to the client’s office / site, followed by an attempt to plug a laptop/device into the client’s network undetected
• No attempt to penetrate the client’s internal network

External A&P Testing:
• Attempt to penetrate the client’s network security perimeter in order to access client systems/data from the Internet
• May include techniques such as social engineering and ‘trophy’ gathering

External Vulnerability Scanning:
• Use commercially available software tools to perform vulnerability scanning of the client’s business critical servers and network devices
• No attempt to exploit potential vulnerabilities identified
• No investigation of false positives from the scanning tool(s)

Web / Application Testing:
• Attempt to circumvent the programming logic of a web site to gain unauthorised access to data or underlying systems.
• Can be done anonymously and/or with suitable credentials.

Social Engineering:
• Impersonation/deception techniques directed at targeted individuals in an attempt to obtain information that could be used to further other attacks

Remote Access / Wardialling:
• Dialling telephone number ranges allocated to the client in order to identify possible modems

Corporate Desktop / Laptop Build Assessment:
• Assess the security of your Standard Build

Wireless Testing:
• Scanning for wireless networks or devices within your premises which could potentially allow access to be gained to your internal network

Page 10

Web Application Hacking

June 2006

Page 11

A Real Risk

• 69% of publicly reported vulnerabilities for the last half of 2005 affected web applications
– Symantec Internet Security Threat Report, March 2006

• 41% of organisations have no formal security involvement in building web applications
– Ernst & Young Global Information Security Survey 2005

Page 12

The Problem

[Diagram: Web Traffic (HTTP(S)) arrives at the Web Server and Web App running on the Server OS, which also hosts other services (labelled RPC, Telnet, FTP, XXX); the Web App connects onward to the DB and the Mainframe]

Page 13

The Cause

• Custom development

• Functionality v Security

• Lack of security education

• Gaps in accountability

Page 14

The Cause (cont)

10 Most Critical Web Application Vulnerabilities

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross-Site Scripting (XSS)
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Data Storage
9. Denial of Service
10. Insecure Configuration Management

[Diagram: stack of layers Data, Application, Server/Services, Operating System, Infrastructure, with a “Traditional Security” label alongside]

Source: www.owasp.org
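The OWASP list above names the flaws but the deck shows no code for them. As an added example (not part of the original slides), the Python below puts items 1, 6 and 8 side by side: a login check that concatenates untrusted input into SQL and compares plaintext passwords, next to a version that allow-lists the username, binds the value as a parameter and compares salted password hashes. The demo account, salt and table layout are constructed for the illustration.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed demo account (not from the deck). The vulnerable path reads the
# plaintext column; the hardened path reads a salted PBKDF2 hash (item 8).
DEMO_USER = "admin"
DEMO_PASSWORD = "S3cret-pass"
SALT = b"constructed-demo-salt"          # a real system uses a random per-user salt
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite user table holding the demo account in both forms."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, pw_hash BLOB)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (DEMO_USER, DEMO_PASSWORD, hash_password(DEMO_PASSWORD)),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Items 1 and 6: untrusted input is concatenated straight into the SQL text,
    so whoever supplies the username controls the query structure, not just a value."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Allow-list the username (item 1), bind it as a parameter so it can only ever
    be a value (item 6), and compare password hashes in constant time (item 8)."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions on a fresh database."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "hardened": login_hardened(conn, username, password),
    }


if __name__ == "__main__":
    # A username carrying a quote and an SQL comment marker is enough to make the
    # concatenated query ignore its password clause; the hardened version rejects
    # it at validation before any SQL runs.
    for creds in [("admin", "S3cret-pass"), ("admin", "wrong"), ("admin' --", "x")]:
        print(creds, compare(*creds))
```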

Page 15

Web Application Hacking Demo

Page 16

Solutions

• Application Security Testing

• Security in the Development Process

• Education

Page 17

Application Security Testing

• Automated tools
– Efficient, but provides limited assurance
– Ideal for low and medium risk applications
– Can give a false sense of security

• Manual testing
– Internal or external vendor staff
– Requires specialist skills and training
– Time consuming and expensive
– Can provide a good level of assurance

Page 18

Testing Approaches

• Black Box: limited knowledge; application attack with no source code
• Grey Box: full knowledge; security code review with full front-end access
• White Box: full knowledge; security code review with no front-end access

Page 19

Security in the Development Process

• Involves internal or external security resources at key design and development milestones
– Cost effective, as issues can often be identified and solved at the design or specification phases

Page 20

Education

• Developers don’t deliberately develop insecure code

• A lot of commercial and free materials and organisations exist
– Open Web Application Security Project (http://www.owasp.org)
  • Secure Development Guide
  • Application Security Testing Guide

Page 21

Summary

• The Risk is Real – it is likely that this will only increase in the future

• Critical business data is being put on the web by organisations

• We need to consider the risks and how to mitigate them

Page 22

PBX, War Dialling and VoIP Hacking

June 2006

Page 23

Telecomms - a brief history (simplified!)

• Early networks used mainframes, connected to devices by dial-up modems.

• Later, modems connected companies to the Internet

• More recently modems have been replaced by broadband
– modems used for back door links

• Now voice traffic is sent over the Internet
– over Instant Messaging (IM)
– standalone applications (Skype)

Page 24

The Problem

[Diagram, as on page 8: corporate network with servers inside a physical building, bounded by a network perimeter (FW, VPN); connected parties shown: Internet traffic / Internet, WLAN, Remote User – Dial Up, Remote User – WiFi, Malicious User]

Page 25

How real is the risk?

• The toll fraud industry
– Expected to rise as next-generation wireless and internet services become more widespread.
– This is a huge industry in the UK in particular.

• Private Branch eXchange (PBX) Hacking
– The French authorities investigating the Madrid commuter train attack are checking a PBX at a bank near Paris for signs of hacking.

Page 26

The Problem – PBXs & Voicemail

• Disclosure of information, through listening to voicemail messages, etc.

• Modifying data, e.g. billing information

• Use of telecoms for illegal activities

• Denial of service

• Toll Fraud / Dial Through Fraud (most common)
– “A fraudster who has gained access to an organisation’s switchboard makes outgoing calls on the organisation’s lines.”

Page 27

The Cause – PBXs & Voicemail

• How are PBX systems compromised?
– Remote maintenance port (standard users & default passwords).
– By cracking authorisation codes for the remote access feature.
– Through the auto-attendant feature
– Through the voicemail system

Page 28

Solutions – PBX

• Security assessment of PBX controls, including:
– War dialling to identify remote access systems such as modems and to identify ‘rogue’ dial-up access points.
– Manual modem verification and attempted compromise
– External PBX testing: attempt to compromise PBX systems from the external network
– Internal PBX testing: attempt to compromise PBX systems from the internal network
– Security tests of voicemail system

Page 29

The Cause – War Dialling

• Modems often connect remote users / 3rd parties to the corporate network

• Unauthorised modems
– Out of hours / administrative access
– Legacy / forgotten devices
– Often no security

• War dialling: calling a range of phone numbers to identify live data modems
– May be possible to brute force user names & passwords

Page 30

Solutions – War Dialling

• Configure ‘Dial Back’

• Require user names and strong authentication

• Physical security measures
– Plug in only when required

• Awareness / Education

• War dialling tests, to identify rogue modems and insecure remote access lines

Page 31

The Problem - VoIP

• Same problems as per IP data networks
– Service interruption
– Viruses
– Hacking

• …plus some new ones
– Signalling attacks
– Caller ID spoofing
– Packet injection
– SPIT

Page 32

The Causes - VoIP

• Lack of segmentation from IP data networks
– Very common to see 802.1q VLAN tagging

• VoIP solutions built on common hacking targets
– Cisco Call Manager & Microsoft Windows 2000, Microsoft SQL Server

• Encryption usually supported, but not enabled
– Commonly due to performance issues, or lack of manageability

Page 33

Solutions - VoIP

• Firewalls and segregation controls
– Separate voice from data traffic

• Consider enabling encryption
– Consider which voice traffic may be more sensitive than the rest

• Hardening VoIP devices
– Install the latest patches, restrict connecting devices, authenticate devices

• Monitoring VoIP related logs
– Consider review of system logs, application logs, security logs

Page 34

Summary

• The Risk is Real – it is likely that this will only increase in the future.

• Telecommunication based security incidents are becoming more common.

• Expansion of Internet services such as Skype can bypass your perimeter.

• Consider defence in depth measures to protect against the risks.

Page 35

Wireless Hacking

June 2006

Page 36

Your Wireless Network?

Page 37

The Problem

[Diagram, as on page 8 with a Wireless attacker added: corporate network with servers inside a physical building, bounded by a network perimeter (FW, VPN); connected parties shown: Internet traffic / Internet, WLAN, Remote User – Dial Up, Remote User – WiFi, Malicious User, Wireless attacker]

Page 38

Wireless Demo

Page 39

The Cause

Page 40

The Cause (cont)

Page 41

Solutions

• Detecting rogue access points

• Secure wireless architecture

• Wireless security technologies

Page 42

Detecting rogue access points

• Educate employees about wireless

• Periodically detect what is present
– War walking company premises
– Detecting devices connected to the network
– Deploy wireless security devices

Page 43

Secure wireless architecture

• Do it properly
– Use WPA / WPA2 (not with preshared keys!)
– Use a secure EAP based authentication method, i.e. EAP-TLS, PEAP, EAP-TTLS etc
– Don’t use dynamic WEP

• Be aware of the RF dynamics

• Consider segmenting wireless clients from your main network
– VLANs
– Partially / totally firewalled
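The two slides above say to detect what is present and to run WPA/WPA2 with EAP rather than pre-shared keys or WEP, but give no procedure for checking either. As an added example (not from the deck), the Python below correlates a war-walking scan with an inventory of authorised access points: any BSSID not in the inventory is a rogue candidate (urgent if it advertises a corporate SSID), and any authorised AP running open, WEP or pre-shared-key security is flagged against the page-43 rules. The inventory, scan records and security-mode labels are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed inventory of authorised access points (not from the deck):
# BSSID -> the SSID that AP is configured to advertise.
AUTHORISED_APS: Dict[str, str] = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
    "00:11:22:33:44:03": "CORP-GUEST",
}

# Page 43's rule: WPA/WPA2 with an EAP method. Open, any WEP and any
# pre-shared-key mode are treated as weak. The mode labels are this example's own.
ACCEPTABLE_SECURITY = {"WPA-EAP", "WPA2-EAP"}


@dataclass(frozen=True)
class Observation:
    """One access point seen during a war walk."""
    bssid: str
    ssid: str
    security: str      # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-EAP"
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    category: str      # rogue-impersonating | rogue-unknown | ssid-mismatch | weak-security
    detail: str


def assess_scan(observations: Iterable[Observation],
                authorised: Dict[str, str] = AUTHORISED_APS) -> List[Finding]:
    """Correlate a scan with the AP inventory and report anything to investigate."""
    inventory = {bssid.lower(): ssid for bssid, ssid in authorised.items()}
    corporate_ssids = set(inventory.values())
    findings: List[Finding] = []
    for obs in observations:
        bssid = obs.bssid.lower()
        if bssid not in inventory:
            # Not ours. An unknown radio using our SSID is the most urgent case,
            # since clients may associate with it instead of a corporate AP.
            if obs.ssid in corporate_ssids:
                findings.append(Finding(bssid, obs.ssid, "rogue-impersonating",
                                        f"unknown AP advertising corporate SSID {obs.ssid!r}"))
            else:
                findings.append(Finding(bssid, obs.ssid, "rogue-unknown",
                                        f"unknown AP in range at {obs.signal_dbm} dBm"))
            continue
        # Ours: check it advertises the expected SSID and uses an EAP-based mode.
        if inventory[bssid] != obs.ssid:
            findings.append(Finding(bssid, obs.ssid, "ssid-mismatch",
                                    f"inventory expects {inventory[bssid]!r}"))
        if obs.security not in ACCEPTABLE_SECURITY:
            findings.append(Finding(bssid, obs.ssid, "weak-security",
                                    f"{obs.security} in use; WPA/WPA2 with EAP required"))
    # Rogues ahead of configuration issues; the sort is stable, so scan order is
    # preserved within a category.
    order = {"rogue-impersonating": 0, "rogue-unknown": 1, "ssid-mismatch": 2, "weak-security": 3}
    return sorted(findings, key=lambda f: order[f.category])


# Constructed scan output, as a war walk of the premises might record it.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CORP-WLAN", "WPA2-EAP", -45),   # compliant
    Observation("00:11:22:33:44:02", "CORP-WLAN", "WPA2-PSK", -52),   # PSK on a corporate AP
    Observation("00:11:22:33:44:03", "CORP-GUEST", "OPEN", -60),      # open guest AP
    Observation("AA:BB:CC:DD:EE:01", "CORP-WLAN", "WPA2-PSK", -71),   # impersonates CORP-WLAN
    Observation("aa:bb:cc:dd:ee:02", "linksys", "WEP", -80),          # unknown device
]


def run_sample() -> List[Finding]:
    """Assess the constructed scan against the constructed inventory."""
    return assess_scan(SAMPLE_SCAN)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.category:20} {f.bssid}  {f.ssid:12} {f.detail}")
```

The same correlation can be fed from a wireless IDS or from a switch's MAC tables to cover the slide's other detection route, devices connected to the wired network.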

Page 44

Wireless security technologies

• Wireless IDS / IPS
– Rogue / unknown wireless detection technologies
– Unauthorised wireless suppression technologies

• More basic techniques
– Building materials
– Frequency jamming (note – illegal in most cases)

Page 45

Summary

• The Risk is Real – it is likely that this will only increase in the future

• Business demands are driving wireless deployments

• Traditional controls do not address the risks of wireless all that well

• The best defence is not to have any wireless networks, but how do you know you don’t have one?

Page 46

Making Mission Impossible – Possible!

June 2006

Page 47

Mission Impossible or Possible?

• We’ve all seen the film, but how does reality compare?

• How easy is it for someone like me to break into
– An office building
– A secure 3rd party hosting facility

• Do I even need to?

Page 48

What are the Risks?

[Diagram, as on page 8: corporate network with servers inside a physical building, bounded by a network perimeter (FW, VPN); connected parties shown: Internet traffic / Internet, WLAN, Remote User – Dial Up, Remote User – WiFi, Malicious User]

Page 49

Humans – the weakest link!

• “efforts to influence popular attitudes and social behaviour on a large scale, whether by governments or private groups”
– Wikipedia definition of social engineering

• “techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through”
– Kevin Mitnick definition

Page 50

What is the risk?

• Sumitomo Mitsui Bank
– £220m via keyloggers

• Lexis-Nexis
– 310,000 customer details compromised through 59 instances of password social engineering

• ChoicePoint
– SOLD personal information of nearly 145,000 people to social engineers posing as legitimate businesses

• And these are just some of the ones that hit the news…

Page 51

Physical Testing & Social Engineering

Approach:
1. Identify target personnel and buildings to access.
2. Research targets and identify critical information.
3. Elicit critical information from target(s).
4. Use information to misdirect target(s).
5. Attempt to bypass any authentication processes in place.
6. Escalate access and exploit physical access.

Example:
1. eg, IT Manager, Security Managers, Helpdesk
2. Telephone numbers, other personnel etc
3. Access control processes to building/server rooms
4. Phone hosting centre pretending to be IT manager
5. Add “contractors” name to access list
6. Enter hosting centre posing as the “contractor”
7. Gain access to sensitive data and systems, shut them down, install wireless device, …

Business Implications

• Risk of theft, loss of data, etc

• Risk to reputation

• Risk to internal (and possibly unprotected) IT infrastructure

Page 52

Case Study 1 – Global Investment Bank

• Test conducted in multiple countries – all successful ☺

• Gained entry using
– Reconnaissance (photographic & video)
– Fake ID card
– Distraction (of security guard)

• Result
– Unauthorised access to data & network

Page 53

Case Study 2 – Professional Services

• 3 Premises tested
– 2 Office Buildings
– 1 3rd Party Secure Hosted Facility

• Gained Entry via
– Social Engineering
– Fake authorisation
– Physical Entry

• Result
– Access to server room, environmental controls etc
– Possible Unauthorised Access to Data, Denial of Service Attack against IT infrastructure and Web hosting

Page 54

How to prevent these attacks

• Education & Awareness of all staff!

• Social engineering testing

• Physical Security Audits & tests

• Security policy

• Vet all your staff

• Don’t trust anyone!

Page 55

Summary

• The Risk is Real – it is likely that this will only increase in the future!

• If your physical security can be circumvented, then logical access is usually a formality.

• Best defence is awareness, training and logical security features.

• Ensure Security Policies are adhered to!

Page 56

Conclusions

• Given real risk, how does A&P fit into your overall strategy?

• If you have A&P testing currently
– Is it effective & covering all of your areas of risk?
– Do your reports include the business context relevant to you, or are the reports purely technical?

• If you don’t use A&P testing
– What can it do for you?
– How do you know that your security measures are effective?

• Perimeter security is not enough!

• Don’t forget, it’s your network… or is it!?!

Page 57

Important Information

The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice.

Accordingly, Ernst & Young LLP accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack.

The information in this pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information.

If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further.