TRANSCRIPT
WELCOME TO
Choosing Pen Tests & Real Life Horror Stories
Ed McMurray, CISA, CISSP
Assistant Director, CoNetrix Security, LLC
Questions
Presentation Resources
A link containing the recording and a copy of the slides will be provided to you after the webinar via email.
Disclaimer
• This presentation is for information only. Evaluate risks before acting based on ideas from this presentation.
• This presentation contains opinions of the presenters. Opinions may not reflect the opinions of CoNetrix.
• This presentation is proprietary. Unauthorized release of this information is prohibited. Original material is copyright © 2019 CoNetrix.
Agenda
1. What is Pen Testing?
2. Selecting a Pen Test Firm
3. Rules of Engagement
4. Phases of a Pen Test
5. Exploits!
“You need a pen test. This is a vulnerability assessment. Have you considered Red Team testing?”
What is Pen Testing?
[Word cloud of terms you will hear: Red Team, Blue Team, Purple Team, Precision Strike, Social Engineering, War Dialing, Phishing, Physical Intrusion, Capture the Flag, Black Box Testing, White Box Testing, Gray Box Testing, Reconnaissance, Privilege Escalation, Pivoting, Web Application Testing, Internal Testing, External Testing]
Credit: The Cyber Security Hub, https://www.linkedin.com/company/the-cyber-security-hub/
Penetration Testing
“There are many types of penetration tests . . . and management should determine the level and types of tests employed to ensure effective and comprehensive coverage.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
So what do you need and how do you find the company to perform it?
Penetration Testing
“A penetration test subjects a system to real-world attacks selected and conducted by the testers.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
Choose Your Pen Test
Risk Assessment
• What are your most exposed assets?
• What are your most critical assets?
• What are you most worried about?
What You Want to Test & Why?
• What? - Internet exposed systems
• Why? – These are our most exposed systems
• What? – Employee responses to Social engineering
• Why? - These attacks are frequent and successful
Simple Risk Assessment
What attacks do we hear about from IT, in the news, etc.?
• Phishing!
• Ransomware
• Website attacks
What assets do those attacks target for us?
• Employees
• Corporate email and perimeter defenses
• Web servers
Choose Your Pen Test
Define the Scope
• All public IP addresses
• All employees
Tip • Include all external IP addresses, active and inactive
What testing do we need?
• Email social engineering for ALL employees
• Internet perimeter testing for ALL of our public IP addresses
BE SPECIFIC
Pen Testing Requested by Iowa State Court Officials
• Scope: “test the security of the court’s electronic records . . . through various means” (not specific)
• Result: two pen testers were arrested and jailed in Adel, Iowa while attempting to physically break into the courthouse
• State’s response: “[we] did not intend, or anticipate, those efforts to include the forced entry into a building.”
https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/
https://www.youtube.com/watch?v=SDl4AO4ancI
Set the Rules of Engagement
• What will the pen testers attempt
• What WON’T the pen testers attempt
Penetration Testing
“The test mimics a threat source’s search for and exploitation of vulnerabilities to demonstrate a potential for loss.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
Rules of Engagement
• Do no harm.
• No significant customer impact.
• No unplanned operational impact.
• Limited system recovery time/money.
• Attempted exploits provide value.
• If an exploit might break the rules, report the vulnerability.
Evaluating a Pen Test Company
• What do you want tested?
• Certifications
• Usefulness of the report: will they help you understand the issues?
• Ask for examples of their work.
Default Credentials
• End result: Full, internal network access from an attack system on the Internet.
The pen tester was inside the organization without anyone there knowing it.
What Can You Do?
• Change the default credentials on ALL systems
• This sounds easy, but default credentials are left in place all too often
Unnecessarily Exposed Systems
• HikVision security camera system exposed to the Internet
• Firmware vulnerability (discovered March 2017)
• http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK
• Downloads an encrypted configuration file
• Decryption uses a static encryption key derived from “abcdefg”, so the file can be decrypted offline
• Obtained plaintext usernames and passwords
• End result:
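The `auth=YWRtaW46MTEK` parameter in the camera URL above is only base64; decoding it is what shows that the request carried a fixed, built-in username and password rather than anything tied to the device. The script below is an added example, not code from the presentation or from the vendor: it decodes that token and then runs the same check as detection logic over web-server or proxy log lines, flagging any request whose query string carries a decodable `auth=user:password` value. The log lines, source addresses and the second hit path are constructed for the example.

```python
"""Detect use of a hard-coded base64 'auth' credential in web or proxy logs.

Added example; not code from the CoNetrix presentation. The slide's camera
URL carries auth=YWRtaW46MTEK, which decodes to b'admin:11\\n'. Any request
carrying that parameter is an exploit attempt, not a legitimate user. The log
lines below are constructed (RFC 5737 documentation addresses).
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in the common log format. The last line carries
# a value that is valid base64 but not a credential, to show the colon check.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1873
198.51.100.23 - - [12/Mar/2019:10:01:09 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 4421
198.51.100.23 - - [12/Mar/2019:10:01:15 +0000] "GET /example/path?auth=YWRtaW46MTEK HTTP/1.1" 200 912
192.0.2.44 - - [12/Mar/2019:10:02:30 +0000] "GET /System/configurationFile?auth=bm90YmFzZTY0 HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_auth_token(token):
    """Return (user, password) if token is base64 of 'user:password', else None.

    A trailing newline is stripped: YWRtaW46MTEK decodes to b'admin:11\\n'.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def find_hardcoded_auth(log_text):
    """Return one dict per request whose query string carries a decodable auth= credential."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for token in parse_qs(url.query).get("auth", []):
            creds = decode_auth_token(token)
            if creds is None:
                continue
            hits.append({
                "src": m.group("src"),
                "time": m.group("ts"),
                "path": url.path,
                "user": creds[0],
                "password": creds[1],
                "status": int(m.group("status")),
            })
    return hits


def sources_by_attempts(hits):
    """Count attempts per source address, most active first."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_hardcoded_auth(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["src"]} {h["path"]} as {h["user"]}:{h["password"]} -> HTTP {h["status"]}')
    print("attempts per source:", sources_by_attempts(found))
```

The check keys on the decoded credential rather than on one URL path, so it still fires if the same token is sent to a different endpoint. A hit with a 200 response is the one to treat as a confirmed compromise of that device; a 401 or 404 still tells you someone is sweeping your perimeter for the device.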
What Can You Do?
• Don’t expose systems to the Internet that don’t need to be
• Test your Internet perimeter regularly so you catch accidents
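The scope advice earlier (all public IP addresses, active and inactive) and the advice here (test the perimeter regularly so accidents get caught) come together in one routine check: compare the declared scope with what actually answers a scan. The script below is an added example, not code from the presentation: it reads the scope as CIDR ranges and a scan in nmap's grepable (`-oG`) output format, then reports hosts that answered but are outside the declared scope and listening services that should not face the Internet. The scope ranges, the scan output and the risky-port and banner lists are constructed or assumed for the example.

```python
"""Compare the declared external scope with what actually answers a scan.

Added example; not code from the CoNetrix presentation. Input is the scope as
CIDR ranges plus nmap -oG output; output is (a) responders outside the scope
and (b) exposed services that need a decision. All data below is constructed.
"""
import ipaddress
import re

# Declared scope: constructed ranges from RFC 5737 documentation space.
SCOPE = ["203.0.113.0/24", "198.51.100.32/27"]

# Constructed nmap -oG output (fields are tab separated). 192.0.2.9 is a host
# nobody put on the scope list.
SCAN_OUTPUT = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx 1.14.0/\tIgnored State: filtered (999)\n"
    "Host: 203.0.113.44 ()\tPorts: 80/open/tcp//http//Hikvision IP camera httpd/, "
    "554/open/tcp//rtsp///\tIgnored State: closed (998)\n"
    "Host: 198.51.100.40 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (998)\n"
    "Host: 192.0.2.9 ()\tPorts: 8080/open/tcp//http-proxy//Adobe ColdFusion httpd/\tIgnored State: closed (999)\n"
)

# Assumed policy: ports and banner words that should not be reachable from the Internet.
RISKY_PORTS = {21: "ftp", 23: "telnet", 161: "snmp", 445: "smb", 554: "rtsp", 3389: "rdp", 5900: "vnc"}
RISKY_BANNER_WORDS = ("camera", "coldfusion", "printer", "ilo", "idrac")

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_scan(text):
    """Map each scanned host to a list of (port, proto, service, version) tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for m in PORT_RE.finditer(field):
                    ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def audit(scope_cidrs, scan_text):
    """Return out-of-scope responders and Internet-exposed services that need a decision."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    hosts = parse_scan(scan_text)
    out_of_scope, exposures = [], []
    for ip, ports in hosts.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            out_of_scope.append(ip)
        for port, proto, service, version in ports:
            reason = None
            if port in RISKY_PORTS:
                reason = f"{RISKY_PORTS[port]} reachable from the Internet"
            elif any(word in version.lower() for word in RISKY_BANNER_WORDS):
                reason = f"appliance/management banner: {version}"
            if reason:
                exposures.append((ip, port, reason))
    return {
        "hosts_seen": len(hosts),
        "out_of_scope": sorted(out_of_scope),
        "exposures": sorted(exposures),
    }


if __name__ == "__main__":
    result = audit(SCOPE, SCAN_OUTPUT)
    print(f"{result['hosts_seen']} hosts answered")
    for ip in result["out_of_scope"]:
        print(f"NOT IN SCOPE: {ip} answered the scan; add it to the scope or explain it")
    for ip, port, reason in result["exposures"]:
        print(f"EXPOSED: {ip}:{port} {reason}")
```

Run the scan with version detection (`nmap -sV -oG scan.gnmap <ranges>`) against every range you own, not only the ones you think are in use, and feed the file to `audit()` on a schedule; an address that was inactive last quarter and answers this quarter is exactly the accident the slide is talking about. Anything in `out_of_scope` means the scope list is wrong, and anything in `exposures` is a conversation with whoever owns that service.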
Unpatched Systems
• Web server running Adobe ColdFusion
• Not patched since at least 2013
• Vulnerability allows authentication bypass (CVE-2013-0632)
• Fix released January 2013
• Malicious scheduled task was discovered
• Created November 2014
• Allowed SQL queries of complete customer files
• End result: Access to full customer data & proof of previous compromise
Unpatched Systems
[Diagram, labels in order: https://mali.cious/URL → Usernames/Passwords → SSL VPN Using Valid Credentials → Pen Tester]
The pen tester was inside the network again.
What Can You Do?
• Patch, patch, patch – and then update
• One of the more difficult security processes.
• It is a constant cycle of installing updates, not just on Windows systems, but all systems that are exposed.
Tip • Create a recurring patch process specifically for Internet-exposed systems
Penetration Testing
Request a quote at https://conetrix.com/security#ExternalPenTesting
Questions
THANKS FOR JOINING