Choosing Pen Tests & Real Life Horror Stories WELCOME TO Ed McMurray CISA, CISSP Assistant Director CoNetrix Security, LLC


Post on 07-Jul-2020


TRANSCRIPT

Page 1

Choosing Pen Tests &Real Life Horror Stories

WELCOME TO

Ed McMurray, CISA, CISSP

Assistant Director, CoNetrix Security, LLC

Page 2

Audio

Turn up the volume on your device if you do not hear audio.

Page 3

Questions

Page 4

A link containing the recording and a copy of the slides will be provided to you after the webinar via email.

Presentation Resources

Page 5

Disclaimer

• This presentation is for information only. Evaluate risks before acting based on ideas from this presentation.

• This presentation contains opinions of the presenters. Opinions may not reflect the opinions of CoNetrix.

• This presentation is proprietary. Unauthorized release of this information is prohibited. Original material is copyright © 2019 CoNetrix.

Page 6

Presenter

Ed McMurray, CISA, CISSP, Assistant Director, CoNetrix Security, LLC

Page 7

Agenda

1. What is Pen Testing?

2. Selecting a Pen Test Firm

3. Rules of Engagement

4. Phases of a Pen Test

5. Exploits!

Page 8

“You need a pen test. This is a vulnerability assessment.

Have you considered Red Team testing?”

Page 9

What is Pen Testing?

[Word cloud] Red Team, Blue Team, Purple Team, Precision Strike, Social Engineering, War Dialing, Phishing, Physical Intrusion, Capture the Flag, Black Box Testing, White Box Testing, Gray Box Testing, Reconnaissance, Privilege Escalation, Pivoting, Web Application Testing, Internal Testing, External Testing

Page 10

Page 11

Credit: The Cyber Security Hub, https://www.linkedin.com/company/the-cyber-security-hub/

Page 12

Penetration Testing

“There are many types of penetration tests . . . and management should determine the level and types of tests employed to ensure effective and comprehensive coverage.”

FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016

Page 13

So what do you need and how do you find the company to perform it?

Page 14

Penetration Testing

“A penetration test subjects a system to real-world attacks selected and conducted by the testers.”

FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016

Page 15

Choose Your Pen Test

Risk Assessment

• What are your most exposed assets?

• What are your most critical assets?

• What are you most worried about?

What You Want to Test & Why?

• What? - Internet exposed systems

• Why? – These are our most exposed systems

• What? – Employee responses to Social engineering

• Why? - These attacks are frequent and successful

Page 16

Simple Risk Assessment

What attacks do we hear about from IT, in the news, etc.?

• Phishing!

• Ransomware

• Website attacks

What assets do those attacks target for us?

• Employees

• Corporate email and perimeter defenses

• Web servers

Page 17

Choose Your Pen Test

Define the Scope

• All public IP addresses

• All employees

What You Want to Test & Why?

• What? - Internet exposed systems

• Why? – These are our most exposed systems

• What? – Employee responses to Social engineering

• Why? - These attacks are frequent and successful

Tip: Include all external IP addresses, active and inactive.

Page 18

Simple Risk Assessment

What attacks do we hear about from IT, in the news, etc.?

• Phishing!

• Ransomware

• Website attacks

What assets do those attacks target for us?

• Employees

• Corporate email and perimeter defenses

• Web servers

What testing do we need?

• Email social engineering for ALL employees

• Internet perimeter testing for ALL of our public IP addresses

BE SPECIFIC

Page 19

Pen Testing Requested by Iowa State Court Officials

• Scope: “test the security of the court’s electronic records . . . through various means” (not specific)

• Result: two pen testers were arrested and jailed in Adel, Iowa attempting to physically break into the court house

• State’s response: “[we] did not intend, or anticipate, those efforts to include the forced entry into a building.”

https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/

Page 20

https://www.youtube.com/watch?v=SDl4AO4ancI

Page 21

Set the Rules of Engagement

• What will the pen testers attempt

• What WON’T the pen testers attempt

Choose Your Pen Test

Define the Scope

• All public IP addresses

• All employees

What You Want to Test & Why?

• What? - Internet exposed systems

• Why? – These are our most exposed systems

• What? – Employee responses to Social engineering

• Why? - These attacks are frequent and successful

Page 22

Penetration Testing

“The test mimics a threat source’s search for and exploitation of vulnerabilities to demonstrate a potential for loss.”

FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016

Page 23

Rules of Engagement

• Do no harm.

• No significant customer impact.

• No unplanned operational impact.

• Limited system recovery time/money.

• Attempted exploits provide value.

• If an exploit might break the rules, report the vulnerability.
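The scope and rules-of-engagement slides above (define the target ranges, say what the testers will and won't attempt, be specific) can be turned into a pre-engagement check that both sides run over the planned activity list. The block below is an added example written for this page; it is not CoNetrix code. The scope contents (a TEST-NET range, the activity names and the plan) are constructed for illustration, and the "report it instead of exploiting it" outcome follows the last rule on the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Scope:
    """Written scope agreed with the client (constructed values in EXAMPLE_SCOPE)."""
    networks: List[str]          # authorized target ranges as CIDR strings
    allowed_activities: Set[str]  # what the pen testers WILL attempt
    forbidden_activities: Set[str]  # what the pen testers WON'T attempt

@dataclass
class PlannedActivity:
    kind: str                     # hypothetical activity label, e.g. "external_network"
    target: Optional[str] = None  # target IP for network work; None for people-focused tests

def check_activity(scope: Scope, act: PlannedActivity) -> Tuple[bool, str]:
    """Return (allowed, reason) for one planned activity against the written scope."""
    if act.kind in scope.forbidden_activities:
        # Explicit exclusion: a finding in this area is reported, never exploited
        return False, "explicitly out of scope; report the exposure instead"
    if act.kind not in scope.allowed_activities:
        # Not listed either way: the Iowa case shows why silence is not consent
        return False, "not an authorized activity; obtain written approval first"
    if act.target is not None:
        ip = ipaddress.ip_address(act.target)
        if not any(ip in ipaddress.ip_network(n) for n in scope.networks):
            return False, f"{act.target} is outside the authorized address ranges"
    return True, "within scope"

def review_plan(scope: Scope, plan: List[PlannedActivity]):
    """Check every planned activity; returns a list of (kind, target, allowed, reason)."""
    return [(a.kind, a.target) + check_activity(scope, a) for a in plan]

# Constructed example scope: all public IPs (one TEST-NET-3 range here) and all employees
EXAMPLE_SCOPE = Scope(
    networks=["203.0.113.0/24"],
    allowed_activities={"external_network", "email_social_engineering"},
    forbidden_activities={"physical_intrusion", "denial_of_service"},
)

# Constructed example plan submitted by the testing firm
EXAMPLE_PLAN = [
    PlannedActivity("external_network", "203.0.113.10"),
    PlannedActivity("external_network", "198.51.100.7"),   # not one of our addresses
    PlannedActivity("email_social_engineering"),
    PlannedActivity("physical_intrusion"),                  # explicitly forbidden
    PlannedActivity("web_application", "203.0.113.10"),     # never discussed
]

def review_example():
    return review_plan(EXAMPLE_SCOPE, EXAMPLE_PLAN)

if __name__ == "__main__":
    for kind, target, ok, reason in review_example():
        print(f"{'OK  ' if ok else 'STOP'} {kind:<26} {target or '-':<16} {reason}")
```

Running it prints two OK rows and three STOP rows; the useful part is that the three refusals carry different reasons (outside the ranges, explicitly forbidden, never authorized), which is exactly the distinction the Iowa scope failed to make.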

Page 24

Evaluating a Pen Test Company

• What do you want tested?

• Certifications

• Usefulness of the report: will they help you understand the issues?

Page 25

Ask for examples of their work.

Page 26

Default Credentials

• End result: Full, internal network access from an attack system on the Internet.

Page 27

The pen tester was inside the organization without them knowing they were there.

Page 28

What Can You Do?

• Change the default credentials on ALL systems

• This sounds easy, but it happens all too often

Page 29

Unnecessarily Exposed Systems

• HikVision security camera system exposed to the Internet

• Firmware vulnerability (discovered March 2017)

• http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

• Downloads an encrypted configuration file

• Decryption using a static encryption key that is derived from “abcdefg”

• Obtained plaintext usernames and passwords

• End result:

Page 30

Page 31

What Can You Do?

• Don’t expose systems to the Internet that don’t need to be

• Test your Internet perimeter regularly so you catch accidents
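The two recommendations above (don't expose what doesn't need to be exposed, and test the perimeter regularly so accidents like the camera system get caught) amount to comparing what a scan actually sees against a written list of what is supposed to be reachable. The block below is an added example for this page, not CoNetrix code or the tool they use. It parses nmap's grepable (`-oG`) host lines, whose format is assumed from nmap's documented output; the scan text, the authorized-service list and the address range are all constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One port entry in nmap -oG output looks like "443/open/tcp//https///"
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///?")

def parse_grepable(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (ip, port, proto, service) for every open port in nmap -oG style lines."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                  # status-only or comment lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found.append((ip, int(port), proto, service))
    return found

def review_perimeter(scope_cidr: str,
                     authorized: Dict[Tuple[str, int, str], str],
                     observed: List[Tuple[str, int, str, str]]):
    """Compare observed open services with the authorized-exposure list.

    unexpected  : reachable but nobody signed off on it (the camera-system case)
    missing     : authorized but not seen (host down, scanner blind spot, or stale list)
    out_of_scope: responses from addresses the list does not even cover
    """
    scope = ipaddress.ip_network(scope_cidr)
    unexpected, out_of_scope, seen = [], [], set()
    for ip, port, proto, service in observed:
        seen.add((ip, port, proto))
        if ipaddress.ip_address(ip) not in scope:
            out_of_scope.append((ip, port, proto, service))
        elif (ip, port, proto) not in authorized:
            unexpected.append((ip, port, proto, service))
    missing = sorted(set(authorized) - seen)
    return {"unexpected": unexpected, "missing": missing, "out_of_scope": out_of_scope}

# Constructed: the only two services management has agreed to expose
AUTHORIZED = {
    ("203.0.113.10", 443, "tcp"): "public website",
    ("203.0.113.20", 443, "tcp"): "SSL VPN",
}

# Constructed scan output in nmap -oG layout (tab-separated fields)
SCAN_TEXT = (
    "# Nmap scan of constructed TEST-NET-3 range\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)\n"
    "Host: 203.0.113.45 ()\tPorts: 80/open/tcp//http///, 8000/open/tcp//http-alt///\tIgnored State: closed (998)\n"
)

def review_example():
    return review_perimeter("203.0.113.0/24", AUTHORIZED, parse_grepable(SCAN_TEXT))

if __name__ == "__main__":
    report = review_example()
    for ip, port, proto, service in report["unexpected"]:
        print(f"UNEXPECTED  {ip}:{port}/{proto} ({service}) - who owns this, and does it need to be public?")
    for key in report["missing"]:
        print(f"MISSING     {key} - authorized but not reachable; confirm rather than assume")
```

Scanning the whole assigned range rather than only "known" hosts is what surfaces 203.0.113.45 here: an address nobody listed, answering on two ports. The "missing" bucket matters too, since an authorized service that stopped responding is either an outage or a sign the scan did not reach it.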

Page 32

Unpatched Systems

• Web server running Adobe ColdFusion

• Not patched since at least 2013

• Vulnerability allows authentication bypass (CVE-2013-0632)

• Fix released January 2013

• Malicious scheduled task was discovered

• Created November 2014

• Allowed SQL queries of complete customer files

• End result: Access to full customer data & proof of previous compromise

Page 33

Page 34

Unpatched Systems

Page 35

[Diagram: https://mali.cious/URL → Usernames/Passwords → SSL VPN Using Valid Credentials → Pen Tester]

Page 36

The pen tester was inside the network again.

Page 37

What Can You Do?

• Patch, patch, patch – and then update

• One of the more difficult security processes.

• It is a constant cycle of installing updates, not just on Windows systems, but all systems that are exposed.

Tip: Create a recurring patch process specifically for Internet-exposed systems.
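The ColdFusion story (fix released January 2013, server still unpatched years later) and the tip to run a separate patch cycle for Internet-exposed systems suggest a simple recurring report: how long since each system was last patched, judged against a tighter limit for anything reachable from the Internet. The block below is an added example for this page, not CoNetrix code. The system inventory, the two limits and the "today" date are constructed; the limits are illustrative numbers, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

@dataclass
class System:
    name: str
    software: str
    last_patched: date
    internet_exposed: bool

# Constructed limits: exposed systems get a much shorter window than internal ones
MAX_AGE_DAYS = {"exposed": 30, "internal": 90}

def patch_findings(systems: List[System], today: date) -> List[Tuple[str, str, int, int]]:
    """Return (name, software, days_since_patch, limit) for systems past their limit,
    worst first, so the report leads with the oldest exposed system."""
    findings = []
    for s in systems:
        age = (today - s.last_patched).days
        limit = MAX_AGE_DAYS["exposed" if s.internet_exposed else "internal"]
        if age > limit:
            findings.append((s.name, s.software, age, limit))
    return sorted(findings, key=lambda f: -f[2])

def exposed_systems(systems: List[System]) -> List[System]:
    """The subset that belongs in the dedicated Internet-exposed patch cycle."""
    return [s for s in systems if s.internet_exposed]

# Constructed inventory; web01 mirrors the slide's "not patched since at least 2013"
EXAMPLE_SYSTEMS = [
    System("web01", "Adobe ColdFusion", date(2013, 1, 10), internet_exposed=True),
    System("vpn01", "SSL VPN appliance", date(2019, 9, 10), internet_exposed=True),
    System("mail01", "mail gateway", date(2019, 8, 1), internet_exposed=True),
    System("fileserver", "Windows Server", date(2019, 8, 15), internet_exposed=False),
]
EXAMPLE_TODAY = date(2019, 10, 1)   # constructed report date

def example_report():
    return patch_findings(EXAMPLE_SYSTEMS, EXAMPLE_TODAY)

if __name__ == "__main__":
    print(f"Internet-exposed cycle covers: {[s.name for s in exposed_systems(EXAMPLE_SYSTEMS)]}")
    for name, software, age, limit in example_report():
        print(f"OVERDUE {name:<12} {software:<20} {age:>5} days since last patch (limit {limit})")
```

The point of keeping the exposed list separate is that it is the list the pen testers (and everyone else on the Internet) are working from; a system that is 61 days behind on the perimeter is a finding, while the same gap on an internal file server may be tolerable.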

Page 38

Penetration Testing

Request a quote at https://conetrix.com/security#ExternalPenTesting

Page 39

Questions

Page 40

$15

Survey

Fill out the webinar survey for a chance to win!

Page 41

THANKS FOR JOINING

Choosing Pen Tests & Real Life Horror Stories

Ed McMurray, CISA, CISSP

Assistant Director, CoNetrix Security, LLC