
encription IT security services




  1. encription IT security services Penetration Testing

  2. Who am I? • Campbell Murray • Technical Director of Encription • Technical Panel Chair for Tigerscheme • CHECK Team Leader (GCHQ/CESG)

  3. What do I do? • Penetration Tester aka • ITSHCE (IT Security Health Check Engineer) • IATP (Information Assurance Testing Professional) • Ethical Hacker • Many names for the same thing

  4. What else do I do? • Vulnerability Research • Exploit development • Defensive research • Community projects • BSides / 44Con / MCSG / OWASP & more

  5. Why do people have pen tests done?

  6. Why? • To protect? • Detect the risk of: • Loss to confidentiality (theft) • Loss to integrity (changes to data) • Loss of availability (denial of service) • CIA

  7. Why (cont.)? • Identify all threats arising from: • Exploitation • Privilege escalation • Malware / Virus infection • Poor passwords • Network misconfiguration

  8. Why (cont.)? • Malicious users • Poor segregation of duties • Vulnerability in code • Opportunists / Recreational • etc

  9. Threats • The threats faced by all organisations are similar • Insiders • Outsiders • Accidents • Variously motivated

  10. Motivations • State led • Criminal • Political • Social • Opportunist / Recreational • Malevolent

  11. Is this the reason we exist? • Honestly, no • Majority of companies are indifferent • Banks accept risk and loss • Rarely a desire to meet best practice or be ‘secure’ • Post ‘hacked’ testing very common

  12. So why then? • Most commonly for compliance e.g. • GCSx / GSi / PSN CoCo • PCI DSS • ISO* e.g. 27001 • Protected environments e.g. MoD • Protecting IPR • Commercially sensitive

  13. Jumping in: How do we test?

  14. Types of test? • White Box • Full disclosure • Grey Box • Appropriate disclosure • Black Box • Zero disclosure • Red Team • NO RULES TESTING

  15. What do we test? • Everything and anything that we are asked to! • E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP / WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc etc etc. • Defined by the SCOPE OF WORK

  16. What makes us effective? • Broad and DETAILED expertise • Programming • Server Admin (Win / *nix / Solaris / AIX etc) • Network Admin • Application Development • etc

  17. I thought it was simpler :( • Current market is leaning to Vulnerability Assessment i.e. Tools based testing • Cheaper but ... • Limited value compared to a pen test • Tools are helpful but without experience are misleading

  18. Polarity • Market is splitting into ... • ... Scan based assessment e.g. PCI DSS • Seen as low end • And pen testing ... • ... High end but quality still varies • Return of Red Teaming!

  19. Expertise is crucial • We cannot FIND issues beyond that which tools provide if we do not know how to secure systems, networks or correct code • We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code

  20. Expertise is crucial • We cannot JUSTIFY our results if we cannot prove them • Clients / IT admins will not ACT on reported issues unless they understand the full risk

  21. What else makes us effective? • Methodology is key to success • 5 common stages • Passive reconnaissance / OSINT • Fingerprinting • Vulnerability identification • Exploitation • Extraction / Covering tracks

  22. Quick Story • How I hacked a bank without ever going anywhere near it!

  23. Moral of the story • Pen testing is about SECURITY • That means identifying ALL possible attack vectors • And knowing how we could use them • Frequently two minor vulnerabilities, when combined, can be devastating • Requires experience, not certification.

  24. Scope of Work? • Crucial • Defines methodology to be used • What is ‘in scope’ • Details given legal permission to test • Going out of scope will see you fall foul of the CMA • Not to mention the client's wrath!!!!

  25. Cautionary notes • CMA holds stiff penalties • Potential extradition to other countries • Criminal record • You MUST have written permission from someone AUTHORISED to give that permission • Research only performed in air gapped networks!

  26. Cautionary notes • You can be prosecuted for owning ‘hacking’ and malware creation tools • Unless you can justify possession • Akin to ‘going equipped’ to commit crime, even if you haven’t

  27. All the ducks are lined up, what next?

  28. Delivery • Identify client's soft requirements • If on site go prepared • Health and Safety • USB / Phone limitation • Dress code • Point of contact • Etc

  29. Delivery • People skills are essential • Polite but firm • Do not allow others to impede your activity • Sense of humour essential • As is fully operational kit and plan B • Pen and paper just as important!

  30. Execution • The GOLDEN RULE is ... • ... NEVER leave a system less secure than how you found it! • E.g. Creating user accounts or other objects • If a high risk issue is found the client must be informed immediately

  31. Reporting • Good use of language • Lots of people will read the report, make it readable. • Ability to express technical concepts simply and accurately • Face to face washup meetings require presentation skills

  32. Applying your methodology

  33. How? • Methodology!!!!!! • Reconnaissance (what is it) • Fingerprinting – (Scan e.g. Nmap) • Identification • Exploit – (escalate privilege) • Clean up – (e.g. grab info, passwd, create user, clear history and exit)

  34. Reporting and Testing • Avoid temptation to focus on ‘critical’ issues • Remember, two low risk issues can make a high risk attack vector • Observation is as important as running tools

  35. Android App Testing Demo

  36. Let's have a look at … • Mercury • Android app testing toolkit • Bit fiddly to set up tbh • Worth the effort

  37. Testing Android Apps • Install Android SDK • Install Mercury • Start VM Android device • Install Mercury agent and the app you want to look at

  38. Testing Android Apps • Start adb (linux) • $ adb forward tcp:31415 tcp:31415 • Connect with mercury • mercury console connect • Party!

  39. Testing Android Apps • Get started commands • list • run scanner.provider.injection • Derp! • Now write an app to steal the data!

  40. Getting into security

  41. Finding a job • I won’t lie ... • Pen testing is not for everyone • Competition for junior positions • Not great pay at first :( • Increase your chances by getting involved • Lots of community activity

  42. Community • BSides conferences are free • OWASP conferences are very low cost • BSC Groups and meetings • Find online resources and contribute

  43. More than anything • Gain expert level knowledge in programming, servers, network protocols • Understanding what security is • ... It’s not just about exploits

  44. It works! • Lasantha Priyankara

  45. Success story • Listened to this talk • Blogged about the demo • Went to BSides London • Met his current employer there • Employed!

  46. Questions?
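
Added example (not part of the talk or of the Mercury toolkit): the scanner.provider.injection module run on slide 39 looks for SQL injection in Android content providers. The sketch below models a provider's query handler, with Python's sqlite3 standing in for Android's SQLite, and puts the concatenating form beside a hardened one; the table, column and function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table, column and function names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
        CREATE TABLE credentials (_id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO notes (title, owner) VALUES ('shopping', 'alice'), ('todo', 'bob');
        INSERT INTO credentials (secret) VALUES ('constructed-secret');
    """)
    return db

def query_vulnerable(db, projection, selection):
    """Mimics a provider that pastes caller-supplied strings into the SQL text."""
    sql = "SELECT " + ", ".join(projection) + " FROM notes"
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()

ALLOWED_COLUMNS = ("_id", "title")  # explicit projection allowlist

def query_hardened(db, projection, owner):
    """Columns come from an allowlist; the filter value is bound, never concatenated."""
    cols = list(projection) or list(ALLOWED_COLUMNS)
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("column not exposed by this provider: %r" % bad)
    sql = "SELECT " + ", ".join(cols) + " FROM notes WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def demo():
    db = make_db()
    results = {}
    # Caller-controlled selection changes the query's meaning: every row comes back.
    results["vuln_selection"] = query_vulnerable(db, ["title"], "owner = 'alice' OR 1=1")
    # Caller-controlled projection reaches a table the provider never meant to expose.
    results["vuln_projection"] = query_vulnerable(db, ["secret FROM credentials --"], None)
    # Hardened: the same strings are treated as plain data or rejected outright.
    results["safe_selection"] = query_hardened(db, ["title"], "alice' OR 1=1 --")
    try:
        query_hardened(db, ["secret FROM credentials --"], "alice")
        results["safe_projection"] = "accepted"
    except ValueError:
        results["safe_projection"] = "rejected"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On Android the same two controls map to bound selection arguments and a fixed projection map in the provider's query path.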
