
When a vulnerability assessment > pentest


maren




Presentation Transcript


  1. When a vulnerability assessment > pentest

    The Anomaly
  2. $whoami: Network Security for Dept of VA; Father/Husband; Fan of Futbol (Viva Mexico!); Fan of Martial Arts, Brazilian Jiu-Jitsu
  3. $whoami
  4. $whoami
  5. $whoami
  6. $whoami
  7. What is a Pentest? Recon, Pwnage, Pillage, Loot, Report
  8. What is a Pentest? http://www.pentest-standard.org/ http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343 http://www.offensive-security.com/offsec/sample-penetration-test-report/
  9. What is a Pentest?
  10. What is a Pentest?
  11. What is a Pentest?
  12. Injustice!
  13. Testing pens – How to Not Get a Good Pentest? http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.” http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html
  14. Pwning noobs: Cons and breaking-stuff tracks/talks; Social media: if you break stuff, talk about how to fix it; Reporting is seriously lacking
  15. Pentesting
  16. Pentesting – my wife hits me: “Why don’t you find their weaknesses and then help them fix it?”
  17. Vulnerability Assessment
  18. Vulnerability Assessment
  19. Vulnerability Assessment: Scan, how? Inside, external, credentials, IPS, firewalls; Agent-based vs. passive vs. active; Results integration; Results reporting; Team player
  20. Scan how? Scanner location: inside network, outside network; Denial of service; Nmap
  21. Scan how? Exclusions for scanners; White box vs. black box; Firewalls, IPS
  22. Scan how? Credentials: Windows desktops and servers; Linux/Unix servers with SSH account/keys; SNMP strings; Cisco/networking SSH credentials. Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more. https://lists.immunityinc.com/pipermail/dailydave/2013-February/000334.html
  23. Credentials? Risks: captured credentials. Use SSH keys; never send clear-text credentials; secure your scanner applications; passive vulnerability scanning (SPAN port)
  24. Scan how? Remember HD Moore’s Law: “Casual attacker power grows at the rate of Metasploit.” – Joshua Corman
  25. Scan how?
  26. Agent vs. active scanning. Agent pros: near real time; no network traffic; no outages caused by scans. Agent cons: may not be installed; may not be possible to install; some vulns cannot be found
  27. Vuln Assessment and Patch Mgt
  28. Vuln Assessment and Patch Mgt
  29. Vuln Assessment and Patch Mgt
  30. Vuln Scanning: doing it right. Internal scans; Credentialed scans – Linux, Windows, network devices; Vendor-provided exploit availability and frameworks; Coordinate HIPS/NIPS, firewall exclusions
  31. Scan Data Integration: Integrate with org CMDB; SA information; Satellite Server; SCCM; WSUS; BigFix
  32. Scan Data Integration: Integrate with org CMDB
  33. Scan Data Integration: Sys Admin information; SA POC information (part of CMDB); information Sys Admins deem important; manual updates from Sys Admins
  34. Scan Data Integration: Satellite Server, SCCM, WSUS, BigFix/Tivoli Endpoint Manager (TEM); Red Hat patch info integration; compare with scan info
  35. Scan Data Integration: Where does all this data go? Access DB; custom app with DB backend; Excel spreadsheet; GRC – Governance, Risk and Compliance; any other solutions?
  36. Scan Data and Incident Response: import into org SIEM or incident correlation tool
  37. Scan Reporting: executive reports on important issues; report on org-specified critical findings; organizational severity scoring
  38. Scan Reporting: organizational severity scoring
  39. Scan Reporting: Java JRE vuln – RCE. Base Score = 9.3; Temporal Score = 7.7; Final Score = ?
  40. Scan Reporting: Java JRE vuln – RCE. Base Score = 9.3; Temporal Score = 7.7; Final Score = ?
  41. Scan Reporting
  42. Scan Reporting: default credentials; exploitable vulns; malware-identification vulns; indicators of compromise; configuration auditing; more?
  43. Call to Action: Do work! Improve scanning; improve patch mgmt; integrate; consolidate data; customize to org needs; work as a team (Security, Sys Admin, Devs, Operations, etc.)
  44. Questions?