encription IT security services Penetration Testing

Upload: annabella-boone

Post on 25-Dec-2015


Page 1: Encription IT security services Penetration Testing

Penetration Testing

Page 2: Encription IT security services Penetration Testing

Who am I?

• Campbell Murray

• Technical Director of Encription

• Technical Panel Chair for Tigerscheme

• CHECK Team Leader (GCHQ/CESG)

Page 3: Encription IT security services Penetration Testing

What do I do?

• Penetration Tester aka

– ITSHCE (IT Security Health Check Engineer)

– IATP (Information Assurance Testing Professional)

– Ethical Hacker

• Many names for the same thing

Page 4: Encription IT security services Penetration Testing

What else do I do?

• Vulnerability Research

• Exploit development

• Defensive research

• Community projects

– BSides / 44Con / MCSG / OWASP & more

Page 5: Encription IT security services Penetration Testing

Why do people have pen tests done?

Page 6: Encription IT security services Penetration Testing

Why?

• To protect?

• Detect the risk of:

– Loss of confidentiality (theft)

– Loss of integrity (changes to data)

– Loss of availability (denial of service)

• CIA

Page 7: Encription IT security services Penetration Testing

Why (cont.)?

• Identify all threats arising from:

– Exploitation

– Privilege escalation

– Malware / Virus infection

– Poor passwords

– Network misconfiguration

Page 8: Encription IT security services Penetration Testing

Why (cont.)?

– Malicious users

– Poor segregation of duties

– Vulnerability in code

– Opportunists / Recreational

– etc

Page 9: Encription IT security services Penetration Testing

Threats

• The threats faced by all organisations are similar

– Insiders

– Outsiders

– Accidents

• Variously motivated

Page 10: Encription IT security services Penetration Testing

Motivations

• State led

• Criminal

• Political

• Social

• Opportunist / Recreational

• Malevolent

Page 11: Encription IT security services Penetration Testing

Is this the reason we exist?

• Honestly, no

• Majority of companies are indifferent

• Banks accept risk and loss

• Rarely a desire to meet best practice or be ‘secure’

• Post ‘hacked’ testing very common

Page 12: Encription IT security services Penetration Testing

So why then?

• Most commonly for compliance e.g.

– GCSx / Gsi / PSN CoCo

– PCI DSS

– ISO* e.g. 27001

– Protected environments e.g. MoD

– Protecting IPR

– Commercially sensitive

Page 13: Encription IT security services Penetration Testing

Jumping in

How do we test?

Page 14: Encription IT security services Penetration Testing

Types of test?

• White Box – Full disclosure

• Grey Box – Appropriate disclosure

• Black Box – Zero disclosure

• Red Team – NO RULES TESTING

Page 15: Encription IT security services Penetration Testing

What do we test?

• Everything and anything that we are asked to!

• E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP / WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc etc etc.

• Defined by the SCOPE OF WORK

Page 16: Encription IT security services Penetration Testing

What makes us effective?

• Broad and DETAILED expertise

– Programming

– Server Admin (Win / *nix / Solaris / AIX etc)

– Network Admin

– Application Development

– etc

Page 17: Encription IT security services Penetration Testing

I thought it was simpler :(

• Current market is leaning to Vulnerability Assessment, i.e. tools-based testing

• Cheaper but ...

• Limited value compared to a pen test

• Tools are helpful but without experience are misleading

Page 18: Encription IT security services Penetration Testing

Polarity

• Market is splitting into ...

• ... Scan based assessment e.g. PCI DSS

– Seen as low end

• And pen testing ...

• ... High end but quality still varies

• Return of Red Teaming!

Page 19: Encription IT security services Penetration Testing

Expertise is crucial

• We cannot FIND issues beyond those which tools provide if we do not know how to secure systems, networks or correct code

• We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code

Page 20: Encription IT security services Penetration Testing

Expertise is crucial

• We cannot JUSTIFY our results if we cannot prove them

• Clients / IT admins will not ACT on reported issues unless they understand the full risk

Page 21: Encription IT security services Penetration Testing

What else makes us effective?

• Methodology is key to success

• 5 common stages

– Passive reconnaissance / OSINT

– Fingerprinting

– Vulnerability identification

– Exploitation

– Extraction / Covering tracks

Page 22: Encription IT security services Penetration Testing

Quick Story

• How I hacked a bank without ever going anywhere near it!

Page 23: Encription IT security services Penetration Testing

Moral of the story

• Pen testing is about SECURITY

• That means identifying ALL possible attack vectors

• And knowing how we could use them

• Frequently two minor vulnerabilities, when combined, can be devastating

• Requires experience, not certification.

Page 24: Encription IT security services Penetration Testing

Scope of Work?

• Crucial

– Defines methodology to be used

– What is ‘in scope’

– Details given legal permission to test

• Going out of scope will see you fall foul of the CMA

• Not to mention the client’s wrath!!!!

Page 25: Encription IT security services Penetration Testing

Cautionary notes

• CMA holds stiff penalties

– Potential extradition to other countries

– Criminal record

• You MUST have written permission from someone AUTHORISED to give that permission

• Research only performed in air gapped networks!

Page 26: Encription IT security services Penetration Testing

Cautionary notes

• You can be prosecuted for owning ‘hacking’ and malware creation tools

• Unless you can justify possession

• Akin to ‘going equipped’ to commit crime, even if you haven’t

Page 27: Encription IT security services Penetration Testing

All the ducks are lined up, what next?

Page 28: Encription IT security services Penetration Testing

Delivery

• Identify the client’s soft requirements

• If on site go prepared

– Health and Safety

– USB / Phone limitation

– Dress code

– Point of contact

– Etc

Page 29: Encription IT security services Penetration Testing

Delivery

• People skills are essential

• Polite but firm

• Do not allow others to impede your activity

• Sense of humour essential

• As is fully operational kit and plan B

• Pen and paper just as important!

Page 30: Encription IT security services Penetration Testing

Execution

• The GOLDEN RULE is ...

• .... NEVER leave a system less secure than how you found it!

– E.g. creating user accounts or other objects

• If a high risk issue is found the client must be informed immediately

Page 31: Encription IT security services Penetration Testing

Reporting

• Good use of language

• Lots of people will read the report; make it readable.

• Ability to express technical concepts simply and accurately

• Face to face wash-up meetings require presentation skills

Page 32: Encription IT security services Penetration Testing

Applying your methodology

Page 33: Encription IT security services Penetration Testing

How?

• Methodology!!!!!!

• Reconnaissance (what is it)

• Fingerprinting – (Scan e.g. Nmap)

• Identification

• Exploit – (escalate privilege)

• Clean up – (e.g. grab info, passwd, create user, clear history and exit)

Page 34: Encription IT security services Penetration Testing

Reporting and Testing

• Avoid temptation to focus on ‘critical’ issues

• Remember, two low risk issues can make a high risk attack vector

• Observation is as important as running tools

Page 35: Encription IT security services Penetration Testing

Android App Testing Demo

Page 36: Encription IT security services Penetration Testing

Let’s have a look at …

• Mercury

• Android app testing toolkit

• Bit fiddly to set up tbh

• Worth the effort

Page 37: Encription IT security services Penetration Testing

Testing Android Apps

• Install Android SDK

• Install Mercury

• Start VM Android device

• Install Mercury agent and the app you want to look at

Page 38: Encription IT security services Penetration Testing

Testing Android Apps

• Start adb (linux)

– $ adb forward tcp:31415 tcp:31415

• Connect with mercury

– mercury console connect

• Party!

Page 39: Encription IT security services Penetration Testing

Testing Android Apps

• Get started commands

– list

– run scanner.provider.injection

• Derp!

• Now write an app to steal the data!
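As an added example (not code from the talk, and not Mercury's own code), this is the shape of the defect that scanner.provider.injection reports in an exported content provider, beside the hardened query() a tester would recommend in the report. The class, table and column names are assumed.

```java
// Added example: a content provider that concatenates caller input into SQL
// (the kind of finding Mercury's scanner.provider.injection reports) and the
// hardened query() a report would recommend. Class, table and column names are assumed.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;

public class NotesProvider extends ContentProvider {
    private SQLiteDatabase db;      // opened in onCreate() by the app's SQLiteOpenHelper

    // VULNERABLE: the selection string supplied by *any* caller becomes part of the
    // SQL text, so an exported provider lets another app rewrite the WHERE clause.
    Cursor queryVulnerable(String selection) {
        return db.rawQuery("SELECT * FROM notes WHERE " + selection, null);
    }

    // HARDENED: only whitelisted columns of the "notes" table are reachable,
    // setStrict() makes the builder verify the selection against injected SQL,
    // and values travel as bound parameters (selectionArgs) rather than as SQL text.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        HashMap<String, String> allowed = new HashMap<>();
        allowed.put("_id", "_id");
        allowed.put("title", "title");
        allowed.put("body", "body");
        qb.setProjectionMap(allowed);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Pair the code fix with the manifest: unless other apps genuinely need this
    // provider, declare it android:exported="false" (or guard it with a permission)
    // so the Mercury agent, and any other app, cannot reach it at all.

    @Override public boolean onCreate() { return true; }
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```

Re-running scanner.provider.injection after the fix is the check that the remediation actually closed the issue rather than merely changed its shape.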

Page 40: Encription IT security services Penetration Testing

Getting into security

Page 41: Encription IT security services Penetration Testing

Finding a job

• I won’t lie ...

• Pen testing is not for everyone

• Competition for junior positions

• Not great pay at first :(

• Increase your chances by getting involved

• Lots of community activity

Page 42: Encription IT security services Penetration Testing

Community

• BSides conferences are free

• OWASP conferences are very low cost

• BSC Groups and meetings

• Find online resources and contribute

Page 43: Encription IT security services Penetration Testing

More than anything

• Gain expert level knowledge in programming, servers, network protocols

• Understanding what security is

• ... It’s not just about exploits

Page 44: Encription IT security services Penetration Testing

It works!

• Lasantha Priyankara

Page 45: Encription IT security services Penetration Testing

Success story

• Listened to this talk

• Blogged about the demo

• Went to BSides London

• Met his current employer there

• Employed!

Page 46: Encription IT security services Penetration Testing

Questions?