encription it security services
encription IT security services
Penetration Testing
• Campbell Murray
• Technical Director of Encription
• Technical Panel Chair for Tigerscheme
• CHECK Team Leader (GCHQ/CESG)
Who am I?
• Penetration Tester aka
  – ITSHCE (IT Security Health Check Engineer)
  – IATP (Information Assurance Testing Professional)
  – Ethical Hacker
• Many names for the same thing
What do I do?
• Vulnerability Research
• Exploit development
• Defensive research
• Community projects
  – BSides / 44Con / MCSG / OWASP & more
What else do I do?
Why do people have pen tests done?
• To protect?
• Detect the risk of:
• Loss of confidentiality (theft)
• Loss of integrity (changes to data)
• Loss of availability (denial of service)
• CIA
Why?
• Identify all threats arising from:
• Exploitation
• Privilege escalation
• Malware / Virus infection
• Poor passwords
• Network misconfiguration
Why (cont.)?
• Malicious users
• Poor segregation of duties
• Vulnerability in code
• Opportunists / Recreational
• etc
Why (cont.) ?
• The threats faced by all organisations are similar
• Insiders
• Outsiders
• Accidents
• Variously motivated
Threats
• State led
• Criminal
• Political
• Social
• Opportunist / Recreational
• Malevolent
Motivations
• Honestly, no
• Majority of companies are indifferent
• Banks accept risk and loss
• Rarely a desire to meet best practice or be ‘secure’
• Post ‘hacked’ testing very common
Is this the reason we exist?
• Most commonly for compliance, e.g.
  – GCSx / Gsi / PSN CoCo
  – PCI DSS
  – ISO*, e.g. 27001
  – Protected environments, e.g. MoD
  – Protecting IPR
  – Commercially sensitive
So why then?
Jumping in
How do we test?
• White Box
  – Full disclosure
• Grey Box
  – Appropriate disclosure
• Black Box
  – Zero disclosure
• Red Team
  – NO RULES TESTING
Types of test?
• Everything and anything that we are asked to!
• E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP /WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc etc etc.
• Defined by the SCOPE OF WORK
What do we test?
• Broad and DETAILED expertise
  – Programming
  – Server Admin (Win / *nix / Solaris / AIX etc)
  – Network Admin
  – Application Development
  – etc
What makes us effective?
• Current market is leaning to Vulnerability Assessment i.e. Tools based testing
• Cheaper but ...
• Limited value compared to a pen test
• Tools are helpful but without experience are misleading
I thought it was simpler :(
• Market is splitting into ...
• ... Scan based assessment e.g. PCI DSS
• Seen as low end
• And pen testing ...
• ... High end but quality still varies
• Return of Red Teaming!
Polarity
• We cannot FIND issues beyond that which tools provide if we do not know how to secure systems, networks or correct code
• We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code
Expertise is crucial
• We cannot JUSTIFY our results if we cannot prove them
• Clients / IT admins will not ACT on reported issues unless they understand the full risk
Expertise is crucial
• Methodology is key to success
• 5 common stages
  – Passive reconnaissance / OSINT
  – Fingerprinting
  – Vulnerability identification
  – Exploitation
  – Extraction / Covering tracks
What else makes us effective?
• How I hacked a bank without ever going anywhere near it!
Quick Story
• Pen testing is about SECURITY
• That means identifying ALL possible attack vectors
• And knowing how we could use them
• Frequently two minor vulnerabilities, when combined, can be devastating
• Requires experience, not certification.
Moral of the story
• Crucial
  – Defines methodology to be used
  – What is ‘in scope’
  – Details given legal permission to test
• Going out of scope will see you fall foul of the CMA
• Not to mention the client’s wrath!!!!
Scope of Work?
• CMA holds stiff penalties
  – Potential extradition to other countries
  – Criminal record
• You MUST have written permission from someone AUTHORISED to give that permission
• Research only performed in air gapped networks!
Cautionary notes
• You can be prosecuted for owning ‘hacking’ and malware creation tools
• Unless you can justify possession
• Akin to ‘going equipped’ to commit crime, even if you haven’t
Cautionary notes
All the ducks are lined up, what next?
• Identify the client’s soft requirements
• If on site go prepared
  – Health and Safety
  – USB / Phone limitation
  – Dress code
  – Point of contact
  – Etc
Delivery
• People skills are essential
• Polite but firm
• Do not allow others to impede your activity
• Sense of humour essential
• As is fully operational kit and plan B
• Pen and paper just as important!
Delivery
• The GOLDEN RULE is ...
• .... NEVER leave a system less secure than how you found it!
• E.g. Creating user accounts or other objects
• If a high risk issue is found the client must be informed immediately
Execution
• Good use of language
• Lots of people will read the report, make it readable.
• Ability to express technical concepts simply and accurately
• Face to face washup meetings require presentation skills
Reporting
Applying your methodology
• Methodology!!!!!!
• Reconnaissance (what is it)
• Fingerprinting – (Scan e.g. Nmap)
• Identification
• Exploit – (escalate privilege)
• Clean up – (e.g. grab info, passwd, create user, clear history and exit)
How?
• Avoid temptation to focus on ‘critical’ issues
• Remember, two low risk issues can make a high risk attack vector
• Observation is as important as running tools
Reporting and Testing
Android App Testing Demo
• Mercury
• Android app testing toolkit
• Bit fiddly to set up tbh
• Worth the effort
Let’s have a look at …
• Install Android SDK
• Install Mercury
• Start VM Android device
• Install Mercury agent and the app you want to look at
Testing Android Apps
• Start adb (linux)
• $ adb forward tcp:31415 tcp:31415
• Connect with mercury
• mercury console connect
• Party!
Testing Android Apps
• Get started commands
• list
• run scanner.provider.injection
• Derp!
• Now write an app to steal the data!
Testing Android Apps
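As an added illustration of what the scanner.provider.injection check above looks for (code written for this page, not Encription’s or the Mercury project’s; the provider name, table and columns are assumed), here is a content provider with the injectable query pattern beside its hardened form:

```java
package example.notes;  // assumed package; the whole provider is a constructed example
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";  // constructed table for the example
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        // The only columns a caller may name in a projection or selection.
        for (String col : new String[] {"_id", "title", "body"}) PROJECTION_MAP.put(col, col);
    }
    private SQLiteDatabase db;

    // The pattern scanner.provider.injection flags: the caller-supplied selection
    // is spliced into the SQL text, so any app that can reach the provider
    // controls the WHERE clause and can read other tables in the same database.
    public Cursor queryUnsafe(String selection) {
        return db.rawQuery("SELECT * FROM " + TABLE + " WHERE " + selection, null);
    }

    // Hardened form: the query builder only accepts whitelisted column names,
    // and values travel separately in selectionArgs as bound parameters.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);  // unknown columns are rejected
        qb.setStrict(true);                   // selection is checked against the map
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public boolean onCreate() {
        db = getContext().openOrCreateDatabase("notes.db", Context.MODE_PRIVATE, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS " + TABLE + " (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        return true;
    }

    // Write paths are disabled here; the manifest entry should also set
    // android:exported="false" or require a permission unless other apps need it.
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```

Running the same scanner against both forms is the quickest way to confirm the fix: the unsafe method reports injection, the strict-mode query does not.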
Getting into security
• I won’t lie ...
• Pen testing is not for everyone
• Competition for junior positions
• Not great pay at first :(
• Increase your chances by getting involved
• Lots of community activity
Finding a job
• BSides conferences are free
• OWASP conferences are very low cost
• BSC Groups and meetings
• Find online resources and contribute
Community
• Gain expert level knowledge in programming, servers, network protocols
• Understanding what security is
• ... It’s not just about exploits
More than anything
• Lasantha Priyankara
It works!
• Listened to this talk
• Blogged about the demo
• Went to Bsides London
• Met his current employer there
• Employed!
Success story
Questions?