Presented by: Bryan Miller, CCIE, CISSP - ISACA pres...
TRANSCRIPT
Presented By:
Bryan Miller, CCIE, CISSP
Speaker Introduction
Risks
Controls
Why We Should Pen Test
Why We Don’t Pen Test
Tools & Techniques
Low Hanging Fruit
Case Studies
Copyright 2010 Syrinx Technologies 2
Biography
B.S. – Information Systems – VCU
M.S. – Computer Science – VCU
CCIE, CISSP
Former Cisco CCNA Instructor at John Tyler & J. Sargeant Reynolds Community Colleges
Lecturer at VCU Fast Track Executive Master of Science (FTEMS) Program
Adjunct Faculty in Information Systems and Computer Science at VCU
President, Syrinx Technologies & Partner at eHealthSecurity
Types of Risks
Reputational – public image
Financial – protecting monetary funds
Strategic – goals of the organization
Compliance – laws and regulations
Dealing with Risk
Avoid – never try anything new
Transfer – buy lots of insurance
Mitigate – better planning
Accept – go ahead and jump
Categories of Controls
Preventative – deter inappropriate events from happening
Separation of duties, proper authorization and physical control over assets
IT – firewalls, anti-virus, encryption
Detective – actions that are taken to detect and correct undesirable events that have already occurred
Physical inventories, reconciliations and audits
IT – vulnerability scan, Intrusion Detection System
Types of Controls
Physical – physical security of a server
“Hardware keyboard logger”
Technical – password complexity enforcement through an operating system setting (GPO)
“ophcrack”
Administrative – written policies, reviews
“Social Engineering”
Why We Should Pen Test
Satisfy legal/governmental/industry requirements (HIPAA, GLBA, SOX, FISMA, PCI).
Often required by internal/external auditors.
Validate existing technological controls.
Raise overall security awareness.
Test Intrusion Detection/Prevention Systems, including incident handling procedures.
New management: Provides a great security baseline.
Mergers/Acquisitions: Evaluate their security before integrating systems.
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker.
A vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. No actual system compromises occur.
Two types of pen tests:
"White box" – uses vulnerability assessment and other pre-disclosed information
"Black box" – performed with little or no knowledge of the target systems
Which one do we choose? Vulnerability assessments answer the question: "Where are our weaknesses?"
Penetration tests answer the question: "Can someone break in and what can they access?"
Why We Don’t Pen Test
If you tell us what’s wrong, we’ll have to fix it.
We already know where everything is broken.
We don’t have anything that hackers want.
Our employees aren’t smart enough to do that kind of thing.
We trust our employees.
We can’t afford it.
We’re too small to matter.
Tools & Techniques
Start with a proven methodology:
Reconnaissance
Scanning
Verification
Use a variety of tools and don’t trust any tool too much.
Test everything with an IP address.
Every device is important, otherwise disconnect it.
Categories of tools:
Research
Port/Vulnerability Scanners
Wardialing/Wardriving
Application-specific scanners:
Web servers
OS-specific
Database
Password cracking
Frameworks (Metasploit, BackTrack, Samurai)
Social Engineering
Low Hanging Fruit
Policy & Procedures:
Lack of proper physical security.
Sensitive data stored without encryption.
Sensitive data transmitted/stored in email.
Common passwords across different platforms and/or architectures.
Patch Management:
Verify that patches are actually applied.
Make sure to patch desktops and servers.
It is important to patch operating systems and applications.
Don’t forget appliances and other network infrastructure devices.
Password Management:
Default Simple Network Management Protocol (SNMP) community strings.
Default database passwords (MS SQL, Oracle, MySQL).
Default passwords in Compaq Insight Manager (CIM).
Default passwords on infrastructure devices.
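The three low-hanging-fruit slides above (policy, patches, passwords) are checks an organization can run against itself. As an added example that is not part of the presentation, the Python below audits a constructed inventory for exactly those findings: blank passwords, default SNMP community strings, one credential reused across systems (the VNC/domain-admin situation in the case studies that follow), and stale patch dates. The inventory, host names, digests and the 90-day patch threshold are all assumptions.

```python
import hashlib
from datetime import date

# Constructed inventory, as an auditor might export it from a CMDB or vault.
# password_digest is an unsalted SHA-256 of the credential (an assumption made
# so that identical passwords compare equal without the audit storing them).
DEFAULT_COMMUNITIES = {"public", "private"}
EMPTY_DIGEST = hashlib.sha256(b"").hexdigest()

def digest(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

INVENTORY = [
    {"host": "branch-dc01", "service": "windows-admin", "password_digest": EMPTY_DIGEST,
     "snmp_communities": [], "last_patched": date(2010, 1, 15)},
    {"host": "branch-dc01", "service": "vnc", "password_digest": digest("W1nter2010!"),
     "snmp_communities": [], "last_patched": date(2010, 1, 15)},
    {"host": "nas01", "service": "admin-share", "password_digest": digest("W1nter2010!"),
     "snmp_communities": ["public"], "last_patched": date(2009, 6, 1)},
    {"host": "core-sw1", "service": "snmp", "password_digest": digest("x7!kQ9#mL2"),
     "snmp_communities": ["private"], "last_patched": date(2010, 3, 1)},
]

def audit(inventory, today=date(2010, 4, 1), max_patch_age_days=90):
    """Return (host, category, detail) findings covering the three P's."""
    findings = []
    users_of = {}  # digest -> ["host/service", ...] sharing that credential
    for e in inventory:
        cred = f"{e['host']}/{e['service']}"
        if e["password_digest"] == EMPTY_DIGEST:
            findings.append((e["host"], "password", f"blank password on {e['service']}"))
        else:
            users_of.setdefault(e["password_digest"], []).append(cred)
        for c in e["snmp_communities"]:
            if c in DEFAULT_COMMUNITIES:
                findings.append((e["host"], "password", f"default SNMP community '{c}'"))
        age = (today - e["last_patched"]).days
        if age > max_patch_age_days:
            findings.append((e["host"], "patch", f"last patched {age} days ago"))
    # One credential on several systems is the "domino" the case studies describe.
    for creds in users_of.values():
        if len(creds) > 1:
            findings.append(("multiple", "password", "same credential on " + ", ".join(creds)))
    return findings

if __name__ == "__main__":
    for host, category, detail in audit(INVENTORY):
        print(f"{host:12} {category:9} {detail}")
```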
Case Studies
Each of these 4 cases is real. There are many more.
The names and specifics have been changed to protect the innocent and the clueless.
Each case provides an example of the “domino effect”.
Note that in each case nothing alerted the client to what was going on.
Large non-profit company running Lotus Notes with many branch offices.
One branch had a blank administrator password.
The Virtual Network Computing (VNC) password was the domain admin password.
Same password provided access to network-attached storage (NAS).
While examining file systems a file was found with backup Cisco configurations.
During wardialing at a law firm, a Shiva LanRover was found using Novell authentication.
Oracle servers were accessed using default passwords.
Cisco infrastructure compromised due to default read-write SNMP community string.
Connected via FTP to Novell server, viewing sensitive configuration files.
Accessed many UNIX machines, decrypting several password files.
Large financial company in multiple states.
Accessed several internal applications using default login credentials.
Accessed configuration file left by a developer containing database login credentials.
Using these credentials, accessed sensitive client data including Social Security numbers and credit card numbers.
Several devices compromised by downloading manuals from Internet.
Large non-profit organization.
Several PCs missing “old” patches.
Default SNMP community strings.
Blank database passwords allowed access to donor database.
Connected to another database and discovered credit card data.
Social engineering provided access to 5 buildings/server closets.
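The case-study introduction notes that in every case nothing alerted the client. As an added example, not part of the presentation, the Python below runs one simple detection over constructed authentication log lines: a single user from a single source address successfully authenticating to three or more distinct hosts within ten minutes, which is the trail the reused domain admin password in the first case would have left. The log format, host names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-like authentication events; not the output of any real product.
LOG = """\
2010-04-01T02:14:07 branch-dc01 auth: user=Administrator service=rdp result=success src=10.0.5.23
2010-04-01T02:15:40 branch-dc01 auth: user=Administrator service=vnc result=success src=10.0.5.23
2010-04-01T02:17:02 nas01 auth: user=Administrator service=smb result=success src=10.0.5.23
2010-04-01T02:21:55 notes01 auth: user=Administrator service=http result=success src=10.0.5.23
2010-04-01T09:00:12 fileserv2 auth: user=jsmith service=smb result=success src=10.0.7.41
2010-04-01T09:02:30 mail01 auth: user=jsmith service=imap result=failure src=10.0.7.41
"""
LINE_RE = re.compile(r"^(\S+) (\S+) auth: user=(\S+) service=(\S+) result=(\S+) src=(\S+)$")

def parse(log):
    """Turn log lines into event dicts, skipping malformed lines instead of aborting."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, service, result, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                           "service": service, "result": result, "src": src})
    return events

def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one (user, src) pair succeeds against >= min_hosts distinct hosts
    inside `window`: the footprint one reused admin credential leaves on the network."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        for i, start in enumerate(evs):  # slide the window forward from each event
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "first_seen": start["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts

if __name__ == "__main__":
    for a in detect_fanout(parse(LOG)):
        print(f"{a['first_seen']} {a['user']}@{a['src']} reached {', '.join(a['hosts'])}")
```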
What did we learn? The 3 P’s
Policies & Procedures
Patch Management
Password Management
The majority of the remediation efforts are not costly in resources (human, technology, financial).
The biggest changes have to occur with users, systems administrators and developers.
Thank You Very Much for Your Time and Attention!