WELCOME TO
Choosing Pen Tests & Real Life Horror Stories
Ed McMurray, CISA, CISSP
Assistant Director, CoNetrix Security, LLC
Audio
Turn up the volume on your device if you do not hear audio.
Questions
Presentation Resources
A link containing the recording and a copy of the slides will be provided to you after the webinar via email.
Disclaimer
• This presentation is for information only. Evaluate risks before acting based on ideas from this presentation.
• This presentation contains opinions of the presenters. Opinions may not reflect the opinions of CoNetrix.
• This presentation is proprietary. Unauthorized release of this information is prohibited. Original material is copyright © 2019 CoNetrix.
Presenter
Ed McMurray, CISA, CISSP
Assistant Director, CoNetrix Security, LLC
Agenda
1. What is Pen Testing?
2. Selecting a Pen Test Firm
3. Rules of Engagement
4. Phases of a Pen Test
5. Exploits!
“You need a pen test. This is a vulnerability assessment.
Have you considered Red Team testing?”
What is Pen Testing?
• Red Team
• Blue Team
• Purple Team
• Precision Strike
• Social Engineering
• War Dialing
• Phishing
• Physical Intrusion
• Capture the Flag
• Black Box Testing
• White Box Testing
• Gray Box Testing
• Reconnaissance
• Privilege Escalation
• Pivoting
• Web Application Testing
• Internal Testing
• External Testing
Credit: The Cyber Security Hub, https://www.linkedin.com/company/the-cyber-security-hub/
Penetration Testing
“There are many types of penetration tests . . . and management should
determine the level and types of tests employed to ensure effective and
comprehensive coverage.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
So what do you need and how do you find the company to perform it?
Penetration Testing
“A penetration test subjects a system to real-world attacks selected and
conducted by the testers.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
Choose Your Pen Test
Risk Assessment
• What are your most exposed assets?
• What are your most critical assets?
• What are you most worried about?
What You Want to Test & Why?
• What? Internet-exposed systems
• Why? These are our most exposed systems
• What? Employee responses to social engineering
• Why? These attacks are frequent and successful
Simple Risk Assessment
What attacks do we hear about from IT, in the news, etc.?
• Phishing!
• Ransomware
• Website attacks
What assets do those attacks target for us?
• Employees
• Corporate email and perimeter defenses
• Web servers
Choose Your Pen Test
Define the Scope
• All public IP addresses
• All employees
Tip: Include all external IP addresses, active and inactive.
Simple Risk Assessment
What testing do we need?
• Email social engineering for ALL employees
• Internet perimeter testing for ALL of our public IP addresses
BE SPECIFIC
Pen Testing Requested by Iowa State Court Officials
• Scope: “test the security of the court’s electronic records . . . through various means” (note: not specific)
• Result: two pen testers were arrested and jailed in Adel, Iowa for attempting to physically break into the courthouse
• State’s response: “[we] did not intend, or anticipate, those efforts to include the forced entry into a building.”
https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/
Set the Rules of Engagement
• What will the pen testers attempt
• What WON’T the pen testers attempt
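As an added illustration of "BE SPECIFIC" and of writing down what the testers will and won't attempt (example code added here, not from the deck; the scope values, network ranges, host exclusions and test-type names are constructed): a deny-by-default check that every planned target and test type is explicitly authorized before any work starts.

```python
"""Scope / rules-of-engagement check (added example, constructed data)."""
import ipaddress
from datetime import datetime

# Constructed sample scope: explicit CIDRs (active and inactive ranges),
# explicit test types, explicit exclusions. Anything not listed is out.
RULES_OF_ENGAGEMENT = {
    "authorized_networks": ["203.0.113.0/24", "198.51.100.0/25"],  # documentation ranges
    "excluded_hosts": ["203.0.113.7"],          # e.g. a customer-facing system
    "authorized_tests": {"external_network", "email_social_engineering"},
    "window": ("2019-10-01T00:00:00+00:00", "2019-10-15T00:00:00+00:00"),
}


def _parse(ts):
    """ISO-8601 timestamp with offset -> aware datetime."""
    return datetime.fromisoformat(ts)


def check_target(roe, target_ip, test_type, when):
    """Return (allowed, reason). Deny by default: a target must be inside an
    authorized network, not excluded, with a listed test type, in the window."""
    if test_type not in roe["authorized_tests"]:
        return False, f"test type '{test_type}' is not in the rules of engagement"
    start, end = (_parse(t) for t in roe["window"])
    if not (start <= when < end):
        return False, "outside the agreed testing window"
    try:
        ip = ipaddress.ip_address(target_ip)
    except ValueError:
        return False, f"'{target_ip}' is not a valid IP address"
    if any(ip == ipaddress.ip_address(h) for h in roe["excluded_hosts"]):
        return False, f"{ip} is explicitly excluded"
    if not any(ip in ipaddress.ip_network(n) for n in roe["authorized_networks"]):
        return False, f"{ip} is not in any authorized network"
    return True, "authorized"


def unauthorized_items(roe, plan, when):
    """Filter a planned list of (target, test_type) down to the entries that
    must be removed or renegotiated in writing before the engagement starts."""
    return [(t, k, check_target(roe, t, k, when)[1])
            for t, k in plan if not check_target(roe, t, k, when)[0]]


if __name__ == "__main__":
    now = _parse("2019-10-03T12:00:00+00:00")
    plan = [("203.0.113.20", "external_network"),
            ("203.0.113.7", "external_network"),      # excluded host
            ("192.0.2.5", "external_network"),        # not in scope
            ("203.0.113.20", "physical_intrusion")]   # never agreed to
    for item in unauthorized_items(RULES_OF_ENGAGEMENT, plan, now):
        print("STRIKE:", item)
```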
Penetration Testing
“The test mimics a threat source’s search for and exploitation of vulnerabilities to
demonstrate a potential for loss.”
FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
Rules of Engagement
• Do no harm.
• No significant customer impact.
• No unplanned operational impact.
• Limited system recovery time/money.
• Attempted exploits provide value.
• If an exploit might break the rules, report the vulnerability.
Evaluating a Pen Test Company
• What do you want tested?
• Certifications
• Usefulness of the report: will they help you understand the issues?
Ask for examples of their work.
Default Credentials
• End result: Full, internal network access from an attack system on the Internet.
The pen tester was inside the organization without them knowing they were there.
What Can You Do?
• Change the default credentials on ALL systems
• This sounds easy, but it happens all too often
Unnecessarily Exposed Systems
• HikVision security camera system exposed to the Internet
• Firmware vulnerability (discovered March 2017)
• http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK
• Downloads an encrypted configuration file
• Decryption using a static encryption key that is derived from “abcdefg”
• Obtained plaintext usernames and passwords
• End result:
What Can You Do?
• Don’t expose systems to the Internet that don’t need to be
• Test your Internet perimeter regularly so you catch accidents
Unpatched Systems
• Web server running Adobe ColdFusion
• Not patched since at least 2013
• Vulnerability allows authentication bypass (CVE-2013-0632)
• Fix released January 2013
• Malicious scheduled task was discovered
• Created November 2014
• Allowed SQL queries of complete customer files
• End result: Access to full customer data & proof of previous compromise
Unpatched Systems
[Diagram: Pen Tester → https://mali.cious/URL → Usernames/Passwords → SSL VPN Using Valid Credentials]
The pen tester was inside the network again.
What Can You Do?
• Patch, patch, patch – and then update
• One of the more difficult security processes.
• It is a constant cycle of installing updates, not just on Windows systems, but all systems that are exposed.
Tip: Create a recurring patch process specifically for Internet-exposed systems.
Penetration Testing
Request a quote at https://conetrix.com/security#ExternalPenTesting
Questions
Survey
Fill out the webinar survey for a chance to win! ($15)
THANKS FOR JOINING
Choosing Pen Tests & Real Life Horror Stories
Ed McMurray, CISA, CISSP
Assistant Director, CoNetrix Security, LLC