
Of security testing and assessment

- Pain in the arse
- Loudmouth
- Hacker Punk
- Tells lies (professionally)
- Is called all sorts of bad words.. that I will likely say throughout this talk
- Can't code well
- Talks $hit
- Drinks a LOT
- Is an overall J3rk

LARES

- OSINT
- SIGINT
- TSCM / Bug Sweeping
- Exploit Development
- Tool Creation
- Attack Planning
- Offensive Consultation
- Adversarial Intelligence
- Competitive Intelligence
- Attack Modeling
- Business Chain Vuln Assessments
- Custom Physical Bypass Tool Design
- Reverse Engineering
- Other stuff I can't write down

Traditional InfoSec
- Typical services
- Proposed value (Sales BS)
- Set up for failure
- WYSIWYG

Enhancing Services Value
- Doing services right
- Mo value, less money
- Eliminating failure
- Custom Delivery

New Skool InfoSec
- Red Teaming (CAST: Converged Attack Surface Testing)
- Insider Threat Assessment
- Adversarial Modeling
- IDCA (Interactive Defense Capability Assessment)
- BCVA (Business Chain Vulnerability Analysis)

Doing the same thing and expecting different results.

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
http://en.wikipedia.org/wiki/Vulnerability_assessment

Reasons to Conduct
- Identify potential vulnerabilities
- Provide scoring of risk & prioritization of remediation
- Manage environment vulnerabilities over time to show security program improvement, defense capability increase and compliance with the ongoing patch, system and vulnerability lifecycle

How it's usually done
- Run a bunch of scanners
- Generate a report
- **Sometimes** generate a custom report consisting of copy/paste data from the vulnerability scanners and TRY to make sure you delete the word Nessus, Qualys and/or the previous client's name

- Do not run Dangerous or Experimental Checks (*instant 30%+ reduction in results and overall accuracy*)
- Do not perform Denial of Service
- Do not run thorough checks
- Do not run Web checks
- Only run ONE brand of scanner
- Limit only to known network checks
- Only scan once

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
http://en.wikipedia.org/wiki/Penetration_test

Reasons to Conduct
- Identify if attackers can readily compromise the security of the business
- Identify potential impact to the business
- Confirm vulnerabilities identified
- Gain a Real World View of an attacker's ability to hack the environment and resolve issues identified

How it's usually done
- Do all the steps in Vulnerability Assessment listed previously
- Run Metasploit/Core/Canvas against hosts
- Try a few other automated tools
- If those don't work, call it SECURE

- Do not allow the exploitation of systems
- Restrict testing to non-production systems
- Restrict the hours of testing
- Restrict the length of testing
- Improperly scope / fail to include ALL addresses
- Only perform externally
- Patch/fix BEFORE the test
- Only allow directed attacks (no SE / Phishing)
- Lack of focus on BUSINESS risk and increased focus on technical issues

IT risk management is the application of risk management to the information technology context in order to manage IT risk. Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. http://laresconsulting.com/risk.php

Reasons to Conduct
- Compliance with regulations
- Overall health check of the InfoSec program
- Gain understanding of program effectiveness
- Baseline discovery of THAT specific assessment (*often information centric*)
- To show 3rd parties and customers they are Secure

How it's usually done
- Whip out a checklist
- Check stuff off on the checklist
- Have a TON of interviews
- Believe every word
- Do a tick mark legend and ask people to provide evidence (*which is usually faked*)

- Only assess controls that are in scope
- Do not allow ACTUAL/TECHNICAL testing and validation
- Rely on all information provided as TRUE
- Minimize scope to only include assets and controls that are part of the selected compliance regulation and NOT the ENTIRE BUSINESS
- Allow for Compensating Controls to be an answer to most issues
- Expect to become compliant through outsourcing
- Expect to become compliant through product purchase/implementation
- Be unprepared
- LIE

Stop cutting off your own fingers

TESTING

Skip it!

Do It Yourself
- Use scanners to identify vulns
- Figure out a process to track them over time
- Manage the reduction of vulns over time
- Manage the MTTP (Mean Time To Patch)
- Do the rest and make your testers WORK hard.
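One way to run the do-it-yourself tracking above, as an added example that is not from the talk or from Lares: it reads a constructed scanner export (a hypothetical CSV layout with made-up hosts and finding IDs), computes MTTP per severity, gives the open-finding count on any date so the reduction over time can be charted, and flags findings that outran an assumed per-severity patch window.

```python
# Track scanner findings over time and compute MTTP (Mean Time To Patch).
# Added example, not from the talk. SAMPLE_EXPORT is a constructed CSV in a
# hypothetical scanner-export layout; `patched` is empty while a finding is open.
import csv
from collections import defaultdict
from datetime import date
from io import StringIO

SAMPLE_EXPORT = """finding_id,host,severity,first_seen,patched
FINDING-1,10.0.0.5,critical,2012-01-03,2012-01-10
FINDING-1,10.0.0.7,critical,2012-01-03,2012-02-02
FINDING-2,10.0.0.9,high,2012-01-20,2012-01-25
FINDING-3,10.0.0.9,high,2012-01-20,
FINDING-4,10.0.0.5,medium,2012-02-14,
"""

# Assumed patch-window SLA per severity, in days (not a figure from the talk).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def load_findings(text):
    """Parse the export: ISO dates become date objects, an empty `patched` becomes None."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["first_seen"] = date.fromisoformat(r["first_seen"])
        r["patched"] = date.fromisoformat(r["patched"]) if r["patched"] else None
        rows.append(r)
    return rows

def mttp_by_severity(findings):
    """Mean days from first_seen to patched, per severity; open findings do not count."""
    days = defaultdict(list)
    for f in findings:
        if f["patched"] is not None:
            days[f["severity"]].append((f["patched"] - f["first_seen"]).days)
    return {sev: sum(v) / len(v) for sev, v in days.items()}

def open_count_on(findings, when):
    """Findings seen by `when` (YYYY-MM-DD) and not yet patched then: one point on the trend."""
    when = date.fromisoformat(when)
    return sum(1 for f in findings
               if f["first_seen"] <= when and (f["patched"] is None or f["patched"] > when))

def sla_breaches(findings, today):
    """(finding_id, host) pairs whose time to patch, or age if still open, exceeds the SLA."""
    today = date.fromisoformat(today)
    return [(f["finding_id"], f["host"]) for f in findings
            if ((f["patched"] or today) - f["first_seen"]).days > SLA_DAYS.get(f["severity"], 0)]
```

Feed it successive exports and call open_count_on for each scan date to get the "reduction over time" curve; MTTP only counts closed findings, so a long tail of open criticals shows up in sla_breaches rather than in the mean.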

DON'T RUSH IT

PLAN FOR INTERACTION
- ALWAYS Ride Along
- Connect to the REAL impact (shells don't matter)

GO FULL SCOPE
- Don't use firms that have SECRET processes or can not explain every step of the test and HOW they do it
- Attack like AN ATTACKER, not like a script kiddie
- Use a repeatable methodology

IF THE TESTING TIME LOOKS LIKE THIS, GET A NEW TESTER

Recon -> Scan -> Enumerate -> Exploit -> PostExploit -> Write Report

PTES phases:
- Pre-Engagement
- Intelligence Gathering
- Threat Modelling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting

WWW.PENTESTSTANDARD.ORG
HTTP://WWW.PENTESTSTANDARD.ORG/INDEX.PHP/PTES_TECHNICAL_GUIDELINES

Common misconceptions
- We will get owned, what's the point
- It will offend our users
- Doesn't provide enough value

How it's usually done
- Send a 419 scam style email
- Track clicks
- Write a report to show who clicked

How it SHOULD be done to generate MAX value
- MAKE IT BUSINESS FOCUSED, NOT IT FOCUSED
- Use multiple standards
- Remove silos and scope restrictions
- TEST, TEST, TEST (PBC docs ARE NOT SUFFICIENT)
- A sample set does not show the ability to secure. A crack in certain parts of the defense chain allows for the compromise of the ENTIRE COMPANY
- ALWAYS interview each and every executive to understand THEIR concerns and build the solutions to address THEM, and not always just for the audit
- Discuss the VALUE of systems in relevance to the business and re-weight scores
- NEVER allow a compensating control on a BUSINESS critical system. EVER

THIS is what the BIG BOYS do, catch up.

The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying "your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams.

How do you know you can put up a fight if you have never taken a punch?

RED TEAM

Electronic
- Network Pentesting
- Surveillance / plants

EP Convergence (Electronic/Physical)
- Attacks on physical systems that are network enabled

ES Convergence (Electronic/Social)
- Blackmail
- Phishing
- Profiling
- Creating moles

Physical
- Lockpicking
- Direct Attack

Social
- In Person Social Engineering
- Phone Conversation
- Social Profiling

PS Convergence (Physical/Social)
- Tailgating
- Impersonation

Reasons to Conduct
- Real world test to see how you will hold up against a highly skilled, motivated and funded attacker
- The only type of testing that will cover a fully converged attack surface
- Impact assessment is IMMEDIATE and built to show a maximum damage event
- This IS the FULL DR test of an InfoSec Program

Reasons to Conduct
- Exercises in evaluating WHO your top 5 most likely attackers are
- Full OSINT profiling on the attackers and their capabilities
- Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving the attacks that are MOST likely to happen
- Testers are forced to use the capabilities of the likely attackers and train the team how to be cool under fire
- The most relevant attacks are dealt with FIRST: you are not defending against the pentester, you are prepping for the battle that WILL happen

What is it?
- Evaluate threat and risk from employee/staff/contractor/executive/etc.
- Use company provisioned asset / standard access model (limited privs)
- Identify what data/assets can be accessed through authorized channels
- Identify elevation of privilege scenarios (exploit AND non-exploit methods)

Why do it?
- Provides visibility into what could happen
- A user WILL be compromised at some point
- Evaluate security posture of corporate assets
- External testing doesn't always provide accurate measurement of internally sourced threats
- Identify insecure internal communication channels
- Evaluate covert channel resistance/prevention
- External assessments usually only measure (1) of these (if you're lucky)
- Measure defense capabilities internally (beyond the perimeter):
  - System to system communication
  - Level of noise detection
  - Data leakage/exfil abilities
  - Log/data correlation
  - Incident response/forensics teams' level of knowledge/expertise

Reasons to Conduct
- Targeted at working BOTH sides of the test
- Active analysis on defense capability and improvements / feedback can be real time
- Direct understanding of where process, policy and procedure break down in a REAL LIFE EVENT
- Identification of Defensive Technology effectiveness

Reasons to Conduct
- Targeted at working on identifying BUSINESS vulns
- How much can/do partners hurt you
- Where can you better defend against Partners and 3rd parties
- Who, what, where, when and why of how the business works and how it can be materially affected by relationships

Cnickerson@laresconsulting.com

WWW.LARES.COM
