encription IT security services
Penetration Testing
Who am I?
• Campbell Murray
• Technical Director of Encription
• Technical Panel Chair for Tigerscheme
• CHECK Team Leader (GCHQ/CESG)
What do I do?
• Penetration Tester, aka:
– ITSHCE (IT Security Health Check Engineer)
– IATP (Information Assurance Testing Professional)
– Ethical Hacker
• Many names for the same thing
What else do I do?
• Vulnerability research
• Exploit development
• Defensive research
• Community projects
– BSides / 44Con / MCSG / OWASP & more
Why do people have pen tests done?
Why?
• To protect?
• To detect the risk of:
– Loss of confidentiality (theft)
– Loss of integrity (changes to data)
– Loss of availability (denial of service)
• CIA
Why (cont.)?
• Identify all threats arising from:
– Exploitation
– Privilege escalation
– Malware / virus infection
– Poor passwords
– Network misconfiguration
Why (cont.)?
– Malicious users
– Poor segregation of duties
– Vulnerabilities in code
– Opportunists / recreational attackers
– etc.
Threats
• The threats faced by all organisations are similar:
– Insiders
– Outsiders
– Accidents
• Variously motivated
Motivations
• State led
• Criminal
• Political
• Social
• Opportunist / recreational
• Malevolent
Is this the reason we exist?
• Honestly, no
• The majority of companies are indifferent
• Banks accept risk and loss
• Rarely a desire to meet best practice or be ‘secure’
• Post-‘hacked’ testing is very common
So why then?
• Most commonly for compliance, e.g.:
– GCSx / Gsi / PSN CoCo
– PCI DSS
– ISO*, e.g. 27001
– Protected environments, e.g. MoD
– Protecting IPR
– Protecting commercially sensitive information
Jumping in: how do we test?
Types of test?
• White Box – full disclosure
• Grey Box – appropriate disclosure
• Black Box – zero disclosure
• Red Team – ‘no rules’ testing (no restriction on technique, but still bounded by the agreed scope and the written permission that covers it)
What do we test?
• Everything and anything that we are asked to!
• E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP / WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc.
• Defined by the SCOPE OF WORK
What makes us effective?
• Broad and DETAILED expertise:
– Programming
– Server Admin (Win / *nix / Solaris / AIX etc.)
– Network Admin
– Application Development
– etc.
I thought it was simpler :(
• The current market is leaning towards Vulnerability Assessment, i.e. tools-based testing
• Cheaper, but ...
• ... limited value compared to a pen test
• Tools are helpful, but without experience their output is misleading
Polarity
• The market is splitting into ...
• ... scan-based assessment, e.g. PCI DSS
– Seen as low end
• And pen testing ...
– ... high end, but quality still varies
• Return of Red Teaming!
Expertise is crucial
• We cannot FIND issues beyond those the tools report if we do not know how to secure systems, networks or correct code
• We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code
Expertise is crucial (cont.)
• We cannot JUSTIFY our results if we cannot prove them
• Clients / IT admins will not ACT on reported issues unless they understand the full risk
What else makes us effective?
• Methodology is key to success
• 5 common stages:
– Passive reconnaissance / OSINT
– Fingerprinting
– Vulnerability identification
– Exploitation
– Extraction / covering tracks
Quick story
• How I hacked a bank without ever going anywhere near it!
Moral of the story
• Pen testing is about SECURITY
• That means identifying ALL possible attack vectors
• And knowing how we could use them
• Frequently two minor vulnerabilities, when combined, can be devastating
• Requires experience, not certification.
Scope of Work?
• Crucial:
– Defines the methodology to be used
– Defines what is ‘in scope’
– Details the legal permission given to test
• Going out of scope will see you fall foul of the CMA (Computer Misuse Act)
• Not to mention the client's wrath!
Cautionary notes
• The CMA carries stiff penalties:
– Potential extradition to other countries
– Criminal record
• You MUST have written permission from someone AUTHORISED to give that permission
• Research is only performed in air-gapped networks!
Cautionary notes (cont.)
• You can be prosecuted for owning ‘hacking’ and malware creation tools
• Unless you can justify possession
• Akin to ‘going equipped’ to commit a crime, even if you haven’t
All the ducks are lined up, what next?
Delivery
• Identify the client's soft requirements
• If on site, go prepared:
– Health and Safety
– USB / phone limitations
– Dress code
– Point of contact
– Etc.
Delivery (cont.)
• People skills are essential
• Polite but firm
• Do not allow others to impede your activity
• A sense of humour is essential
• As are fully operational kit and a plan B
• Pen and paper are just as important!
Execution
• The GOLDEN RULE is ...
• ... NEVER leave a system less secure than how you found it!
• E.g. creating user accounts or other objects
• If a high-risk issue is found, the client must be informed immediately
Reporting
• Good use of language
• Lots of people will read the report; make it readable.
• Ability to express technical concepts simply and accurately
• Face-to-face wash-up meetings require presentation skills
Applying your methodology
How?
• Methodology!
• Reconnaissance (what is it?)
• Fingerprinting (scan, e.g. Nmap)
• Identification
• Exploit (escalate privilege)
• Clean up (e.g. grab info, passwd, create user; then clear history, remove anything you created and exit)
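The Fingerprinting stage above (and in the five common stages listed under ‘What else makes us effective?’) is where Nmap normally goes. As an added example that is not from the original talk or from Nmap, the Python below does the most basic form of it by hand: TCP connect, read the banner the service volunteers, and match it against a small signature table, reporting each port as open, closed or filtered. The signature regexes, the SSH and SMTP banners and the loopback fake services are constructed for the example so it runs offline; `fingerprint`, `grab_banner`, `classify`, `start_fake_service` and `demo` are names chosen here, not tool or page identifiers.

```python
import re
import socket
import threading

# Constructed banner signatures: the same idea as Nmap's probe/match database,
# reduced to a few regexes for this example (not Nmap's data).
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)")),
    ("smtp", re.compile(rb"^220[ -]\S+.*?E?SMTP\s*(?P<sw>[^\r\n]*)")),
    ("ftp", re.compile(rb"^220[ -].*?(?P<sw>(?:vsFTPd|ProFTPD|FTP)[^\r\n]*)")),
]


def classify(banner):
    """Match a banner against the signature table: (service, version) or None."""
    for name, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            return name, m.group("sw").decode(errors="replace").strip()
    return None


def grab_banner(host, port, timeout=2.0):
    """TCP connect and read whatever the service sends first.
    Returns (state, banner) with state 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return "open", s.recv(256)
            except OSError:
                # Connected, but the service expects the client to speak first
                # (HTTP, TLS ...) or reset us: still open, just no banner.
                return "open", b""
    except ConnectionRefusedError:
        return "closed", b""
    except OSError:
        # Connect timed out or was dropped: no RST, no banner.
        return "filtered", b""


def fingerprint(host, ports):
    """Scan the given ports and return {port: {state, banner, service, version}}."""
    results = {}
    for port in ports:
        state, banner = grab_banner(host, port)
        match = classify(banner) if banner else None
        results[port] = {
            "state": state,
            "banner": banner.strip().decode(errors="replace"),
            "service": match[0] if match else None,
            "version": match[1] if match else None,
        }
    return results


def start_fake_service(banner):
    """Loopback listener on an ephemeral port that sends `banner` and hangs up,
    so the scan can be exercised offline. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Two constructed services plus one loopback port nothing listens on."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp_port = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    return fingerprint("127.0.0.1", [ssh_port, smtp_port, closed_port])


if __name__ == "__main__":
    for port, info in demo().items():
        print(port, info)
```

`demo()` returns one entry per port: the two fake services come back open with a service and version, the spare port closed. Against a real host, a port that accepts the connection but sends nothing within the timeout is reported open with an empty banner; that is the case where a client-speaks-first probe is needed, which is what Nmap's probe database adds and this script does not.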
Reporting and testing
• Avoid the temptation to focus only on ‘critical’ issues
• Remember, two low-risk issues can make a high-risk attack vector
• Observation is as important as running tools
Android App Testing Demo
Let's have a look at …
• Mercury (later renamed drozer)
• Android app testing toolkit
• A bit fiddly to set up, tbh
• Worth the effort
Testing Android Apps
• Install the Android SDK
• Install Mercury
• Start a VM Android device
• Install the Mercury agent and the app you want to look at
Testing Android Apps (cont.)
• Start adb (Linux)
• $ adb forward tcp:31415 tcp:31415
• Connect with Mercury:
• mercury console connect
• Party!
Testing Android Apps (cont.)
• Getting-started commands:
• list
• run scanner.provider.injection
• Derp!
• Now write an app to steal the data!
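What `scanner.provider.injection` is looking for, and what the ‘app to steal the data’ then does, can be shown without a device. The Python below is an added example, not code from the talk or from Mercury: it models a content provider's `query()` over an in-memory SQLite table with two implementations, one that concatenates the caller-supplied projection and selection into SQL and one with a column whitelist and bound selection arguments (the equivalent of a projection map plus `SQLiteQueryBuilder.setStrict()`). `injection_check` does what the scanner module does, puts a lone `'` into each argument and treats a SQL error as proof the input reached the parser; `steal_all_notes` is the exploit, a projection that closes the SELECT early and comments out the provider's owner restriction. The table, rows, function names and the `caller` parameter are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample: a notes table exposed through a content provider that is
# supposed to show each caller only its own rows.
COLUMNS = ("_id", "owner", "body")
SAMPLE_ROWS = [("alice", "alice's private note"), ("bob", "bob's note")]


def make_db():
    """In-memory SQLite database standing in for the provider's backing store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def vulnerable_query(db, caller, projection, selection, selection_args):
    """Provider query() that concatenates the caller-supplied projection and
    selection straight into SQL. The owner check is meant to restrict rows to
    `caller`, but the attacker writes the text on both sides of it."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM notes WHERE owner = '{caller}'"
    if selection:
        sql += f" AND ({selection})"
    return db.execute(sql, selection_args or []).fetchall()


_STRICT_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")


def hardened_query(db, caller, projection, selection, selection_args):
    """Same provider with a projection whitelist and a strict selection grammar:
    the equivalent of a projection map plus SQLiteQueryBuilder.setStrict()."""
    cols = list(projection) if projection else list(COLUMNS)
    if any(c not in COLUMNS for c in cols):
        raise ValueError("unknown column in projection")
    sql = f"SELECT {', '.join(cols)} FROM notes WHERE owner = ?"
    params = [caller]
    if selection:
        m = _STRICT_SELECTION.match(selection)
        if not m or m.group(1) not in COLUMNS or len(selection_args or []) != 1:
            raise ValueError("selection must be '<column> = ?' with one argument")
        sql += f" AND {m.group(1)} = ?"
        params.append(selection_args[0])
    return db.execute(sql, params).fetchall()


def injection_check(query_fn, db, caller="bob"):
    """The scanner's test: put a lone single quote in each argument and treat a
    SQL error as proof that the quote was interpolated into the statement."""
    probes = {"projection": (["'"], None, []), "selection": (None, "'", [])}
    verdicts = {}
    for name, (proj, sel, args) in probes.items():
        try:
            query_fn(db, caller, proj, sel, args)
            verdicts[name] = "safe"
        except sqlite3.OperationalError:
            verdicts[name] = "vulnerable"
        except ValueError:
            verdicts[name] = "safe"  # rejected before the SQL parser saw it
    return verdicts


def steal_all_notes(db):
    """The follow-up 'app to steal the data': a projection that closes the SELECT
    early and comments out the owner restriction, so every row comes back."""
    return vulnerable_query(db, "bob", ["* FROM notes --"], None, [])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", injection_check(vulnerable_query, db))
    print("hardened:  ", injection_check(hardened_query, db))
    print("stolen:    ", steal_all_notes(db))
```

The single quote is a detection probe, not the exploit: it only tells you the argument is interpolated. The exfiltration projection is what turns that into data loss, and it is exactly what the hardened version refuses because `* FROM notes --` is not a column name. On a real provider the same whitelist has to cover the sort order and the URI path segments too, since they reach the SQL builder by the same route.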
Getting into security
Finding a job
• I won’t lie ...
• Pen testing is not for everyone
• Competition for junior positions
• Not great pay at first :(
• Increase your chances by getting involved
• Lots of community activity
Community
• BSides conferences are free
• OWASP conferences are very low cost
• BSC groups and meetings
• Find online resources and contribute
More than anything
• Gain expert-level knowledge in programming, servers and network protocols
• Understand what security is
• ... it’s not just about exploits
It works!
• Lasantha Priyankara
Success story
• Listened to this talk
• Blogged about the demo
• Went to BSides London
• Met his current employer there
• Employed!
Questions?