WHEN A VULNERABILITY ASSESSMENT > PENTEST THE ANOMALY.

Post on 28-Mar-2015


WHEN A VULNERABILITY ASSESSMENT > PENTEST

THE ANOMALY

$WHOAMI

Network Security for Dept of VA

Father/Husband

Fan of Futbol (Viva Mexico!)

Fan of Martial Arts

Brazilian JiuJitsu


WHAT IS A PENTEST?

Recon

Pwnage

Pillage

Loot

Report


INJUSTICE!

TESTING PENS

- How not to get a good pentest: http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html

- Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.”

http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html

PWNING NOOBS

- Con tracks and talks are all about breaking stuff

- Social media: if you break stuff, talk about how to fix it.

- Reporting is seriously lacking

PENTESTING – MY WIFE BEATS ME UP

“Why don’t you find their weaknesses and then help them fix it?”

VULNERABILITY ASSESSMENT

- Scan how? Inside or outside the network, with or without credentials, around IPS and firewalls

- Agent based vs. passive vs. active

- Results integration

- Results reporting

- Team player

SCAN HOW?

- Scanner location: inside the network, outside the network

- Denial of service

- Nmap

SCAN HOW?

- Exclusions for scanners

- White box vs. black box

- Firewalls, IPS

SCAN HOW?

- Credentials: Windows desktops and servers, Linux/Unix servers with an SSH account/keys, SNMP community strings, Cisco/networking SSH credentials

- Be careful with credentialed scanning; see the Daily Dave thread below (Dave/Immunity, Ron/Tenable, Qualys and others weigh in):

- https://lists.immunityinc.com/pipermail/dailydave/2013-February/000334.html

CREDENTIALS?

- Risk: the credentials the scanner uses can be captured (on the wire, or by a compromised host the scanner logs into)

- Use SSH keys

- Never send clear-text credentials

- Secure your scanner applications (they hold credentials for your whole estate)

- Passive vulnerability scanning (SPAN port) needs no credentials at all

SCAN HOW?

- Remember HD Moore’s Law

“Casual attacker power grows at the rate of Metasploit.” - Joshua Corman

SCAN HOW?

AGENT VS ACTIVE SCANNING

- Agent pros: near real time; no network traffic; no outages caused by scans

- Agent cons: may not be installed; may not be possible to install; some vulns cannot be found

VULN ASSESSMENT AND PATCH MGT

VULN SCANNING – DOING IT RIGHT

Internal Scans

Credentialed Scans – Linux, Windows, Network devices

Vendor-provided exploit availability data and exploit frameworks

Coordinate HIPS/NIPS, Firewall exclusions

SCAN DATA INTEGRATION

Integrate with Org CMDB

Sys Admin (SA) information

Satellite Server

SCCM

WSUS

BigFix


SCAN DATA INTEGRATION

Sys Admin information

SA POC information (part of cmdb)

Sys Admin deemed important information

Manual updates from Sys Admins

SCAN DATA INTEGRATION

Satellite Server

SCCM

WSUS

BigFix/Tivoli Endpoint Manager (TEM)

Red Hat patch info integration

Compare with Scan info

SCAN DATA INTEGRATION

Where Does all this data go?

Access DB

Custom app with DB backend

Excel spreadsheet

GRC – Governance Risk and Compliance

Any other solutions?
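What the integration slides describe, joined up in one place, as an added example that is not part of the original deck: scanner output is matched against the CMDB (who owns the box, how critical it is) and against what the patch system believes (is the fix already reported installed, when did the host last check in), then re-scored with the organization's own weights so the list that reaches each SA POC is theirs and already prioritized. All three data sets below are constructed; the field names, the criticality weights and the "org critical" finding list are assumptions, not any product's export format or any organization's policy.

```python
"""Join scanner findings with CMDB and patch-management data into an
org-prioritised work list per SA POC.

Added example; all data, field names and weights are constructed.
"""
from collections import defaultdict
from datetime import date

# Organizational weighting (assumed policy, not from the slides).
CRIT_WEIGHT = {"high": 1.0, "medium": 0.75, "low": 0.5}
ORG_CRITICAL = {"DEFAULT-CREDS"}   # always reported first, whatever the CVSS says
STALE_DAYS = 30                    # patch system silence longer than this is itself a finding

# Constructed scanner export: one row per (host, finding); "fix" names the patch/action.
FINDINGS = [
    {"host": "web01", "id": "JRE-RCE", "cvss": 9.3, "fix": "patch-JRE-RCE"},
    {"host": "db01", "id": "JRE-RCE", "cvss": 9.3, "fix": "patch-JRE-RCE"},
    {"host": "kiosk07", "id": "DEFAULT-CREDS", "cvss": 10.0, "fix": "change-password"},
    {"host": "ghost42", "id": "SMB-SIGNING", "cvss": 5.0, "fix": "enable-smb-signing"},
]

# Constructed CMDB extract: POC and business criticality per host.
CMDB = {
    "web01": {"poc": "sa-web@example.org", "criticality": "high"},
    "db01": {"poc": "sa-db@example.org", "criticality": "high"},
    "kiosk07": {"poc": "sa-desktop@example.org", "criticality": "low"},
}

# Constructed patch-management extract (WSUS/SCCM/Satellite style): the patch
# system's view of what is installed and when the host last reported in.
PATCH = {
    "web01": {"installed": {"patch-JRE-RCE"}, "last_checkin": date(2015, 3, 20)},
    "db01": {"installed": set(), "last_checkin": date(2015, 1, 5)},
    "kiosk07": {"installed": set(), "last_checkin": date(2015, 3, 27)},
}
TODAY = date(2015, 3, 28)  # fixed "today" so the example is reproducible


def triage(findings, cmdb, patch, today, org_critical=ORG_CRITICAL, stale_days=STALE_DAYS):
    """Return findings enriched with owner, org score and discrepancy notes,
    sorted with org-critical findings first, then by org score descending."""
    rows = []
    for f in findings:
        host, notes = f["host"], []
        asset = cmdb.get(host)
        if asset is None:
            # A host the scanner sees but the CMDB does not know is a finding in itself.
            poc, weight = "UNKNOWN", 1.0
            notes.append("NOT IN CMDB: unmanaged or undocumented host")
        else:
            poc, weight = asset["poc"], CRIT_WEIGHT[asset["criticality"]]
        p = patch.get(host)
        if p is None:
            notes.append("NOT IN PATCH MGMT")
        else:
            if f["fix"] in p["installed"]:
                # Scanner and patch system disagree: reboot pending, stale inventory, or false positive.
                notes.append("VERIFY: patch system reports fix installed, scanner still sees it")
            age = (today - p["last_checkin"]).days
            if age > stale_days:
                notes.append("STALE: no patch check-in for %d days" % age)
        rows.append({
            "host": host, "id": f["id"], "poc": poc,
            "org_critical": f["id"] in org_critical,
            "score": round(f["cvss"] * weight, 1),
            "notes": notes,
        })
    rows.sort(key=lambda r: (not r["org_critical"], -r["score"]))
    return rows


def by_poc(rows):
    """Group triaged rows by SA POC so each team gets only its own list."""
    out = defaultdict(list)
    for r in rows:
        out[r["poc"]].append(r)
    return dict(out)


def worked_example():
    return triage(FINDINGS, CMDB, PATCH, TODAY)


if __name__ == "__main__":
    for poc, rows in by_poc(worked_example()).items():
        print(poc)
        for r in rows:
            print("  %-8s %-14s %4.1f %s" % (r["host"], r["id"], r["score"], "; ".join(r["notes"])))
```

The output puts the default-credential kiosk at the top of the desktop team's list despite its "low" criticality, sends the two JRE hosts to their own teams with the web server flagged for verification (the patch system thinks it is fixed) and the database server flagged as stale (82 days without a check-in), and surfaces ghost42 as a host nobody owns. Whether the rows land in Access, Excel, a custom app or a GRC tool, this join is the part that has to exist.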

SCAN DATA – INCIDENT RESPONSE

Import into org SIEM or incident correlation tool

SCAN REPORTING

- Executive reports on important issues

- Report on Org specified critical findings

- Organizational severity scoring


SCAN REPORTING

- Java JRE vuln – RCE

- Base score = 9.3

- Temporal score = 7.7

- Final score = ?


SCAN REPORTING

- Default credentials

- Exploitable vulns

- Malware identification vulns

- Indicators of compromise

- Configuration auditing

- More?

CALL TO ACTION

- Do work!

- Improve scanning

- Improve patch mgmt

- Integrate

- Consolidate data

- Customize to org needs

- Work as a team (Security, Sys Admins, Devs, Operations, etc.)

QUESTIONS?