Collaborative Penetration Tests - TERENA · Raiffeisen Informatik 2nd largest IT Service Provider...
Transcript of Collaborative Penetration Tests - TERENA · Raiffeisen Informatik 2nd largest IT Service Provider...
Research Topic:Collaborative Penetration TestingCollaborative Penetration Testing
David HuemerDavid HuemerChristian Proschinger (Speaker) Severin Winkler
Introduction Raiffeisen InformatikDefinition Collaborative PenetrationDefinition Collaborative Penetration TestingMotivationP t tPrototypeFuture Work
Raiffeisen Informatik | 25.09.2008 | 2Collaborative Penetration Testing | public
Raiffeisen Informatik 2nd largest IT Service Provider in Austria
3000 S3000 Server20.000 Clients40.000 km NetworkIT Operations Software Solutions
520 TB Storage1 Mrd. Transactions/Year
Security Competence Center ZwettlDepartment of Raiffeisen InformatikWorking on security topicsResearch Cooperations
Outsourcing Client Management
Secure Business Austria
Raiffeisen Informatik | 25.09.2008 | 3Collaborative Penetration Testing | public
Security Services Output Services
Collaborative Penetration Testing[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Teambased Tests> 2 persons> 2 persons
Stronger specialisationLocal separation(partially) time separation(partially) time separationUsing timeshift of different timezones
Research AreasResearch AreasPenetration TestingComputer Supported Collaborative Work
Raiffeisen Informatik | 25.09.2008 | 4Collaborative Penetration Testing | public
Attack Cycle vs. Penetration Test[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
AttackInformation gatheringg gIdentification of vulnerabilitiesAttack itselfCovering tracksCovering tracks
DifferenceWorkshop with system ownerReporting
Raiffeisen Informatik | 25.09.2008 | 5Collaborative Penetration Testing | public
Quelle: ISSAF
Constraints of Penetration Testing[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
SnapshotM /Ti Li itMoney/Time LimitCollateral DamageAvailability
Test systemsOut of office hours
You are attacking to improve the defense
Raiffeisen Informatik | 25.09.2008 | 6Collaborative Penetration Testing | public
Development in Cybercrime[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Targeted AttacksDi i i f W kDivision of Work
Vulnerability ResearchBotnetsMalware as „Software as a Service“
Markets
Nearly no LimitationsMoneyTimeTime
Raiffeisen Informatik | 25.09.2008 | 7Collaborative Penetration Testing | public
Attack Vectors[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Possible Entry PointsSocial Engineeringphysical personal g gImplementation Errors in ApplicationsConfiguration Errors
p y pApplications
Configuration ErrorsDesign ErrorsAggregationInformation
Growing complexity of systems
T l i ti NetworkWireless
Telecommunication
Raiffeisen Informatik | 25.09.2008 | 8Collaborative Penetration Testing | public
Prototype[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Modular DesignIntegration of 3rd party open source toolsIntegration of 3rd party open source toolsFlexibilityP2P based
R ti E iReporting EngineSummary of the certain modul reports
Integrity CheckBetween results of modules
Basic workflow definition
Raiffeisen Informatik | 25.09.2008 | 9Collaborative Penetration Testing | public
Workflow Management[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Allocation of TasksFunctionalFunctional
SpecialistsInfrastructure
E IP RFinished
Planned Planned Planned
InProgressE.q. IP RangeProcess based
Reliability between modules
FinishedInProgress
Finished Finished InProgress Planned
Planned Planned Planned
Ad-Hoc WorkflowsStatic behaviour at macro level
Finished
Finished
InProgress
Finished Finished
InProgress Planned
New SubProcess
Dynamic aspects at micro levelLarge amount of small activities
Raiffeisen Informatik | 25.09.2008 | 10Collaborative Penetration Testing | public
Future Work[ ]SECUREBusiness Aust riaSecur ity Research for Business and Indust ry.
In Cooperation with
Implement support for different process modelsdifferent process modelsSupport for Ad-Hoc WorkflowsI l kImplement new attack patternsProof of efficiency and effectivity gain
Raiffeisen Informatik | 25.09.2008 | 11Collaborative Penetration Testing | public
Thank you for your attention!
Raiffeisen Informatik GmbHLilienbrunngasse 7-9 A-1020 Wien
T +43 1/99 3 99 - 0 F +43 1/99 3 99 - 1100 E [email protected]@
www.raiffeiseninformatik.at
Raiffeisen Informatik | 25.09.2008 | 12Collaborative Penetration Testing | public