encription IT security services
Transcript of encription IT security services
Penetration Testing
Who am I?
• Campbell Murray
• Technical Director of Encription
• Technical Panel Chair for Tigerscheme
• CHECK Team Leader (GCHQ/CESG)
What do I do?
• Penetration Tester, aka:
– ITSHCE (IT Security Health Check Engineer)
– IATP (Information Assurance Testing Professional)
– Ethical Hacker
• Many names for the same thing
What else do I do?
• Vulnerability Research
• Exploit development
• Defensive research
• Community projects
– BSides / 44Con / MCSG / OWASP & more
Why do people have pen tests done?
Why?
• To protect?
• Detect the risk of:
– Loss of confidentiality (theft)
– Loss of integrity (changes to data)
– Loss of availability (denial of service)
• CIA
Why (cont.)?
• Identify all threats arising from:
– Exploitation
– Privilege escalation
– Malware / Virus infection
– Poor passwords
– Network misconfiguration
Why (cont.)?
– Malicious users
– Poor segregation of duties
– Vulnerability in code
– Opportunists / Recreational
– etc
Threats
• The threats faced by all organisations are similar:
– Insiders
– Outsiders
– Accidents
• Variously motivated
Motivations
• State led
• Criminal
• Political
• Social
• Opportunist / Recreational
• Malevolent
Is this the reason we exist?
• Honestly, no
• Majority of companies are indifferent
• Banks accept risk and loss
• Rarely a desire to meet best practice or be ‘secure’
• Post ‘hacked’ testing very common
So why then?
• Most commonly for compliance, e.g.:
– GCSx / GSi / PSN CoCo
– PCI DSS
– ISO*, e.g. 27001
– Protected environments, e.g. MoD
– Protecting IPR
– Commercially sensitive
Jumping in
How do we test?
Types of test?
• White Box – Full disclosure
• Grey Box – Appropriate disclosure
• Black Box – Zero disclosure
• Red Team – NO RULES TESTING
What do we test?
• Everything and anything that we are asked to!
• E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP / WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc etc etc.
• Defined by the SCOPE OF WORK
What makes us effective?
• Broad and DETAILED expertise
– Programming
– Server Admin (Win / *nix / Solaris / AIX etc)
– Network Admin
– Application Development
– etc
I thought it was simpler :(
• Current market is leaning to Vulnerability Assessment, i.e. tool-based testing
• Cheaper but ...
• Limited value compared to a pen test
• Tools are helpful, but without experience they are misleading
Polarity
• Market is splitting into ...
• ... Scan based assessment, e.g. PCI DSS
– Seen as low end
• And pen testing ...
• ... High end, but quality still varies
• Return of Red Teaming!
Expertise is crucial
• We cannot FIND issues beyond those which tools provide if we do not know how to secure systems, networks or correct code
• We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code
Expertise is crucial
• We cannot JUSTIFY our results if we cannot prove them
• Clients / IT admins will not ACT on reported issues unless they understand the full risk
What else makes us effective?
• Methodology is key to success
• 5 common stages:
– Passive reconnaissance / OSINT
– Fingerprinting
– Vulnerability identification
– Exploitation
– Extraction / Covering tracks
Quick Story
• How I hacked a bank without ever going anywhere near it!
Moral of the story
• Pen testing is about SECURITY
• That means identifying ALL possible attack vectors
• And knowing how we could use them
• Frequently two minor vulnerabilities, when combined, can be devastating
• Requires experience, not certification.
Scope of Work?
• Crucial:
– Defines the methodology to be used
– What is ‘in scope’
– Details the legal permission given to test
• Going out of scope will see you fall foul of the CMA (Computer Misuse Act)
• Not to mention the client’s wrath!!!!
Cautionary notes
• CMA holds stiff penalties
• Potential extradition to other countries
• Criminal record
• You MUST have written permission from someone AUTHORISED to give that permission
• Research only performed in air gapped networks!
Cautionary notes
• You can be prosecuted for owning ‘hacking’ and malware creation tools
• Unless you can justify possession
• Akin to ‘going equipped’ to commit crime, even if you haven’t
All the ducks are lined up, what next?
Delivery
• Identify the client’s soft requirements
• If on site, go prepared:
– Health and Safety
– USB / Phone limitation
– Dress code
– Point of contact
– Etc
Delivery
• People skills are essential
• Polite but firm
• Do not allow others to impede your activity
• Sense of humour essential
• As is fully operational kit and plan B
• Pen and paper just as important!
Execution
• The GOLDEN RULE is ...
• .... NEVER leave a system less secure than how you found it!
– E.g. Creating user accounts or other objects
• If a high risk issue is found the client must be informed immediately
Reporting
• Good use of language
• Lots of people will read the report, make it readable.
• Ability to express technical concepts simply and accurately
• Face to face washup meetings require presentation skills
Applying your methodology
How?
• Methodology!!!!!!
• Reconnaissance (what is it)
• Fingerprinting – (Scan, e.g. Nmap)
• Identification
• Exploit – (escalate privilege)
• Clean up – (e.g. grab info, passwd, create user, clear history and exit)
Reporting and Testing
• Avoid temptation to focus on ‘critical’ issues
• Remember, two low risk issues can make a high risk attack vector
• Observation is as important as running tools
Android App Testing Demo
Let’s have a look at …
• Mercury
• Android app testing toolkit
• Bit fiddly to set up tbh
• Worth the effort
Testing Android Apps
• Install Android SDK
• Install Mercury
• Start VM Android device
• Install Mercury agent and the app you want to look at
Testing Android Apps
• Start adb (linux)
– $ adb forward tcp:31415 tcp:31415
• Connect with mercury
– mercury console connect
• Party!
Testing Android Apps
• Get started commands
– list
– run scanner.provider.injection
• Derp!
• Now write an app to steal the data!
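The finding that scanner.provider.injection reports is SQL injection through a content provider that pastes a caller's selection string into a query. As an added illustration (not code from the talk or from Mercury; the NotesProvider class, its notes table and column names are constructed for the example), here is that defect beside the hardened form that Android's SQLiteQueryBuilder gives you:

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;

// Hypothetical provider; the "notes" table and this helper are constructed for the example.
public class NotesProvider extends ContentProvider {
    static class NotesDbHelper extends SQLiteOpenHelper {
        NotesDbHelper(Context c) { super(c, "notes.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }
    // Whitelist of selectable columns; any other name in a projection is rejected.
    private static final HashMap<String, String> PROJECTION_MAP = new HashMap<>();
    static { for (String col : new String[] {"_id", "title", "body"}) PROJECTION_MAP.put(col, col); }
    private NotesDbHelper helper;
    @Override public boolean onCreate() { helper = new NotesDbHelper(getContext()); return true; }

    // VULNERABLE: the caller's selection is concatenated into SQL, so any app that can reach
    // the provider controls the WHERE clause (the pattern scanner.provider.injection reports).
    // Shown only for contrast with the hardened query() below.
    Cursor queryUnsafe(String selection) {
        return helper.getReadableDatabase()
                .rawQuery("SELECT _id, title, body FROM notes WHERE " + selection, null);
    }

    // HARDENED: strict mode wraps the selection in parentheses and pre-compiles it so a
    // caller cannot break out of the WHERE clause; values travel as bound selectionArgs and
    // the projection map limits readable columns. Also set android:exported="false" or a
    // permission on the provider in the manifest so it is not reachable by every app.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs,
                        null, null, sortOrder);
    }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
}
```

Re-running scanner.provider.injection against the hardened provider is the regression check: the concatenated query is gone, and values can only arrive through selectionArgs.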
Getting into security
Finding a job
• I won’t lie ...
• Pen testing is not for everyone
• Competition for junior positions
• Not great pay at first :(
• Increase your chances by getting involved
• Lots of community activity
Community
• BSides conferences are free
• OWASP conferences are very low cost
• BCS groups and meetings
• Find online resources and contribute
More than anything
• Gain expert level knowledge in programming, servers, network protocols
• Understand what security is
• ... It’s not just about exploits
It works!
• Lasantha Priyankara
Success story
• Listened to this talk
• Blogged about the demo
• Went to BSides London
• Met his current employer there
• Employed!
Questions?