WHEN A VULNERABILITY ASSESSMENT > PENTEST

THE ANOMALY

$WHOAMI

Network Security for Dept of VA

Father/Husband

Fan of Futbol (Viva Mexico!)

Fan of Martial Arts

Brazilian JiuJitsu

$WHOAMI

$WHOAMI

$WHOAMI

$WHOAMI

WHAT IS A PENTEST?

Recon

Pwnage

Pillage

Loot

Report

WHAT IS A PENTEST?

http://www.pentest-standard.org/

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

http://www.offensive-security.com/offsec/sample-penetration-test-report/

WHAT IS A PENTEST?

WHAT IS A PENTEST?

WHAT IS A PENTEST?

INJUSTICIA!

PROBANDO BOLIGRAFOS

- How to Not get a good pentest?http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html

- Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.”

http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html

PWNING NOOBS

- Cons and breaking stuff tracks/talks

- Social Media: If you break stuff, talk about how to fix it.

- Reporting is Seriously lacking

PENTESTING

PENTESTING – MI MUJER ME PEGA

“Why don’t you find their weaknesses and then help them fix it?”

VULNERABILITY ASSESSMENT

VULNERABILITY ASSESSMENT

VULNERABILITY ASSESSMENT

- Scan, how? Inside, external, credentials, ips, firewalls

- Agent based vs passive vs active

- Results integration- Results reporting- Team player

SCAN HOW?

- Scanner Location- inside Network, outside network- Denial of service- Nmap

SCAN HOW?

- Exclusions for Scanners- White box vs. Black box- Firewalls, IPS

SCAN HOW?

- Credentials- Windows Desktops and Servers- Linux/Unix servers with SSH account/keys- SNMP strings- Cisco/Networking SSH credentials

- Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more.

- https://lists.immunityinc.com/pipermail/dailydave/2013-February/000334.html

CREDENTIALS?

- Risks- Capture credentials

- Use ssh keys

- Never send clear text credentials

- Secure your scanner applications

- Passive Vulnerability (span port)

SCAN HOW?

- Remember HD Moore’s Law

“Casual attacker power grows at the rate of Metaspoit.”- Joshua Corman

SCAN HOW?

AGENT VS ACTIVE SCANNING

- Agent Pros- Near real time- No network traffic- No outages caused by scans

- Agent Cons- May not be installed- May not be possible to install- Some vulns cannot be found

VULN ASSESSMENT AND PATCH MGT

VULN ASSESSMENT AND PATCH MGT

VULN ASSESSMENT AND PATCH MGT

VULN SCANNINGDOING IT RIGHT

Internal Scans

Credentialed Scans – Linux, Windows, Network devices

Vendor provided exploit availabilities and frameworks

Coordinate HIPS/NIPS, Firewall exclusions

SCAN DATA INTEGRATION

Integrate with Org CMDB

SA information

Satellite Server

SCCM

WSUS

BigFix

SCAN DATA INTEGRATION

Integrate with Org CMDB

SCAN DATA INTEGRATION

Sys Admin information

SA POC information (part of cmdb)

Sys Admin deemed important information

Manual updates from Sys Admins

SCAN DATA INTEGRATION

Satellite Server

SCCM

WSUS

BigFix/Tivoli Endpoing Manager(TEM)

Red Hat patch info integration

Compare with Scan info

SCAN DATA INTEGRATION

Where Does all this data go?

Access DBCustom App with DB backendExcel Spreadsheet

GRC – Governance Risk and Compliance

Any other solutions?

SCAN DATA- Incident Response

Import into org SIEM or incident correlation tool

SCAN REPORTING

- Executive reports on important issues

- Report on Org specified critical findings

- Organizational severity scoring

SCAN REPORTING

- Organizational severity scoring

SCAN REPORTING

- Java JRE vuln – RCE

- Base Score = 9.3- Temporal Score = 7.7- Final Score = ?

SCAN REPORTING

- Java JRE vuln – RCE

- Base Score = 9.3- Temporal Score = 7.7- Final Score = ?

SCAN REPORTING

SCAN REPORTING

- Default Credentials- Exploitable Vulns- Malware identification vulns- Indicators of Compromise- Configuration Auditing

- More?

CALL TO ACTION

- Do work!- Improve scanning- Improve Patch Mgt- Integrate- Consolidate data- Customize to org needs- Work as a team ( Security, Sys Admin, Devs, Operations, etc)

QUESTIONS?