Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Transcription

1 Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA

2 Agenda No Agenda Some minimum theory More real life examples 1

3 Keywords Ethical Hacking Penetration Testing Pentesting Red Teaming Vulnerability Assessment OTHERs, as defined by you 2

4 Why this talk? Raise the awareness regarding security risks upon our data o Most businesses today are based on IT systems o Critical data is stored on IT systems o What would happen to my business if this data is stolen/lost? 3

5 What are the challenges when trying to protect our data? Question Jeweler store IT-based business Which are my valuable assets? Jewels Data (client data, intellectual property, payment information, etc) Where are my assets? On the shelf - My servers vs. Cloud - In transit - In backup copies - In DR center -?? How do I protect them from being stolen? Mechanisms to prevent the thief to leave with the jewels Prevent unauthorized access Encrypt Detect data misuse Prevent exfiltration What do I do in case of theft? Call the Police Call the Police? Report to CERT? Private investigation? 4

6 How do I know if my data is secure? Wait for an attack to happen Test proactively simulate an attack Is my data safe? 5

7 How to simulate an attack? Penetration Testing (a.k.a. Pentesting, Ethical Hacking, Red Teaming) Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders Tools find this Exploit vulnerabilities and dig much deeper Penetration Testing is: Authorized Adversary based Ethical (for defensive purposes) Penetration Testing is not Vulnerability Assessment / Scanning Manual tests find this 6

8 What is? Vulnerability Assessment A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system Penetration Testing A penetration test is a method of evaluating the computer security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders Definitions by Wikipedia 7

9 Vulnerability Assessment 8

10 Vulnerability Assessment Automated tool that finds vulnerabilities in the running application by interacting with it Web application scanners General vulnerability scanners (OS, databases, services, network) Send requests and compare the response against a database of signatures False positives, false negatives Must be fine tuned to produce good results 9

11 Example: Vulnerability Assessment 10

12 Penetration Testing 11

13 Penetration Testing Related terms: Penetration testing Pentesting Ethical hacking Tiger Teaming Red Teaming Penetration testing is: authorized adversary-based ethical (for defensive purposes) (BG: ръководители на проникване) 12

14 Penetration testing objectives (examples) External penetration test: Evaluate the security of internet facing web applications Test the security of internet banking / mobile banking app Find vulnerabilities in network perimeter systems Access personal data in online medical applications Internal penetration test: Obtain access to database server containing client information Gain domain administrator rights Obtain administrative access to ERP application Gain access to company assets (sensitive files, project plans, intellectual property) 13

15 Penetration Testing - By example Threats Vulnerabilities Assets Risks Vulnerable? Exploitable? External attacker - hacker - industrial espionage - organized crime Internal attacker - malicious employee - collaborator - consultant - visitor Insufficient input validation Insecure session configuration Application logic flaws Insecure server configuration Internet Banking application SQL injection OS command execution Authentication bypass Cross Site Scripting Directory browsing H H H M M Password autocomplete L 14

16 Real Life Examples 15

17 Internet Banking Application 16

18 Online Store Application 17

19 Online Store Application cont. 18

20 Online Store Application cont. 19

21 Website hacked before our pentest 20

22 Arbitrary file download 21

23 Social Engineering Test 22

24 Internal Penetration Test Scenario 23

25 Gaining root access 24

26 More examples One of the ATMs hacked by our team during an internal penetration test Hardware device created by our team to demonstrate the risk of rounding vulnerabilities in internet banking applications VoIP phone hacked during an internal penetration test 25

27 Some 0 day examples EMC Documentum D2 Multiple DQL Injection Vulnerabilities EMC Identifier: ESA CVE Identifier: CVE , CVE Credits: EMC would like to thank Ionut Popescu, Security Consultant at KPMG Romania, for reporting CVE and Ionut Ambrosie, Security Consultant at KPMG Romania, for reporting CVE EMC Documentum D2 Cross-Site Scripting Vulnerability EMC Identifier: ESA CVE Identifier: CVE Credits: EMC would like to thank Ionut Ambrosie, Security Consultant at KPMG Romania, for reporting this issue. ESA : EMC Documentum WebTop Open Redirect Vulnerability ESA Identifier: ESA CVE Identifier: CVE Credits: EMC would like to thank Daniel Tomescu, Security Penetration Tester at KPMG Romania, for reporting this issue. 26

28 Penetration testing types According to attacker s location: Test type External pentest Internal pentest Simulated threats Hackers, corporate espionage, terrorists, organized crime Malicious employee, collaborator, consultant, visitor According to attacker s initial information: Black box test Gray box test White box test Hackers, organized crime, terrorists, visitors Consultants, corporate espionage, business partner, regular employees Malicious system administrators, developers, consultants According to the attacks performed: - pure technical - social engineering - denial of service 27

29 How? (example graf) Information gathering Create attack trees Prepare tools Perform collaborative attacks Identify vulnerabilities Exploit vulnerabilities Extract sensitive data Gain system access Escalate privileges Pivot to other systems Write the report 28

30 Automated vs. Manual Automated testing: Configure scanner Run scanner & wait for results (Validate findings where possible) Deliver report to client Manual testing: Use tools as helpers only Validate findings by exploitation (no false positives) Dig for sensitive data, escalate privileges, gain access to other systems Model and simulate real threats: simulate attacker s way of thinking, consider attacker s resources, knowledge, culture, motivation Several manual tests for exploitation of specific vulnerabilities Strict control, logging, quick feedback Interpret the findings according to business impact 29

31 Pen test Resources Dedicated machines Dedicated network Software tools: In-house developed Open source Commercial Dedicated workspace (IT Security Laboratory) Protect client data Logging facility 30

32 Pen Test Limitations Timeframe Budget Resources Personnel awareness Things change Does not discover all vulnerabilities but reduces the number of vulnerabilities that could be found by high skilled attackers having similar resources and knowledge All software vulnerabilities Known Vulnerabilities 31

33 Reporting Executive summary Overview Key findings High-level observations Risk matrix Technical report Findings Risks Recommendations Present report to client 32

34 Conclusions Security is a continuous process New vulnerabilities / weaknesses appear every day Everyone in the organization is responsible There is no bullet proof solution Defense in depth works best Be proactive rather than reactive 33

35 Case Study 1 34

36 Pentesting the internal network (2011) Objective: See what an internal malicious user could do, given simple network physical access. Malicious user: visitor, contractor, malicious employee Targets: confidential data, client information, strategic business plans, etc Initial access: physical network port in users subnet 35

37 Pentesting the internal network (2011) cont. 36

38 Pentesting the internal network (2011) cont. 1. Network mapping IP ranges Host names 37

39 Pentesting the internal network (2011) cont. 1. Network mapping IP ranges Host names 2. Service and OS discovery Windows 7 Windows 2008 Server R2 Common client ports open IIS, MsSQL, Exchange, etc 38

40 Pentesting the internal network (2011) cont. 1. Network mapping IP ranges Host names 2. Service and OS discovery Windows 7 Windows 2008 Server R2 Common client ports open IIS, MsSQL, Exchange, etc 3. Vulnerability scanning Nessus: 1 high, 30 medium, 39 low MsSQL server default password for sa user 39

41 Pentesting the internal network (2011) cont. 4. Exploitation 40

42 Pentesting the internal network (2011) cont. 4. Exploitation Add local admin 41

43 Pentesting the internal network (2011) cont. 4. Exploitation Add local admin 5. Post-exploitation Info gathering Credentials to other systems 42

44 Pentesting the internal network (2011) cont. 4. Exploitation Add local admin 5. Post-exploitation Info gathering Credentials to other systems 6. Pivoting Connect to 2 nd db server Upload Meterpreter 43

45 Pentesting the internal network (2011) cont. 4. Exploitation Add local admin 5. Post-exploitation Info gathering Credentials to other systems 6. Pivoting Connect to 2 nd db server Upload Meterpreter 7. Post-exploitation List tokens Impersonate Domain Admin token Create Domain Admin user Game Over 44

46 Pentesting the internal network (2011) cont. Game over on Domain Controller: 45

47 Case Study 2 46

48 Pentesting the (same) internal network (2012) Objective: See what an internal malicious user could do, given simple network access. Test the findings from previous year Malicious user: Targets: Initial access: visitor, contractor, malicious employee confidential data, client information, strategic business plans, etc network port in users subnet 47

49 Pentesting the (same) internal network (2012) cont. 1. Network mapping ~ the same as last year 2. Service and OS discovery ~ the same as last year 48

50 Pentesting the (same) internal network (2012) cont. 1. Network mapping ~ the same as last year 2. Service and OS discovery ~ the same as last year 3. Vulnerability scanning Nessus: 0 high, 21 medium, 30 low 49

51 Pentesting the (same) internal network (2012) cont. 1. Network mapping ~ the same as last year 2. Service and OS discovery ~ the same as last year 3. Vulnerability scanning Nessus: 0 high, 21 medium, 30 low Now what? No default/weak passwords No missing patches No exploitable config problems No sql injection. 50

52 Pentesting the (same) internal network (2012) cont. 4. Attack the clients method 1 51

53 Pentesting the (same) internal network (2012) cont. 4. Attack the clients method 1 Setup a fake local NetBIOS server Respond to every request with my IP address Setup multiple local services (HTTP, SMB) Request Windows authentication on connection => capture password hashes 52

54 Pentesting the (same) internal network (2012) cont. 4. Attack the clients method 1 cont. Captured around NTLM 50 hashes Cracked about 25% using dictionary attack with mangling rules in a few hours Gained network access as domain user (low privileges) Could access some shared files on file server Not enough 53

55 Pentesting the (same) internal network (2012) cont. 4. Attack the clients method 2 Man in the middle attack between victim and proxy server Setup a fake local proxy server Request Basic authentication Receive user s credentials in clear text (base64 encoded) 54

56 Pentesting the (same) internal network (2012) cont. 4. Attack the clients method 2 cont The victim sees this: What would you do? 55

57 Pentesting the (same) internal network (2012) cont. 5. Exploitation Got local admin password (global) from a special user Could connect as admin on any workstation 56

58 Pentesting the (same) internal network (2012) cont. 5. Exploitation Got local admin password (global) Could connect as admin on any workstation 6. Pivoting Search the machines from IT subnet for interesting credentials / tokens Found a process running as a domain admin user 57

59 Pentesting the (same) internal network (2012) cont. 5. Exploitation Got local admin password (global) Could connect as admin on any workstation 6. Pivoting Search the machines from IT subnet for interesting credentials / tokens Found a process running as a domain admin user 7. Exploitation Impersonate domain admin Create new domain admin user Game over 58

60 Lessons learned 59

61 Pentest comparison Low hanging fruits removed no yes IT personnel vigilance low high Network prepared for pentest no yes Existing vulnerabilities yes yes (lower nr) Overall exploitation difficulty medium high 60

62 Consultant s advice Make yourself periodic vulnerability assessments (e.g. Nessus scans) Prepare your network before a pentest (you should always be prepared, btw) An homogeneous network is easier to defend then an heterogeneous one Do not allow local admin rights for regular users Patch, patch, patch Educate users for security risks 61

63 Overall Conclusions Penetration testing can be used for improving our cyber security Do it periodically with specialized people Mandatory for new applications / systems before putting in production Vulnerability assessment is not penetration testing 62

64 Being proactive Penetration testing can be used for improving our cyber security Do it periodically with specialized people Mandatory for new applications / systems before putting in production Vulnerability scanning is not penetration testing 63

65 Our clients recommend us We tested the security of high profile Romanian and international companies; the feedback received encourages us to continue our high quality work as part of KPMG NL team as part of KPMG HU team as part of KPMG NL team CEE and many more... 64

66 Gabriel Mihai Tanase, Advisory Director KPMG in CEE, CyberSecurity Services Nikola Nyagolov, Advisory Director KPMG in Bulgaria Thank you!