Penetration Testing: How to Test What Matters Most

Transcription

1 Penetration Testing: How to Test What Matters Most Presenters: Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire John Stickle, OSCE, OSCP, OSWP, Coalfire Labs

2 Housekeeping Presenters About Conexxus Presentation Q & A Agenda

3 Housekeeping This webinar is being recorded and will be made available in approximately 30 days. YouTube (youtube.com/conexxusonline) Website Link (conexxus.org) Slide Deck Survey Link Presentation provided at end Participants Ask questions via webinar interface Please, no vendor specific questions

4 Conexxus Host Speakers Allie Russell Conexxus Sam Pfanstiel CISSP, CISM, QSA(P2PE), ETA CPP Data Security Standards Committee SME Sr. Consultant, Coalfire Presenters Moderator Kara Gunderson Chair, Data Security Standards Committee POS Manager, CITGO Petroleum John Stickle OSCE, OSCP, OSWP Security Consultant, Coalfire Labs

5 About Conexxus We are an independent, non-profit, member driven technology organization We set standards Data exchange Security Mobile commerce We provide vision Identify emerging tech/trends We advocate for our industry Technology is policy

6 2018 Conexxus Webinar Schedule* Month/Date Webinar Title Speaker Company March 27, 2018 Penetration Testing: How to Test What Matters Most Sam Pfanstiel John Stickle Coalfire Systems April 2018 Annual Meeting - - May 2018 QIR Program Update Chris Bucolo ControlScan

7 7 Conexxus: Presentation Title

8 Pen Testing: What is it? Human-based threat emulation Purpose: discover exploitable security flaws Attack scenarios and targets vary Conexxus: Penetration Testing: How to Test What Matters Most

9 Pen Testing: Why is it Needed? Find vulnerabilities before the bad guys exploit them Source: 2017 Verizon Data Breach Investigation Report 9 Conexxus: Penetration Testing: How to Test What Matters Most

10 Enterprise Adversary Attack Vector Vulnerability Breach Exploit Value Asset Exfiltration Threat Attack Vector Attack Surface Probability Impact

11 Assets and Compliance PCI DSS Asset = cardholder data and CDE Recent pen testing guidance (September 2017) Internal External Segmentation & Scope Reduction Controls Network & Application Layer Layers Application layer (6.5) Network Incl. Wireless Systems Industry-accepted penetration testing approaches Quarterly and after significant changes Organizational Independence Contractual Compliance Oil Brand / Distributor Information Security Policies Product Policies Other NIST / ISO / SOC NERC SIP / EPA 11 Conexxus: Penetration Testing: How to Test What Matters Most

12 Adversaries and Threats Adversaries Profit-driven hackers Nation states and Ideology-driven attacker Trusted Third-Parties Malicious Insiders Non-malicious Insiders Threats Exfiltration of data Destruction of data Denial of Service Theft of property Physical destruction Contamination Brand damage 12 Conexxus: Penetration Testing: How to Test What Matters Most

13 Common Misconceptions Vulnerability Assessment vs. Screening Technical Tests Automated Tools Known vulnerabilities Scope: Systems Credentials Goal: Technical Report IP / Host Vuln CVSS rating Tactical Recommendations Penetration Testing Multidimensional attack Security Experts Discover and exploit flaws Scope: Objective ( Attack Scenario ) Systems, Networks, & Apps Level of Effort (Time-box) Goal: Fix security flaws Findings Remediation recommendations 13 Conexxus: Penetration Testing: How to Test What Matters Most

14 Types of Pen Testing

15 Kill Chain Model - Visualizes stages in attack lifecycle - Threat modeling - Kill one link, defeat the attack; Defense in Depth - Testing targets entities ability to interrupt specific link Recon Weaponize Deliver Exploit Install Command & Control Action 15 Conexxus: Penetration Testing: How to Test What Matters Most

16 Iterative Attack Recon Weaponize Deliver Exploit Install Command & Control Action Recon Weaponize Deliver Exploit Install Command & Control Action 16 Conexxus: Penetration Testing: How to Test What Matters Most

17 Social Engineering Attempt to manipulate users Divulging sensitive information Performing IT-related actions Recon Weaponize Deliver Exploit Install Command & Control Action 17 Conexxus: Penetration Testing: How to Test What Matters Most

18 Network Testing Threat emulated Anonymous attackers across the Internet Internal adversaries to internal environment Attack surface Operating systems Infrastructure Commercial off-the-shelf (COTS) products Exploits: MS Unauthenticated Remote Code Execution Recon Weaponize Deliver Exploit Install Command & Control Action 18 Conexxus: Penetration Testing: How to Test What Matters Most

19 19 Conexxus: Presentation Title

20 Wireless Testing Capture handshake Crack authentication Exploit: WEP WPA-2 Krack Attack Weak Passwords Aircrack-ng Recon Weaponize Deliver Exploit Install Command & Control Action 20 Conexxus: Penetration Testing: How to Test What Matters Most

21 21 Conexxus: Presentation Title

22 Application and API Threat emulated: Credentialed and uncredentialed adversaries Attack surface: Accessible portions of an application Recon Weaponize Deliver Exploit Install Command & Control Action 22 Conexxus: Penetration Testing: How to Test What Matters Most

23 23 Conexxus: Presentation Title

24 Case Study: Application Browser-based Fuel Controller Leveraged known authentication vulnerability Identified ability to upload payload to obtain remote code execution Access to Tank fuel, temperature levels Trigger or ignore sensor alarm 24 Conexxus: Penetration Testing: How to Test What Matters Most

25 CVE CVE Conexxus: Presentation Title

26 Appliance / Embedded / IoT Threat emulated: Attacker has gained physical access to a device Attack surface: Physical and logical devices, network connectivity to the device, and backend systems Fuel controllers Car Wash Tanks and pumps Security systems Third-party vending Car wash HVAC Recon Weaponize Deliver Exploit Install Command & Control Action 26 Conexxus: Penetration Testing: How to Test What Matters Most

27 Case Study: Car Wash Coalfire Labs Researcher Buffer Overflow Arbitrary Code Execution Potential Human Threat 27 Conexxus: Presentation Title

28 Red Team People, processes and technologies Recon Weaponize Deliver Exploit Install Command & Control Action 28 Conexxus: Penetration Testing: How to Test What Matters Most

29 Case Study: Casino Red team attack Physical, social, and logical vectors of attack Harvesting of addresses of employees from public sources Spearphishing attack with image vulnerability Retrieved logins and passwords Access to the internal network via the casino s VPN Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment. See: Studies/Coalfire_Casino_Case_Study 29 Conexxus: Presentation Title

30 Reverse Engineering Manipulate binary code to change intended application behavior Can be used to bypass authentication to grant access Recon Weaponize Deliver Exploit Install Command & Control Action 30 Conexxus: Penetration Testing: How to Test What Matters Most

31 31 Conexxus: Presentation Title

32 Hunt Operations Identify adversaries already on network Recon Weaponize Deliver Exploit Install Command & Control Action 32 Conexxus: Penetration Testing: How to Test What Matters Most

33 Enterprise Testing Mature security testing Comprehensive security program to test all aspects of environment and response Recon Weaponize Deliver Exploit Install Command & Control Action 33 Conexxus: Penetration Testing: How to Test What Matters Most

34 Penetration Testing Considerations 34 Conexxus: Penetration Testing: How to Test What Matters Most

35 Maturity 35 Conexxus: Presentation Title

36 Impact vs. Disruption Every penetration test will have impact Logs Traffic Notifications Avoiding disruption takes planning and communication 36 Conexxus: Penetration Testing: How to Test What Matters Most

37 Timing Time of day/week Time box for testing (point-in-time) 37 Conexxus: Penetration Testing: How to Test What Matters Most

38 Methodology Discovery: Reconnaissance and Vulnerability Scanning Post exploitation phase 38 Conexxus: Penetration Testing: How to Test What Matters Most

39 Target and Scope Risk assessment (assets and threats) Compliance requirements vs. security goals Attack surface, vectors and scenarios Prior notification and communication 39 Conexxus: Penetration Testing: How to Test What Matters Most

40 Skill Set Certifications Offensive Security Certified Professional (OSCP) Offensive Security Wireless Professional (OSWP) Offensive Security Certified Expert (OSCE) GIAC Penetration Tester (GPEN) GIAC Web Application Penetration Tester (GWAPT) Certified Ethical Hacker (CEH) Licensed Penetration Tester Master (LPT) CREST Registered Tester (CRT-Pen) CESG IT Health Check Service (CHECK) certification Skill Sets Reputable firm Background check System and Technology-specific Training MCSE AWS-CCP Security certifications and skillsets CISSP CISM Other Security Certs 40 Conexxus: Penetration Testing: How to Test What Matters Most

41 Other Considerations System exclusion Data destruction Reporting Remediation support 41 Conexxus: Penetration Testing: How to Test What Matters Most

42 Conexxus: Penetration Testing: How to Test What Matters Most

43 Website: LinkedIn Group: Conexxus Online Follow us on Conexxus: Penetration Testing: How to Test What Matters Most