How Secure is Your Border? An Attack and Penetration Audit Houston IIA Annual Conference

Similar documents
The SANS Institute Top 20 Critical Security Controls. Compliance Guide

RiskSense Attack Surface Validation for Web Applications

10 FOCUS AREAS FOR BREACH PREVENTION

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Building Resilience in a Digital Enterprise

How Breaches Really Happen

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Ingram Micro Cyber Security Portfolio

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Application Security Approach

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Trustwave Managed Security Testing

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

ANATOMY OF AN ATTACK!

C1: Define Security Requirements

Curso: Ethical Hacking and Countermeasures

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Development*Process*for*Secure* So2ware

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Automating the Top 20 CIS Critical Security Controls

RiskSense Attack Surface Validation for IoT Systems

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Cyber Security Audit & Roadmap Business Process and

CloudSOC and Security.cloud for Microsoft Office 365

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

with Advanced Protection

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Security Solutions. Overview. Business Needs

Certified Secure Web Application Engineer

SECURITY TESTING. Towards a safer web world

IoT & SCADA Cyber Security Services

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Copyright

Continuously Discover and Eliminate Security Risk in Production Apps

Zimperium Global Threat Data

Web Application Penetration Testing

Advanced Security Tester Course Outline

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

CSWAE Certified Secure Web Application Engineer

CPTE: Certified Penetration Testing Engineer

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

CIS Controls Measures and Metrics for Version 7

Teradata and Protegrity High-Value Protection for High-Value Data

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Penetration testing a building automation system

CIS Controls Measures and Metrics for Version 7

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

AT&T Endpoint Security

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

Protect Your Organization from Cyber Attacks

RSA NetWitness Suite Respond in Minutes, Not Months

Security Communications and Awareness

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Cyber Security. Building and assuring defence in depth

THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

Transforming Security from Defense in Depth to Comprehensive Security Assurance

MEETING ISO STANDARDS

Aguascalientes Local Chapter. Kickoff

OWASP TOP OWASP TOP

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

The Top 6 WAF Essentials to Achieve Application Security Efficacy

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

the SWIFT Customer Security

Comptia.Certkey.SY0-401.v by.SANFORD.362q. Exam Code: SY Exam Name: CompTIA Security+ Certification Exam

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Mobile Devices prioritize User Experience

Choosing the Right Security Assessment

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Train as you Fight: Are you ready for the Red Team?

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

External Supplier Control Obligations. Cyber Security

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

CEH: CERTIFIED ETHICAL HACKER v9

Audience. Pre-Requisites

CompTIA CSA+ Cybersecurity Analyst

CYBERSECURITY RISK LOWERING CHECKLIST

NEN The Education Network

Protecting Smart Buildings

Application. Security. on line training. Academy. by Appsec Labs

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Transcription:

How Secure is Your Border? An Attack and Penetration Audit 2019 Houston IIA Annual Conference

Bill Jenkins Manager, One Cyber Background A proven Cyber Security professional providing insights and recommendations at the CISO/CSO level. Bill s skills and experiences make him a frequent selection for the enterprise engagements facing the challenges of establishing, maintaining and maturing a corporate cyber security program. Bill takes an integrated approach to satisfy customer, business, and regulatory concerns in response to evolving risks. He leverages his management, networking, and systems engineering background to be an organizational catalyst connecting dots, and establishing relationships critical to effective performance. Phone: 720-810-0568 william.jenkins@pwc.com Specialization He organizes, leads, and delivers information protection and compliance projects across highly regulated industries addressing security and privacy controls in balance with operational imperatives. Education and certifications MS, The Johns Hopkins University, Computer Science BS, Rice University Electrical Engineering Certified Information System Security Professional (CISSP) Certified Cloud Security Professional (CCSP) Certified Information Systems Auditor (CISA) 2

Motivations for a Penetration Test Timing Purpose Pre- Audit Verify remediations are working Discover blind spots Audit Stress test Operational and response validation Periodic Operational readiness Threat/Risk validation Adhoc Someone thought of it Hasn t been done in a while Mindset Testing individual/specific controls? Assessing integration of controls and process? Validating overall security defense and response capabilities? Compliance requirement? A Board member asked? 3

So many threats to consider Attack from external Attack from internal External components Employee PC Rogue Employees Attack from external Attack from internal Hacker Internet-facing applications Corporate Network Malicious Guests/ Vendors On-premise attack Attack from malware Employee PC On-premise facilities Malicious Guests/ Vendors 4

Scoping Checklist External Penetration Testing Mobile Penetration Testing Social Engineering Exercise Web Application Security Assessment Internal Penetration Testing Red Teaming Wireless Network Penetration Testing 5

External Penetration Testing Approach Simulating a threat actor external to the organization trying to identify and leverage weaknesses in an attempt to gain access to internal systems and data; assess the effectiveness of detection and response capabilities, and highlight relevant risks. Reconnaissance: Identify potentially vulnerable ports and services Analyze externally exposed services Generate usernames, passwords and password crack lists Crack the perimeter: Password sprays against exposed interfaces VPN pre-shared key interrogation Default configuration and credentialmanipulation Injection and execution attacks against exposed websites Non-standard port attacks Service interrogation (SNMP, TFTP, Finger, SMTP etc.) Remote Code Execution (RCE) attacks Manipulate old, outdated or no longer supported services Lateral Movement: Pass-the-Hash (PtH) Native remote access solutions Gain access to Crown Jewels Sensitive data exfiltration Establish persistence 6

Social Engineering The methodology for engaging in phishing testing can be found broken down in the three steps listed below: 1. The first step in the phishing process involves performing open source intelligence gathering using publicly available data sources and manual investigation techniques to gather information on an organization s employees. Following this, a tester provides a list of discovered email addresses for validation. A tester will also propose scenarios that are likely to be successful based on the information discovered and work with any given organization to ensure the proposed campaign aligns with current threats seen in the industry. 2. At an agreed time by the client, a tester will execute a phishing campaign. Possible attack scenarios may include the sending of malicious attachments to employees or enticing users to visit a test website that would collect information which may include employee credentials, system configurations or other data that may allow an attacker to obtain access to sensitive information. This step is designed to test the effectiveness of both security awareness training and technical security controls. 3. Finally, the tester will assessthe impact and businessrisk ofthe phishing campaign. The tester will provide detailed information including users who were successfully compromised and the date and time of our assessment activities to be compared to the business internal system logs and alerts. 1. Assess and Model Threats Involve using publicly available data sources and manual investigation 2. Intrusion Design targeted attacks for selected individuals and formulate a phishing campaign 3. Assess Exposures Assess the impact and business risks of compromise by identifying key sensitive data elements 7

Internal Penetration Testing Approach Simulate the threats faced from connected third parties, employees, or contractors who have direct internal network access. Perform manual testing and attempt to gain access to your resources from a standard network connection. Internal fingerprinting: Identify potentially vulnerable ports and services Analyze internally exposed services and enterprise traffic Gain a foothold: Man-in-the-Middle (MitM) session attacks Web Proxy Auto-Detection (WPAD) poisoning Link-Local Multicast Name Resolution (LLMNR) poisoning NetBIOS Name Service (NB-NS) poisoning Manipulate old, outdated or no longer supported services Default configuration and credentialmanipulation Lateral Movement: Pass-the-Hash (PtH) System pivoting Manipulation of whitelisted tools and services Gain access to Crown Jewels: Attempt to gain privileged access Attempt to gain access to sensitive data 8

Wireless Network Assessment and Penetration Testing Validate the weakness and misconfigurations previously identified Vulnerabilities in your wireless networks may provide access to data, workstations, and other internal systems that are connected to wireless networks. Site Visits Identify wireless access points & gather information about encryption methods supported by config settings Rogue Access Points Analyze wireless access points data and determine whether there are unauthorized wireless devices connected to the network. Demonstration of impact Exploit any observed issues to demonstrate the ability to gain access to additional resources just like an external threat actor Authentication & Security Controls Testing Controlled authenticated testing to simulate insider threat 9

Mobile Penetration Testing Reverse Engineering Network Communications Analysis Local Resource Handling Analysis Run-time and Logic Manipulation A tester attempts to reverse engineer the application content to identify sensitive hard-coded values that could be used to gain unauthorized access, or to identify potential logic and operational flaws pertaining in the execution of the application. A tester eavesdrops on and manipulates network calls to the back end servers supporting the execution of the application. These tests are performed in an effort to identify common input validation flaws that could lead to sensitive information disclosure or unauthorized access. idemntifay snenispitiuvelahatrido-cnoded values that could A tester monitors and analyzes A tester performs various local resource handling different techniques to operations as different tasks manipulate the logic of the within the application are application as it is executed on performed. the device, to attempt to identify risks associated with misuse, data leakage, or unauthorized access. 10

Physical Testing Physical penetration tests are designed to assess an organization s physical security posture based on agreed upon objectives and agreed upon testing scenarios. Scenario Development Develop custom scenarios to meet the agreed upon objectives for physical penetration testing Assess Exposures Assess effectiveness of the physical security controls encountered and provide recommendations for improvement and additional compensating controls Validate the weakness and misconfigurations previously identified Planning & Reconnaissance Perform the necessary steps for successful execution of the scenario. Steps may include preparing false documents or performing research to build credible back-stories Execution Execute scenarios using information gained from the setup. If required, perform a walkthrough to determine what type of sensitives data is accessible or removable 11

Web Application Security Assessment PwC assesses each of web applications susceptibility to a variety of attacks including Open Web Application Security Project (OWASP) top 10 security flaws: Injection Flaws Automated Scanning A tester performs automated assessments using industry leading scanning tools based on the application type and access provided. Manual Testing A tester performs penetration testing against selected mobile applications using manual testing techniques to identify technical and business logic related vulnerabilities. Risk Rating The tester attempts to understand whether multiple lower- or mediumrisk vulnerabilities constitute a higher risk rating when exploited together. Weak Authentication and Session Management Cross-Site Scripting (XSS) Flaws Insecure Direct Object References Security Misconfigurations Sensitive Data Exposure Missing Functional-Level Access Control Cross-Site Request Forgery (CSRF) Flaws Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards 12

Red Teaming Testing A range of techniques can be used to craft a customized attack scenario in line with client requirements. These techniques are designed to replicate the modus operandi of real-world attackers. Depending on the objective of the test, the tester will customize the assessment procedures, tools, techniques, and procedures, but at a high-level, some of these may include: Spear-phishing attack High value users are identified for a targeted phishing attack. Using data gathered during our reconnaissance phase, emails are constructed to entice the target to perform an action that would disclose credentials or compromise their system Custom Remote Access Tools (RAT) Systems are infected using custom Remote Access Tools (RAT) coupled with a number of different delivery mechanisms. The toolkit is designed to evade common malware detection technologies and will enable the team to penetrate further into the network Browser exploits Users are directed to a webpage under tester control. The webpage uses customized code to fingerprint the web browser and deliver exploit code Custom RAT Browser exploits USB drive drops Users are enticed into inserting USB drives with malicious files into their system, which may contain the RAT or other utilities to create a foothold in the organization s network Spearphishing USB drop Attack scenarios Mass phishing attack Social engineering Mass phishing attack Using data gathered from a reconnaissance, the tester will target multiple employees using a tailored email designed to trick them into disclosing credentials or executing a malicious file Physical security External infrastructure Physical security The tester will attempt to bypass physical security controls within premises like data centers and offices in order to implant devices on the network or gain access to systems External infrastructure The tester will perform testing on externally facing systems identified during the Planning & Scoping phase. Identified vulnerabilities will be exploited in order to gain access to sensitive data and the internal network Social engineering The tester will use techniques designed to manipulate users in order to exploit trust relationships or gain unauthorized access to sensitive information, such as pre-text calls or enticement 13

Recommendations ExternalPenetration Testing Social Engineering Exercise InternalPenetration Testing Wireless Network Penetration Testing Mobile Penetration Testing Web Application Security Assessment Red Teaming Targeted & Risk Aligned Objectives Documented Routinely Performed Methods Varied 13

IoT - The Game Changes

What is the Internet of Things? The Internet of Things (IoT) describes an ecosystem of sensors, embedded computers, and smart devices that communicate among themselves and with private/public cloud services in order to collect, analyze and present data about the physical world. Source: Intel Gartner expects 15-20% annual growth to 25 billion connected devices to be in use by 2020. 16

IoT Reference Architecture An internet of things architecture is different from a traditional web application architectures due to the introduction of a fleet of connected devices and the data that they generate. This introduces a new set of challenges and considerations across the following areas. Device User Data Aggregation e.g. real-time data ingestion and storage Sensors e.g., thermometer, load sensor, motion detector Connectivity e.g. WiFi, Bluetooth, Zigbee Business IT 3 rd Party Applications & Visualizations e.g., admin portal, data dashboard, API IoT Platform The cloud platforms that aggregate, analyze and display device and sensor data Event Processing & Analytics e.g. rules, triggers, time series analytics Gateways Hardware components that relay data between connected devices and platforms Computing e.g. Arduino, Spark Core, Raspberry Pi User Interface e.g., screen, microphone, LEDs Security Integration Device Management 17

Connected Devices The term connected device is a catch-all that refers to a wide spectrum of devices but in its most fundamental form, a connected device must be able to capture, process and transmit some environmental data. Example Connected Devices Motion Sensor Connected Thermostat Fitness Tracker Smartphone Connected Car * All connected devices must also have a power source which is most often either a battery or a power outlet but can also include alternative sources such as solar or ambient electromagnetic power COMPUTING CONNECTIVITY SENSOR/ACTUATOR USER INTERFACE User Interface (Optional) Connected Device Components The functionality through which a user interacts with the device (e.g., screen, microphone, LED lights) Connectivity The transmitter that sends the data to another device or to a central platform for processing (e.g., Wifi, Bluetooth, Zigbee) Sensor/Actuator The transmitter that sends the data to another device or to a central platform for processing (e.g., temperature, humidity, speaker) Many smart consumer products may include a bundle of various sensors that work together as well as local data storage, local analytics and event triggering or a user interface to present the data. Computing The processor that records, stores and analyzes the sensor output (e.g., Arduino, Photon, ARM Chip) 18

New Questions Raised Where is the boundary? What are the roles, responsibilities and authority in Operational areas? To what extent do we rely on attestation by 3 rd parties and suppliers? What are the risks to Operations in running a penetration test? Do we have the knowledge? 19

Questions?

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback