CYBERSECURITY PENETRATION TESTING - INTRODUCTION

Introduction
- Pen-testing 101
- University focus
- Our environment: openness and learning; sharing and collaboration
- Leads to security weaknesses

What is Penetration Testing?

Why do Penetration Testing?

Attacker Profiles

Script Kiddies (Minor)

Hacker Group (Minor)

Criminal Organization (Major)

Patriot Hacking (Major)

Nation State Cyber Terrorism (Major)

Hacktivist (Moderate)

Hacktivist / Criminals? (Moderate)

Black Hat Professional (Moderate)

Vulnerability Assessment / Penetration Testing

Vulnerability Testing / Assessment

Penetration Testing

Vulnerability Assessment NOT = Penetration Testing

Types of Penetration Tests

Whitelisting

Penetration Testing

Reconnaissance

Reconnaissance: what is available out there about you. https://www.youtube.com/watch?v=rnjl9eecsoe (intended/developed for humour; less benign samples in part two)

Scanning

Gaining Access

Maintaining Access

Clearing Tracks

CYBERSECURITY PENETRATION TESTING EXPERIENCE CONFIDENTIAL

Agenda
- RFP
- Phase 1 (Assessment) results
- Phase 2 (Penetration) results
- Where do we go from here?

RFP Phase
- Penetration testing at UVic
- Approach
- Phases
- Lessons

Penetration Testing at UVic
- Why Internal Audit?
- Client: Audit Committee
- Scope: university-wide / multi-jurisdiction

Approach
- RFP for specialists
- Defined attacker profile (Moderate)
- Double blind / black box / remote
- Contracted specialists
- Phase 1: vulnerability assessment (including social engineering)
- Phase 2: penetration testing

Phases
Phase 1: Using a double-blind / black-box approach, the proponent will employ all possible non-disruptive and non-destructive means of identifying vulnerabilities in the UVic environment that would allow penetration past UVic's defences (information security and cultural) and allow an attacker to gain access to the core financial systems and/or personal (employee, student, or member of the public) information.
Interlude
Phase 2: Within a defined scope, the proponent will perform an ethical (white hat) hack to carry out a minimal-disruption and non-destructive penetration with the objective of gaining evidence of access to core financial systems and/or employee, student or member of the public personal information.

Select an Attacker Profile
- Establishes scope and context for the RFP
- Defines how communications regarding the project will be handled
- Allows the nature and extent of vulnerability scans and tests to be defined
- Establishes scope and context for assessing and reporting results

Be Very Specific in Your RFP
Due to potential legal concerns with inadvertently scanning non-UVic information resources, a number of proponents declined to submit responses or failed to meet the selection criteria in this respect.

Set Clear Rules of Engagement
Vulnerability scanning can break systems or cause unexpected problems. Rules of engagement:
- What can be touched and what cannot
- Inside or outside business hours
- Who to contact when things go wrong

Involve Information Security
A trusted IT staff member as part of the audit team: a team member who
- Knows what we are likely to break
- Knows who we might need to inform
- Is supportive of the testing
- Is able to stick-handle
- Can tell us if we broke something

Phase 1 (Assessment)
- Social engineering
- Whitelisted vulnerability scanning
- Perimeter defence testing
- Lessons, lessons, and more lessons

Phishing

Common Phishing Example

Social Engineering

Social Engineering Results
- 4 hours
- 838 phishing e-mails sent
- 99 viewed, 49 responded
- nn sets of valid credentials obtained
- 1 unreported download of a Trojan horse ***
- nn% compromise rate
- Statistically, not a great
- Detected/reported within 45-60 minutes
- Shut down within a few hours

Trust Your Penetration Tester
- Do a thorough background check
- Select a trusted vendor
- Because they may gain access

Whitelisted Vulnerability Scanning
- Not feasible to scan every IP on the network
- 3,000+ IPs targeted: assets of high value, assets of low awareness/visibility, a representative sample
- Whitelisted attacker
- Avoided assets where disruption would have a high negative impact

Vulnerability Scanning Results
- 3,260 systems scanned against the 1,000 top attack vectors
- 323 (10%) had vulnerabilities
- Risk = Vulnerability (likelihood) x Consequences (impact)
- Likelihood: the consultant's report; impact: our analysis
- False positives

Do or Don't: Whitelisting?
- Attackers wouldn't be whitelisted
- Moderate attackers would attack from behind the perimeter defence, or use stealth to circumvent detection
- And actually don't do vulnerability scans

Perimeter Defense Testing
- Four series of tests, no whitelisting: Payload Detection, Needle in a Haystack, Everything Plus the Kitchen Sink, Lost in the Crowd
- Proved that the firewall is doing its job, which is great against minor attackers

Do or Don't: Stealth Scanning?
A stealth (detection-avoidance) approach to vulnerability assessment carries significant cost implications and an undesirable engagement duration, and is not how an attacker in our moderate range tends to attack the organization.

Do or Don't: Stealth Scanning?
There were benefits to whitelisted scanning (patch management validation), but it didn't prove much. Stealth scanning passes perimeter defences and, interestingly, finds new things.

Other Test Elements
- Detection and reporting of security incidents
- Effectiveness and efficiency of responding to a cyberattack
- Weaknesses in distributed (self-managed) systems

Distinguish Between Scanning and Assessment
Scanning is, well, scanning: seeing if ports respond. Assessment is testing to see if a potential vulnerability is responsive. We upset people with our terminology!
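The scanning-versus-assessment distinction in working code, as an added example that is not from the UVic engagement: it starts two throwaway listeners on 127.0.0.1 (a "vulnerable" build and a "patched" build, both constructed), plus one port where nothing listens. `scan_port` only asks whether the port answers; `assess_port` reads the banner and checks it against a constructed, hypothetical known-bad table. The banners, the table and the finding name are assumptions for the demo, not real advisories.

```python
"""Scanning versus assessment, against local fake services so it runs offline.

Added example; not code from the UVic engagement. The banners, the known-bad
banner table and the listeners are all constructed for this demo.
"""
import socket
import threading

HOST = "127.0.0.1"

# Constructed (hypothetical) table: banner prefixes the assessment step treats
# as evidence that a potential vulnerability is actually present.
KNOWN_BAD_BANNERS = {
    "SSH-2.0-ExampleSSH_1.0": "example-ssh-weak-kex (hypothetical finding)",
}


def start_fake_service(banner: bytes) -> tuple:
    """Start a throwaway TCP listener that greets each client with `banner`.

    Returns (listening socket, port). Closing the socket stops the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))  # port 0: let the OS pick a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_port(port: int, timeout: float = 1.0) -> bool:
    """Scanning: does a TCP connect succeed? Says nothing about what is there."""
    try:
        with socket.create_connection((HOST, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_port(port: int, timeout: float = 1.0) -> dict:
    """Assessment: talk to the service, read its banner, and decide whether a
    potential vulnerability is really present (here: a known-bad banner)."""
    result = {"open": False, "banner": "", "finding": None}
    try:
        with socket.create_connection((HOST, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            data = s.recv(256)
    except OSError:
        return result
    banner = data.decode("ascii", "replace").strip()
    result["banner"] = banner
    for prefix, finding in KNOWN_BAD_BANNERS.items():
        if banner.startswith(prefix):
            result["finding"] = finding
    return result


def free_closed_port() -> int:
    """Reserve a port with bind(), release it, and return it: nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Scan and assess a 'vulnerable' service, a 'patched' one and a closed port."""
    vuln_srv, vuln_port = start_fake_service(b"SSH-2.0-ExampleSSH_1.0\r\n")
    ok_srv, ok_port = start_fake_service(b"SSH-2.0-ExampleSSH_2.3\r\n")
    closed_port = free_closed_port()
    results = {
        "vulnerable": (scan_port(vuln_port), assess_port(vuln_port)),
        "patched": (scan_port(ok_port), assess_port(ok_port)),
        "closed": (scan_port(closed_port), assess_port(closed_port)),
    }
    vuln_srv.close()
    ok_srv.close()
    return results


if __name__ == "__main__":
    for name, (is_open, assessment) in demo().items():
        print(f"{name:10s} scan: open={is_open}  assessment: {assessment}")
```

Both live services come back "open" from the scan; only the assessment separates the one worth reporting from the one that is not, which is the point the slide makes about why "scanning" and "assessment" must not be used interchangeably with system owners.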

Involve General Counsel
Because sometimes well-intentioned internal staff take matters into their own hands in somewhat unexpected ways, even when policy and procedures would lead us to believe they would act differently.

Be Prepared for Minor Disruption
- Unexpected disruptions occur during vulnerability assessments
- As staff react to these as security incidents, communication is needed to calm down the situation
- Such communications should be drafted in advance

Be Prepared for Mea Culpa
In a partly distributed, multi-jurisdictional IT environment it's important to accept ownership for the impact of the engagement, and get all fingers pointing squarely at us.

Assess Organizational Responses
- It's not just about the technical vulnerabilities
- It's an opportunity to see how the organization reacts to unexpected events
- And potentially identify some areas for improvement

Look at Response Mechanisms
Originally we just wanted to see if we were vulnerable, but assessing organizational reaction and response was actually more interesting:
- Social engineering
- Incident response and internal communication
- Incident attribution

Inform Staff of Perimeter Testing
For additional testing of perimeter defences, tell people when testing will start and when it will end, just in case a real attack happens at the same time.

Involve System/Business Owners in Risk Evaluation
Technical vulnerability does not = business risk: you need to assess the real business impact risk. Fixing vulnerabilities will be an organizational / unit exercise.

Share What You Learn
Keep track of learnings for any future engagements, and share them internally and externally.

Safeguard Findings Even When Reporting
When discussing vulnerabilities in a multi-jurisdictional environment, the principle of least privilege applies. It takes a swack of effort to only tell people about their own systems; perhaps we could have outsourced this a bit better.

Keep Vulnerability Reporting Relevant
- Do not waste (anyone's) time and effort on low-risk vulnerabilities, and especially on informational items
- After going to the extent of testing rather than scanning, potential false positives were not helpful, just annoying
- Exclude items with no appreciable risk factor or no solution
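How the reporting rules from the "Vulnerability Scanning Results", "Involve System/Business Owners", "Safeguard Findings" and "Keep Vulnerability Reporting Relevant" slides fit together in code, as an added example that is not the UVic team's own tooling: it takes a scanner export, drops informational items, confirmed false positives and findings with no fix, scores each remaining finding as the consultant's likelihood times the owner's impact rating, and splits the result per owning unit so each owner only sees their own hosts. The CSV, the asset register, the owner names and the 1-5 impact scale are all constructed for the demo.

```python
"""Risk-ranked, per-owner vulnerability reporting from a raw scanner export.

Added example; not the UVic team's code. The scanner export, the asset
register, the owners and the 1-5 impact scale are constructed for this demo.
"""
import csv
import io
from collections import defaultdict

# Constructed scanner export, in the shape a consultant's tool might hand back.
SCANNER_CSV = """\
host,issue,severity,cvss,has_fix,false_positive
10.0.1.10,Outdated SSH server build,high,7.5,yes,no
10.0.1.10,SSH server type and version (informational),info,0.0,no,no
10.0.2.20,Outdated web server build,medium,5.3,yes,no
10.0.2.20,TLS 1.0 enabled,low,3.7,yes,no
10.0.3.30,SMBv1 enabled,high,8.1,yes,no
10.0.3.30,Plugin flagged in error (confirmed false positive),high,9.0,yes,yes
10.0.4.40,Deprecated cipher suite on vendor appliance,low,2.6,no,no
"""

# Constructed asset register: owning unit plus the business impact the
# system/business owner assigned (1 = negligible .. 5 = critical).
ASSETS = {
    "10.0.1.10": {"name": "fin-app-01", "owner": "finance-it", "impact": 5},
    "10.0.2.20": {"name": "web-catalog", "owner": "library-it", "impact": 2},
    "10.0.3.30": {"name": "fin-files", "owner": "finance-it", "impact": 4},
    "10.0.4.40": {"name": "lab-kiosk", "owner": "dept-x", "impact": 1},
}

# Consultant severity -> likelihood factor. Informational items have no entry.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_IMPACT = 3  # host not in the register: assume medium until its owner rates it


def parse_findings(text: str) -> list:
    """Parse the scanner CSV into dicts with typed fields."""
    findings = list(csv.DictReader(io.StringIO(text)))
    for f in findings:
        f["cvss"] = float(f["cvss"])
        f["has_fix"] = f["has_fix"] == "yes"
        f["false_positive"] = f["false_positive"] == "yes"
    return findings


def is_reportable(f: dict) -> bool:
    """Drop informational items, confirmed false positives and issues with no fix."""
    return f["severity"] in LIKELIHOOD and not f["false_positive"] and f["has_fix"]


def risk(f: dict) -> int:
    """Risk = vulnerability (likelihood, consultant) x consequence (impact, owner)."""
    asset = ASSETS.get(f["host"])
    impact = asset["impact"] if asset else UNKNOWN_IMPACT
    return LIKELIHOOD[f["severity"]] * impact


def summary(findings: list) -> dict:
    """Headline numbers for the non-technical wrapper: hosts scanned vs. affected."""
    scanned = {f["host"] for f in findings}
    affected = {f["host"] for f in findings if is_reportable(f)}
    return {
        "hosts_scanned": len(scanned),
        "hosts_with_findings": len(affected),
        "percent": round(100 * len(affected) / len(scanned)) if scanned else 0,
    }


def per_owner_reports(findings: list) -> dict:
    """Least privilege in reporting: each owner only gets their own hosts, highest risk first."""
    reports = defaultdict(list)
    for f in findings:
        if not is_reportable(f):
            continue
        asset = ASSETS.get(f["host"], {})
        reports[asset.get("owner", "unassigned")].append({
            "host": f["host"],
            "name": asset.get("name", "?"),
            "issue": f["issue"],
            "risk": risk(f),
        })
    for items in reports.values():
        items.sort(key=lambda item: item["risk"], reverse=True)
    return dict(reports)


if __name__ == "__main__":
    found = parse_findings(SCANNER_CSV)
    print(summary(found))
    for owner, items in per_owner_reports(found).items():
        print(owner)
        for item in items:
            print(f"  risk={item['risk']:2d} {item['name']:12s} {item['issue']}")
```

Note that the highest CVSS score in the export (the 9.0 false positive) never reaches an owner, and the low-impact lab kiosk with a no-fix finding drops out entirely, while the finance hosts rise to the top because the owner's impact rating, not the scanner's number alone, drives the ranking.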

Recognize You Can't Win
Even when you tell people what's going on they may not believe you; auditors are scary people no matter what we do to try; and generally people don't know we exist or what we do anyway.

Put a Non-technical Wrapper Around the Technical Details
Vulnerability scans are not the sort of thing most people can read or want to read; vulnerabilities need context, the "why do I care" factor. We wanted Board clarity but also educational awareness.

Perform Follow-up Testing
A vulnerability test is not a one-time event: ensure remediation is effective and look for new vulnerabilities. The auditors' mantra: trust, but validate.

Phase 2 (Penetration)
- Social engineering check (Phase 1)
- Vulnerability mitigation validation
- Privilege escalation
- SpearPhishing
- More lessons

Engagement Differences
- Technical components: vulnerability mitigation validation, privilege escalation
- People components: social engineering check, SpearPhishing

Social Engineering Check
From our original compromised accounts, some were still active in the UVic domain. Did they change their passwords like we requested? Surprise: some didn't.

Vulnerability Mitigation Validation
- Retested 26 of the highest-risk hosts from Phase 1
- Undertook stealth scanning and found even more issues than when whitelisted
- Tried to exploit vulnerabilities: nothing to report

Privilege Escalation

Privilege Escalation
- Created an isolated target desktop
- Activated the compromise
- Attacker tried to compromise desktop standard protection: nothing to report

SpearPhishing

Reconnaissance: https://www.youtube.com/watch?v=F7pYHN9iC9I (after questions). A bit more far-fetched?

SpearPhishing Exercise The Target (image deleted)

SpearPhishing Exercise

SpearPhishing Exercise The Target (sorry, image still deleted)

SpearPhishing Results
- Targets were institution leaders
- nn hours
- 90 SpearPhishing e-mails sent
- nn responded
- nn submitted credentials
- nn submitted valid credentials
- 1 person not on our list gave credentials
- nn% compromise rate

Sacred Cows
- Displeasure with Internal Audit
- Perfect example of real SpearPhishing
- Phishing Not = SpearPhishing
- Are some organizational elements untouchable?

The Weakest Link

Low Cost Technical Solution

Multi-Factor Authentication (MFA)

Where Do We Go From Here?
- Our IT department is trying to set up proactive phishing training and awareness processes
- We may roll out MFA to key users
- Internal Audit future involvement in penetration testing
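Why MFA is the "low cost technical solution" to the credential harvest described on the phishing slides, shown as an added example rather than anything UVic deployed: a minimal TOTP (RFC 6238) second factor beside a password check. A phisher who captured the password alone, or who replays a code captured earlier, is refused. The user record, salt, password and login logic are constructed for the demo (the enrolment secret is the RFC 6238 test-vector key), and the sketch does not track code reuse or lockout the way a production service must.

```python
"""Why MFA blunts a phished password: a TOTP (RFC 6238) second factor.

Added example; not UVic's implementation. The user record, salt, password and
enrolment secret are constructed (the secret is the RFC 6238 test-vector key),
and the login logic is a minimal sketch, not a production authentication service.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift.

    Constant-time comparison. A real service must also refuse a code that has
    already been used once (replay within the window); this sketch does not.
    """
    return any(
        hmac.compare_digest(totp(secret, at + delta * STEP), code)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the first factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: what the directory would hold after enrolment.
USER = {
    "salt": b"demo-salt-not-secret",
    "pw_hash": hash_password("Spring2019!", b"demo-salt-not-secret"),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
}


def login(password: str, code, at: int) -> str:
    """Return 'ok' only when both factors check out; otherwise say which failed."""
    if not hmac.compare_digest(hash_password(password, USER["salt"]), USER["pw_hash"]):
        return "denied: bad password"
    if code is None:
        # What a phisher holding only the harvested password gets.
        return "denied: second factor missing"
    if not verify_totp(USER["totp_secret"], code, at):
        return "denied: second factor wrong or expired"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) in practice
    print(login("Spring2019!", totp(USER["totp_secret"], now), now))  # ok
    print(login("Spring2019!", None, now))                             # phished password alone
    print(login("Spring2019!", "000000", now))                         # guessed code
```

The phishing page in Phase 1 could still capture a live TOTP code if it relays it within the 30-second window, so MFA of this kind raises the cost of the attack rather than eliminating it; phishing-resistant factors (hardware keys bound to the site origin) close that gap, at a higher rollout cost than the slide's "low cost" option.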

As Promised: The Sequel https://www.youtube.com/watch?annotation_id=annotation_202513&feature=iv&src_vid=F7pYHN9iC9I&v=Rn4Rupla11M

Questions 8 Minutes for Questions