Rick Redman, Title, KoreLogic Governance, Risk & Compliance G24

Similar documents
Tips for Passing an Audit or Assessment

Securing ArcGIS Server Services An Introduction

CyberSecurity: Top 20 Controls

Security Fundamentals for your Privileged Account Security Deployment

Securing Your Salesforce Org: The Human Factor. February 2016 User Group Meeting

Data encryption & security. An overview

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

the SWIFT Customer Security

Securing ArcGIS Services

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Web Application Penetration Testing

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

How NOT To Get Hacked

epldt Web Builder Security March 2017

Fencing the Cloud. Roger Casals. Senior Director Product Management. Shared vision for the Identity: Fencing the Cloud 1

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

10 FOCUS AREAS FOR BREACH PREVENTION

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Cloud Customer Architecture for Securing Workloads on Cloud Services

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

CoreMax Consulting s Cyber Security Roadmap

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Education Network Security

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

WebLogic Security Top Ten

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Fraud and Social Engineering in Community Banks

No Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017

Security Readiness Assessment

How Breaches Really Happen

ORACLE MANAGED CLOUD SECURITY SERVICES - SERVICE DESCRIPTIONS. December 1, 2017

CompTIA Security+(2008 Edition) Exam

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Cloud Security Whitepaper

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

Critical Hygiene for Preventing Major Breaches

Recommendations for Device Provisioning Security

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Mapping BeyondTrust Solutions to

Altius IT Policy Collection

Security Gaps from the Field

Engineering Robust Server Software

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

cs642 /introduction computer security adam everspaugh

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Implementing NIST Cybersecurity Framework Standards with BeyondTrust Solutions

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

SDLC Maturity Models

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

K12 Cybersecurity Roadmap

Your Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust. Wise Athena Security Team

UNIFICATION OF TECHNOLOGIES

Les joies et les peines de la transformation numérique

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Recommended Software Security Controls

Five steps to securing personal data online Gary Shipsey Managing Director

SECURITY & PRIVACY DOCUMENTATION

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Next Generation Policy & Compliance

Tenable.io for Thycotic

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

THE ISACA CURACAO CHAPTER IS ORGANIZING FOLLOWING INFORMATION SECURITY AND TECHNOLOGY SESSIONS ON MAY 15-MAY :

COMPUTER PASSWORDS POLICY

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Understanding Perimeter Security

IT Security Horrors That Keep You Up at Night

Chapter 5: Vulnerability Analysis

PrecisionAccess Trusted Access Control

Cybersecurity Today Avoid Becoming a News Headline

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

CIS Top 20 #5. Controlled Use of Administrative Privileges

The Kerberos Authentication Service

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

IT Governance Committee Review and Recommendation

QuickBooks Online Security White Paper July 2017


SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Transcription:

Succe What Audits Miss & How Penetration Testers Abuse Those Gaps Rick Redman, Title, KoreLogic Governance, Risk & Compliance G24 CRISC CGEIT CISM CISA

Intro Rick Redman / Minga / @CrackMeIfYouCan KoreLogic.com Penetration Tester Created 'Crack Me If You Can' - Password cracking contest at DEFCON 2

What audits miss? My goal as a pentester: Inform client about security risks they are unaware of. Watch this talk I did about this subject in 2011. Rick Redman -- Tomorrow you can patch that 0day -- but your users will still get you p0wn3d http://www.youtube.com/watch?v=5c3rq4rztgi All Fortune XXX companies have done audits. Patching Audits, Architecture Audits, Compliance Audits... etc So, Why are we still successful at penetration? 3

What audits miss? - Detection Ability Will you catch me? How will your team react? Will they follow policy? What is the policy proper? Does your detection technology work? 3 Rd party? Have you tested your 3 rd parties ability to detect internal attacks? How do they react? Are admins/users trained on proper incident response? Can a rogue device be detected and removed from the intranet? Pentests are stealthy. When will your team finally catch us? During port scans? After the AD compromise? Via logs? Via behavior? Note: Do these improve over time? How do you know? Stories: Fortune 50 No detection until AD compromise Small company immediate detection via portscans/cgi 4

What audits miss? Unsafe Architecture Architecture assessments help, but... What about the impact of bad architecture? How can it be used by attackers? Example: Webapps on port 80 that auth to SSO/AD Example: Flat Enterprise Networks HUGE risk! Example: Fortune XXX Large SSO/LDAP infrastructure. SSL accelerator, but the 4 backend LDAP system were on the same flat network, and could be accessed directly. Access those systems, run a sniffer get plain-text credentials. Examples: Proper 3-tier web application arch, but credentials on each tier lead to immediate compromise of next tier. (web app middle ware database 5

What audits miss? User/Administrator Behavior User/Administrator behavior is likely the largest risk to a network. Not usually the first thing we find (not the initial toe-hold) But, almost always is what eventually leads to complete system/network/enterprise compromise How do you audit for behavior? First, identify the problem behaviors Examples: Password use/storage by users (passwords.txt.cvspass) Password use/storage by service accounts How do admins do their job? What is their behavior? (ssh keys? Rdesktop? Vnc? Separate accounts for user/admin? ) How are machines accessed? How do services access other services (LDAP / DBs) 6

What audits miss? User/Administrator Behavior (cont) Examples: How do UNIX admins get root? Sudo (is a password required)? Shared password? How do UNIX admins share information (email? IM? TXT files) How do admins remember Administrator/root passwords? Do administrators follow their own security policy? (password reuse / password changing / password complexity / etc) Do UNIX admins have ssh private keys? Encrypted? Do users/admins stored sensitive data (files with credentials) on network shares? Are admin workstations firewalled / separated from the network? What UNIX commands are people running? Are they doing them safely? (ex: passwords on the command line) 7

What audits miss? User/Administrator Behavior (cont) So how do you learn about (and audit) user/administrator behavior? Either: 1) Ask them. Believe them. Don't audit. Trust administrators / users fully to not place network at risk. 2) Perform an audit yourself looking for unsafe behavior. 3) Actually perform a penetration test. Have a bad guy learn the most egregious techniques used by users/administrators. Provide examples and recommendations for fixing / preventing / training / mitigating the examples found. 8

What audits miss? Passwords! Passwords are a huge risk to the network Password policy is supposed to make stronger passwords but it does not! Password rotation (every 30/90 days) introduces vulnerabilities for date-based passwords and simplistic rotations This does NOT occur on Internet-based passwords because Internet sites don't required password changing. Summer2013 Spring2013 Winter2013 (Wireless assessment story goes here). GreatPass1 GreatPass2 GreatPass3. What happens if I find an old password for California2012? 9

What audits miss? Passwords! Finger patterns q1w2e3q!w@e# qwe123qwe!@# Qwer!@#$!Qwerty1 iop890iop*() If you require a special character it is almost always going to be the last character of a password. Which special characters? There is logic to this.! @ # $? If you require a number it is almost always going to be at the end as well. Which numbers? 1 2 123 2013 2012 etc Password1 Summer13 SanFrancisco123 Administrators will use the same password (or a simple variation) for the admin and non-admin account. (How do you test for this? Are they going to tell you?) Are your users using these patterns? How do you know? 10

What audits miss? Passwords! What about patterns? We are human after all. Example: Oakland1 - Notice location of upper case / number U L L L L L L D (U = Upper L = Lower D = digit) Spring13 U L L L L L D D Love1234 U L L L D D D D Fall2012! - U L L L D D D S ( S = Special Character ) There patterns are universal across enterprise networks! No tool prevent users from choosing passwords based on patterns. Are your users using these patterns? How do you know? 11

What audits miss? Passwords! These patterns are not only universal, they speed up the cracking/attacking drastically. For 9 character passwords: (8 characters is too easy). ULLLLLLLD ULLLLDDDD ULLLLLLDD ULLLLLDDD ULLLDDDDS ULLLLLDDS SULLLDDD Abcdefgh1 Abcde1234 Abcdefg12 Abcdef123 Abcd1234! Abcdef12!!Abcd1234 12

What audits miss? Passwords! Very large company - 100% passes meet complexity requirements. 263356 of 263888 logins cracked - 7308 Patterns Found Most Popular Patterns: 33458 ULLLLLDD ( 8 characters ) 12% of cracks! 33,000+ passwords 33394 ULLLLLLDD ( 9 characters ) 12% of cracks! 27898 ULLLDDDD 19190 ULLLLLLLDD The first pattern, used 33,000+ times cracks in 4 seconds. The top 5 patterns used by 48% of the time cracks in about 15 min The top 100 patterns are used by 85% of the users takes a few hours to crack 13

What audits miss? Passwords! Example 2: Large SSO for an enterprise 449,000+ users 19200 ULLLLLDD (used by 4.3% of users) ex: Sanfra13 17914 ULLLLLDDS ex: Sanfra13! 14025 ULLDDDDS ex: San1234! 12477 ULLLLLDS ex: Sanfra2! 9216 ULLSDDDD ex: San!1234 Top 5 patterns - used by 16% of users. Top 100 patterns used by 62% of users. (vs. 85% in previous example) 14

What audits miss? Wrapping up Password discussion. Your users are choosing bad passwords. Trust, but verify, the password methods used by users / administrators. Prevent users from choosing trivial passwords They are simple to audit. (We can help) Repeatable process easy to show improvement over time. (percentage cracked should go down). No denying their importance in the security realm. Every one uses a password. But are they using them properly? Multiple methods of mitigating risk. Improve complexity rules, training of users, reward users with strong passwords, etc. 15

What audits miss? Patching I trust the audit teams to deliver reports on what patches have not been installed. This is not the job of pentesters. But how do you rank importance? Risk? Threat? Easy to defend a 'dev' machine missing patches but what if it shares the same passwords with the 'prod' system? Is that system as important as a prod system? Is the risk higher? The threat? During pentests 'dev' systems are used to gain a 'toe hold' onto the network. Since 'dev' machines are managed by the same team that manages 'prod' anything we learn about how systems are used/managed/access will likely apply to 'prod'. 16

What audits miss? Home Directories During pentests, home directories and file-shares (such as $HR used by HR department) are harvested for information. What do people do/store when they think no one is looking? Are users storing sensitive data? Is it encrypted? Do the proper users have access to these files? Do the nonproper users have it as well? Is the contents of these directories audited routinely for unsafe content? Does the configuration of home directories (such as via NFS) place the entire infrastructure at risk? (Hint: It does). 17

What audits miss? Internal Web Sites Audits will likely return a list of intranet web-sites, but what data is on those sites? Is any of it sensitive? Would it be useful to attackers? Can any of it be used by a bad guy to gain access to other resources? Are proper credentials required to access any internal site with sensitive data? ( sensitive to auditors and pentesters might be different. Ex: system info lists of users documentation, etc ). Example: SVN/CVS example from 2013 Example: Edward Snowden. Used other peoples credentials to gain access to sensitive data. This made the audit trail of his activities very hard to follow. How did he obtain these other credentials? 18

What audits miss? Internal Web Applications Internal web applications are rarely assessed for web-based vulnerabilities Internal web applications are usually more vulnerable to webbased attacks Example: SQL injection/command Injection/Source Disclosure Can lead to system compromise on critical intranet systems. This can be an initial toe-hold on important intranet systems Not likely to be seen in log files by administrators Not likely to be seen by IDS (if using HTTPS/SSL) 19

What audits miss? MISC: What is the impact of out-of-date Java? Domain Policy? LANMAN? Who can log into domain controller? Who has terminal services access? Are Admin:500: password the same on all workstations? Are they they same as the servers? Outbound firewall rules? Documentation reveal any credentials? How are routers/switches set up / managed / authenticated? 20

Questions? Comments? CRISC CGEIT CISM CISA 9/11/13 21

What audits miss? 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback