Penetration Testing: How to Test What Matters Most


Penetration Testing: How to Test What Matters Most

Presenters:
- Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire
- John Stickle, OSCE, OSCP, OSWP, Coalfire Labs

Agenda
- Housekeeping
- Presenters
- About Conexxus
- Presentation
- Q & A

Housekeeping
- This webinar is being recorded and will be made available in approximately 30 days: YouTube (youtube.com/conexxusonline), Website Link (conexxus.org)
- Slide Deck: Survey Link; Presentation provided at end
- Participants: Ask questions via webinar interface; Please, no vendor-specific questions; Email: info@conexxus.org

Speakers
- Conexxus Host: Allie Russell, Conexxus, arussell@conexxus.org
- Moderator: Kara Gunderson, Chair, Data Security Standards Committee; POS Manager, CITGO Petroleum, kgunder@citgo.com
- Presenter: Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Data Security Standards Committee SME; Sr. Consultant, Coalfire, sam.pfanstiel@coalfire.com
- Presenter: John Stickle, OSCE, OSCP, OSWP, Security Consultant, Coalfire Labs, john.stickle@coalfire.com

About Conexxus
- We are an independent, non-profit, member-driven technology organization
- We set standards: data exchange, security, mobile commerce
- We provide vision: identify emerging tech/trends
- We advocate for our industry: technology is policy

2018 Conexxus Webinar Schedule*

Month/Date     | Webinar Title                                      | Speaker                    | Company
March 27, 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel, John Stickle | Coalfire Systems
April 2018     | Annual Meeting                                     | -                          | -
May 2018       | QIR Program Update                                 | Chris Bucolo               | ControlScan

7 Conexxus: Presentation Title

Pen Testing: What is it?
- Human-based threat emulation
- Purpose: discover exploitable security flaws
- Attack scenarios and targets vary
Conexxus: Penetration Testing: How to Test What Matters Most

Pen Testing: Why is it Needed?
- Find vulnerabilities before the bad guys exploit them
Source: 2017 Verizon Data Breach Investigation Report

[Diagram: threat model within the Enterprise relating Adversary, Threat, Attack Vector, Attack Surface, Vulnerability, Exploit, Breach, Exfiltration and Value Asset, with Probability and Impact dimensions]

Assets and Compliance
- PCI DSS: Asset = cardholder data and CDE
  - Recent pen testing guidance (September 2017)
  - Internal, External, Segmentation & Scope Reduction Controls
  - Layers: Network & Application layer; Application layer (6.5); Network incl. Wireless Systems
  - Industry-accepted penetration testing approaches
  - Quarterly and after significant changes
  - Organizational Independence
- Contractual Compliance: Oil Brand / Distributor; Information Security Policies; Product Policies
- Other: NIST / ISO / SOC; NERC SIP / EPA

Adversaries and Threats

Adversaries:
- Profit-driven hackers
- Nation states and ideology-driven attackers
- Trusted third parties
- Malicious insiders
- Non-malicious insiders

Threats:
- Exfiltration of data
- Destruction of data
- Denial of Service
- Theft of property
- Physical destruction
- Contamination
- Brand damage

Common Misconceptions

Vulnerability Assessment (Screening):
- Technical tests
- Automated tools
- Known vulnerabilities
- Scope: systems, credentials
- Goal: technical report (IP / host, vuln, CVSS rating), tactical recommendations

Penetration Testing:
- Multidimensional attack
- Security experts
- Discover and exploit flaws
- Scope: objective ("attack scenario"); systems, networks & apps; level of effort (time-box)
- Goal: fix security flaws; findings; remediation recommendations

Types of Pen Testing

Kill Chain Model
- Visualizes stages in attack lifecycle
- Threat modeling
- Kill one link, defeat the attack; Defense in Depth
- Testing targets the entity's ability to interrupt a specific link
Stages: Recon > Weaponize > Deliver > Exploit > Install > Command & Control > Action

Iterative Attack
[Diagram: the kill chain stages Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action, repeated in sequence]

Social Engineering
- Attempt to manipulate users into divulging sensitive information or performing IT-related actions

Network Testing
- Threat emulated: anonymous attackers across the Internet; internal adversaries to the internal environment
- Attack surface: operating systems, infrastructure, commercial off-the-shelf (COTS) products
- Exploits: MS17-010 (unauthenticated remote code execution)


Wireless Testing
- Capture handshake
- Crack authentication
- Exploit: WEP; WPA-2 KRACK attack; weak passwords
- Tool: Aircrack-ng


Application and API
- Threat emulated: credentialed and uncredentialed adversaries
- Attack surface: accessible portions of an application


Case Study: Application
- Browser-based fuel controller
- Leveraged known authentication vulnerability
- Identified ability to upload payload to obtain remote code execution
- Access to tank fuel and temperature levels
- Trigger or ignore sensor alarm

CVE-2017-6564, CVE-2017-6565

Appliance / Embedded / IoT
- Threat emulated: attacker has gained physical access to a device
- Attack surface: physical and logical devices, network connectivity to the device, and backend systems
- Examples: fuel controllers; car wash; tanks and pumps; security systems; third-party vending; HVAC

Case Study: Car Wash
- Coalfire Labs researcher
- Buffer overflow
- Arbitrary code execution
- Potential human threat

Red Team
- People, processes and technologies

Case Study: Casino
- Red team attack
- Physical, social, and logical vectors of attack
- Harvesting of email addresses of employees from public sources
- Spearphishing attack with image vulnerability
- Retrieved logins and passwords
- Access to the internal network via the casino's VPN
- Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment
See: https://www.coalfire.com/documents/case-Studies/Coalfire_Casino_Case_Study

Reverse Engineering
- Manipulate binary code to change intended application behavior
- Can be used to bypass authentication to grant access


Hunt Operations
- Identify adversaries already on the network

Enterprise Testing
- Mature security testing
- Comprehensive security program to test all aspects of environment and response

Penetration Testing Considerations

Maturity

Impact vs. Disruption
- Every penetration test will have impact: logs, traffic, notifications
- Avoiding disruption takes planning and communication

Timing
- Time of day/week
- Time box for testing (point-in-time)

Methodology
- Discovery: reconnaissance and vulnerability scanning
- Post-exploitation phase

Target and Scope
- Risk assessment (assets and threats)
- Compliance requirements vs. security goals
- Attack surface, vectors and scenarios
- Prior notification and communication

Skill Set

Certifications:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
- Offensive Security Certified Expert (OSCE)
- GIAC Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)
- Licensed Penetration Tester Master (LPT)
- CREST Registered Tester (CRT-Pen)
- CESG IT Health Check Service (CHECK) certification

Skill Sets:
- Reputable firm
- Background check
- System- and technology-specific training: MCSE, AWS-CCP
- Security certifications and skillsets: CISSP, CISM, other security certs

Other Considerations
- System exclusion
- Data destruction
- Reporting
- Remediation support


Website: www.conexxus.org
Email: info@conexxus.org
LinkedIn Group: Conexxus Online
Follow us on Twitter: @Conexxusonline