Penetration Testing: How to Test What Matters Most

Presenters:
- Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP, Coalfire
- John Stickle, OSCE, OSCP, OSWP, Coalfire Labs
Agenda
- Housekeeping
- Presenters
- About Conexxus
- Presentation
- Q & A
Housekeeping
- This webinar is being recorded and will be made available in approximately 30 days:
  - YouTube (youtube.com/conexxusonline)
  - Website link (conexxus.org)
  - Slide deck
  - Survey link (provided at end of presentation)
- Participants: ask questions via the webinar interface
- Please, no vendor-specific questions
- Email: info@conexxus.org
Speakers

Conexxus Host: Allie Russell, Conexxus, arussell@conexxus.org

Moderator: Kara Gunderson, Chair, Data Security Standards Committee; POS Manager, CITGO Petroleum; kgunder@citgo.com

Presenters:
- Sam Pfanstiel, CISSP, CISM, QSA(P2PE), ETA CPP; Data Security Standards Committee SME; Sr. Consultant, Coalfire; sam.pfanstiel@coalfire.com
- John Stickle, OSCE, OSCP, OSWP; Security Consultant, Coalfire Labs; john.stickle@coalfire.com
About Conexxus
- We are an independent, non-profit, member-driven technology organization
- We set standards: data exchange, security, mobile commerce
- We provide vision: identify emerging tech/trends
- We advocate for our industry: technology is policy
2018 Conexxus Webinar Schedule*
- March 27, 2018: Penetration Testing: How to Test What Matters Most; Sam Pfanstiel, John Stickle (Coalfire Systems)
- April 2018: Annual Meeting
- May 2018: QIR Program Update; Chris Bucolo (ControlScan)
7 Conexxus: Presentation Title
Pen Testing: What is it?
- Human-based threat emulation
- Purpose: discover exploitable security flaws
- Attack scenarios and targets vary
Conexxus: Penetration Testing: How to Test What Matters Most
Pen Testing: Why is it Needed?
- Find vulnerabilities before the bad guys exploit them
Source: 2017 Verizon Data Breach Investigation Report
Diagram (risk model): Adversary, Threat, Attack Vector, Attack Surface, Vulnerability, Exploit, Breach, Exfiltration, Value Asset within the Enterprise; Probability and Impact.
Assets and Compliance
- PCI DSS
  - Asset = cardholder data and CDE
  - Recent pen testing guidance (September 2017)
  - Internal and external testing
  - Segmentation and scope-reduction controls
  - Layers: network (incl. wireless systems) and application layer (6.5)
  - Industry-accepted penetration testing approaches
  - Quarterly and after significant changes
  - Organizational independence
- Contractual compliance
  - Oil brand / distributor
  - Information security policies
  - Product policies
- Other
  - NIST / ISO / SOC
  - NERC
  - SIP / EPA
Adversaries and Threats

Adversaries:
- Profit-driven hackers
- Nation states and ideology-driven attackers
- Trusted third parties
- Malicious insiders
- Non-malicious insiders

Threats:
- Exfiltration of data
- Destruction of data
- Denial of service
- Theft of property
- Physical destruction
- Contamination
- Brand damage
Common Misconceptions: Vulnerability Assessment vs. Penetration Testing

Vulnerability Assessment:
- Screening
- Technical tests
- Automated tools
- Known vulnerabilities
- Scope: systems, credentials
- Goal: technical report (IP / host, vulnerability, CVSS rating) with tactical recommendations

Penetration Testing:
- Multidimensional attack
- Security experts
- Discover and exploit flaws
- Scope: objective (attack scenario); systems, networks, and apps; level of effort (time-box)
- Goal: fix security flaws (findings, remediation recommendations)
Types of Pen Testing
Kill Chain Model
- Visualizes stages in the attack lifecycle
- Threat modeling
- Kill one link, defeat the attack; defense in depth
- Testing targets the entity's ability to interrupt a specific link
Stages: Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action
Iterative Attack
Diagram: the kill chain (Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action) repeated, one completed chain leading into the next.
Social Engineering
- Attempt to manipulate users into:
  - Divulging sensitive information
  - Performing IT-related actions
Network Testing
- Threat emulated: anonymous attackers across the Internet; internal adversaries within the internal environment
- Attack surface: operating systems, infrastructure, commercial off-the-shelf (COTS) products
- Example exploit: MS17-010, unauthenticated remote code execution
Wireless Testing
- Capture handshake
- Crack authentication
- Exploits: WEP; WPA2 (KRACK attack); weak passwords
- Aircrack-ng
Application and API
- Threat emulated: credentialed and uncredentialed adversaries
- Attack surface: accessible portions of an application
Case Study: Application
- Browser-based fuel controller
- Leveraged known authentication vulnerability
- Identified ability to upload payload to obtain remote code execution
- Access to tank fuel and temperature levels
- Trigger or ignore sensor alarm
CVE-2017-6564, CVE-2017-6565
Appliance / Embedded / IoT
- Threat emulated: attacker has gained physical access to a device
- Attack surface: physical and logical devices, network connectivity to the device, and backend systems
- Examples: fuel controllers, car wash, tanks and pumps, security systems, third-party vending, HVAC
Case Study: Car Wash
- Coalfire Labs researcher
- Buffer overflow
- Arbitrary code execution
- Potential human threat
Red Team
- People, processes and technologies
Case Study: Casino
- Red team attack: physical, social, and logical vectors of attack
- Harvesting of email addresses of employees from public sources
- Spearphishing attack with image vulnerability
- Retrieved logins and passwords
- Access to the internal network via the casino's VPN
- Exploiting vulnerabilities found throughout the network, gained administrator-level access to the environment
See: https://www.coalfire.com/documents/case-Studies/Coalfire_Casino_Case_Study
Reverse Engineering
- Manipulate binary code to change intended application behavior
- Can be used to bypass authentication to grant access
Hunt Operations
- Identify adversaries already on the network
Enterprise Testing
- Mature security testing
- Comprehensive security program to test all aspects of the environment and response
Penetration Testing Considerations
Maturity
Impact vs. Disruption
- Every penetration test will have impact: logs, traffic, notifications
- Avoiding disruption takes planning and communication
Timing
- Time of day/week
- Time box for testing (point-in-time)
Methodology
- Discovery: reconnaissance and vulnerability scanning
- Post-exploitation phase
Target and Scope
- Risk assessment (assets and threats)
- Compliance requirements vs. security goals
- Attack surface, vectors and scenarios
- Prior notification and communication
Skill Set

Certifications:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
- Offensive Security Certified Expert (OSCE)
- GIAC Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)
- Licensed Penetration Tester Master (LPT)
- CREST Registered Tester (CRT-Pen)
- CESG IT Health Check Service (CHECK) certification

Skill sets:
- Reputable firm
- Background check
- System- and technology-specific training (MCSE, AWS-CCP)
- Security certifications and skill sets (CISSP, CISM, other security certs)
Other Considerations
- System exclusion
- Data destruction
- Reporting
- Remediation support
Website: www.conexxus.org
Email: info@conexxus.org
LinkedIn Group: Conexxus Online
Follow us on Twitter: @Conexxusonline