Title: encription IT security services
encription IT security services
Who am I?
- Campbell Murray
- Technical Director of Encription
- Technical Panel Chair for Tigerscheme
- CHECK Team Leader (GCHQ/CESG)
What do I do?
- Penetration Tester aka
- ITSHCE (IT Security Health Check Engineer)
- IATP (Information Assurance Testing Professional)
- Ethical Hacker
- Many names for the same thing
What else do I do?
- Vulnerability Research
- Exploit development
- Defensive research
- Community projects
- BSides / 44Con / MCSG / OWASP and more
Why do people have pen tests done?
Why?
- To protect?
- Detect the risk of
- Loss to confidentiality (theft)
- Loss to integrity (changes to data)
- Loss of availability (denial of service)
- CIA
Why (cont.)?
- Identify all threats arising from
- Exploitation
- Privilege escalation
- Malware / Virus infection
- Poor passwords
- Network misconfiguration
Why (cont.)?
- Malicious users
- Poor segregation of duties
- Vulnerability in code
- Opportunists / Recreational
- etc
Threats
- The threats faced by all organisations are similar
- Insiders
- Outsiders
- Accidents
- Variously motivated
Motivations
- State led
- Criminal
- Political
- Social
- Opportunist / Recreational
- Malevolent
Is this the reason we exist?
- Honestly, no
- Majority of companies are indifferent
- Banks accept risk and loss
- Rarely a desire to meet best practice or be secure
- Post-hack testing very common
So why then?
- Most commonly for compliance e.g.
- GCSx / Gsi / PSN CoCo
- PCI DSS
- ISO e.g. 27001
- Protected environments e.g. MoD
- Protecting IPR
- Commercially sensitive
Jumping in: how do we test?
Types of test?
- White Box
- Full disclosure
- Grey Box
- Appropriate disclosure
- Black Box
- Zero disclosure
- Red Team
- NO RULES TESTING
What do we test?
- Everything and anything that we are asked to!
- E.g. Desktop OS / Laptop / Servers / Phones / Web Applications / 3G / VoIP / WiFi / Thin Clients / SAN / DR / Network topology / Network protocols / People / Policy / Process etc etc etc.
- Defined by the SCOPE OF WORK
What makes us effective?
- Broad and DETAILED expertise
- Programming
- Server Admin (Win / nix / Solaris / AIX etc)
- Network Admin
- Application Development
- etc
I thought it was simpler
- Current market is leaning to Vulnerability Assessment i.e. tools-based testing
- Cheaper but ...
- Limited value compared to a pen test
- Tools are helpful but without experience are misleading
Polarity
- Market is splitting into ...
- ... Scan based assessment e.g. PCI DSS
- Seen as low end
- And pen testing ...
- ... High end but quality still varies
- Return of Red Teaming!
Expertise is crucial
- We cannot FIND issues beyond that which tools provide if we do not know how to secure systems, networks or correct code
- We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code
Expertise is crucial
- We cannot JUSTIFY our results if we cannot prove them
- Clients / IT admins will not ACT on reported issues unless they understand the full risk
What else makes us effective?
- Methodology is key to success
- 5 common stages
- Passive reconnaissance / OSINT
- Fingerprinting
- Vulnerability identification
- Exploitation
- Extraction / Covering tracks
Quick Story
- How I hacked a bank without ever going anywhere near it!
Moral of the story
- Pen testing is about SECURITY
- That means identifying ALL possible attack vectors
- And knowing how we could use them
- Frequently two minor vulnerabilities, when combined, can be devastating
- Requires experience, not certification.
Scope of Work?
- Crucial
- Defines methodology to be used
- What is in scope
- Details given legal permission to test
- Going out of scope will see you fall foul of the CMA
- Not to mention the client's wrath!!!!
Cautionary notes
- CMA holds stiff penalties
- Potential extradition to other countries
- Criminal record
- You MUST have written permission from someone AUTHORISED to give that permission
- Research only performed in air gapped networks!
Cautionary notes
- You can be prosecuted for owning hacking and malware creation tools
- Unless you can justify possession
- Akin to going equipped to commit crime, even if you haven't
All the ducks are lined up, what next?
Delivery
- Identify the client's soft requirements
- If on site go prepared
- Health and Safety
- USB / Phone limitation
- Dress code
- Point of contact
- Etc
Delivery
- People skills are essential
- Polite but firm
- Do not allow others to impede your activity
- Sense of humour essential
- As is fully operational kit and plan B
- Pen and paper just as important!
Execution
- The GOLDEN RULE is ...
- .... NEVER leave a system less secure than how you found it!
- E.g. Creating user accounts or other objects
- If a high risk issue is found the client must be informed immediately
Reporting
- Good use of language
- Lots of people will read the report, make it readable.
- Ability to express technical concepts simply and accurately
- Face to face washup meetings require presentation skills
Applying your methodology
How?
- Methodology!!!!!!
- Reconnaissance (what is it)
- Fingerprinting (Scan e.g. Nmap)
- Identification
- Exploit (escalate privilege)
- Clean up (e.g. grab info, passwd, create user, clear history and exit)
Reporting and Testing
- Avoid temptation to focus on critical issues
- Remember, two low risk issues can make a high risk attack vector
- Observation is as important as running tools
Android App Testing Demo
Let's have a look at
- Mercury
- Android app testing toolkit
- Bit fiddly to set up tbh
- Worth the effort
Testing Android Apps
- Install Android SDK
- Install Mercury
- Start VM Android device
- Install Mercury agent and the app you want to look at
Testing Android Apps
- Start adb (linux)
- adb forward tcp:31415 tcp:31415
- Connect with mercury
- mercury console connect
- Party!
Testing Android Apps
- Get started commands
- list
- run scanner.provider.injection
- Derp!
- Now write an app to steal the data!
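The Mercury demo above probes content providers dynamically on a running device; as an added example (not from the talk or the Mercury project), here is the static counterpart a reviewer can run offline: it parses an AndroidManifest.xml and reports providers any other app on the device could query because they are exported without a guarding permission. The manifest, package name and provider names are constructed for the example.

```python
# Added example, not Mercury code: a static check for the content-provider attack
# surface that Mercury's scanner.provider.injection probes at runtime.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: one provider fully exposed, one guarded by a
# permission, one not exported at all.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.demo.notes"
              android:exported="true" />
    <provider android:name=".SecretsProvider"
              android:authorities="com.example.demo.secrets"
              android:exported="true"
              android:permission="com.example.demo.READ_SECRETS" />
    <provider android:name=".CacheProvider"
              android:authorities="com.example.demo.cache"
              android:exported="false" />
  </application>
</manifest>"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exposed_providers(manifest_xml, target_sdk=16):
    """Return the authorities of providers other apps can reach without a permission.

    Before API 17 a <provider> with no android:exported attribute was exported
    by default, so an absent attribute counts as exported when target_sdk < 17.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        exported = attr(prov, "exported")
        is_exported = target_sdk < 17 if exported is None else exported.lower() == "true"
        guarded = any(attr(prov, p) for p in ("permission", "readPermission", "writePermission"))
        guarded = guarded or prov.find("path-permission") is not None
        if is_exported and not guarded:
            findings.append(attr(prov, "authorities"))
    return findings
```

An exposed authority is the one to look at in the Mercury console next; a provider that is exported and unguarded is not itself a vulnerability, but every query it accepts from another app is untrusted input.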
Getting into security
Finding a job
- I won't lie ...
- Pen testing is not for everyone
- Competition for junior positions
- Not great pay at first
- Increase your chances by getting involved
- Lots of community activity
Community
- BSides conferences are free
- OWASP conferences are very low cost
- BSC Groups and meetings
- Find online resources and contribute
More than anything
- Gain expert level knowledge in programming, servers, network protocols
- Understanding what security is
- ... It's not just about exploits
It works!
Success story
- Listened to this talk
- Blogged about the demo
- Went to Bsides London
- Met his current employer there
- Employed!
Questions?