encription IT security services - PowerPoint PPT Presentation

About This Presentation
Title:

encription IT security services

Description:

encription IT security services Penetration Testing – PowerPoint PPT presentation

Slides: 47
Provided by: Tonye152

Transcript and Presenter's Notes

Title: encription IT security services


1
encription IT security services
  • Penetration Testing

2
Who am I?
  • Campbell Murray
  • Technical Director of Encription
  • Technical Panel Chair for Tigerscheme
  • CHECK Team Leader (GCHQ/CESG)

3
What do I do?
  • Penetration Tester, aka
    • ITSHCE (IT Security Health Check Engineer)
    • IATP (Information Assurance Testing Professional)
    • Ethical Hacker
  • Many names for the same thing

4
What else do I do?
  • Vulnerability Research
  • Exploit development
  • Defensive research
  • Community projects
    • BSides / 44Con / MCSG / OWASP and more

5
Why do people have pen tests done?
6
Why?
  • To protect?
  • Detect the risk of
    • Loss of confidentiality (theft)
    • Loss of integrity (changes to data)
    • Loss of availability (denial of service)
  • CIA

7
Why (cont.)?
  • Identify all threats arising from
    • Exploitation
    • Privilege escalation
    • Malware / Virus infection
    • Poor passwords
    • Network misconfiguration

8
Why (cont.)?
  • Malicious users
  • Poor segregation of duties
  • Vulnerabilities in code
  • Opportunists / Recreational
  • etc.

9
Threats
  • The threats faced by all organisations are
    similar
    • Insiders
    • Outsiders
    • Accidents
  • Variously motivated

10
Motivations
  • State led
  • Criminal
  • Political
  • Social
  • Opportunist / Recreational
  • Malevolent

11
Is this the reason we exist?
  • Honestly, no
  • The majority of companies are indifferent
  • Banks accept risk and loss
  • Rarely a desire to meet best practice or be
    secure
  • Post-hack testing is very common

12
So why then?
  • Most commonly for compliance, e.g.
    • GCSx / GSi / PSN CoCo
    • PCI DSS
    • ISO, e.g. 27001
    • Protected environments, e.g. MoD
  • Protecting IPR
  • Commercially sensitive

13
Jumping in: how do we test?
14
Types of test?
  • White Box
    • Full disclosure
  • Grey Box
    • Appropriate disclosure
  • Black Box
    • Zero disclosure
  • Red Team
    • NO RULES TESTING

15
What do we test?
  • Everything and anything that we are asked to!
  • E.g. Desktop OS / Laptop / Servers / Phones / Web
    Applications / 3G / VoIP /WiFi / Thin Clients /
    SAN / DR / Network topology / Network protocols /
    People / Policy / Process etc etc etc.
  • Defined by the SCOPE OF WORK

16
What makes us effective?
  • Broad and DETAILED expertise
    • Programming
    • Server Admin (Win / *nix / Solaris / AIX etc.)
    • Network Admin
    • Application Development
    • etc.

17
I thought it was simpler
  • The current market is leaning towards Vulnerability
    Assessment, i.e. tools-based testing
  • Cheaper, but ...
    • Limited value compared to a pen test
    • Tools are helpful, but without experience they
      are misleading

18
Polarity
  • The market is splitting into ...
  • ... scan-based assessment, e.g. PCI DSS
    • Seen as low end
  • And pen testing ...
  • ... high end, but quality still varies
  • Return of Red Teaming!

19
Expertise is crucial
  • We cannot FIND issues beyond that which tools
    provide if we do not know how to secure systems,
    networks or correct code
  • We cannot RECOMMEND appropriate remedial action
    if we do not know how to secure systems, networks
    or correct code

20
Expertise is crucial
  • We cannot JUSTIFY our results if we cannot prove
    them
  • Clients / IT admins will not ACT on reported
    issues unless they understand the full risk

21
What else makes us effective?
  • Methodology is key to success
  • 5 common stages
    • Passive reconnaissance / OSINT
    • Fingerprinting
    • Vulnerability identification
    • Exploitation
    • Extraction / Covering tracks

22
Quick Story
  • How I hacked a bank without ever going anywhere
    near it!

23
Moral of the story
  • Pen testing is about SECURITY
  • That means identifying ALL possible attack
    vectors
  • And knowing how we could use them
  • Frequently two minor vulnerabilities, when
    combined, can be devastating
  • Requires experience, not certification.

24
Scope of Work?
  • Crucial
  • Defines the methodology to be used
  • What is in scope
  • Details the legal permission given to test
  • Going out of scope will see you fall foul of the
    CMA
  • Not to mention the client's wrath!!!!

25
Cautionary notes
  • The CMA (Computer Misuse Act) holds stiff penalties
    • Potential extradition to other countries
    • Criminal record
  • You MUST have written permission from someone
    AUTHORISED to give that permission
  • Research only performed in air-gapped networks!

26
Cautionary notes
  • You can be prosecuted for owning hacking and
    malware creation tools
    • Unless you can justify possession
  • Akin to going equipped to commit crime, even if
    you haven't

27
All the ducks are lined up, what next?
28
Delivery
  • Identify the client's soft requirements
  • If on site, go prepared
    • Health and Safety
    • USB / Phone limitations
    • Dress code
    • Point of contact
    • Etc.

29
Delivery
  • People skills are essential
  • Polite but firm
  • Do not allow others to impede your activity
  • Sense of humour essential
  • As is fully operational kit and plan B
  • Pen and paper just as important!

30
Execution
  • The GOLDEN RULE is ...
  • ... NEVER leave a system less secure than how
    you found it!
    • E.g. creating user accounts or other objects
  • If a high risk issue is found the client must be
    informed immediately

31
Reporting
  • Good use of language
  • Lots of people will read the report; make it
    readable.
  • Ability to express technical concepts simply and
    accurately
  • Face-to-face wash-up meetings require presentation
    skills

32
Applying your methodology
33
How?
  • Methodology!!!!!!
    • Reconnaissance (what is it?)
    • Fingerprinting (scan, e.g. Nmap)
    • Identification
    • Exploit (escalate privilege)
    • Clean up (e.g. grab info, passwd, create user,
      clear history and exit)

34
Reporting and Testing
  • Avoid temptation to focus on critical issues
  • Remember, two low risk issues can make a high
    risk attack vector
  • Observation is as important as running tools

35
Android App Testing Demo
36
Let's have a look at
  • Mercury
    • Android app testing toolkit
    • Bit fiddly to set up, tbh
    • Worth the effort

37
Testing Android Apps
  • Install the Android SDK
  • Install Mercury
  • Start a VM Android device
  • Install the Mercury agent and the app you want to
    look at

38
Testing Android Apps
  • Start adb (Linux)
    • adb forward tcp:31415 tcp:31415
  • Connect with Mercury
    • mercury console connect
  • Party!

39
Testing Android Apps
  • Get started commands
    • list
    • run scanner.provider.injection
  • Derp!
  • Now write an app to steal the data!
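The finding that scanner.provider.injection reports is SQL injection through a content provider's caller-supplied selection clause. As an added illustration (not code from the talk or from Mercury), the hypothetical NotesProvider below shows the concatenation pattern that produces it beside a hardened query() that uses SQLiteQueryBuilder strict mode, a projection map and bound selectionArgs; the manifest attributes in the comment are assumed.

```java
// Added example (not the talk's code): a hypothetical NotesProvider showing the
// pattern Mercury's provider injection scanner flags, beside a hardened query().
// Manifest side (assumed): <provider android:name=".NotesProvider"
//     android:authorities="com.example.notes" android:exported="false" />
// or, if other apps must reach it, declare and require a custom permission.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class NotesProvider extends ContentProvider {
    private SQLiteDatabase db;  // assumed: assigned from a SQLiteOpenHelper in onCreate()
    private static final Map<String, String> COLUMNS = new HashMap<>();
    static {
        // Projection map: callers may only name these columns.
        COLUMNS.put("_id", "_id");
        COLUMNS.put("title", "title");
        COLUMNS.put("body", "body");
    }

    // VULNERABLE pattern: the caller's selection is spliced into SQL text with
    // no grammar check, so any app that can reach the provider rewrites the query.
    Cursor queryUnsafe(String selection) {
        return db.rawQuery("SELECT _id, body FROM notes WHERE " + selection, null);
    }

    // HARDENED: strict mode validates the selection clause, the projection map
    // pins column names, and caller values travel as bound selectionArgs.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Remaining ContentProvider methods, kept minimal for the example.
    @Override public boolean onCreate() { return true; }  // open db here in a real provider
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] args) { return 0; }
}
```

Strict mode only filters the selection grammar; keeping android:exported="false" (or a signature-level permission) is what actually removes the attack surface the scanner probes.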

40
Getting into security
41
Finding a job
  • I won't lie ...
  • Pen testing is not for everyone
  • Competition for junior positions
  • Not great pay at first
  • Increase your chances by getting involved
  • Lots of community activity

42
Community
  • BSides conferences are free
  • OWASP conferences are very low cost
  • BCS groups and meetings
  • Find online resources and contribute

43
More than anything
  • Gain expert level knowledge in programming,
    servers, network protocols
  • Understand what security is
  • ... It's not just about exploits

44
It works!
  • Lasantha Priyankara

45
Success story
  • Listened to this talk
  • Blogged about the demo
  • Went to Bsides London
  • Met his current employer there
  • Employed!

46
Questions?