Paul Vlissidis Group Technical Director NCC Group plc

Transcription

1 Managing IT Fraud Using Ethical Hacking Paul Vlissidis Group Technical Director NCC Group plc

2 Agenda Introductions Context for Ethical Hacking Effective use of ethical hacking in fraud scenarios Ensuring the ethical dimension

3 About NCC Group 400m business publically listed on LSE 20 offices across the UK, Europe, North America & Australia Over 15,000 customers worldwide Information assurance services Started security testing in 1997 now the largest single penetration/cybersecurity testing team in the world (by a considerable margin) Making the internet a safer place to be 3

4 Penetration Test Definition Authorised, adversary-based assessment for defensive purposes. Authorised means someone with legal control of the facility, system, or entity to be tested has agreed to the process. Adversary-based means that the activity is centred around what would one or more adversaries do if they were attacking the target. This means taking into account the adversaries knowledge, skills, commitment, resources, and culture. Assessment means one is making an expert, methodical and consistent judgement of security Defensive purposes we do what we do to help the good guys make decisions about business, about security, about computer systems, about control systems.

5 Why do we use ethical hacking? A regular risk-based assessment of cyber security To support assessment of compliance Pre/Post go-live for a new system/application As an independent check on external service providers/vendors To support audit requirements As part of an incident response To exercise incident detection and escalation processes

6 Categories of Penetration Test External network as viewed from the Internet Internal network as viewed by an internal user Web Application web application issues account for many successful attacks Database security Wireless network security Desktop the new front line /social media phishing Laptop/Mobile Mobile Applications Malware Procedural (social engineering) Red Team a holistic black box covert test of security posture 6

7 A test can be much more than just an audit Audits find issues but mostly the ones they expect to find Penetration tests offer a holistic test of complete security posture Simulate creative thinking by a motivated a capable threat actor A fair test that the security really works Allows exercise of multiple mechanisms :- Intrusion detection Host-based security Security event logging Password strength Incident response Security awareness Security processes Patching processes Coding standards adherance True risk often emerges from a combination of lesser vulnerabilities. 7

8 What can t it do You can t test everything, way too expensive Sampling and scope are essential to get best value It s a snapshot not a continuous process Security is a moving target You can t infringe people s rights or break the laws of the land It doesn t offer certainty that you are secure, just reduces uncertainty

9 Ethical hacking techniques applied to fraud scenarios Penetration tests often find :- Default accounts left active (often with default passwords) Shared passwords being used in departments Database security issues Evidence of data exfiltration through log analysis Account privilege abuses Malware deployment Penetration test reports often (always) contain information that informs auditors but often go unread By showing how it can be done ethical hacking can reveal how fraud was/is being done Ethical hackers determine what is possible and then construct fraud scenarios to demonstrate proof of concept.

10 Penetration testing during incident response Often used to reverse engineer the fraud/attack and answer the question how was it done? Can be used alongside other incident response services forensics, log analysis Can be deployed quickly and inform/direct the investigation.

11 The ethical dimension Formal rules of engagement Scope Definition System/network/data ownership Legal/regulatory issues Data allowed to be taken offsite (e.g. password hashes, configs) Destruction requirements for test data Escalation Path(s) If Fraud Is discovered what is the Process to Engage first responders Tester Credentials And Clearances CREST membership

12 Appropriate Accreditations ISO 9001:2008 The NCC Group s services are accredited to ISO 9001:2000 and have held ISO 9001 status since ISO 27001:2005 NCC Group s Information Consultancy & Testing Solutions division is certified to ISO 27001:2005 (formerly BS7799 part 2). (LRQ ) CESG CHECK We are accredited under the Government s CESG Check scheme for network penetration and testing services. We have been classed as a Green service provider continuously since 2001, this being the highest attainable standard. PCI Approved Scan Vendors/PCI Qualified Security Assessor NCC Group is a Qualified Security Assessor and an Approved Scan Vendor regulated by the PCI Standards Council. CREST Council of Registered Ethical Security Testers NCC Group is an active member of CREST, the standards-based organisation for penetration test suppliers aimed at ensuring the very highest standards of leading-edge security testing. 12

13 Who is CREST Council of Registered Ethical Security Testers Formed as a Company Limited by Guarantee Initial members were all from CHECK community Currently 38 member companies Additional support from CESG, CPNI 13

14 CREST Assurance Carry out stringent background checks on their staff Provide their staff with a structured framework covering awareness, education, research and career development Deploy rigorous testing methodologies and processes Produce clear, insightful reports for both technical and management audiences Protect client information in a professional manner Meet any legal, regulatory or business constraints on their testing Have signed company and individual codes of conduct Adhere to a signed memorandum of agreement on good practice Deal with complaints in a diligent fashion, with agreement that any conflict can be handled by an independent professional body.

15 Summary Penetration testing / Ethical Hacking is a powerful audit tool It addresses categories of risk not covered elsewhere It provides concrete evidence that your security investment is effective against many fraud scenarios It can assist in detecting fraud opportunities It can be used in a fraud incident response But. It cannot find everything It must be used properly as part of a mix of controls It needs proper specification, planning and execution to be effective Someone has to read the reports to realise the benefits 15

16 UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame European Offices Amsterdam - Netherlands Munich Germany Zurich - Switzerland North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney