Who am I? Martin Hansen Senior Security Consultant

Transcription

1 07/09/15 NCC Group 1

2 Who am I? Martin Hansen Senior Security Consultant Fields of expertise Specializes in the following areas of information security: Advanced Internal and External penetration testing - Web applications, Network, Application Security and Social Engineering. PCI (Payment Card Industry) Critical IT Security Controls IT Security Audit Background FortConsult A/S part of NCC Group, Senior Security Consultant present Ernst & Young, Manager Cand.Merc.Aud, Master of Science in Business Economics and Auditing HA (dat.) Bachelor of Computer Science and Business Administration Certifications PCI Council PCI Payment Card Industry PCI QSA Qualified Security Assessor SANS GIAC Critical Controls Certification GCCC since 2014 (ISC) 2 Certified Information Systems Security Professional CISSP since 2011 SANS GIAC Penetration Tester GPEN since 2011 ISO Lead Auditor EY Certify Point, 2011, Denmark ISACA - Certified Information Systems Auditor - CISA since /09/15 NCC Group 2

3 Global IT- Security company, HQ Copenhagen Delivering security assessment, review, test and incident response Working with financial, government, tech and top 100 companies worldwide Owned by NCC Group PLC, 1500 skilled security professionals in 18 location World largest team of penetration testers 07/09/15 NCC Group 3

4 FortConsult udfører sikkerhedstest for virksomheder som er ISO27001 compliant, får en 3402 revisionserklæring, som er PCI Compliant eller som lever op til andre sikkerhedsstandarder. Selvom disse virksomheder på papiret lever op til diverse krav som stilles igennem diverse frameworks finder vi stadig simple sårbarheder som gør at vi kan gennemtrænge deres netværk. Hvilke sårbarheder er det som FortConsult finder igen og igen når vi udfører vores sikkerhedstest og hvordan kan du som virksomhed indføre simple kontroller for at opdage disse sårbarheder inden en Hacker udnytter disse sikkerhedsbrister. 07/09/15 NCC Group 4

5 Agenda 1. Password 2. Segmentation 3. Social Engineering 4. Patching of business critical systems 5. Default/hardening/Baseline 5

6 Password 6

7 Password How real users interpret password rules!!!! - #!!#!# Passwords must contain at least 1 upper, 1 lower, 1 number, and be at least 7 characters long Take a base word of 6, 7 or 8 characters Chose only one upper Make first character upper Add numbers on the end (one, two, or four numbers) Or, substitute numbers and symbols for letters which look like numbers and symbols ( P@ssw0rd! ) For password changes, users increment the number: "Manunited1!", "Manunited2!", "Manunited3!" 7

8 Password Problem: User!! Password1 Welcome1 Lars&Mikkel Vinter2014 Top 5 most used 1 Password Welcome1 4 Sommer opret123 Martin12 Sommer2014 Fortconsult10 Bigger Problem: Not only users; Also Admins and Service Accounts!!!!! 8

9 9

10 Password 1. Extract password hashes 2. Crack password hashes 3. Force password change 4. Awareness training for users 10

11 Password How many in this room has a secure password??? 11

12 Segmentation 12

13 Segmentation DMZ Development Servers Test Clients Secure zone Different Geographical Locations 13

14 Segmentation Firewall Review remark *** Access to router *** permit udp host host permit icmp host permit udp host eq ntp remark *** Access to FRY *** permit ip host remark *** KJU access *** permit ip remark *** XX access *** permit ip permit ip permit ip remark *** IL access *** permit ip remark *** Access to INT *** permit ip remark *** Support access *** permit ip permit icmp deny ip any any log ip access- list extended vlan106- in remark *** DNS *** permit udp host eq domain permit udp host eq domain remark *** rasmor.blob.com *** permit ip host remark *** raste.blob.com *** permit ip host remark *** mdm.limo.blob.com *** permit ip host remark *** mobile.blob.com *** permit ip host remark *** melllpo.apple.com *** permit ip host remark *** proxy.kimh.blob.com *** permit tcp host eq www permit tcp host range remark *** DHCP *** permit udp any eq bootpc host eq bootps permit udp host eq bootps host eq bootpc remark *** range for future use *** permit ip deny ip any any log ip access- list extended vlan210- in remark *** Access to router *** permit udp host host permit icmp host permit udp host eq ntp remark *** BP access *** permit ip

15 Segmentation 15

16 Social Engineering 07/09/15 FortConsult 16

17 Patching of business critical systems Policy all servers should patched in 90 days? Is this ok.? How is the patch process? 17

18 Patching of business critical systems What we still find Critical vulnerabilities - Exploiting MS14-068, ms08_067 HeartBleed? Not all systems are covered Third party vendors don t update/patch Hosting don t always update/patch all layers 18

19 Patching of business critical systems Microsoft Baseline Security Analyzer 2.3 (MBSA) us/download/details.aspx?id=

20 Default/hardening/Baseline Baseline security policy is in place? Is the baseline applied to relevant servers/ workstations/network devices? Check! 20

21 Default/hardening/Baseline 1. Connect to \\PrinterFF Victim 2. Dont know \\ PrinterFF DNS 3. Who is \\PrinterFF 4. I am \\ PrinterFF 5. Here is my credentials ADMIN:[NTLMv2-hash] Attacker 21

22 Default/hardening/Baseline 22

23 Controls Password - Extract password hashes Crack password hashes (24 hours of cracking) Segmentation Test can be done automaticly with script Social Engineering NEXT TOPIC!!!!! No spoilers... Patch MBSA Baseline - Test new exploits/attack scenarios on a periodic basis 23

24 07/09/15 NCC Group 24