June 2006 Tiger Teams! The new face of Penetration Testing

Transcription

1 June 2006 Tiger Teams! The new face of Penetration Testing Justin Clarke CISSP CISM AIISP Ivan Phillips MSc MBCS CITP NCSA 1

2 Agenda Our talk will cover the following topics: Web Application Hacking PBX, War Dialling & VoIP Hacking Wireless Hacking Physical & Social Engineering Some Overall Comments Instructor Introductions Audience technical level? 2

3 What is Penetration Testing? Penetration testing may be loosely defined as: An attempt to gain access to a client s network, systems and data by simulating various threat groups (e.g. hackers, unethical competitors, disgruntled employees). For maximum value, testing should simulate threat groups and scenarios that are relevant to your organisation. 3

4 What is Penetration Testing? Uses various tools and techniques to identify, & try to exploit security vulnerabilities to gain access to data and systems. May not produce a comprehensive list of all vulnerabilities within a client s IT infrastructure, due to time limits and customer limitations. Because of this, risk management is imperative. 4

5 Why perform Penetration Testing? Penetration testing can help you answer: How security aware are my staff? How effective are my technical, physical and process based security mechanisms? How vulnerable are my home-grown web applications to attack? Are there unauthorised/insecure configured wireless devices / modems present? Example tests: Social engineering Logical & physical attacks (external / internal) Web application attacks Wireless & modem scans and attacks Use Penetration Testing: As part of security improvement To aid awareness of vulnerabilities As part of development process As a metric in security reporting from more than one provider To help meet regulatory expectations 5

6 Penetration Tests vs. Hackers Hackers exploit path of least resistance Penetration testers will attempt to find multiple points of entry Hackers use opportunistic approaches Penetration testing is methodical and repeatable allowing easy verification Hackers seek to gain information, cause damage Penetration Testers gain sufficient access to illustrate breaches and stop! Penetration Tests bounded by limitations which hackers do not face such as: 1. Time bounded 2. Sensitive to the environmental restrictions 3. Tests may be narrow in scope, if required by client. 6

7 Attack Sophistication As attacks get more sophisticated, intruders can be less skilled: High Intruder Knowledge Attack Sophistication Low Disabling audits Network mgmt. diagnostics Hijacking burglaries sessions Exploiting known vulnerabilities password cracking password guessing Back doors self-replicating code Packet spoofing sniffers sweepers stealth /advanced scanning techniques Denial of service Automated probes/scans GUI Attackers Tools DDOS attacks www attacks 2001 Carnegie Mellon University 7

8 The Problem! Malicious User Remote User Dial Up Internet Traffic Internet Network Perimeter Servers FW VPN Remote User -WiFi Corporate Network WLAN Physical Building 8

9 Typical range of tests available Internal A&P Testing: Physical Security Testing: After being given a physical connection to a point on the client s network, attempt to gain a privileged level of access to systems/data on that network Performed from network point(s) on the client site External A&P Testing: Attempt to penetrate the client s network security perimeter in order to access client systems/data from the Internet May include techniques such as social engineering and trophy gathering External Vulnerability Scanning: Use commercially available software tools to perform vulnerability scanning of the client s business critical servers and network devices No attempt to exploit potential vulnerabilities identified No investigation of false positives from the scanning tool(s) Corporate Desktop / Laptop Build Assessment: Assess the security of your Standard Build 9 Attempt to gain unauthorised physical access to the client s office / site, followed by an attempt to plug a laptop/device into the client s network undetected No attempt to penetrate the client s internal network Web / Application Testing: Attempt to circumvent the programming logic of a web site to gain unauthorised access to data or underlying systems. Can be done anonymously and/or with suitable credentials. Social Engineering: Impersonation/deception techniques directed at targeted individuals in an attempt to obtain information that could be used to further other attacks Remote Access / Wardialling: Dialling telephone number ranges allocated to the client in order to identify possible modems Wireless Testing: Scanning for Wireless networks or devices, within your premises which could potentially allow access to be gained to your internal network

10 June 2006 Web Application Hacking 10

11 A Real Risk 69% of publicly reported vulnerabilities for the last half of 2005 affected web applications Symantec Internet Security Threat Report, March % of organisations have no formal security involvement in building web applications Ernst & Young Global Information Security Survey

12 The Problem Web Traffic HTTP(S) Web Traffic HTTP(S) Web Server Web App FTP RPC X X Server OS DB Telnet X Mainframe 12

13 The Cause Custom development Functionality v Security Lack of security education Gaps in accountability 13

14 The Cause (cont) Traditional Security Data Application Server/Services Operating System Infrastructure 10 Most Critical Web Application Vulnerabilities 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Cross-Site Scripting (XSS) 5.Buffer Overflows 6.Injection Flaws 7.Improper Error Handling 8.Insecure Data Storage 9.Denial of Service 10.Insecure Configurations Management 14 Source:

15 Web Application Hacking Demo 15

16 Solutions Application Security Testing Security in the Development Process Education 16

17 Application Security Testing Automated tools Efficient, but provides limited assurance Ideal for low and medium risk applications Can give a false sense of security Manual testing Internal or external vendor staff Requires specialist skills and training Time consuming and expensive Can provide a good level of assurance 17

18 Testing Approaches Black Box Limited Knowledge Application Attack No source code Grey Box Full Knowledge Security Code Review with Full Front-End Access White Box Full Knowledge Security Code Review with No Front-End Access 18

19 Security in the Development Process Involves internal or external security resources at key design and development milestones Cost effective, as issues can often be identified and solved at the design or specifications phases 19

20 Education Developers don t deliberately develop insecure code A lot of commercial and free materials and organisations exist Open Web Application Security Project ( Secure Development Guide Application Security Testing Guide 20

21 Summary The Risk is Real it is likely that this will only increase in the future Critical business data is being put on the web by organisations We need to consider the risks and how to mitigate them 21

22 June 2006 PBX, War Dialling and VOIP Hacking 22

23 Telecomms -a brief history (simplified!) Early networks used Mainframes, connected to devices by dial up modems. Later modems connect companies to Internet More recently modems replaced by Broadband modems used for back door links Now voice traffic sent over Internet over Instant Messaging (IM), standalone applications (Skype) 23

24 The Problem Malicious User Remote User Dial Up Internet Traffic Internet Network Perimeter Servers FW VPN Remote User -WiFi Corporate Network WLAN Physical Building 24

25 How real is the risk? The toll fraud industry Expected to rise as next-generation wireless and internet services become more widespread. This is a huge industry in the UK in particular. Private Branch exchange (PBX) Hacking The French authorities investigating Madrid commuter train attack, are checking a PBX for a Bank near Paris, for signs of hacking. 25

26 The Problem PBXs & Voic Disclosure of information, through listening to voic messages, etc. Modifying data E.g., billing information Use of telecoms for illegal activities Denial of service Toll Fraud / Dial Through Fraud (most common) A fraudster who has gained access to an organisation s switchboard makes outgoing calls on the organisation s lines. 26

27 The Cause PBXs & Voic How are PBX systems compromised? Remote maintenance port (standard users & default passwords). By cracking authorisation codes for the remote access feature. Through the auto-attendant feature Through the voic system 27

28 Solutions PBX Security assessment of PBX controls, including: War dialling to identify remote access systems such as modems and to identify rogue dial-up access points. Manual modem verification and attempted compromise External PBX testing: Attempt to compromise PBX systems from the external network Internal PBX testing: Attempt to compromise PBX systems from the internal network Security tests of voic system 28

29 The Cause War Dialling Modems often connect remote users/ 3 rd parties to corporate network Unauthorised modems Out of hours / Administrative access Legacy / forgotten devices Often no security War dialling: calling a range of phone numbers to identify live data modems May be possible to brute force user names & passwords 29

30 Solutions War Dialling Configure Dial Back Require user names and strong authentication Physical Security Measures Plug in only when required Awareness / Education War dialling tests, to identify rogue modems, and insecure remote access lines 30

31 The Problem - VoIP Same problems as per IP data networks Service interruption Viruses Hacking plus some new ones Signalling attacks Caller ID spoofing Packet injection SPIT 31

32 The Causes - VoIP Lack of segmentation from IP data networks Very common to see 802.1q VLAN tagging VOIP solutions built on common hacking targets Cisco Call Manager & Microsoft Windows 2000, Microsoft SQL Server Encryption usually supported, but not enabled Commonly due to performance issues, or lack of manageability 32

33 Solutions - VoIP Firewalls and segregation controls Separate voice from data traffic Consider enabling encryption Consider what voice traffic may be more sensitive than others Hardening VoIP devices Install the latest patches, restrict connecting devices, authenticate devices Monitoring VoIP related logs Consider review of system logs, application logs, security logs 33

34 Summary The Risk is Real it is likely that this will only increase in the future. Telecommunication based security incidents are becoming more common. Expansion of Internet services such as Skype, can bypass your perimeter. Consider defence in depth measures to protect against the risks. 34

35 June 2006 Wireless Hacking 35

36 Your Wireless Network? 36

37 The Problem Malicious User Remote User Dial Up Internet Traffic Internet Network Perimeter Servers FW VPN Remote User -WiFi Corporate Network WLAN Physical Building Wireless attacker 37

38 Wireless Demo 38

39 The Cause 39

40 The Cause (cont) 40

41 Solutions Detecting rogue access points Secure wireless architecture Wireless security technologies 41

42 Detecting rogue access points Educate employees about wireless Periodically detect what is present War walking company premises Detecting devices connected to the network Deploy wireless security devices 42

43 Secure wireless architecture Do it properly Use WPA / WPA2 (not with preshared keys!) Use a secure EAP based authentication method i.e. EAP-TLS, PEAP, EAP-TTLS etc Don t use dynamic WEP Be aware of the RF dynamics Consider segmenting wireless clients from your main network VLANs Partially / totally firewalled 43

44 Wireless security technologies Wireless IDS / IPS Rogue / unknown wireless detection technologies Unauthorised wireless suppression technologies More basic techniques Building materials Frequency jamming (note illegal in most cases) 44

45 Summary The Risk is Real it is likely that this will only increase in the future Business demands are driving wireless deployments Traditional controls do not address the risks of wireless all that well The best defence is not to have any wireless networks, but how do you know you don t have one? 45

46 June 2006 Making Mission Impossible Possible! 46

47 Mission Impossible or Possible? We ve all seen the film but how does reality compare? How easy is it for someone like me to break into An office building A secure 3 rd party hosting facility Do I even need to? 47

48 What are the Risks? Malicious User Remote User Dial Up Network Perimeter Internet Traffic Internet Servers FW VPN Remote User -WiFi Corporate Network WLAN Physical Building 48

49 Humans the weakest link! efforts to influence popular attitudes and social behaviour on a large scale, whether by governments or private groups wikipedia def. of social engineering techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through Kevin Mitnick definition 49

50 What is the risk? Sumitomo Mitsui Bank 220m via keyloggers Lexis-Nexis 310,000 customer details compromised through 59 instances of password social engineering ChoicePoint SOLD personal information of nearly 145,000 people to social engineers posing as legitimate businesses And these are just some of the ones that hit the news 50

51 Physical Testing & Social Engineering 1. Identify target personnel and buildings to access. 2. Research targets and identify critical information. 3. Illicit critical information from target(s) 4. Use information to misdirect target(s) 5. Attempt to bypass any authentication processes in place. 6. Escalate access and exploit physical access. 1. eg,, IT Manager, Security Managers, Helpdesk 2. Telephone numbers, other personnel etc 3. Access control processes to building/server rooms 4. Phone hosting centre pretending to be IT manager 5. Add contractors name to access list 6. Enter hosting centre posing as the contractor 7. Gain access to sensitive data and systems, shut them down, install wireless device, Business Implications Risk of theft, loss of data, etc Risk to reputation Risk to internal (and possibly unprotected IT infrastructure) 51

52 Case Study 1 Global Investment Bank Test conducted in multiple countries all successful Gained entry using Reconnaisance (photographic & video) Fake ID card Distraction (of security guard) Result Unauthorised access to data & network 52

53 Case Study 2 Professional Services 3 Premises tested 2 Office Buildings 1 3rd Party Secure Hosted Facility Gained Entry via Social Engineering Fake authorisation Physical Entry Result Access to server room, environmental controls etc Possible Unauthorised Access to Data, Denial of Service Attack against IT infrastructure and Web hosting 53

54 How to prevent these attacks Education & Awareness of all staff! Social engineering testing Physical Security Audits & tests Security policy Vet all your staff Don t trust anyone! 54

55 Summary The Risk is Real it is likely that this will only increase in the future! If your physical security can be circumvented, then logical access is usually a formality. Best defence is awareness, training and logical security features. Ensure Security Policies are adhered to! 55

56 Conclusions Given real risk, how does A&P fit into your overall strategy? If you have A&P testing currently Is it effective & covering all of your areas of risk? Do your reports include the business context relevant to you, or are the reports purely technical? If you don t use A&P testing What can it do for you? How do you know that your security measures are effective? Perimeter security is not enough! Don t forget, it s your network or is it!?! 56

57 Important Information The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice Accordingly, Ernst & Young LLP accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack The information in this pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further 57