Testing Your Security A Security Testing How To From Someone Who s Likely Broken Into An Organization Just Like Yours

Transcription

1 Testing Your Security A Security Testing How To From Someone Who s Likely Broken Into An Organization Just Like Yours Tom Liston Senior Security Consultant InGuardians, Inc. Director InGuardians Labs tom@inguardians.com 1

2 Who are you and why are you here? Senior Security Analyst InGuardians, Inc. Penetration Tester Networks, Web Apps, Physical Security Malware Analyst SANS Malware Analysis Team Security Researcher SANS Internet Storm Center Author (with Ed Skoudis) Counter Hack Reloaded A Step-by-Step Guide to Computer Attacks and Effective Defenses Follow the Bouncing Malware Programmer LaBrea, PEInfo, CertGuard, SpyCar, various malware analysis tools, tools for the SANS ISC, etc 2

3 The Agenda The main points: Why is security testing important? What types of testing are there? Testing best-practices Illustrated by War Stories 5 tips that can DRAMATICALLY increase your organization s security 3

4 Crime Spree! First off I m one of the good guys However, as a part of my job, I do bad things Things that would likely land me in prison if I wasn t doing them with permission 4

5 Thief! I ve broken into Banks Movie Studios Hospitals Insurance Companies Stock Brokerages Religious Institutions Energy Companies Government Organizations Charities Educational Institutions High-Tech Startups And that s just this year 5

6 Securing Your Organization Organizations spend considerable time and money in an effort be secure Firewalls, secure gateways, intrusion detection systems, web application firewalls, single sign-on, two factor authentication, etc, etc But when everything is in place, how do you know if it all works? 6

7 It s IMPORTANT We say it time and time again: As defenders, we need to be right 100% of the time The attackers need to find only one flaw Like it or not, that s the way it is 7

8 War Story #1 The Charity 8

9 Tip #1 Do not use a SINGLE Local Administrator password for all of your Windows machines Worst case: use the same password only on smaller groups of machines Best case: tools exist that allow you to use random passwords on each machine AND give you some nifty password management / logging functions Google: windows administrator password management 9

10 Tip #2 The single most prevalent security issues on the Internet today are found in web applications Writing secure web applications is a difficult, error-prone process If you ve never had your web applications tested, I can almost guarantee you that they have security flaws 10

11 Perspective Finding security flaws is a matter of perspective As security professionals, we cultivate an attacker mindset and apply it everywhere we look Attacker mindset: Attacking isn t the opposite of defending Not defending is the opposite of defending It s a BIG difference 11

12 Non-Testing Security Work Security Architecture Review This type of work involves looking at how an organization is currently securing their environment and assisting them in bolstering their security Policy Review Assisting an organization in creating or amending their policies so business processes are performed using security best practices 12

13 Checkboxes More and more we see people trying to do security by checklist We ve got a firewall We ve got an IDS We re secure! 13

14 War Story #2 The Brokerage 14

15 Tip #3 Security isn t about filling in checkboxes If your organization thinks that it is, find another job quickly 15

16 Tip #4 Big, flat networks are insecure Your network should be segmented by role users who work in accounting should be in a separate network segment from those work in purchasing Access control devices should only allow access between segments for legitimate business functions 16

17 Types of Testing Vulnerability Assessment Testers examine the network and create a listing of all potential vulnerabilities discovered along with recommendations for fixing them Penetration Testing Testers act as attackers and see how far they can penetrate a network 17

18 Vulnerability Assessments Pros Good first test against an organization Creates a listing of actionable items A kilometer wide Cons a centimeter deep Potentially downplays overall risk of vulnerabilities Many attacks combine multiple vulnerabilities 18

19 Penetration Testing Pros Tests the resilience of your network to a real attack Can be leveraged as a learning experience for your incident response team Can dramatically prove a point about security (or insecurity ) Cons Generally very focused doesn t give you the same wide coverage as a vuln assessment Because of time constraints, a failed pentest doesn t really address the security of the organization 19

20 Models The vulnerability assessment and penetration testing models can be applied to several different types of tests: External network assessments Internal network assessments Physical security assessments Web / Mobile / Application assessments 20

21 Internal Pentest? Admittedly, it sounds strange However, the single greatest threat to organizations today comes from malicious insiders Disgruntled employees Compromised internal machines Start with no accounts and a network jack See where you can go 21

22 Tip #5 Not all of your organization s employees are perfectly happy Machines on your organization s internal network WILL be compromised YOUR ORGANIZATION S SYSTEMS MUST BE SECURE DESPITE THERE BEING COMPROMISED SYSTEMS ON YOUR NRTWORK 22

23 War Story #3 The Bank 23

24 Tip #6 Never, EVER challenge a pentester 24

25 Tip #7 Administrative users should have separate, non-administrative accounts that they use for day to day work High-value (administrative) accounts should have a different (and far stronger) password from this day-today account 25

26 Testing Paradigms Black Box The organization shares no information with the testers Simulates a true attack White Box The organization openly shares information with the testers Grey Box A black box test that transitions to a white box test 26

27 Testing Best Practices All too often, we have someone sit us down at the beginning of testing and give us a list of rules Do the bad guys have to follow your rules? 27

28 Testing Best Practices (cont) Don t hide anything from the testers if they want to look at the source code for your web application, LET THEM It only increases the value of the test for you There is some value in a fully black box test, but only to a point 28

29 Testing Best Practices (cont) Do not treat testing as an adversarial activity Security testers aren t trying to make you look bad They re trying to help you to better secure your organization 29

30 Thank you! I sincerely hope that today s presentation has given you something to think about Questions / Comments? Tom Liston Twitter 30