Presented By: Bryan Miller CCIE, CISSP

Transcription

1 Presented By: Bryan Miller CCIE, CISSP

2 Speaker Introduction Risks Controls Why We Should Pen Test Why We Don t Pen Test Tools & Techniques Low Hanging Fruit Case Studies Copyright 2010 Syrinx Technologies 2

3 Biography B.S. - Information Systems VCU M.S. Computer Science - VCU CCIE, CISSP Former Cisco CCNA Instructor at John Tyler & J. Sargeant Reynolds Community Colleges Lecturer at VCU Fast Track Executive Master of Science (FTEMS) Program Adjunct Faculty in Information Systems and Computer Science at VCU President, Syrinx Technologies & Partner at ehealthsecurity Copyright 2010 Syrinx Technologies 3

4 Types of Risks Reputational public image Financial protecting monetary funds Strategic goals of the organization Compliance laws and regulations Dealing with Risk Avoid never try anything new Transfer buy lots of insurance Mitigate better planning Accept go ahead and jump Copyright 2010 Syrinx Technologies 4

5 Categories of Controls Preventative - deter inappropriate events from happening Separation of duties, proper authorization and physical control over assets IT firewalls, anti-virus, encryption Detective - actions that are taken to detect and correct undesirable events that have already occurred Physical inventories, reconciliations and audits IT vulnerability scan, Intrusion Detection System Copyright 2010 Syrinx Technologies 5

6 Types of Controls Physical physical security of a server Hardware keyboard logger Technical password complexity enforcement through an operating system setting (GPO) ophcrack Administrative written policies, reviews Social Engineering Copyright 2010 Syrinx Technologies 6

7 Copyright 2010 Syrinx Technologies 7

8 Satisfy legal/governmental/industry requirements (HIPAA, GLBA, SOX, FISMA, PCI). Often required by internal/external auditors. Validate existing technological controls. Copyright 2010 Syrinx Technologies 8

9 Raise overall security awareness. Test Intrusion Detection/Prevention Systems, including incident handling procedures. New management: Provides a great security baseline. Mergers/Acquisitions: Evaluate their security before integrating systems. Copyright 2010 Syrinx Technologies 9

10 A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. A vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. No actual system compromises occur. Copyright 2010 Syrinx Technologies 10

11 Two types of pen tests: "white box - uses vulnerability assessment and other pre-disclosed information "black box - performed with little or no knowledge of the target systems Which one do we choose? Vulnerability assessments answer the question: "Where are our weaknesses? Penetration tests answer the question: "Can someone break in and what can they access?" Copyright 2010 Syrinx Technologies 11

12 If you tell us what s wrong, we ll have to fix it. We already know where everything is broken. We don t have anything that hackers want. Copyright 2010 Syrinx Technologies 12

13 Our employees aren t smart enough to do that kind of thing. We trust our employees. We can t afford it. We re too small to matter. Copyright 2010 Syrinx Technologies 13

14 Start with a proven methodology. Reconnaissance Scanning Verification Use a variety of tools and don t trust any tool too much. Test everything with an IP address. Every device is important, otherwise disconnect it. Copyright 2010 Syrinx Technologies 14

15 Categories of tools: Research Port/Vulnerability Scanners Wardialing/Wardriving Application-specific scanners Web Servers OS specific Database Password cracking Frameworks (Metasploit, BackTrack, Samurai) Social Engineering Copyright 2010 Syrinx Technologies 15

16 Policy & Procedures: Lack of proper physical security. Sensitive data stored without encryption. Sensitive data transmitted/stored in . Common passwords across different platforms and/or architectures. Copyright 2010 Syrinx Technologies 16

17 Patch Management: Verify that patches are actually applied. Make sure to patch desktops and servers. It is important to patch operating systems and applications. Don t forget appliances and other network infrastructure devices. Copyright 2010 Syrinx Technologies 17

18 Password Management: Default Simple Network Management Protocol (SNMP) community strings. Default database passwords (MS SQL, Oracle, MySQL). Default passwords in Compaq Insight Manager (CIM). Default passwords on infrastructure devices. Copyright 2010 Syrinx Technologies 18

19 Each of these 4 cases are real. There are many more. The names and specifics have been changed to protect the innocent and the clueless. Each case provides an example of the domino effect. Note that in each case nothing alerted the client to what was going on. Copyright 2010 Syrinx Technologies 19

20 Large non-profit company running Lotus Notes with many branch offices. One branch had a blank administrator password. The Virtual Network Computing (VNC) password was the domain admin password. Same password provided access to network-attached storage (NAS). While examining file systems a file was found with backup Cisco configurations. Copyright 2010 Syrinx Technologies 20

21 During wardialing at a law firm, a Shiva LanRover was found using Novell authentication. Oracle servers were accessed using default passwords. Cisco infrastructure compromised due to default read-write SNMP community string. Connected via FTP to Novell server, viewing sensitive configuration files. Accessed many UNIX machines, decrypting several password files. Copyright 2010 Syrinx Technologies 21

22 Large financial company in multiple states. Accessed several internal applications using default login credentials. Accessed configuration file left by a developer containing database login credentials. Using these credentials, accessed sensitive client data including SSN, CC # s. Several devices compromised by downloading manuals from Internet. Copyright 2010 Syrinx Technologies 22

23 Large non-profit organization. Several PC s missing old patches. Default SNMP community strings. Blank database passwords allowed access to donor database. Connected to another database and discovered credit card data. Social engineering provided access to 5 buildings/server closets. Copyright 2010 Syrinx Technologies 23

24 What did we learn? The 3 P s Policies & Procedures Patch Management Password Management The majority of the remediation efforts are not costly in resources (human, technology, financial). The biggest changes have to occur with users, systems administrators and developers. Copyright 2010 Syrinx Technologies 24

25 Thank You Very Much for Your Time and Attention! Copyright 2010 Syrinx Technologies 25