Social-Engineering. Hacking a mature security program. Strategic Penetration Testing




Social-Engineering Hacking a mature security program Strategic Penetration Testing Dave Kennedy (ReL1K) http://www.secmaniac.com twitter: Dave_ReL1K

A Mature Security Program. Companies have invested a significant amount of money in securing their information: Application Security, Data Loss Prevention, Vulnerability Management, Monitoring and Detection, Event Correlation. Does this even exist?

2009 to 2010: Security conferences reported record numbers. Security staffing decreased... then increased. An estimated 1 billion was spent on Vista and Win 7.

2008 Breaches (PrivacyRights.org) In 2008 there was a total of 354 reported public data breaches. You might remember this one: RBS Worldpay, Atlanta Georgia

2009 Breaches (PrivacyRights.org) In 2009 there was a total of 252 reported public data breaches. We got better! Wait? Largest breaches in history, largest number of records disclosed, and the largest amount of PII, PCI and PHI data disclosed in one year ever.

2010 Breaches (PrivacyRights.org) We spent so much more this year: an estimated 34% increase in our budget. In 2010 there was a total of 594 reported public data breaches. Over double that of last year.

But we got better at detecting... Out of the 594 reported, 74% of them had been compromised for several months or years without detection.

Compliance Companies spend over 40% on compliance-driven security (Forrester). Compliance-scoped data makes up on average roughly 14% of a company's sensitive data.

What the heck happened? 11 years ago we discovered SQL Injection. 34 (before I was born) years ago we discovered buffer overflows. 1.6 million years ago we discovered Social-Engineering.

But buy this, it will fix it. Data Loss Prevention

But buy this, it will fix it. Intrusion Prevention

But buy this, it will fix it. Host Based Intrusion Prevention

But buy this, it will fix it. Web Application Firewall

But buy this, it will fix it. File integrity monitoring

But buy this, it will fix it. Firewall

But buy this, it will fix it. Anti-Virus

But buy this, it will fix it. Whitelisting/Blacklisting

But buy this, it will fix it. Patching Solution

But buy this, it will fix it. Vulnerability Scanners

But buy this, it will fix it. Network Access Control

So we continue to get breached more

And more

And more

And more

And more

And more

And more

You get the idea. 160 breaches this year so far.

I bet the majority of these had a security program. RSA, a mature security program? Sony, a mature security program? Where are we going wrong?

How are we identifying the exposures? What are we accomplishing during a penetration test? What are we doing? Who's doing it?

I bet the majority of these companies had pentests... I bet RSA had a number of penetration tests performed on a regular basis. MySQL gets hit with blind SQL injection? C'mon. Most of these companies probably have dedicated personnel for security.

A Mature Program? I haven't seen one yet. I know I can compromise any organization I want. I know I can take everything they own and run rampant all over them without detection.

Why?

Penetration Testing Today

I'm not judging

But we can't deny the truth

How to fix failing... I'm not saying that penetration testing is the savior. I'm not saying everything's bad. What I'm saying is we can be doing so much more.

We need change? Penetration testing needs to focus on the riskiest areas where we do business. It needs to be aimed at stealing, at learning the organization. Understand that penetration testers have a week or two max; hackers have months.

We need to move from this:

Move away from not understanding

Away from risk formulas and auditors

To this..

And back to.

Reality

Complexity. I could be crazy, but we have made security so complex that we have no idea what any of this stuff means anymore.

What is strategic penetration testing?

An attack targeting the company's ability to generate revenue.

The Penetration Testing Execution Standard (PTES) Aimed at tackling the weaknesses we have right now in the penetration testing industry. Focused on identifying and understanding what we want to accomplish during a penetration test. A clear path to mature your information security program.

Brief History

Why this is different We know what we need to do in order to fix this industry. Collectively we can tackle the issues we see today and what we see coming in the future.

Maturity Model Not every company is ready for each level of a penetration test. Understanding a company's security appetite: maturity is assigned based on a level in PTES. These levels should increase as the company increases its maturity.

PTES Methodologies

Pre-Engagement Interaction Aimed at learning the organization that you're attacking. Finding out what the company does and what they are getting out of it. Education.

Intelligence Gathering By far, the number two most important step in the entire penetration test. Learning the organization and how they work. Finding what your best attack vector is going to be.

Threat Modeling Finding our best route into the organization that will have the most realistic impact. What are the keys to the kingdom? Trade secrets? Customer Data? Brand?

Vulnerability Analysis Notice I didn't say vulnerability assessments. Understanding what vulnerabilities may be present and doing your research on the best and most viable attack vector.

Is it Social-Engineering? :-)

Exploitation Precision strike, something you have researched. Confidence, not a brute-force method. Attack as a hacker would.

Post Exploitation Arguably equally as important as intelligence gathering. Identify the key systems to inflict maximum damage or loss. Learn, understand, go undetected.

Reporting Often where we struggle in security. The most important message is through reporting. This is the number one most important step of a penetration test and one we dread writing. Why?

Emphasis on Communication and Education We need to teach. We need others to understand. That's the only way to be successful at this.

We are all about the hack. This presentation showed some breakage. This presentation showed hacking and zerodays. But this presentation was designed around fixing the problems we face in the industry.

We are all about domain admin. Guys and gals, domain admin means squat. Focus on destroying the company, focus on impacting the bottom line. Learn the company, hack it, and make them feel the pain.

The blame on many It's not just penetration testers to blame. It's companies who just want that check mark and don't take the time to learn security. It's the high-level, big-picture companies who couldn't secure your organization, let alone their own.

This. Doesn't solve it

This. Doesn't solve it

We are all smart We are equals; I'm not smarter than anyone here. I may have different experiences, but working together with each other's knowledge, something can actually happen. Support PTES, preach PTES, contribute to PTES.

Again. There's a lot more to security than penetration testing. I'm not naive enough to think this is the only thing we need to do to fix security. But this has got to change for us even to start.

Going back to the basics... Stay away from the shiny toys that VARs sell you. Stay away from that magic bullet that will fix all of your problems. Think about what you're doing and why you need it, and build it from the ground up.

The Big Picture Penetration testing aside: look at what makes your company money and how it does business. Secure that.

Understand.

There is no

But Coming together will.

Cloud Computing?

DerbyCon Three-day conference with training. Insanely stacked line-up. September 30 - October 2nd, Louisville, Kentucky - Hyatt Regency. http://www.derbycon.com info@derbycon.com

davek@social-engineer.org Twitter: dave_rel1k