Damien Manuel, Chief Information Security Officer (CISO), Blue Coat Systems - ANZ
James Stanger, PhD, Senior Director, Products - CompTIA
18 November, 2015
A Little Housekeeping
Contact information will be provided at the end of the webinar.
You are muted by default; please ask all questions in the Q&A section.
This webinar is being recorded. Webinar presentation slides and the recording link will be available tomorrow.
(1) CEU credit towards A+, Network+, Security+, Cloud+, Mobility+, & CASP: After the webinar, you may click on the "Proof of Participation" widget to download a certificate which may be uploaded to your candidate account for activity credit.
We want your feedback! Please complete the brief survey at the completion of the webinar!
Tweet with Us: @CompTIA #HiringaHacker #CompTIAWebinar #CompTIAcertified
Agenda
You're going to learn about what it means to hack into systems as a good guy, as well as find out what pen testers do for a living.
The hacker process and the penetration tester
Comparing the hacker process to auditing and penetration testing
Unique skills that you need to learn as an auditor/penetration tester
Penetration testing and the cloud, essential tools, and some war stories
Hiring a Hacker: Your Host
James Stanger, Senior Director, Products, CompTIA
Responsible for determining CompTIA's product roadmap
Authority in: open source, security, web technologies, blogging
Hiring a Hacker: Our Guest
Damien Manuel, Chief Information Security Officer for Blue Coat Systems Australia and New Zealand
Chief Information Security Officer (CISO) for Blue Coat
Works with senior executives across various industry verticals
Creates pen testing teams
Helps organizations align their security architectures to auditing best practices
Conducts audits for traditional and nontraditional IT implementations
Can get in and out of your system without you ever suspecting
Creates defense and risk mitigation plans
CompTIA is the voice of the world's information technology (IT) industry.
Non-profit: IT trade association advancing the global interests of IT professionals and IT channel organizations
Philanthropy: Creating IT Futures
Advocacy: TechAmerica
Provides industry-leading credentials and certification
Shameless plug: visit certification.comptia.org and check out a free trial of CertMaster!
CompTIA Certifications: A Quick Overview
Certs in red: ANSI/ISO certified / US Government 8570
CompTIA Best Practices Certification: IT Fundamentals, CyberSecure
CompTIA Mastery Certification: CompTIA Advanced Security Practitioner (CASP)
CompTIA Professional Certification: A+, CDIA+, Cloud+, CTT+, Linux+, Mobility+, Network+, Project+, Security+, Server+
CompTIA Specialty Certification: Healthcare IT, Cloud Essentials
A skills-based look at the CompTIA roadmap
We certify essential skills for the entire IT department / ecosystem.
Job role: Certification
Help Desk / IT Support Technician / Field Technician: A+ only
Operating system support: Server+, Linux+
Network technician: Network+
IT / cloud architect: Cloud+
Systems analyst / mobility engineer: Mobility+
Security engineer / IA technician: Security+, CASP
Any employee: CyberSecure
Project manager: Project+
Job role overview
What does it mean to be...
A penetration tester?
An auditor?
What other roles are there to consider?
What additional teams do you work with? IT is no longer just the purview of the CIO or the traditional IT department. Who else do you need to work with as a pen tester?
Essential Skills
Protocols: TCP/IP
Databases
How entire systems communicate across the enterprise
What are some of the unique skills team members possess?
Programming: What are you looking for? How essential is this as a skill to an auditor/pen tester? What languages would you recommend?
The hacker process and the pen tester
The hacking process (infiltration through exfiltration)
Stage 1: Zero Day / Phishing
Stage 2: Backdoor
Stage 3: Remote Access
Stage 4: Privilege Escalation
Stage 5: Internal Recon / Move Laterally / Data Acquisition
Exfiltrate
Phases: Infection Phase, Exploit Phase
The penetration process
Stage 1: Gathering information about targets (reconnaissance)
Stage 2: Identifying and prioritising vulnerabilities
Stage 3: Exploiting identified vulnerabilities to determine risk level
Stage 4: Providing executive-level reporting and actionable remediation strategies
Some important things to consider:
Client consultation
Statement of work
Defining the parameters (e.g. black box, white box and grey box testing)
Reporting
Risk-based context, not just threats / vulnerabilities
The auditing process
Process varies from auditor to auditor and from company to company.
Step 1: Plan the audit (auditor / organization)
Step 2: Hold audit kick-off meeting (auditor / organization)
Step 3: Gather data and test IT controls [DE and OE] (auditor)
Step 4: Analyze and report findings (auditor)
Step 5: Respond to findings (organization)
Step 6: Issue final report (auditor)
Step 7: Remediate identified deficiencies (organization)
Step 8: Test remediated controls (auditor / organization)
Step 9: Analyze and report findings (auditor)
Auditing and the scruffy guy
In what way has the pen tester or auditor role changed from the romanticized version we all know and love? The wizard
Auditing and penetration testing tools: a practical overview
Avoiding the tool parade
What essential practices are there? What tools and questions help you get to the right point?
Considering the customer's environment: technologies used, susceptibility to social engineering. What other factors?
Specific tools can include: tools built in to operating systems; open source and proprietary; others?
Penetration testing tools
Kali Linux
Cain & Abel
Metasploit & Nexpose
Nmap
Aircrack-ng
NetStumbler
Nikto2, DAVTest
KisMAC & Kismet
Wireshark
Paros Proxy
OpenVAS
Jawfish
Netsparker
Netcat
THC Hydra
Tcpdump & WinDump
w3af
John the Ripper
Ping/telnet/dig/traceroute
Netstat/whois
Sysinternals
sqlmap
ZAP
Social-Engineer Toolkit (SET)
Sqlninja
Socat
Hping & Nping
Cryptcat
Scapy
BeEF
Maltego
Developments in auditing procedures
New approaches and technologies
What are some of the more important changes over the last 10 years? The last 5 years? The last year or so?
Analytics: the ability to use data-driven intelligence rather than typical signature-based tools. Can big data approaches help you as an auditor?
What tools help give you the most essential data? Human beings? Networking applications? Specific security applications? The cloud? Mobility?
What about the advent of mobile devices?
How have technologies and approaches such as software-defined networking, virtualization, and the Internet of Things (IoT) affected your approach as a pen tester/auditor?
Forces impacting security posture
Evolving endpoint
Dissolving perimeter
Complexity of privacy
Encrypted traffic visibility
Incident response
New security control adoption
Penetration testing and the cloud
How are cloud-based systems and clients different?
In what ways do you approach them differently?
How do you audit systems without affecting tenants?
Guide for Amazon Web Services: http://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html and https://aws.amazon.com/security/penetration-testing
Joyent: https://www.joyent.com/about/security-and-compliance
Generic: http://www.infoq.com/articles/cloud-security-auditing-challenges-and-emerging-approaches
And now for some (seemingly) random lightning round questions
Past trends (timeline, 1996 to 2015+)
Eras: Connecting information, Connecting people, Connecting things
Threats: PC virus, Internet virus, worms, Trojans, spam, phishing, spyware, APT, watering hole, DDoS, ransomware, mobile attacks, malvertising
Controls: stateful firewalls, IDS, IPS, HIPS, UTM, DLP, WAF, SIEM, SSL decryption, CASB, data analytics
Future trends
What do you see changing in the next five years?
What are the top things to watch for 2016 and beyond?
Some questions about what you are seeing...
What excites you the most about security auditing in the future?
What resources should attendees consider reading or consulting in the future? Web sites? Books? Other resources?
What is the best way to get skilled up for future security issues?
What is happening at Blue Coat?
Let's talk about the latest news and innovations at Damien's organization.
What challenges are you addressing? Research into critical security controls; policy innovations
What additional technologies? CASB, SSL Visibility, Security Analytics
Summary
Today, we talked about:
Job roles and skills related to pen testing and auditing
The hacker process and the penetration tester
Comparing the hacker process to auditing and penetration testing
Steps that you follow
Unique skills to consider learning
Working with clients
Auditing and pen testing tools
Auditing, the cloud, and mobile devices
QUESTIONS?
James Stanger, CompTIA: jstanger@comptia.org, Skype: stangernet
Damien Manuel, Blue Coat: damien.manuel@bluecoat.com
Stay tuned for the next CompTIA IT Pro Webinar in January 2016!
Thank you!