07/09/15 NCC Group 1
Who am I?
Martin Hansen, Senior Security Consultant

Fields of expertise
Specializes in the following areas of information security:
Advanced internal and external penetration testing: web applications, network, application security and social engineering
PCI (Payment Card Industry)
Critical IT Security Controls
IT Security Audit

Background
FortConsult A/S, part of NCC Group, Senior Security Consultant, 2014 - present
Ernst & Young, Manager, 2005 - 2014
Cand.Merc.Aud, Master of Science in Business Economics and Auditing, 2005 - 2009
HA (dat.), Bachelor of Computer Science and Business Administration, 2002 - 2005

Certifications
PCI Council, PCI Payment Card Industry, PCI QSA Qualified Security Assessor
SANS GIAC Critical Controls Certification (GCCC), since 2014
(ISC)2 Certified Information Systems Security Professional (CISSP), since 2011
SANS GIAC Penetration Tester (GPEN), since 2011
ISO 27001 Lead Auditor, EY Certify Point, 2011, Denmark
ISACA Certified Information Systems Auditor (CISA), since 2010
Global IT security company, HQ Copenhagen
Delivering security assessment, review, test and incident response
Working with financial, government, tech and top 100 companies worldwide
Owned by NCC Group PLC: 1500 skilled security professionals in 18 locations
World's largest team of penetration testers
FortConsult performs security tests for companies that are ISO 27001 compliant, that obtain a 3402 audit statement, that are PCI compliant, or that meet other security standards. Even though these companies on paper satisfy the various requirements imposed by the various frameworks, we still find simple vulnerabilities that let us penetrate their networks. Which vulnerabilities does FortConsult find again and again when we perform our security tests, and how can you, as a company, introduce simple controls to detect these vulnerabilities before a hacker exploits these security flaws?
Agenda
1. Password
2. Segmentation
3. Social Engineering
4. Patching of business critical systems
5. Default/hardening/Baseline
Password
Password
How real users interpret password rules!!!!
Passwords must contain at least 1 upper, 1 lower, 1 number, and be at least 7 characters long
Take a base word of 6, 7 or 8 characters
Choose only one uppercase letter
Make the first character uppercase
Add numbers on the end (one, two, or four numbers)
Or substitute numbers and symbols for letters which look like numbers and symbols (P@ssw0rd!)
For password changes, users increment the number: "Manunited1!", "Manunited2!", "Manunited3!"
Password
Problem: Users!!
Examples: Password1, Welcome1, Lars&Mikkel, Vinter2014, Martin12, Sommer2014, Fortconsult10
Top 5 most used
1. Password1
2. 12345678
3. Welcome1
4. Sommer2014
5. opret123
Bigger problem: not only users; also admins and service accounts!!!!!
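As an added example (not from the original slides), a small checker that shows why the rule on the previous slide does not help: it tests a password against the slide's policy and, separately, against the predictable shape users fall into (one capitalised base word, leet substitutions, trailing digits, incremented on change). The substitution table and the minimum base length of 4 are my assumptions, and it accepts any 1 to 4 trailing digits, slightly wider than the slide's one, two or four.

```python
import re

# Letters users swap for look-alike digits/symbols (P@ssw0rd!), mapped back.
# Constructed table; an assumption of this example, not from the slides.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Shape: shortest possible base word, then up to four digits, then optional symbols.
SHAPE = re.compile(r"(.+?)(\d{0,4})([!?#.*]*)")


def meets_policy(pw):
    """The slide's rule: at least 1 upper, 1 lower, 1 digit and 7 characters."""
    return (len(pw) >= 7 and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def split_shape(pw):
    """Return (base, digits, symbols) when pw has the predictable shape, else None."""
    m = SHAPE.fullmatch(pw)
    if m is None:
        return None
    base, digits, symbols = m.groups()
    word = base.translate(LEET)          # undo P@ssw0rd-style substitutions
    if len(word) < 4 or not word.isalpha():
        return None                      # base is not one plain word
    uppers = [c for c in word if c.isupper()]
    if len(uppers) > 1 or (uppers and not word[0].isupper()):
        return None                      # more than one capital, or not at the front
    return base, digits, symbols


def is_predictable(pw):
    return split_shape(pw) is not None


def is_increment(old, new):
    """True when new is old with its trailing number bumped by one (Manunited1! -> Manunited2!)."""
    a, b = split_shape(old), split_shape(new)
    if a is None or b is None or not a[1] or not b[1]:
        return False
    return a[0] == b[0] and a[2] == b[2] and int(b[1]) == int(a[1]) + 1


def compliant_but_predictable(passwords):
    """Passwords that pass the policy yet follow the pattern: what the policy fails to catch."""
    return [p for p in passwords if meets_policy(p) and is_predictable(p)]


# The slide's "top 5 most used" list, used as sample input for this example.
TOP5 = ["Password1", "12345678", "Welcome1", "Sommer2014", "opret123"]
```

Running compliant_but_predictable(TOP5) returns the three entries that satisfy the policy but are still guessable; the two that fail the policy are already rejected, so the policy alone leaves the weakest compliant passwords untouched.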
Password
1. Extract password hashes
2. Crack password hashes
3. Force password change
4. Awareness training for users
Password
How many in this room have a secure password???
Segmentation
Segmentation
DMZ
Development
Servers
Test
Clients
Secure zone
Different geographical locations
Segmentation
Firewall Review

remark *** Access to router ***
permit udp host 0.0.0.0 host 255.255.255.255
permit icmp 192.168.168.0 0.0.0.255 host 192.168.168.1
permit udp 192.168.168.0 0.0.0.255 host 192.168.168.1 eq ntp
remark *** Access to FRY ***
permit ip 192.168.168.0 0.0.0.255 host 10.210.220.2
remark *** KJU access ***
permit ip 192.168.168.0 0.0.0.255 10.210.8.0 0.0.0.255
remark *** XX access ***
permit ip 192.168.168.0 0.0.0.255 10.210.192.0 0.0.15.255
permit ip 192.168.168.0 0.0.0.255 10.210.208.0 0.0.8.255
permit ip 192.168.168.0 0.0.0.255 10.99.0.0 0.0.64.255
remark *** IL access ***
permit ip 192.168.168.0 0.0.0.255 10.210.190.0 0.0.0.41
remark *** Access to INT ***
permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.4.255.255
remark *** Support access ***
permit ip 192.168.168.0 0.0.0.255 10.210.20.0 0.0.4.255
permit icmp 192.168.168.0 0.0.0.255 10.210.0.0 0.1.255.255
deny ip any any log
ip access-list extended vlan106-in
remark *** DNS ***
permit udp 10.210.220.14 0.0.0.8 host 10.210.8.11 eq domain
permit udp 10.210.220.14 0.0.0.8 host 10.210.8.16 eq domain
remark *** rasmor.blob.com ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.144
remark *** raste.blob.com ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.65.11
remark *** mdm.limo.blob.com ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.148
remark *** mobile.blob.com ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.218
remark *** melllpo.apple.com ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.184
remark *** proxy.kimh.blob.com ***
permit tcp 10.210.220.14 0.0.0.8 host 10.4.200.129 eq www
permit tcp 10.210.220.14 0.0.0.8 host 10.4.200.129 range 8088 8088
remark *** DHCP ***
permit udp any eq bootpc host 255.255.255.255 eq bootps
permit udp host 10.210.220.98 eq bootps host 255.255.255.255 eq bootpc
remark *** range for future use ***
permit ip 10.210.220.14 0.0.0.8 10.4.5.192 0.0.0.64
deny ip any any log
ip access-list extended vlan210-in
remark *** Access to router ***
permit udp host 0.0.0.0 host 255.255.255.255
permit icmp 10.210.220.104 0.0.0.8 host 10.210.220.105
permit udp 10.210.220.104 0.0.0.8 host 10.210.220.105 eq ntp
remark *** BP access ***
permit ip 10.210.220.104 0.0.0.8 10.210.8.0 0.0.0.255
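As an added example (not part of the original slides, and not a FortConsult tool), a reviewer for Cisco-style extended ACL lines like the ones above: it parses permit/deny rules, counts how many destination hosts an all-protocol permit reaches, and flags wildcard masks that are not contiguous in binary (0.0.0.8, 0.0.64.255, 0.4.255.255 above), which match scattered addresses rather than a subnet and usually deserve a second look. The 256-host threshold is my assumption; the sample lines are copied from the slide.

```python
import ipaddress

def _addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD); return (hosts, contiguous)."""
    t = tokens.pop(0)
    if t == "any":
        return 2 ** 32, True
    if t == "host":
        tokens.pop(0)
        return 1, True
    wc = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A contiguous wildcard is 0...01...1 in binary, so wc+1 is a power of two.
    return 2 ** bin(wc).count("1"), (wc + 1) & wc == 0

def _port(tokens):
    """Consume an optional 'eq P' or 'range A B' qualifier; return the port text or 'all'."""
    n = {"eq": 2, "range": 3}.get(tokens[0] if tokens else "", 0)
    spec, tokens[:n] = tokens[1:n], []   # take the port words, drop the qualifier
    return "-".join(spec) or "all"

def parse_rule(line):
    """Parse one 'permit|deny PROTO SRC [port] DST [port]' line; None for remarks and headers."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    action, proto, rest = tok[0], tok[1], tok[2:]
    _, src_ok = _addr(rest)
    _port(rest)                          # source port qualifier is irrelevant to this review
    dst_hosts, dst_ok = _addr(rest)
    port = _port(rest)
    return {"line": line.strip(), "action": action, "proto": proto,
            "dst_hosts": dst_hosts, "port": port, "contiguous": src_ok and dst_ok}

def review(lines, max_hosts=256):
    """Flag all-protocol permits reaching more than max_hosts destinations, and odd wildcards."""
    findings = []
    for r in filter(None, map(parse_rule, lines)):
        if r["action"] == "permit" and r["proto"] == "ip" and r["dst_hosts"] > max_hosts:
            findings.append((r["line"], f"all ports to {r['dst_hosts']} hosts"))
        if not r["contiguous"]:
            findings.append((r["line"], "non-contiguous wildcard mask, verify intent"))
    return findings

# Sample input: five lines copied from the slide's ACL.
ACL_LINES = """permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.4.255.255
permit ip 192.168.168.0 0.0.0.255 10.99.0.0 0.0.64.255
permit ip 192.168.168.0 0.0.0.255 10.210.8.0 0.0.0.255
permit udp 10.210.220.14 0.0.0.8 host 10.210.8.11 eq domain
deny ip any any log""".splitlines()
```

review(ACL_LINES) returns five findings on three of the lines: the "Access to INT" rule opens every port to 131072 hosts and its mask is non-contiguous, the 10.99.0.0 rule likewise (512 hosts), and the DNS rule's 0.0.0.8 source mask matches only two addresses in a scattered pattern; the /24-to-/24 rule and the final deny are clean.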
Segmentation
Social Engineering
Patching of business critical systems
Policy: all servers should be patched within 90 days? Is this OK?
How is the patch process?
Patching of business critical systems
What we still find:
Critical vulnerabilities - exploiting MS14-068, ms08_067
HeartBleed?
Not all systems are covered
Third party vendors don't update/patch
Hosting providers don't always update/patch all layers
Patching of business critical systems
Microsoft Baseline Security Analyzer 2.3 (MBSA)
http://www.microsoft.com/en-us/download/details.aspx?id=7558
Default/hardening/Baseline
Is a baseline security policy in place?
Is the baseline applied to the relevant servers/workstations/network devices?
Check!
Default/hardening/Baseline
1. Victim: Connect to \\PrinterFF
2. DNS: Don't know \\PrinterFF
3. Victim: Who is \\PrinterFF?
4. Attacker: I am \\PrinterFF
5. Victim: Here are my credentials, ADMIN:[NTLMv2-hash]
Default/hardening/Baseline
Controls
Password - Extract password hashes; crack password hashes (24 hours of cracking)
Segmentation - Test can be done automatically with a script
Social Engineering - NEXT TOPIC!!!!! No spoilers...
Patch - MBSA
Baseline - Test new exploits/attack scenarios on a periodic basis