Research Topic: Collaborative Penetration Testing David Huemer David Huemer Christian Proschinger (Speaker) Severin Winkler
Introduction Raiffeisen Informatik Definition Collaborative Penetration Testing Motivation Prototype t Future Work Raiffeisen Informatik 25.09.2008 2
Raiffeisen Informatik IT Operations Outsourcing Software Solutions Client Management 2nd largest IT Service Provider in Austria 3000 Server 20.000 Clients 40.000 km Network 520 TB Storage 1 Mrd. Transactions/Year Security Competence Center Zwettl Department of Raiffeisen Informatik Working on security topics Research Cooperations Secure Business Austria Security Services Output Services Raiffeisen Informatik 25.09.2008 3
Collaborative Penetration Testing Security Research for Business and Indust ry. Teambased Tests >2persons Stronger specialisation Local separation (partially) timeseparation Using timeshift of different timezones Research Areas Penetration Testing Computer Supported Collaborative Work Raiffeisen Informatik 25.09.2008 4
Attack Cycle vs. Penetration Test Security Research for Business and Industry. Attack Information gathering g Identification of vulnerabilities Attack itself Covering tracks Difference Workshop with system owner Reporting Quelle: ISSAF Raiffeisen Informatik 25.09.2008 5
Constraints of Penetration Testing Security Research for Business and Indust ry. Snapshot Money/Time Limit it Collateral Damage Availability Test systems Out of office hours You are attacking to improve the defense Raiffeisen Informatik 25.09.2008 6
Development in Cybercrime Security Research for Business and Indust ry. Targeted Attacks Division i i of Work Vulnerability Research Botnets Malware as Software as a Service Markets Nearly no Limitations Money Time Raiffeisen Informatik 25.09.2008 7
Attack Vectors Security Research for Business and Industry. Possible Entry Points physical personal Social Engineering g Applications Implementation Errors in Applications Configuration Errors Design Errors Information Aggregation Growing complexity of systems Tl Telecommunication Network Wireless Raiffeisen Informatik 25.09.2008 8
Prototype Security Research for Business and Indust ry. Modular Design Integration of 3rd party open source tools Flexibility P2P based Reporting Engine Summary of the certain modul reports Integrity Check Between results of modules Basic workflow definition Raiffeisen Informatik 25.09.2008 9
Workflow Management Security Research for Business and Indust ry. Allocation of Tasks Functional Specialists Infrastructure E.q. IP Range Process based Reliability between modules Ad-Hoc Workflows Static behaviour at macro level Dynamic aspects at micro level Large amount of small activities Finished Finished Finished Planned Planned Planned InProgress Finished Finished InProgress Planned Finished Finished Planned Planned Planned InProgress Finished InProgress New SubProcess Planned Raiffeisen Informatik 25.09.2008 10
Future Work Security Research for Business and Indust ry. Implement support for different process models Support for Ad-Hoc Workflows Implement new attack patterns Proof of efficiency and effectivity gain Raiffeisen Informatik 25.09.2008 11
Thank you for your attention! Raiffeisen Informatik GmbH Lilienbrunngasse 7-9 A-1020 Wien T +431/99399-0 F +43 1/99 3 99-1100 E info@r-it.at www.raiffeiseninformatik.at Raiffeisen Informatik 25.09.2008 12