Alexander Polyakov, QSA, PA-QSA
CTO, Digital Security (dsec.ru)
Head of DSecRG (dsecrg.com)
ERPSCAN Architect (erpscan.com)
Head of OWASP-EAS
Pentests? Again? Why?
- Many companies are doing this
- Many companies need this (PCI DSS)
- Still many questions
Pentest 101
"A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures." (Wikipedia)
Is It Enough?
"We have gained unauthorized access to your corporate environment by sending an e-mail with social engineering text and a 0-day for Adobe."
- Is it ok to show only one way?
- Is it ok if your doctor talks only about neck pain?
- There is an obvious need to show ALL POSSIBLE WAYS
Why Is It Enough?
- "Can you guarantee that after you've patched ALL vulnerabilities nobody will hack us?"
- Even Dr. House is mistaken
- That is why you need to make pentests regularly
- That is why you need to think twice before choosing a contractor
Purpose???
Let's look through the evolution.
First Era (before 2000)
- Objects: Network, OS
- Purpose: Penetration from the Internet
- Methods: Not formal, state of the art
- Teaching: Blackhat methodologies; "Improving the Security of Your Site by Breaking Into It", Dan Farmer & Wietse Venema, 1993
- Result of pentest: Screenshots with a shell and a couple of words
First Era
- Why? To prove that networks are vulnerable (many people do not believe it)
- Why now? To show the business that there is a need for security (pre-sales)
- The C in PDCA, if you have PDCA
Second Era (after 2000): VIVA LA WEB
- Objects: Network, OS, WEB
- Purpose: Penetration from the Internet, hacking the WEB site
- Methods: The first version of OSSTMM, programs like CORE IMPACT
- Teaching: Different books (Hacking Exposed), conference materials
- Result of pentest: Report with vulnerabilities and their countermeasures
Second Era
- Why? More complex pentest
- Why now? To show the business that there is a need for security (pre-sales)
- Part of the SDLC for WEB development, after secure development and code analysis
- PCI DSS
Third Era (middle of the 2000s)
- Objects: Networks, OS, DBMS, Applications, ERP, Mobile, Wireless, SCADA, Users (social engineering)
- Purpose: Deep assessment of an application or technology
- Methods: OSSTMM, NIST, ISSAF, OWASP, WASC, OWASP-EAS, ...
- Teaching: Certifications (CEH, CREST, CPT, GPEN, ...); Training (Blackhat / HITB / Offensive Security)
- Result of pentest: Standardized reports with the list of vulnerabilities, their risks and countermeasures
ALL THAT YOU WANT: Internal pentesting, Firewall pentesting, Cloud pentesting, WEB pentesting, Database pentesting, SAP pentesting, WiFi pentesting, SS7 pentesting, SCADA pentesting, GSM pentesting, Mobile pentesting
Third Era
- Why now? The network is good and there is a need to assess security more deeply
- Deep segregation inside a company (a clerk with DBA access)
- Part of PDCA for application/technology implementation
2010: HOUSTON, WE'VE GOT A PROBLEM
- Do we know more about current threats?
- Have we become more secure?
- Does the business understand all security risks?
They don't care about us ))
- Business is making business
- "If it doesn't bring money, we don't need this"
- If they don't understand us, it means that we explain it incorrectly
Technical Fail
"We don't use SAP. All business migrates to JDE."
Business Fail
"We've found 5 critical vulnerabilities. You can read about them and the countermeasures in the report."
"What is this? Just 10 pages? For the money I pay you it must be 10 times more!"
Business Fail
"We've found a vulnerability in the DC that can give unauthorized access to the server."
"We have the latest antivirus that makes us secure."
Technical Fail
"We've found a buffer overflow vulnerability on the 10.0.0.201 server which can be used for code execution, bypassing the ASLR and DEP countermeasures. See the screenshot for the results."
"DOS box? We don't use DOS :)"
Technical Fail
"We've found an XSS vulnerability in the payment system and we can gain access to user accounts."
"All money transfers are confirmed by SMS. This vulnerability is not so critical."
What's Next? Era 4: Business-oriented pentest
- Purpose: show how technical vulnerabilities can be used for business threats
- Instead of Integrity, Availability, Confidentiality: Espionage, Sabotage and Fraud
- "I don't care about exploits, show how to steal money?"
Example 1
- We have: Internal user inside a company, with no knowledge
- Purpose: Find the ways of stealing money
Classic Payment Scheme (diagram: Accountant, SAP, File server, Client-Bank, Net, Bank)
All is analyzed using Blackbox
Example 2
- We have: Business-critical system for gasoline sales
- Purpose: Find technical vulnerabilities and show how they can be used for fraud in the system
Scheme of Gasoline Station (diagram: Managing server, Database, Terminal, Gasoline station)
GreyBox, some help needed
Example 3
- We have: Payment system
- Purpose: Find technical vulnerabilities that can be used for fraud and money stealing in the system
Payment System Analysis
- Found XSS vulnerability
- Binding of the session to IP (cannot just steal the cookies)
- Money sending needs SMS confirmation
- Function found for issuing an invoice
- Find XSS in the receipt request information field
- User can approve the receipt or not
- Using XSS + XSRF we can automatically approve the receipt
- As a result the user loses money by clicking on the receipt
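Added example, not from the talk and not the code of the payment system it describes: a hypothetical receipt-approval flow in Python that shows, from the defender's side, the two gaps the chain on this slide relies on and the fixes that close them. The controls the slide says were present (IP-bound session, SMS on transfers) are kept; the receipt text, the `Session`/`ReceiptService` names and the SMS step are constructed assumptions, and the confirmation code is returned to the caller instead of being sent so the example runs offline.

```python
import html
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session. The IP binding is the control the slide says existed."""
    user: str
    ip: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed input for the receipt "information" field. The tag is generic; it is
# only there to show whether the renderer treats the field as data or as HTML.
UNTRUSTED_INFO = 'Invoice 42 <img src=x onerror="alert(1)">'


def render_receipt_vulnerable(info: str) -> str:
    """Interpolates the field raw: whatever the sender wrote becomes page markup."""
    return f"<div class='receipt'>{info}</div>"


def render_receipt_hardened(info: str) -> str:
    """HTML-encodes the field first (the XSS fix): the text stays text."""
    return f"<div class='receipt'>{html.escape(info, quote=True)}</div>"


class ReceiptService:
    """Hypothetical approval endpoint, vulnerable and hardened variants side by side."""

    def __init__(self) -> None:
        # receipt_id -> one-time confirmation code ("sent by SMS" in a real system)
        self._pending = {}

    def issue_confirmation(self, receipt_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[receipt_id] = code
        return code

    def approve_vulnerable(self, session: Session, request: dict) -> bool:
        """As on the slide: the IP-bound session is the only gate. A script injected
        into the victim's page sends the request from the victim's own browser and
        IP, so the binding does not help."""
        return request.get("ip") == session.ip

    def approve_hardened(self, session: Session, request: dict) -> bool:
        """Three gates: session IP, anti-CSRF token, and the same out-of-band
        confirmation that money transfers already required."""
        if request.get("ip") != session.ip:
            return False
        # Stops forgery from another origin. A script already running inside the
        # page can read this token, which is why the next gate is the one that matters.
        if not hmac.compare_digest(request.get("csrf_token", ""), session.csrf_token):
            return False
        receipt_id = request.get("receipt_id", "")
        expected = self._pending.get(receipt_id)
        if expected is None or not hmac.compare_digest(request.get("sms_code", ""), expected):
            return False
        del self._pending[receipt_id]  # single use: a captured code cannot be replayed
        return True


def demo() -> dict:
    """Runs the slide's chain against both variants and reports what each allows."""
    session = Session(user="victim", ip="203.0.113.7")
    svc = ReceiptService()
    # What an injected script can produce: a same-IP request, even with the CSRF
    # token scraped from the page, but never the code delivered out of band.
    forged = {"ip": session.ip, "receipt_id": "R-1", "csrf_token": session.csrf_token}
    code = svc.issue_confirmation("R-1")
    legit = dict(forged, sms_code=code)
    return {
        "raw_render_keeps_markup": "<img" in render_receipt_vulnerable(UNTRUSTED_INFO),
        "escaped_render_keeps_markup": "<img" in render_receipt_hardened(UNTRUSTED_INFO),
        "forged_approval_vulnerable": svc.approve_vulnerable(session, forged),
        "forged_approval_hardened": svc.approve_hardened(session, forged),
        "user_approval_hardened": svc.approve_hardened(session, legit),
        "replayed_approval_hardened": svc.approve_hardened(session, legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point for the review discussion on the next slides: the business judged the XSS "not so critical" because transfers had SMS, but receipt approval was the money-moving action and had no such gate, so the IP binding and the SMS step were both bypassed without touching them. Output encoding removes the XSS; extending the out-of-band confirmation to every action that moves money is what breaks the chain even if another injection is found later.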
Example 4
- We have: SAP system inside a company
- Purpose: Need to gain access to critical data through the Internet
Attacking SAP Users
- Sending an e-mail with a social engineering link
- Link consists of exploits for SAPGUI
- Exploit gains access to the user workstation
- Collects the saplogon.ini info
- Connects to the SAP servers using default passwords, passwords in shortcuts and bruteforce
- Gains critical data (user password hashes and banking accounts)
- Sends it to the server
More on http://erpscan.com
Sapsploit, a tool by DSecRG, automates all these things. Presentation from the HITB conference: http://dsecrg.com/files/pub/pdf/hitb%20-%20attacking%20sap%20users%20with%20sapsploit.pdf
Fourth Era: Business-oriented Pentest
- Objects: Business-critical systems
- Purpose: Show how technical vulnerabilities can be used for business threats
- Methodology: OSSTMM, NIST, ISSAF + business process analysis
- Teaching: All that we have plus business-process analysis and specific knowledge of the business area
- Result of pentest: Report that shows real business risks which can cause Fraud, Sabotage and Espionage
Problems and Things for the Next Presentations
Contractors:
- Need additional professional knowledge in the business area for pentesters
- Need more complex checks of business logic
- Lack of methodologies
Clients:
- Need to engage personnel
- Raise legal issues of access to data
Conclusion
Business must understand that:
- Hackers are ready to learn something new
- Hackers are the only ones that can help to secure systems from cybercrimes
Conclusion
Hackers must:
- Know more about business processes and business needs
- Speak the business language
Both:
- Respect and understand the problems of each other
- Understand that both have the same aims
Respect to all these guys and their presentations (by timeline):
- "Tactical Exploitation", Val Smith & HDM (Blackhat 2007)
- "The pentest is dead, long live the pentest!", Taylor Banks & Carric (Defcon 16)
- "Why Black Hats Always Win", Val Smith & Cris (Blackhat 2010)
- "Security Chasm", Anton Chuvakin (HITB AMS 2010)
- "Building Bridges: Forcing Hackers and Business to 'Hug it Out'", Andrew Hay & Chris Nickerson (SourceBarcelona 2010)
Questions???
Mail: a.polyakov@dsec.ru
Twitter: @sh2kerr
Blog: dsecrg.blogspot.com
Sites: http://dsecrg.com (in Russian: http://dsec.ru), http://erpscan.com, http://pcidssru.com (in Russian: http://pcidss.ru)