Professional Security Tester Seminar


Open Source Security Testing Methodology Manual
Professional Security Tester Seminar
Pete Herzog, Managing Director of ISECOM, Creator of the OSSTMM

Pete Herzog
- Managing Director of The Institute for Security and Open Methodologies
- Creator of the Open Source Security Testing Methodology Manual
- Professor at La Salle URL
- Professor at ESADE
Sponsors and Partners:
Copyright 2002 - Pete Herzog, Institute for Security and Open Methodologies (ISECOM) www.isecom.org

Special Thanks
- S21Sec: ISECOM Training Partner for the OPST and OPSA. Ethical hacking provided by Jordi Andre. Seminar assistance by Lydia Sorribes.
- La Salle URL: Jaume Abella and Guiomar Corral. ISECOM Training Sponsor. ISECOM Hacker High School Sponsor. Provides classrooms, infrastructure, and student assistants.

Security Testing
(Figure: the kinds of security test plotted against cost and time. Labels: Vulnerability Scanning, Security Scanning, Ethical Hacking, Penetration Testing, Posture Assessment, Risk Assessment, Security Auditing. Axes: cost, time.)

The Security Testing Profession
What you know today prepares you for how you take tomorrow.
Backgrounds: Network Architecture, Helpdesk Support Person, Statistician, Safety Officer, Trainer, Privacy Officer, Software Testing, Safety Inspection, Business Development, Operations Management, Legal Advisor, Privacy Advocate, Incident Management, Forensics, Disaster Recovery, Survivability, Hacker

What You Know
We will start this morning with a creative exercise in thinking outside the box called Jack of All Trades. The Jack exercises are used in the instruction of new hires on security teams. Each exercise is 4 questions about a scenario in which you are a professional in a different field of study each time. There are a total of 10 professions. Some professions you will understand better than others; that will influence the complexity of your answers but not the variety. The full Jack of All Trades is available on the ISECOM website!

Jack the Electrician
List 10 ways to turn off the light.
1. Turn the switch off.
2. Break the bulb.
3. Rip out the wiring.
4. Overload the electricity in the room.
5. Cut the electricity to the room.
6. Add a brighter light source to the room.
7. Wait until it dies on its own and don't allow anyone to change it.
8. Ask someone to shut the light off.
9. Cover the bulb with a cloth.
10. Close your eyes.
Destruction of any part of the process chain affects the end result. Attacking the process (side attacks) is essential to security testing.

Shopping for Security
- Do I need a security test?
- How often do I need a security test?
- Who should do the security test?
- Is it better to have a consultant do it or train some people to do it internally?
- What do I need to know about hiring a consultant?

Sales and Marketing
The international rules for marketing and sales are based on legalities, ethics, and security best practices.
- No promoting FUD (fear, uncertainty, and doubt); promote "freedom" instead: security grants mobility.
- No name dropping of clients.
- Sell security and not yourself.
- Truth in security is essential: where a client wants to purchase another service and security best practice requires a second, impartial testing team, it is important to tell the client that.
- Confidentiality is the key.
- No promoting of illegal hacking.

Real World Security
Security to the non-security professional: Security has always been a part of life on Earth and it has had a long time to evolve. The concepts of security have often remained the same in theory and have just been reapplied with technology. The professional security tester must be able to identify where these security defences exist and how they parallel historical concepts.
The historical security concepts also have a history of being defeated, and the history books are full of these attacks. Many of the popular ones have direct Internet influences:
- The Trojan horse as an attack against perimeter security.
- The battering ram used brute force to break through walls.
- Guerrilla warfare is a technique to make a small army appear big.
- Fake identification cards have often been used to fool guards.

Historical Security
Historical security concepts include:
- The Great Wall: the concept of the large, impenetrable wall, which often also served as high ground for scouts to watch for the enemy.
- The Guarded Doorway: the concept of the single entryway which is watched by a trusted person with a weapon (or sign and alarm).
- Encryption and Obfuscation: both common practices used together or separately to move information without fear of alerting or informing the enemy.
- Unique Stamps and Signatures: a concept used by kings as they pressed a metal seal into specially colored hot wax.
- The DMZ: the demilitarized zone is a concept of separating a conflict space with a neutral area between two enemy armies.

Historical Security
Historical security concepts include:
- The Illusion: a technique to make a small army look big or a weak army appear strong in hopes of deterring the enemy.
- The Honey Pot: a trophy used to draw armies into areas where they are at a disadvantage.
- Containment: a concept for holding and confining an unknown agent until the risk of contamination is minimal.
- Peace: the concept that neutrality provides security. A person with no enemies is a person with total security, but a person with no friends has much to be wary of.
- Aggression: the bully technique is a concept that having everyone fear your retaliation provides security from attack.

Historical Security
Historical security concepts include:
- Unavailability: the concept that what isn't there isn't attackable.
- Disinformation: the technique of mixing truth with propaganda to enhance the effectiveness of all other security concepts.
- Defensive Layering: the classic technique of combining security concepts and techniques for more effective security, as in the Bastion Host.

Modern Security
Historical concepts are often applied to securing modern technology. Sometimes this works. Often it does not. To understand why the historical concepts don't always work, we need to understand the new communication channels first. We also need to understand the undertones of society and the legal requirements for doing business.
(Figure: Privacy and Security, Legal, Business.)

Legalities of Testing
The security tester must understand and comply with the following legal concepts:
- Non-disclosure assures confidentiality monetarily.
- Uninvited testing is a criminal offense in various regions. Testing may only occur with written permission.
- Scanned and e-mailed documents are legal forms of contract.
- E-mail permission with proper headers is legally admissible evidence. Legally admissible evidence, however, does not mean a legal defense.
- FAX documents are legal contracts in Europe, North America and Australia.
- Regional laws for the tester and the organization being tested both apply.
- Your company cannot protect your reputation. You are responsible for all your actions.

Ethics in Testing
The security tester must understand and comply with the following ethical concepts:
- Distributed Denial of Service attacks are not to be tested over the Internet. The attacks will nearly always work and will affect all routers in between as well.
- Keep all tests, results, and clients confidential, even in internal communication. This includes sales and marketing!
- Use encryption for sending all test information in client communications and final test reports. The standards are PGP and GPG.
- Notify the client at regular intervals of testing progress.
- Promote freedom, not fear, uncertainty, and doubt, to sell, market, or promote the profession.
- Know your tools, where they came from, how they work, and test them on a restricted test network before using them.

Playing by the Rules
This should first be clarified with the client before the tester may begin any security testing:
- No unusual or major network changes during testing.
- Notify only key people about the testing.
- If necessary for privileged testing, they must provide 2 normal, remote user accounts. When performing a privileged test within a security test, first test black box and then test with privileges.
- No empty accounts! Any privileged accounts received must be working and contain the same "stuff" and configuration options as those of other users.
- Provide an internal mail account for testing.
- Provide a public key for secure e-mail.
- Provide the optimal and worst testing times.
- Written authorization for Social Engineering and DoS tests is required.

Client Notifications
The security tester must notify the client whenever:
- The testing plan changes
- The venue changes
- Weekly updates are due
- There are high risk findings
- High risk tests will be run shortly
- High traffic testing will occur shortly
- Meetings need to be confirmed and reconfirmed
- Any testing problems have occurred (yours and theirs)
- There are access problems (the account given to you doesn't work)
- The report will be sent shortly
- The workshop schedule is being planned

Perfect Security
What is perfect security? A utopia? Boring? Loss of job / income for security testers?
Understanding what security best practices are allows a tester to model the network being tested against the ideal. This is also the basis of Risk Assessment.

Estimates and Assessment
Who? Where? Why? What? When? How? How Long? How Much?

Mapping the Assessment
(Figure: a network map with the labels ADMIN, INTRANET, ISP, NEWS, DMZ, Domain Registration, SATELLITE OFFICE, MOBILE OFFICE.)
Note the traditional defense points. Note what an attacker can do to cause damage.

Assessment Strategies
Scheduling requirements: time, man hours.
Basic port scanning rule of thumb (64k addresses):
- 2 days for a class C at <= 12 hops over a 64k digital line.
- Add an additional hour per class C for every hop over 12.
- More bandwidth will decrease scanning time proportionally.
- Does not account for systems protected by an active IDS or stateful firewall. These could double or quadruple the time required!
Complete OSSTMM testing rule of thumb:
- Complete OSSTMM testing includes port scanning as well.
- 3 man-weeks for 10 live systems in a class C at <= 12 hops over 64k ISDN.
- Add an additional 1/2 man hour per live system for every hop over 12.
- More bandwidth will decrease testing time proportionally, up to 1Mb.
- Increasing the number of testers will decrease testing time proportionally. Analysis and reporting will become more complicated and take longer with more than 5 testers.
- Does not account for systems protected by an active IDS or stateful firewall. These could double or quadruple the time required!
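The scheduling rules of thumb above, turned into a small estimator. This is an added example and not code from the seminar or from ISECOM; the 40-hour man-week, linear scaling with the number of live systems, applying the bandwidth factor to the whole figure, and reading "1Mb" as 1024 kbps are assumptions of the example, not statements on the slide.

```python
"""Effort estimator built from the seminar's scheduling rules of thumb.

Constructed example: the slide's figures (2 days per class C, 3 man-weeks per
10 live systems, 64k baseline line, 12-hop baseline, x2 to x4 for an active
IDS or stateful firewall) are encoded; everything else is an assumption.
"""
from dataclasses import dataclass, field

BASELINE_KBPS = 64               # slide baseline: a 64k digital line / 64k ISDN
BASELINE_HOPS = 12               # slide baseline: <= 12 hops to the target
HOURS_PER_MAN_WEEK = 40          # assumption: one man-week is 40 man-hours
FULL_TEST_BANDWIDTH_CAP = 1024   # assumption: "up to 1Mb" read as 1024 kbps
FILTERED_FACTORS = (2, 4)        # slide: IDS / stateful firewall may double or quadruple


@dataclass
class Estimate:
    low: float                   # best case, in `unit`
    high: float                  # worst case, in `unit`
    unit: str
    notes: list = field(default_factory=list)


def _check_positive(**values):
    for name, value in values.items():
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value!r}")


def port_scan_hours(class_c_count, hops, line_kbps=BASELINE_KBPS, filtered=False):
    """Wall-clock hours to port-scan `class_c_count` class C networks.

    Slide rule: 2 days per class C at <= 12 hops over a 64k line, plus one
    hour per class C for every hop beyond 12; more bandwidth shortens the
    scan proportionally (assumption: the factor is applied to the total).
    """
    _check_positive(class_c_count=class_c_count, hops=hops, line_kbps=line_kbps)
    hours = 2 * 24 * class_c_count
    hours += class_c_count * max(0, hops - BASELINE_HOPS)
    hours *= BASELINE_KBPS / line_kbps
    est = Estimate(hours, hours, "wall-clock hours")
    if filtered:
        est.low, est.high = hours * FILTERED_FACTORS[0], hours * FILTERED_FACTORS[1]
        est.notes.append("active IDS or stateful firewall: scan time may double or quadruple")
    return est


def full_test_hours(live_systems, hops, line_kbps=BASELINE_KBPS, testers=1, filtered=False):
    """Man-hours, and elapsed hours across `testers`, for a complete OSSTMM
    test (port scanning included).

    Slide rule: 3 man-weeks for 10 live systems in a class C at <= 12 hops over
    64k ISDN; + 1/2 man-hour per live system for every hop beyond 12; bandwidth
    helps proportionally only up to 1Mb; more testers cut elapsed time
    proportionally, but beyond 5 testers analysis and reporting take longer.
    Assumption: effort scales linearly with the number of live systems.
    """
    _check_positive(live_systems=live_systems, hops=hops, line_kbps=line_kbps, testers=testers)
    man_hours = 3 * HOURS_PER_MAN_WEEK * live_systems / 10
    man_hours += 0.5 * live_systems * max(0, hops - BASELINE_HOPS)
    man_hours *= BASELINE_KBPS / min(line_kbps, FULL_TEST_BANDWIDTH_CAP)
    effort = Estimate(man_hours, man_hours, "man-hours")
    if filtered:
        effort.low, effort.high = man_hours * FILTERED_FACTORS[0], man_hours * FILTERED_FACTORS[1]
        effort.notes.append("active IDS or stateful firewall: effort may double or quadruple")
    elapsed = Estimate(effort.low / testers, effort.high / testers, "elapsed hours", list(effort.notes))
    if testers > 5:
        elapsed.notes.append("more than 5 testers: analysis and reporting take longer than the linear split suggests")
    return effort, elapsed


if __name__ == "__main__":
    # Constructed scenario: 20 live hosts in one class C, 15 hops away, over a
    # 128 kbps line, three testers, behind a stateful firewall.
    scan = port_scan_hours(1, 15, line_kbps=128, filtered=True)
    effort, elapsed = full_test_hours(20, 15, line_kbps=128, testers=3, filtered=True)
    for est in (scan, effort, elapsed):
        print(f"{est.low:.1f} to {est.high:.1f} {est.unit}", *est.notes, sep="\n  ")
```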

BREAK
Coffee, Questions, Chat, and Wake Up.

Security Map
The security presence is all gateways into a location: Process Security, Physical Security, Information Security, Communications Security, Wireless Security, Internet Security.
The OSSTMM uses the security map as a visual display of the security presence.

OSSTMM FAQ
Who uses it? There is no requirement for anyone to admit they use the OSSTMM, and it is within best security practice not to say anything about your security practices.
How long has it been around? Since January 2000.
What is the peer-review process?
(Figure: general public -> OSSTMM RED -> core edit -> OSSTMM Public Release.)
Submissions come from anyone and everywhere. The submissions are edited into the OSSTMM RED. The RED is sent to the core group of peer reviewers. The final cut ends with ISECOM, who makes last-minute edits and publishes it for public peer review. The cycle starts again.

OSSTMM FAQ
Who writes it? Security experts, scientists, security testers, lawyers, and hackers. The youngest contributor is 15 years old.
Why is the OSSTMM needed? A standard for methodical security testing. A guide for the security testing professional.
Isn't it impossible to make a methodology for something so complex, changing, and intricate as the OSSTMM? It's not worth having goals which are easily obtained. ;) The basics of security testing change very slowly. The most current version of the OSSTMM is only good for a few years backward and forward at any given time.

OSSTMM FAQ
Aren't you just teaching hackers how to hack? A methodology teaches WHAT, WHICH, and WHEN. Hackers require HOW and WHY. Anyone who knows enough about security testing to do the OSSTMM already knows how to hack.
Why use it as opposed to XYZ methodology? The OSSTMM attempts to include all laws and high-level methodologies in its low-level tests.
It's just not practical. Practical testing comes from how it is followed. Try scripting it if it seems too slow and impractical to use.

Making OSSTMM Certified Tests
As of OSSTMM 3.0, a security test checklist is required to accompany all final reports. This checklist will show modules and tasks completed, not completed and not applicable. The checklist will then be signed by the tester and provided with the final test report to the client or executive officer.
Reasons for the checklist are:
- Serves as proof of thorough testing.
- Makes a tester responsible for the test.
- Makes a clear statement to the client or executive officer.
- Provides a convenient overview.
- Provides a clear checklist for the tester.

Dynamics of Testing
The dynamics of security testing have changed greatly since the first administrators tested their own Internet security in the early 1990s with the SATAN automated tool.
- Customers have become clients. The term customer is used before contracts are signed, during sales meetings and during the assessment. You are ethically responsible for confidentiality of information you learn about the customer. The term client refers to the legal status of your obligation to your customer. After the contract is signed, your customer becomes a client and your ethical responsibility to confidentiality becomes a legal responsibility.
- Security testing is now a legitimate profession.
- The role of the security tester is no longer just security testing.

Security Testing in Practice
In the security testing profession, certain considerations must always be kept in mind:
- Solutions must be practical and realistic.
- Tests must be creative yet methodical.
- Analysis must be based on business justifications.
- Tests need to be properly assessed and risks properly identified.
- Tests will reveal internal processes and policies.
- Testing must comply with the various laws.
- Analysis must be completed in consideration of the various international and regional laws.
- The security tester must promote trust with the client.
- The determined risk must be measurable and quantifiable.
- The security tester must promote freedom and not paranoia.

Technical Preparations
With a background in ethical and legal obligations, the security tester is prepared to venture into the technical side of testing. This is just one difference between the security testing professional and the hacker.
Technical preparations include:
- Setting up the attack network
- Preparations for full packet sending and recovery abilities
- Avoiding firewall and NAT pitfalls
- Access to security testing resources
- Finding the right tools and exploits
- Setting up the attack server
- The management of confidential data
- The installation of tools

In Practice
You have seen: theory, concepts, nothing interesting, new, or mind-shattering.
You will see: a privacy review of the Disney website in action; a live assessment in action while I talk about the security test. (demo)

Disney Demo
Let's look at the following questions:
- What does the privacy policy for Walt Disney say?
- What kinds of information does Disney claim to collect?
- If we register an account at Disney as an adult, what kind of information does Disney ask for? Is it different for children?
- Does the source code on the Disney Adult and Children's registration forms say otherwise?
- How is the information submitted to the organization? Through what server? Encrypted? Held locally?
- Does the account sign-up promote SPAM?
- How does this compare with the privacy policy?
- How does this stand in Spain (LOPD)?
And you? Any volunteers?

Goals for Security Test
- Assess IT and Information Security Vulnerabilities and Threats: the key being to assess what they are and if they are real.
- Recognize Security Best Practices: need a model of "secure and private" to compare to.
- Recognize the Business Risks: the info security risks for a search portal are very different from those of a financial institution or health clinic.
- Recognize Privacy Issues, both Internal and External: privacy risks to customers, employees, and the company.
- Suggest / Implement Practical Security Solutions: this is the line that crosses over into Risk Assessment.

Limits of Security Test
- Loss of business: down time during the test, because of the test, maybe?
- Wasted resources: employee reactions to alarm states.
- False sense of Security: it's not definitive, since a successful test score does not mean perfect security.
- It is really superficial: it means nothing if nothing gets fixed.
- Process failures: can cause internal procedures to halt, like patching and other administration tasks.
- Politics: a security test cannot help a bad, internal political situation, because if the boss is right, he's right!

Rules of Engagement
These are the OSSTMM 3.0 standard steps to the security testing process:
1. Sales and Marketing
2. Assessment / Estimate Delivery
3. Dance of the mighty Contracts: non-disclosure, liabilities, scope and deliverables
4. Providing the Test Plan
5. Review the rules
6. Testing, with periodic management notification
7. Report Writing
8. Report Delivery
9. Workshop

What is Security Testing?
According to the OSSTMM, a security test is only valid if it is:
- Quantifiable: can be numerically measured.
- Consistent and repeatable: two testers would receive the same test results at the same time.
- Valid beyond the "now" time frame: lasts and remains valid longer than the wet ink on the report.
- Based on merit of the tester and analyst, not on brands: it is based on smarts and not expensive tools.
- Thorough: a complete test where nothing is left untested from the scope.
- Compliant with individual and local laws and the human right to privacy: puts the protection of personal privacy before corporate data.

Common Tests
Common security tests EXPOSED!
- Verification Testing
- Periodic Testing
- VPN Testing
- Privilege Testing
- Router / Firewall / IDS Testing
- DoS Testing
- Web Application Testing

Verification Testing
- What is it? A single test to verify that problems have been addressed with proper, working solutions.
- Who should do it? Not the same team from the original test.
- How soon should it be done? It should be started no later than 2 months after the initial test has completed or no more than 1 month after all fixes have been made. More than 3 months later and it's another full security test.
- How frequently can it be done? Twice. Once to verify changes. A second, small test of new or replaced systems.
- When is it not verification? When it's more than once. Then it's a periodic test.
- What should be included? All systems which were originally discovered. All other new systems are part of a new test.

Periodic Testing
- What is it? Regular weekly or monthly testing.
- Who should do it? The same team who conducts the initial test should designate a person for this weekly review.
- How soon should it be done? It should be started no later than 2 months after the initial test has completed or no more than 1 month after all fixes have been made.
- How often can it be done? It can be done with a daily review of vulnerabilities and testing only weekly. 1 year is the maximum recommended time before having the whole team conduct another full test.
- How can I plan this best? Refer to the RAVs.
- What should be included? Everything, just not all at once.

VPN Testing
- What is it? A test of the remote access VPN.
- How soon should it be done? It should be done after the black-box security test. Doing it before gives way too much information to allow for a reasonable test.
- How often can it be done? As often as desired, but these generally take time as they include internal systems enumeration, which can get big, and sometimes modem access, which can go slowly.
- What are some problems with VPN testing? Scope depth; finding the VPN; proprietary client software may be required; leads to white or grey box testing if done first.

Privileged Testing
- What is it? A test with login credentials like a normal, valid system user.
- Who should do it? The security testing team.
- What are the privileges? Two accounts are generally required to try moving data back and forth or hijacking one from the other. Assets in the account like info or money should also be available to the testers.
- How is it done? It's an application test with a foothold in the server.
- What should be included? All remote access points that require specific credentials.

Firewall / IDS Testing
- What is it? Generally a test where another system is placed inside the DMZ to respond or convey information during egress testing; access to the logs during the tests belongs here as well.
- Who should do it? Include your most knowledgeable firewall, router, or IDS admins in the team.
- What do I need to start? A portable system to egress from the inside to the outside as well as monitor and log.
- What should be included? All firewalls should be tested together and separately from the router if it screens. Include HIDS and NIDS in the IDS tests.

Denial of Service Testing
- What is it? A patience game: a process of firing an attack and waiting patiently for the admin to tell you if it worked.
- Who should do it? The security testing team; include your most evil thinkers and late night people, because this is rarely done during the day.
- What do I need to start? An extra person onsite, a laptop, and a phone.
- How is it done? You need a person inside standing watch over the safety of all machines, ready to reboot if necessary. Include a portable machine to monitor all the systems being attacked as well.
- What should be included? Specific information on risks in the contract. All of the DMZ, but no bandwidth flooding or DDoS attacks!

Containment Measures Testing
- What is it? A test of the containment measures for trojans, dangerous extensions, lamed viruses or EICAR (fake virus), and spam passed through email or internal web browsing with scripts and applets.
- Who should do it? The most organized and meticulous person on the team.
- What do I need to start? Fake viruses, EICAR text, e-mail, a web server, various compression algorithms, and a list of key words.
- How is it done? From the outside to the inside; it's sent like an egress test.
- What should be included? It's worth testing webmail, POP mail, SMTP, and desktop security.

Web Application Testing
- What is it? A test of the website as an application test, which includes usability, security holes and weaknesses, performance testing, and software quality testing.
- Who should do it? Add a software quality tester and performance tester to the team. A web developer with a usability background is useful as well.
- What do I need to start? Checklists and more checklists.
- How is it done? Must be done in the real operating environment.
- What should be included? Any website should be tested like this.

Voluntary Results
Anything interesting? Obvious privacy problems? Obvious security problems? Size of network? Web components? Rating?

Need More Information?
ISECOM free consulting: www.isecom.org
Training: OSSTMM Professional Security Tester, OSSTMM Professional Security Analyst, OSSTMM Professional Security Services. My last classes: March 17th and March 27th.
Look for the OSSTMM 3.0. Look for the Business Security Testing and Analysis Workbook.

Questions?
If you have more questions on the OSSTMM or want to dedicate time to the project, please write us at info@isecom.org
More information is available at:
http://www.isecom.org/certification.htm
http://www.osstmm.org/