White Hats and Ethical Hacking: What You’ve Been Doing Wrong (FocusOn CyberSecurity, 30 March 2016)


Slide 1: White Hats and Ethical Hacking: What You’ve Been Doing Wrong

FocusOn CyberSecurity, 30 March 2016


Slide 2: Overview

• Vulnerability assessments and penetration testing
• What goes wrong
• The future of penetration testing

© 2016 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.


Slide 3: Show of Hands …

• Have you ever requested a penetration test and been disappointed with the results?
• Have you ever completed a penetration test for a customer and felt that it “went nowhere”?


Slide 4: Vulnerability Assessments and Penetration Testing


Slide 5: Vulnerability Assessments

• Tool-based
• Automated, signature-based scans for known vulnerabilities
• Follows a defined methodology
• Catches ~60% of vulnerabilities
• High false positive rates; value comes from interpretation of results and root cause analysis


Slide 6: Penetration Testing

• Intelligence-based testing; human intelligence and experience drive results
• Identifies security weaknesses and vulnerabilities
• Goal is to exploit weaknesses
• Victory conditions:
  – Compromise a system; launch successful attacks
  – Gain root access
  – Even 1 compromise is a victory


Slide 7: Vulnerability Assessments and Penetration Testing


Slide 8: What Goes Wrong?


Slide 9: Customer Quote

“I’m only doing this testing because it’s a requirement for PCI.

I find it’s too expensive, you guys have a license to print money!

Sure, you found lots of little vulnerabilities, but I knew about those before you even got here. For the money I’m paying you, I expect you to have root access within an hour. Come on – impress me!”


Slide 10: Customer Quote

“We’ve just started doing a security review so we can qualify for new work from our client.

I’d like you to do a penetration test against my network.

We’ll knock that off while the rest of the team works on the other stuff like writing policies …”


Slide 11: Customer Quote

“We want you to test our production network of 800 (+) servers. Some of the servers are flaky, so make sure that you don’t crash them.

We need the testing to be completed by the end of the week (reconciliation time is coming).

Because we do financial services, you can only test at night, after midnight, and end testing by 6:00 AM.”


Slide 12: Customer Quote

“You can only bid on this project if the testers have actual experience in testing _______ plants of this type, and have demonstrated that they can write their own protocols to test the Zigbee radio systems.

The following will be out of scope: physical security, social engineering (including USB keys, hostile phishing emails, and impersonating the FedEx guy), insider attacks, attacks against the NT4 servers we know are still there ….”


Slide 13: Consultant and Client

Consultant: “Here are the test results.”

Client: “Thanks, I’ll make sure that IT against them when we’re done the review.”

Consultant: “I couldn’t help noticing that most of the report is the stuff that we found last year … and the year before that … and the year before that one ….”

Client: “Yeah, well … we’ve been kinda busy.”


Slide 14: Summary of Findings

• Lack of executive support
• Misalignment of financial and liability concerns versus risk
• Don’t understand the impact of testing on the network
• Unrealistic scope – tester
• Scope does not reflect reality – adversary type, attack methodologies
• No accountability for responding to results
• No resolution tracking, change control


Slide 15: Effective Vulnerability Scanning

• Credentialed scans
• Continuous scanning frequency
• Use at least 2 different scanning tools
• Feed results to the trouble ticket system
• Accountability for remediation
• Verify remediation
• Scan devices (printers, power bars, etc.)
• Build scanning into operational programs
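The practices on this slide (two independent scanners, results fed into a ticket queue, remediation verified, resolution tracked) and the year-over-year repeat findings in the consultant/client exchange on slide 13 come down to one bookkeeping step: reconciling each scan cycle against the open ticket queue. The script below is an added example and is not part of the Digital Defence deck; the scanner names, host names and vulnerability identifiers are constructed for illustration.

```python
"""Reconcile vulnerability-scan output across tools and across scan cycles.

Added example, not from the Digital Defence deck. All scanner names, hosts
and vulnerability identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str    # vulnerability identifier (a CVE or a scanner check name)
    severity: str   # "high", "medium" or "low"

    @property
    def key(self):
        # Two tools reporting the same host/port/vuln_id report one finding.
        return (self.host, self.port, self.vuln_id)


@dataclass
class Ticket:
    finding: Finding
    opened: date
    tools: frozenset        # scanners that reported the finding this cycle
    status: str = "open"    # "open" or "closed"

    def age_days(self, today):
        return (today - self.opened).days


def merge_scans(scans):
    """Union the findings of several tools, keyed by (host, port, vuln_id)."""
    merged = {}
    for tool, findings in scans.items():
        for f in findings:
            merged.setdefault(f.key, [f, set()])[1].add(tool)
    return {k: (f, frozenset(tools)) for k, (f, tools) in merged.items()}


def reconcile(tickets, merged, today):
    """Compare this cycle's merged findings with the ticket queue.

    remediated : open ticket, finding no longer seen -> close it
    carried    : open ticket, finding still seen     -> the slide-13 problem
    regressed  : closed ticket, finding seen again   -> the fix was not verified
    new        : finding with no ticket              -> open one
    """
    remediated, carried, regressed, new = [], [], [], []
    for key, t in tickets.items():
        if key in merged:
            t.tools = merged[key][1]
            if t.status == "open":
                carried.append(t)
            else:
                t.status = "open"
                regressed.append(t)
        elif t.status == "open":
            t.status = "closed"
            remediated.append(t)
    for key, (f, tools) in merged.items():
        if key not in tickets:
            new.append(Ticket(f, opened=today, tools=tools))
    return remediated, carried, regressed, new


def overdue(tickets, today, sla_days):
    """Open tickets older than the remediation SLA: the accountability list."""
    return [t for t in tickets if t.status == "open" and t.age_days(today) > sla_days]


LAST_YEAR = date(2015, 3, 30)
TODAY = date(2016, 3, 30)


def run_example():
    # Ticket queue left over from last year's cycle (constructed).
    tickets = {t.finding.key: t for t in [
        Ticket(Finding("db01", 1433, "VULN-EXAMPLE-1", "high"), LAST_YEAR, frozenset({"scannerA"})),
        Ticket(Finding("web01", 443, "VULN-EXAMPLE-2", "medium"), LAST_YEAR, frozenset({"scannerA"})),
        Ticket(Finding("print01", 9100, "VULN-EXAMPLE-3", "low"), LAST_YEAR, frozenset({"scannerA"}),
               status="closed"),   # marked fixed last year, never re-checked
    ]}
    # This cycle's output from two different scanners (constructed).
    scans = {
        "scannerA": [Finding("db01", 1433, "VULN-EXAMPLE-1", "high"),
                     Finding("print01", 9100, "VULN-EXAMPLE-3", "low"),
                     Finding("web01", 80, "VULN-EXAMPLE-4", "medium")],
        "scannerB": [Finding("db01", 1433, "VULN-EXAMPLE-1", "high"),
                     Finding("web01", 80, "VULN-EXAMPLE-4", "medium"),
                     Finding("app01", 8080, "VULN-EXAMPLE-5", "high")],  # only B sees it
    }
    merged = merge_scans(scans)
    remediated, carried, regressed, new = reconcile(tickets, merged, TODAY)
    return {
        "merged_count": len(merged),
        "remediated": remediated,
        "carried_over": carried,
        "regressed": regressed,
        "new": new,
        "overdue": overdue(list(tickets.values()) + new, TODAY, sla_days=90),
    }


if __name__ == "__main__":
    for name, items in run_example().items():
        print(name, items if isinstance(items, int) else [t.finding.vuln_id for t in items])
```

Three things the deck asks for fall out of the reconciliation: the carried-over list is exactly what the consultant on slide 13 complains about, the regressed list is where "verify remediation" bites (a ticket was closed without a re-scan confirming the fix), and the finding only one scanner reports is the case for running two tools.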


Slide 16: Effective Penetration Testing

• Define the goal: why are you testing?
• Align testing with risk and documented security policies
• Threat modelling
• In testing, follow the (critical) data
• Skilled testers + good reports = win
• Monitor
• Measure progress
• Don’t rely on a single tester


Slide 17: The Future of Penetration Testing


Slide 18: Change Your Testing Methodology - 1

• Risk-based approach: what data are you trying to protect?
• This data defines the tester’s goal
  – It’s not about getting root, it’s about confirming that you’ve protected the most important corporate data
  – Scoping will allow physical and logical tests
  – Scope may include the supply chain and 3rd parties


Slide 19: Change Your Testing Methodology - 2

• What is the adversary doing? What “rules” do they obey?
• What is their attack methodology?
• If the attackers are using social engineering, are you training to counteract that?
• Train as you fight


Slide 20: Attack Methodologies You MUST Include

• Physical attacks against data systems (theft of devices, key loggers, “road apples”)
• Wireless, VoIP networks
• Hostile MS Word and Excel documents with PowerShell macros
• APT simulations
• Exfiltration simulations


Slide 21: Change Your Testing Methodology - 3

• Blue Team: defenders
• Red Team: attackers, vulnerability scanners, penetration testers
• Purple Team = Blue + Red
• Meaningfully exercise the internal defences
• Doubles the value of a test (at least)


Slide 22: Questions?


Slide 23: DigitalDefence (www.digitaldefence.ca)

• Specialize in penetration testing, incident response, data forensics
• Training provider

Robert W. Beggs, CISSP

• 15+ years experience in all aspects of data security


Slide 24: Contact Me

519-771-8808

https://ca.linkedin.com/in/robertbeggs