1. Vulnerability Ass... Penetrate What? You are doing it wrong! Hacker Halted 2010
2. Jorge Orchilles is a South Florida Information Security Professional
Information Security field for over 8 years
Security Analyst for a Fortune 10 company (not speaking on their behalf, LinkedIn.com for more ;)
Consultant by night - Orchilles Consulting
BBA and MS in MIS - Florida International University
Author - Microsoft Windows 7 Administrator's Reference (Syngress)
Certs - CEH, GCIH, CICP, CCDA, CSSDA, MCTS, MCP, Security+
Organizations - VP of SFISSA, OWASP, Hack Miami, InfraGard, MECTF
3. We will be discussing how to perform a vulnerability assessment (VA) or penetration test (PenTest) to provide the most value to the target business
Audience Feedback
Terminology
Planning (scope)
Testing
Reporting
4. What does the audience know about VA and/or PenTesting and/or Ethical Hacking?
Does your company have a VA or PenTest policy, or had an assessment performed against your organization?
  Internal or third-party testing?
Have you ever performed a VA or PenTest?
  Internal or for another organization?
5. VA and/or PenTests are performed to bring business value
Measure the organization's business risk
What is the business trying to accomplish or get out of the test?
  Identify vulnerabilities
  Add realism to threats
  Test defenses (IDS, IPS, Firewall, AV, etc.)
  Compliance :(
6. Terminology
Vulnerability - a flaw or weakness in system security procedures, design, implementation, or internal controls that may be exploited
Threat - any potential danger to information or an information system
Attack - an effort by a threat agent to launch a threat by exploiting a vulnerability
Risk - comprised of the factors of threats, vulnerabilities, and current value of assets
7. Vulnerability Assessments and Penetration Testing are different
Vulnerability Assessment (VA) - process of identifying, quantifying, and prioritizing the vulnerabilities in a system
Penetration Testing (PenTest) - simulating an actual attack. May not identify all vulnerabilities.
Difference is in the scope (is exploitation allowed; how far can you go)
8. Defining the scope is critical
What does the business want?
External or Internal:
  External testing is more realistic of an external attacker
  Internal testing is more realistic to an insider threat, or to an external attacker who has already breached the perimeter. Easier to identify vulnerabilities
Type of testing:
  Black Box testing - no authentication
  White Box testing - authenticated testing
Who will be notified?
What systems will be tested?
When may they be tested (green zones)?
What systems may be exploited?
Social Engineering allowed?
Physical, Wireless, Web App, Network testing?
9. Attackers do not have these boundaries
Attackers don't have a scope or testing times
Attackers don't stop once they get root
Attackers don't have portions of the test removed from scope
10. Manage the VA or PenTest
Sales Engineer - understands technical and business
Project Manager
Primary Tester
Secondary Tester
Specialized testers?
Communication is key!
11. The kick-off call is very important for everyone
This is the conference that must occur before the testing begins
It is mainly to confirm the scope
A great time and opportunity for the testers to understand the business and processes (the reason for the systems in the first place)
Notify the business where you will be attacking from (if in scope)
12. Different Methodologies
Information System Security Assessment Framework (ISSAF)
Open Source Security Testing Methodology Manual (OSSTMM)
Project Management Body of Knowledge
Combination of these and some of your own
13. The testing process may vary depending on scope
Step 1: Information Gathering
Step 2: Scanning
Step 3: Identify and Validate vulnerabilities
Step 4: Exploitation, Post-Exploitation, and clean-up (Pen Testing)
Step 5: Reporting
14. Information Gathering is VERY important
Understand and learn the network
Learn about your target
Develop your attack for this specific target
This will ensure the other steps don't fail
15. Gathering Information is time consuming but worth it
Google Hacking (Dorks)
Social Networks
Mailing Lists
DNS (whois, host)
16. Scanning
"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man." - Elbert Hubbard
Automated Scanning
  nmap - identify hosts, OS, services
  Nessus - based on nmap output (Nmap NASL) and gathered intel, configure the scan
Manual Testing
  Difference between you and others
17. Vulnerability Identification & Verification
Go through the automated and manual scan output
  http://cve.mitre.org
  http://osvdb.org/
Must verify all identified vulnerabilities as they may be false positives
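An added example, not part of the talk, that ties the Scanning and Vulnerability Identification & Verification steps together: it parses nmap -sV XML output into a per-host service inventory and records which automated findings a tester has manually verified, so nothing unverified reaches the report. The XML sample, the host addresses and the function names are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV XML output (not real scan data); one host is down
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap(xml_text):
    """Return {ip: [finding, ...]} for hosts that are up; only open ports count."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down/unknown hosts produce no findings
        ip = host.find("address").get("addr")
        findings = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are noise for vuln identification
            svc = port.find("service")  # may be absent if -sV found nothing
            findings.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "unknown",
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "status": "unverified",  # automated result, not yet checked by a tester
            })
        inventory[ip] = findings
    return inventory

def mark_verified(inventory, ip, port, confirmed, note=""):
    """Record the outcome of the manual check for one finding."""
    for f in inventory[ip]:
        if f["port"] == port:
            f["status"] = "confirmed" if confirmed else "false positive"
            f["note"] = note
            return f
    raise KeyError(f"no open port {port} on {ip}")

def pending(inventory):
    """Findings still to be validated before they may go in the report."""
    return [(ip, f["port"]) for ip, fs in inventory.items()
            for f in fs if f["status"] == "unverified"]
```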
19. OMG! I g0t r00t!
So what?
This brings no business value!
Dig deeper - find:
  Intellectual property
  Future projections
  Confidential or Secret documents
20. Clean up your mess!
After exploitation and digging deeper, clean up your mess!
Very important to document what you did.
If this step fails we as an industry look bad!
21. The report is the most important thing to the business
Who will get the report?
  SysAdmins get the technical details
  Management gets the summary
Spend time writing the report! Make sure it is understandable and brings value!
22. Most organizations and service providers are not doing it right
Lack of talent and focus
Many cheap providers of VA and PenTests
Reason for testing = Compliance
23. How it should be done
24. Remediation & Retesting
The report alone doesn't bring value if the issues are not fixed.
Assist the business in fixing. Provide recommendations for the issues on the report.
Retest once the business thinks they have fixed the issue