VA SCAN 2012: Securing the Future: BYOD and BeyondThe Low Hanging Fruit           of  Penetration Testing               Br...
VA SCAN 2012: Securing the Future: BYOD and Beyond                                Agenda   Speaker Introduction   What’s...
VA SCAN 2012: Securing the Future: BYOD and Beyond                 Speaker Introduction    B.S. ISY, M.S. CS – VCU    VC...
VA SCAN 2012: Securing the Future: BYOD and Beyond             What’s the Problem?                   The Low Hanging Fruit...
VA SCAN 2012: Securing the Future: BYOD and Beyond     In many organizations security is seen as a      nuisance – a “mus...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Most of the breaches are caused by issues that      would never ha...
VA SCAN 2012: Securing the Future: BYOD and Beyond                       Definitions                   The Low Hanging Fru...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Vulnerability Assessment     Penetration Testing     Social Engi...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Vulnerability Assessment           “jiggling the handle”        ...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Penetration Testing           External vs. internal           Go...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Social Engineering           Three easy words: Hacking the Human ...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Wardialing/Wardriving           Wardialing – dialing phone number...
VA SCAN 2012: Securing the Future: BYOD and Beyond            Security Testing Issues                   The Low Hanging Fr...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Penetration Testing vs. Vulnerability Assessments           Is on...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Why should we test?           FERPA, PCI, HIPAA, SOX, FFIEC, NCUA...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Why should we NOT test?           If you consider security a wast...
VA SCAN 2012: Securing the Future: BYOD and Beyond   Why don’t we test?        Our employees don’t know how to do bad th...
VA SCAN 2012: Securing the Future: BYOD and Beyond     In-house or outsource?           The first question you have to a...
VA SCAN 2012: Securing the Future: BYOD and Beyond                 Lessons Learned                   The Low Hanging Fruit...
VA SCAN 2012: Securing the Future: BYOD and Beyond     So, having said all that, what have we learned      about data bre...
VA SCAN 2012: Securing the Future: BYOD and Beyond       The Low Hanging Fruit Top Ten (1-5)   1.       Bad password mana...
VA SCAN 2012: Securing the Future: BYOD and Beyond       The Low Hanging Fruit Top Ten (6-10)   6.       Lack of security...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #1 – Bad password management                       The Low Hanging ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #2 – Default security controls                        The Low Hangi...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #2 – Default security controls                        The Low Hangi...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #3 – Incorrect permissions on web directory                This is ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #4 - Missing OS and application patches                        The ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #5 – Cross Site Scripting (XSS)                        The Low Hang...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #6 – Social Engineering    This is what you can access by pretendin...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #7 – Access to internal systems from the Internet                  ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #8 - Insecure wireless access points/modems                        ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #8 - Insecure wireless access points/modems                        ...
VA SCAN 2012: Securing the Future: BYOD and Beyond    #9 – Lack of encryption with sensitive script                      ...
VA SCAN 2012: Securing the Future: BYOD and Beyond      The real magic occurs when you get creative      Access the Regi...
VA SCAN 2012: Securing the Future: BYOD and Beyond                 Self-Audit Tools                   The Low Hanging Frui...
VA SCAN 2012: Securing the Future: BYOD and Beyond   Port Scanners        Nmap        Nessus        SuperScan 3,4     ...
VA SCAN 2012: Securing the Future: BYOD and BeyondRAPS Output:192.168.0.187 Port 5900 - VNC, Version 3.8192.168.0.187 Port...
VA SCAN 2012: Securing the Future: BYOD and Beyond   IPSec Configuration       IPSecScan         Identify open IPSec en...
VA SCAN 2012: Securing the Future: BYOD and BeyondIKE-Scan Output:192.168.1.254   Aggressive Mode HandshakeHDR=(CKY-R=509c...
VA SCAN 2012: Securing the Future: BYOD and Beyond   Web Applications       Proxies         Burp Suite         Paros  ...
VA SCAN 2012: Securing the Future: BYOD and Beyond   SSL Cipher Strength       SSLDigger       THCSSLCheck       OpenS...
VA SCAN 2012: Securing the Future: BYOD and BeyondSSLDigger Output:192.168.1.1:EXP-RC2-CBC-MD5 – (40)EXP-RC4-MD5 – (40)EXP...
VA SCAN 2012: Securing the Future: BYOD and Beyond   Dial-In        PhoneSweep             Commercial “wardialer” – can...
VA SCAN 2012: Securing the Future: BYOD and BeyondWhy do vendors insist on making it        easy for attackers?           ...
VA SCAN 2012: Securing the Future: BYOD and Beyond                   The Low Hanging Fruit of Penetration Testing10/9/2012...
VA SCAN 2012: Securing the Future: BYOD and Beyond                   The Low Hanging Fruit of Penetration Testing10/9/2012...
VA SCAN 2012: Securing the Future: BYOD and Beyond                 Rule #1 in Security             Ease of                ...
VA SCAN 2012: Securing the Future: BYOD and Beyond                       Wrap-Up                   The Low Hanging Fruit o...
VA SCAN 2012: Securing the Future: BYOD and Beyond     Data breaches affect your organization’s      reputation and can c...
VA SCAN 2012: Securing the Future: BYOD and Beyond                   Q&A                      Bryan Miller                ...
Upcoming SlideShare
Loading in …5
×

Low Hanging Fruit from Penetration Testing

895 views
793 views

Published on

This is a recent presentation I gave at the 2012 VA SCAN conference at VMI.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
895
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Low Hanging Fruit from Penetration Testing

  1. 1. VA SCAN 2012: Securing the Future: BYOD and BeyondThe Low Hanging Fruit of Penetration Testing Bryan Miller Computer Science & Information Systems Virginia Commonwealth University
  2. 2. VA SCAN 2012: Securing the Future: BYOD and Beyond Agenda Speaker Introduction What’s the Problem? Definitions Security Testing Issues Lessons Learned Self-Audit Tools Wrap Up The Low Hanging Fruit of Penetration Testing10/9/2012 2
  3. 3. VA SCAN 2012: Securing the Future: BYOD and Beyond Speaker Introduction B.S. ISY, M.S. CS – VCU VCU Network Engineer for 5 years CISSP, former Cisco CCIE in R/S FTEMS, ISSA, ISACA, IALR, VA SCAN lecturer Penetration testing for 11 years Formed Syrinx Technologies in 2007 Published author with 25 years in I.T. The Low Hanging Fruit of Penetration Testing10/9/2012 3
  4. 4. VA SCAN 2012: Securing the Future: BYOD and Beyond What’s the Problem? The Low Hanging Fruit of Penetration Testing10/9/2012 4
  5. 5. VA SCAN 2012: Securing the Future: BYOD and Beyond  In many organizations security is seen as a nuisance – a “must do” but not a “must have.”  Despite everything we know about securing systems and applications, there are new data breaches announced every week.  Organizations of every size and complexity are affected, including the government, military, commercial, R&D, banking and education. The Low Hanging Fruit of Penetration Testing10/9/2012 5
  6. 6. VA SCAN 2012: Securing the Future: BYOD and Beyond  Most of the breaches are caused by issues that would never have existed if available best practice rules had been followed.  Hacking has become commercialized.  Exploit “frameworks” lower the bar in regards to knowledge required to compromise systems. The Low Hanging Fruit of Penetration Testing10/9/2012 6
  7. 7. VA SCAN 2012: Securing the Future: BYOD and Beyond Definitions The Low Hanging Fruit of Penetration Testing10/9/2012 7
  8. 8. VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  Penetration Testing  Social Engineering  Wardialing/Wardriving The Low Hanging Fruit of Penetration Testing10/9/2012 8
  9. 9. VA SCAN 2012: Securing the Future: BYOD and Beyond  Vulnerability Assessment  “jiggling the handle”  Often required for compliance  Sometimes confused with a risk assessment The Low Hanging Fruit of Penetration Testing10/9/2012 9
  10. 10. VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing  External vs. internal  Goal is to simulate a real attacker, but with limits  How do those limits affect the testing?  How do you measure success? The Low Hanging Fruit of Penetration Testing10/9/2012 10
  11. 11. VA SCAN 2012: Securing the Future: BYOD and Beyond  Social Engineering  Three easy words: Hacking the Human  Easy to talk about, extremely difficult to prevent  Policies and education are the front line of defense The Low Hanging Fruit of Penetration Testing10/9/2012 11
  12. 12. VA SCAN 2012: Securing the Future: BYOD and Beyond  Wardialing/Wardriving  Wardialing – dialing phone numbers to look for modems  Wardriving – scanning for wireless access points  Includes 802.11, Bluetooth, Zigbee, X.10  Legal to scan but not to associate to an AP  Includes warwalking and warchalking The Low Hanging Fruit of Penetration Testing10/9/2012 12
  13. 13. VA SCAN 2012: Securing the Future: BYOD and Beyond Security Testing Issues The Low Hanging Fruit of Penetration Testing10/9/2012 13
  14. 14. VA SCAN 2012: Securing the Future: BYOD and Beyond  Penetration Testing vs. Vulnerability Assessments  Is one “better” than the other?  Which one is right for my situation?  Thorough requirements definition  Rules of engagement  What constitutes success?  Deliverables The Low Hanging Fruit of Penetration Testing10/9/2012 14
  15. 15. VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we test?  FERPA, PCI, HIPAA, SOX, FFIEC, NCUA, FIPS  Internal Audit requirements  Baseline the security posture for new management  Mergers & acquisitions  Natural complement to risk assessments The Low Hanging Fruit of Penetration Testing10/9/2012 15
  16. 16. VA SCAN 2012: Securing the Future: BYOD and Beyond  Why should we NOT test?  If you consider security a waste of good money  If you don’t want to know the answers  If you can’t or aren’t going to fix anything  If you really want to be on the local news or have someone write a magazine article about you The Low Hanging Fruit of Penetration Testing10/9/2012 16
  17. 17. VA SCAN 2012: Securing the Future: BYOD and Beyond Why don’t we test?  Our employees don’t know how to do bad things.  We already know what’s broken.  We don’t have anything hackers want.  If you tell us what’s wrong, we’ll have to fix it.  We haven’t fixed the things you found last time. The Low Hanging Fruit of Penetration Testing10/9/2012 17
  18. 18. VA SCAN 2012: Securing the Future: BYOD and Beyond  In-house or outsource?  The first question you have to answer is, “Do I have the staff with the relevant skills/tools/time?”  You might not have a choice due to auditing standards.  A good compromise is to perform internal self-tests followed by a review from a 3rd party.  Knowing something about the process makes you a better consumer. The Low Hanging Fruit of Penetration Testing10/9/2012 18
  19. 19. VA SCAN 2012: Securing the Future: BYOD and Beyond Lessons Learned The Low Hanging Fruit of Penetration Testing10/9/2012 19
  20. 20. VA SCAN 2012: Securing the Future: BYOD and Beyond  So, having said all that, what have we learned about data breaches?  They happen to organizations of all sizes and complexity.  Many of them can be prevented using best practice methods.  Many can be categorized as “low hanging fruit.”  The larger your organization, the more LHF. The Low Hanging Fruit of Penetration Testing10/9/2012 20
  21. 21. VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (1-5) 1. Bad password management 2. Default security controls 3. Incorrect permissions on files, directories, databases, etc. 4. Missing OS and application patches 5. SQL Injection, XSS, cookie, state and URL issues on web sites The Low Hanging Fruit of Penetration Testing10/9/2012 21
  22. 22. VA SCAN 2012: Securing the Future: BYOD and Beyond  The Low Hanging Fruit Top Ten (6-10) 6. Lack of security awareness 7. Access to internal systems from the Internet 8. Insecure wireless access points/modems 9. Lack of encryption (laptops, sensitive data & emails) 10. Weak physical security The Low Hanging Fruit of Penetration Testing10/9/2012 22
  23. 23. VA SCAN 2012: Securing the Future: BYOD and Beyond #1 – Bad password management The Low Hanging Fruit of Penetration Testing 10/9/2012 23
  24. 24. VA SCAN 2012: Securing the Future: BYOD and Beyond #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 24
  25. 25. VA SCAN 2012: Securing the Future: BYOD and Beyond #2 – Default security controls The Low Hanging Fruit of Penetration Testing 10/9/2012 25
  26. 26. VA SCAN 2012: Securing the Future: BYOD and Beyond #3 – Incorrect permissions on web directory This is how web defacements happen. The Low Hanging Fruit of Penetration Testing 10/9/2012 26
  27. 27. VA SCAN 2012: Securing the Future: BYOD and Beyond #4 - Missing OS and application patches The Low Hanging Fruit of Penetration Testing 10/9/2012 27
  28. 28. VA SCAN 2012: Securing the Future: BYOD and Beyond #5 – Cross Site Scripting (XSS) The Low Hanging Fruit of Penetration Testing 10/9/2012 28
  29. 29. VA SCAN 2012: Securing the Future: BYOD and Beyond #6 – Social Engineering This is what you can access by pretending to be the “Verizon guy.” The Low Hanging Fruit of Penetration Testing 10/9/2012 29
  30. 30. VA SCAN 2012: Securing the Future: BYOD and Beyond #7 – Access to internal systems from the Internet The Low Hanging Fruit of Penetration Testing 10/9/2012 30
  31. 31. VA SCAN 2012: Securing the Future: BYOD and Beyond #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 31
  32. 32. VA SCAN 2012: Securing the Future: BYOD and Beyond #8 - Insecure wireless access points/modems The Low Hanging Fruit of Penetration Testing 10/9/2012 32
  33. 33. VA SCAN 2012: Securing the Future: BYOD and Beyond #9 – Lack of encryption with sensitive script The Low Hanging Fruit of Penetration Testing 10/9/2012 33
  34. 34. VA SCAN 2012: Securing the Future: BYOD and Beyond  The real magic occurs when you get creative  Access the Registry via a blank SA password and run the reg query command to display the VNC password  Use the osql command to turn on Telnet and remotely access the server  Use the osql command to turn on xp_cmdshell  Watch keystrokes remotely via X-Windows with xspy  Download and compile a password cracking program and then run it to crack the machine’s passwords  Spoof a wireless access point and execute a MITM attack The Low Hanging Fruit of Penetration Testing10/9/2012 34
  35. 35. VA SCAN 2012: Securing the Future: BYOD and Beyond Self-Audit Tools The Low Hanging Fruit of Penetration Testing10/9/2012 35
  36. 36. VA SCAN 2012: Securing the Future: BYOD and Beyond Port Scanners  Nmap  Nessus  SuperScan 3,4  RAPS (Remote Access Perimeter Scanner)  GFI The Low Hanging Fruit of Penetration Testing10/9/2012 36
  37. 37. VA SCAN 2012: Securing the Future: BYOD and BeyondRAPS Output:192.168.0.187 Port 5900 - VNC, Version 3.8192.168.0.187 Port 5900 - VNC, NO LOGIN REQUIRED, Version 3.8192.168.0.9 Port 3389 - Terminal Server192.168.10.57 Port 5631 - pcAnywhere, Host: A1192.168.10.56 Port 1720 - NetMeeting10.2.0.139 Port 1494 – Citrix Server10.2.1.20 Port 6000 – X Server, Version 11.010.2.1.21 Port 6000 – X Server, NO LOGIN REQUIRED, Version 11.0 The Low Hanging Fruit of Penetration Testing10/9/2012 37
  38. 38. VA SCAN 2012: Securing the Future: BYOD and Beyond IPSec Configuration  IPSecScan  Identify open IPSec endpoints  IKE-Scan  Display configuration parameters  With “aggressive mode”, dump PSK and brute force The Low Hanging Fruit of Penetration Testing10/9/2012 15
  39. 39. VA SCAN 2012: Securing the Future: BYOD and BeyondIKE-Scan Output:192.168.1.254 Aggressive Mode HandshakeHDR=(CKY-R=509ca66bcabbcc3a)SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds )VID=12f5f2887f768a9702d9fe274cc0100VID=afcad713a12d96b8696fc77570100VID=a55b0176cabacc3a52207fea2babaa9VID=0900299bcfd6b712 (XAUTH)KeyExchange(128 bytes)ID(Type=ID_IPV4_ADDR, Value=192.168.1.254)Nonce(20 bytes)Hash(20 bytes) What 3 items are not best practice? The Low Hanging Fruit of Penetration Testing 10/9/2012 15
  40. 40. VA SCAN 2012: Securing the Future: BYOD and Beyond Web Applications  Proxies  Burp Suite  Paros  Scanners  Acunetix  Nikto  Nessus  HP WebInspect The Low Hanging Fruit of Penetration Testing10/9/2012 15
  41. 41. VA SCAN 2012: Securing the Future: BYOD and Beyond SSL Cipher Strength  SSLDigger  THCSSLCheck  OpenSSL The Low Hanging Fruit of Penetration Testing10/9/2012 41
  42. 42. VA SCAN 2012: Securing the Future: BYOD and BeyondSSLDigger Output:192.168.1.1:EXP-RC2-CBC-MD5 – (40)EXP-RC4-MD5 – (40)EXP1024-DES-CBC-SHA – (56)EXP1024-RC4-SHA – (56)DES-CBC-SHA – (56)(X) – Number of bits of encryption This tool is great for checking PCI compliance The Low Hanging Fruit of Penetration Testing 10/9/2012 42
  43. 43. VA SCAN 2012: Securing the Future: BYOD and Beyond Dial-In  PhoneSweep  Commercial “wardialer” – can identify modems/architecture and perform dictionary-based attacks on accounts Wireless  802.11  Aircrack-ng  Kismet  Bluetooth  Bluesnarf  BlueAuditor The Low Hanging Fruit of Penetration Testing10/9/2012 43
  44. 44. VA SCAN 2012: Securing the Future: BYOD and BeyondWhy do vendors insist on making it easy for attackers? The Low Hanging Fruit of Penetration Testing10/9/2012 44
  45. 45. VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing10/9/2012 45
  46. 46. VA SCAN 2012: Securing the Future: BYOD and Beyond The Low Hanging Fruit of Penetration Testing10/9/2012 46
  47. 47. VA SCAN 2012: Securing the Future: BYOD and Beyond Rule #1 in Security Ease of Secure Use The Low Hanging Fruit of Penetration Testing10/9/2012 47
  48. 48. VA SCAN 2012: Securing the Future: BYOD and Beyond Wrap-Up The Low Hanging Fruit of Penetration Testing10/9/2012 48
  49. 49. VA SCAN 2012: Securing the Future: BYOD and Beyond  Data breaches affect your organization’s reputation and can cost you significant money.  Software is becoming more complex while attacker tools are becoming easier to use.  The majority of data breaches can be prevented by following simple, best practice rules to eliminate low hanging fruit. The Low Hanging Fruit of Penetration Testing10/9/2012 49
  50. 50. VA SCAN 2012: Securing the Future: BYOD and Beyond Q&A Bryan Miller bryan@syrinxtech.com www.syrinxtech.com 804-539-9154 The Low Hanging Fruit of Penetration Testing10/9/2012 50

×