Your SlideShare is downloading. ×
ISACA Ethical Hacking Presentation 10/2011
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

ISACA Ethical Hacking Presentation 10/2011

2,057
views

Published on

Mind the gap between business and ethical hacking.

Mind the gap between business and ethical hacking.

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,057
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
87
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Ethical Hacking...Mind the Gap with Business ISACA Round Table 10/2011 - Xavier Mertens
  • 2. $ whoami• Xavier Mertens• Security Consultant @ Telenet (C-CURE)• CISSP, CISA, CeH• Security Blogger• Volunteer for security projects:
  • 3. $ cat disclaimer.txt“The opinions expressed in this presentationare those of the speaker and do not reflectthose of past, present or future employers,partners or customers”
  • 4. Agenda• You said “ethical hacking”?• Some frameworks• The process• Some tips
  • 5. You said “Ethical Hacking”?
  • 6. “Ethic”“A set of moral principles of right and wrongthat are accepted by an individual or a socialgroup”
  • 7. “Hacking”“Practice of modifying computer hardware/software or any other electronic device toaccomplish a goal outside of the creator’soriginal purpose. People who engage incomputer hacking activities are often called‘hackers’.”
  • 8. Hackers are good guysThe term hacker has been misrepresented inpopular media for a long time!“Hacking has nothing to do with criminal activities suchas identity theft and electronic trespassing! Rather, it[hacker] has been coined at the Massachusetts Instituteof Technology (MIT) as a term for curious individualsfor whom every device or piece of software is fullof exciting challenges to developpotential improvements or discoveralternative uses."
  • 9. But some derive...Hacking can be used to break into computersfor personal or commercial gains or formalicious activities.Those are called “Black Hats”
  • 10. Can hacking be“ethical”?Yes, of course!Using the same tools and techniques as badguys, security vulnerabilities are discoveredthen disclosed and patched (sometimes ;-)
  • 11. Ethical Hacking is...An individual who is usually employed with theorganization and who can be trusted toundertake an attempt to penetrate computersystems using the same methods as a Hacker.Ethical hacking is: • Legal • Granted by the target • Scope clearly defined / NDA • Non destructive
  • 12. Also Known As...• Pentesting• White-hat hacking• Red-teaming
  • 13. CommunitiesSecurity conference tries to create bridgesbetween the various actors active in computersecurity world, included but not limited tohackers, security professionals, securitycommunities, non-profit organizations, CERTs,students, law enforcement agencies, etc.....
  • 14. Security Researchers• Develop tools to understand how attacks work and how to reproduce it• Search for software vulnerabilities with the debate of full-disclosure vs. responsible- disclosure• Prosecuted in some countries• Research is mandatory!
  • 15. Why are we vulnerable? Features Ease of use Security New features/ease of use reduce the security or at least increase the attack surface!
  • 16. Nothing new...• Confidentiality• Integrity• Availability
  • 17. Some TestingFrameworks
  • 18. OSSTMM• “Open Source Testing Methodology Manual”• Based on a scientific method• Divided in 4 groups: Scope, Channel, Index & Vector• http://www.isecom.org/osstmm
  • 19. ISSAF• “Information Systems Security Assessment Framework”• Focus on 2 areas: Technical & Managerial• http://www.oissg.org/issaf
  • 20. OWASP Top Ten• Open Web Application Security Project• Focus on the application layer (websites)• http://www.owasp.org/
  • 21. WASC-TC• “Web Application Security Consortium Threat Classification”• Similar to OWASP but deeper• Help developers and security to understand the threats• http://projects.webappsec.org/Threat- Classification
  • 22. PTES• “Penetration Testing Execution Standard”• It is a new standard (Alpha) designed to provide both businesses and security service providers with a common language and scope for performing penetration testing• http://www.pentest-standard.org
  • 23. Forget the frameworks!• Ethical hacking is highly technical• Use your imagination!• Be “vicious”!• Think as a “bad boy”!
  • 24. Let’s use a standard• Check-lists suxx!• Reporting a list of CVE’s or MS security bulletins is irrelevant• Need of translation from technical risks into business risks • Loss of profit • Loss of confidentiality • Hit the management!
  • 25. The Process
  • 26. Process• Preparation• Reconnaissance• Scanning• Gaining access• Maintaining access• Clearing tracks• Reporting
  • 27. Preparation• Define a clear scope with the customer• Contract • Protection against legal issues • Definition of limits and danger • Which tests are permitted • Time window / Total time • Key people • NDA
  • 28. Some scope examples • An business application • Physical security • Wi-Fi • DMZ • A website • ...
  • 29. Reconnaissance• Active / Passive• Information gathering• Target discovery• Enumeration
  • 30. Scanning• Based on data collected during the reconnaissance phase• Searching for vulnerabilities to attack the target
  • 31. Gaining Access• “Target Exploration”• Exploitation of the discovered vulnerabilities• Privilege escalation
  • 32. Maintaining Access• Trying to gain/keep the ownership of the compromised system• Zombie systems
  • 33. Covering Tracks• Clear all trace of the attack• Log files• Tunneling• Steganography
  • 34. Reporting• Critical step!• At all levels, keep evidences (logs, screenshots, recordings)• Use a mind-mapping software• Think to the target audience while writing your report
  • 35. Some Tips
  • 36. Internet is your friend!• Google! All the required information is online• Documents meta-data (FOCA)• Social engineering (WE’re the weakest link) • Maltego / Facebook / LinkedIn• Fuzzing
  • 37. Build Your Toolbox• There exists specialized Linux distributions like BackTrack or Samurai• Physical tools (cables, converters, lock- picking kits• Software tools (We are all lazy people)
  • 38. Keep in mind...• Information is never far-away (often public)• Broaden your mind (react as your victim)• Everything is a question of time! ($$$)• Do not criticize customer. If they fail, don’t lauch!• Use your imagination• Be vicious!
  • 39. Conclusions
  • 40. Why EH is good?• Address your security from an attacker perspective• Some audit results might give a false sense of security• Protect company values• Preserve corporate image and customer loyalty  
  • 41. Thank You! Q&A?http://blog.rootshell.behttp://twitter.com/xme

×