
Breaking and Entering: How and Why DHS Conducts Penetration Tests

Source : RSA Conference



  1. SESSION ID: TV-R04 | #RSAC
     Robert Karas, National Cybersecurity Assessments and Technical Services (NCATS)
     BREAKING AND ENTERING: HOW AND WHY DHS CONDUCTS PENETRATION TESTS
  2. #RSAC NCCIC | National Cybersecurity and Communications Integration Center
     Penetration Tests
     • Act as Adversary
     • Common Paths to Success
       • Phishing – click rate 12%
       • Credentials: Default, Re-Used
  3. Findings (Issue / Impact / Mitigation)
     • Issue: Stakeholder believed they had 800 hosts; scan revealed over
       Impact: Flat network; a person in region 1 can access all of region 8
       Mitigation: Segment the network with a router or firewall
     • Issue: Discovered over 200 security cameras accessible with default credentials
       Impact: Physical security, theft, watching key strokes of users
       Mitigation: Change default credentials and add network filters
     • Issue: SQL Injection: successfully crafted and input a data string that enumerated web application usernames and passwords
       Impact: Unauthorized user access was achieved from the credentials to log into the web application and other devices
       Mitigation: Sanitize all input provided by an untrusted source; implement server-side controls of white-listed character sets; encrypt data stored on the
     • Issue: Discovered a WAP buried underneath paper/trash/debris and connected to the Local Area Network
       Impact: Security controls implemented were bypassed; anyone at the Starbucks next door could have connected
       Mitigation: Monitor the network for rogue devices; conduct walk-throughs to identify rogue devices
     • Issue: Phishing email sent to a limited number of employees; one forwarded it to the entire agency
       Impact: All machines were potentially compromised or had to be cleaned; IT resources allocated to mitigation and clean-up
       Mitigation: Train users to identify malicious email; technical controls
     • Issue: Password reset function allowed the reset password to be sent to any email address
       Impact: Anyone could reset an account and log into the application; this logic flaw impacted Confidentiality, Availability and Integrity
       Mitigation: Ensure passwords can only be reset by the account owner and sent to the email address of record for the account owner
  4. What Happens Next? (attack-path diagram; only the labels survive)
     Initial Attack Vector → SQL QA / SQL Server → Local Account Hash Dump → Pivot to user computers (User, User, User, Admin) → Domain Controller is accessed → Domain admin created
     Other nodes on the diagram: Domain Controller, Network Appliance, DHS
  5. Why DHS offers these services
     • Make informed, risk-based decisions
     • Eliminate remote attack paths
     • Promote data-driven decisions
  6. How DHS is helping: CYBER.DHS.GOV SERVICES
     • 15-01 – Critical Vulnerability Mitigation
     • 16-01 – Security High Value Assets
     • 16-01 – Threat to Network Infrastructure Devices
     • 16-03 – 2016 Agency Cybersecurity Reporting Requirements
     • 17-01 – Removal of Kaspersky Products
     • 18-01 – Enhance Email and Web Security
     • Vulnerability Scanning
     • Incident Response
     • Automated Indicator Sharing
     • Architecture Review
     • Hunt
     • Self Assessments
     • Risk and Vulnerability Assessments
  7. Questions? NCATS_INFO@HQ.DHS.GOV
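As an added example, not code from the slides or from DHS/NCATS: the password-reset logic flaw listed on slide 3 (the reset mailed to any caller-supplied address) shown next to the mitigation the slide names (reset sent only to the address of record for the account owner, and the token short-lived and single-use). The user store, address and in-memory token table are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the example; the address is a placeholder.
USERS = {"alice": {"email": "alice@example.test", "password_hash": None}}
RESET_TOKENS = {}            # username -> (sha256 of token, expiry time)
TOKEN_TTL_SECONDS = 900


def _issue_token(username):
    # Store only a hash of the token, with a short lifetime.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[username] = (digest, time.time() + TOKEN_TTL_SECONDS)
    return token

def vulnerable_reset(username, recipient, outbox):
    # Flaw from slide 3: the destination is taken from the request, so anyone who
    # knows a username gets that account's token. `outbox` stands in for the mailer.
    if username not in USERS:
        return False
    outbox.append((recipient, _issue_token(username)))
    return True

def fixed_reset(username, recipient, outbox):
    # Fix: the request-supplied address is never the destination. The token
    # goes only to the email of record, and the response is the same whether
    # or not the account exists, so the form does not enumerate usernames.
    account = USERS.get(username)
    if account and hmac.compare_digest(account["email"].lower().encode(),
                                       recipient.strip().lower().encode()):
        outbox.append((account["email"], _issue_token(username)))
    return True

def complete_reset(username, token, new_password):
    # Accept the token only before expiry and only once (consumed on success,
    # not on a failed guess); compare hashes in constant time.
    entry = RESET_TOKENS.get(username)
    if entry is None or time.time() > entry[1]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry[0]):
        return False
    del RESET_TOKENS[username]
    salt = secrets.token_bytes(16)
    USERS[username]["password_hash"] = salt + hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000)
    return True
```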
