encription IT security services

Penetration Testing (PowerPoint presentation)

Page 1: Penetration Testing (title slide)

Page 2: Who am I?

• Campbell Murray

• Technical Director of Encription

• Technical Panel Chair for Tigerscheme

• CHECK Team Leader (GCHQ/CESG)

Page 3: What do I do?

• Penetration Tester, aka:
  – ITSHCE (IT Security Health Check Engineer)
  – IATP (Information Assurance Testing Professional)
  – Ethical Hacker

• Many names for the same thing

Page 4: What else do I do?

• Vulnerability research

• Exploit development

• Defensive research

• Community projects – BSides / 44Con / MCSG / OWASP and more

Page 5: Why do people have pen tests done?

Page 6: Why?

• To protect?

• To detect the risk of:
  – Loss of confidentiality (theft)
  – Loss of integrity (changes to data)
  – Loss of availability (denial of service)

• i.e. the CIA triad

Page 7: Why (cont.)?

• To identify all threats arising from:
  – Exploitation
  – Privilege escalation
  – Malware / virus infection
  – Poor passwords
  – Network misconfiguration

Page 8: Why (cont.)?

  – Malicious users
  – Poor segregation of duties
  – Vulnerabilities in code
  – Opportunists / recreational attackers
  – etc.

Page 9: Threats

• The threats faced by all organisations are similar:
  – Insiders
  – Outsiders
  – Accidents

• Variously motivated

Page 10: Motivations

• State led

• Criminal

• Political

• Social

• Opportunist / recreational

• Malevolent

Page 11: Is this the reason we exist?

• Honestly, no

• The majority of companies are indifferent

• Banks accept risk and loss

• Rarely a desire to meet best practice or be 'secure'

• Post-'hacked' testing is very common

Page 12: So why then?

• Most commonly for compliance, e.g.:
  – GCSx / GSi / PSN CoCo
  – PCI DSS
  – ISO standards, e.g. ISO 27001
  – Protected environments, e.g. MoD

• Protecting IPR

• Commercially sensitive information

Page 13: Jumping in: how do we test?

Page 14: Types of test?

• White box – full disclosure

• Grey box – appropriate (partial) disclosure

• Black box – zero disclosure

• Red team – 'no rules' testing: any technique goes, but only within the agreed rules of engagement and the scope of work, which still applies

Page 15: What do we test?

• Everything and anything that we are asked to!

• E.g. desktop OS / laptops / servers / phones / web applications / 3G / VoIP / WiFi / thin clients / SAN / DR / network topology / network protocols / people / policy / process etc. etc. etc.

• Defined by the SCOPE OF WORK

Page 16: What makes us effective?

• Broad and DETAILED expertise:
  – Programming
  – Server admin (Windows / *nix / Solaris / AIX etc.)
  – Network admin
  – Application development
  – etc.

Page 17: I thought it was simpler :(

• The current market is leaning towards vulnerability assessment, i.e. tools-based testing

• Cheaper but ...

• Limited value compared to a pen test

• Tools are helpful, but without experience they are misleading

Page 18: Polarity

• The market is splitting into ...

• ... scan-based assessment, e.g. for PCI DSS

• Seen as low end

• And pen testing ...

• ... high end, but quality still varies

• The return of red teaming!

Page 19: Expertise is crucial

• We cannot FIND issues beyond those which tools provide if we do not know how to secure systems, networks or correct code

• We cannot RECOMMEND appropriate remedial action if we do not know how to secure systems, networks or correct code

Page 20: Expertise is crucial (cont.)

• We cannot JUSTIFY our results if we cannot prove them

• Clients / IT admins will not ACT on reported issues unless they understand the full risk

Page 21: What else makes us effective?

• Methodology is key to success

• 5 common stages:
  – Passive reconnaissance / OSINT
  – Fingerprinting
  – Vulnerability identification
  – Exploitation
  – Extraction / covering tracks

Page 22: Quick story

• How I hacked a bank without ever going anywhere near it!

Page 23: Moral of the story

• Pen testing is about SECURITY

• That means identifying ALL possible attack vectors

• And knowing how we could use them

• Frequently two minor vulnerabilities, when combined, can be devastating

• This requires experience, not certification

Page 24: Scope of work?

• Crucial:
  – Defines the methodology to be used
  – Defines what is 'in scope'
  – Details the legal permission given to test

• Going out of scope will see you fall foul of the Computer Misuse Act 1990 (CMA)

• Not to mention the client's wrath!!!!

Page 25: Cautionary notes

• The CMA carries stiff penalties:
  – Potential extradition to other countries
  – Criminal record

• You MUST have written permission from someone AUTHORISED to give that permission

• Research is only performed in isolated, air-gapped lab networks!

Page 26: Cautionary notes (cont.)

• You can be prosecuted for owning 'hacking' and malware-creation tools (CMA section 3A covers making, supplying or obtaining articles for use in an offence)

• Unless you can justify possession

• Akin to 'going equipped' to commit a crime, even if you haven't

Page 27: All the ducks are lined up, what next?

Page 28: Delivery

• Identify the client's soft requirements

• If on site, go prepared:
  – Health and safety
  – USB / phone limitations
  – Dress code
  – Point of contact
  – etc.

Page 29: Delivery (cont.)

• People skills are essential

• Polite but firm

• Do not allow others to impede your activity

• A sense of humour is essential

• As is fully operational kit and a plan B

• Pen and paper are just as important!

Page 30: Execution

• The GOLDEN RULE is ...

• .... NEVER leave a system less secure than you found it!

• E.g. leaving behind user accounts or other objects you created

• If a high-risk issue is found, the client must be informed immediately

Page 31: Reporting

• Good use of language

• Lots of people will read the report; make it readable

• Ability to express technical concepts simply and accurately

• Face-to-face wash-up meetings require presentation skills

Page 32: Applying your methodology

Page 33: How?

• Methodology!!!!!!

• Reconnaissance – (what is it?)

• Fingerprinting – (scan, e.g. Nmap)

• Identification – (of vulnerabilities)

• Exploit – (escalate privilege)

• Clean up – (e.g. collect your evidence such as the passwd file, then remove any test user or other objects you created, clear history and exit, so the system is left as you found it)
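Fingerprinting is the stage that turns "port 22 is open" into "OpenSSH 7.4", which is what the identification stage needs to look anything up. The Python below is an added example, not code from the slides, and a toy stand-in for what Nmap's service detection does: it grabs the banner each service volunteers on connect and matches it against a small signature table. So that it runs offline it starts its own listeners on 127.0.0.1 that speak constructed banners; the banners, the signature table and the listener helper are all assumptions for the demo, not real targets.

```python
"""Fingerprinting stage, as a toy stand-in for Nmap service detection.

Added example: not from the slides.  The listeners, banners and signature
table are constructed for the demo so it runs offline against 127.0.0.1.
"""
import re
import socket
import threading

# Constructed banners standing in for services on a target host.
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
    "ftp": b"220 (vsFTPd 3.0.3)\r\n",
}

# Minimal signature set (hypothetical); real tools carry thousands of these.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(?P<product>OpenSSH)_(?P<version>[\w.]+)")),
    ("smtp", re.compile(rb"^220 .*ESMTP (?P<product>Postfix)")),
    ("ftp", re.compile(rb"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
]


def classify_banner(banner: bytes) -> dict:
    """Map a raw banner to service/product/version, or 'unknown'."""
    for service, rx in SIGNATURES:
        m = rx.match(banner)
        if m:
            info = {"service": service, "product": m.group("product").decode()}
            version = m.groupdict().get("version")
            if version:
                info["version"] = version.decode()
            return info
    # Keep the raw text: an unknown banner is still evidence worth reporting.
    return {"service": "unknown", "raw": banner.strip().decode(errors="replace")}


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and let the server speak first; many protocols announce themselves."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def fingerprint(host: str, ports) -> dict:
    """Fingerprint each open port; result keyed by port number."""
    return {port: classify_banner(grab_banner(host, port)) for port in ports}


def serve_banner(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` and hangs up.
    Returns the ephemeral port it was given."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Stand up the fake services and fingerprint them; keyed by service name."""
    ports = {name: serve_banner(b) for name, b in FAKE_BANNERS.items()}
    results = fingerprint("127.0.0.1", ports.values())
    return {name: results[port] for name, port in ports.items()}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The point of keeping the raw text for unmatched banners is the "observation is as important as running tools" slide: a banner the signature table does not know is exactly the thing the tester, not the tool, has to interpret.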

Page 34: Reporting and testing

• Avoid the temptation to focus only on 'critical' issues

• Remember, two low-risk issues can make a high-risk attack vector

• Observation is as important as running tools

Page 35: Android App Testing Demo

Page 36: Let's have a look at ...

• Mercury (MWR Labs' Android app testing toolkit, later renamed drozer)

• A bit fiddly to set up, to be honest

• Worth the effort

Page 37: Testing Android apps

• Install the Android SDK

• Install Mercury

• Start a virtual (emulated) Android device

• Install the Mercury agent and the app you want to look at

Page 38: Testing Android apps (cont.)

• Start adb (Linux) and forward the agent's port from the device:

  $ adb forward tcp:31415 tcp:31415

• Connect with Mercury:

  mercury console connect

• Party!

Page 39: Testing Android apps (cont.)

• Get-started commands:

  list
  run scanner.provider.injection

• Derp! (the scanner reports content providers whose queries break when a quote is injected into the projection or selection)

• Now write an app to steal the data!
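What scanner.provider.injection is actually finding, and what "write an app to steal the data" means, is easiest to see in code. The Python below is an added example, not from the slides and not Mercury's own code; it uses sqlite3 to stand in for the Android SQLiteDatabase behind a ContentProvider. It shows the vulnerable pattern (a provider that concatenates the caller's projection and selection into SQL, binding only selectionArgs), the lone-quote probe the scanner module uses, a projection that dumps rows the provider meant to hide, and a hardened query beside it. The messages table, its rows, the column allow-list and the selection grammar are constructed assumptions for the demo.

```python
"""Content-provider SQL injection: the bug scanner.provider.injection looks for.

Added example: not from the slides or from Mercury.  Python's sqlite3 stands in
for the Android SQLiteDatabase; the `messages` table and its rows are constructed.
An Android ContentProvider.query() receives projection, selection and
selectionArgs from whichever app calls it.  A provider that pastes projection
or selection straight into SQL is injectable even though selectionArgs are bound.
"""
import re
import sqlite3

ALLOWED_COLUMNS = {"id", "sender", "body"}          # columns callers may see
SELECTION_GRAMMAR = re.compile(r"\w+ = \?(?: AND \w+ = \?)*")


def make_db() -> sqlite3.Connection:
    """Constructed data: one public row and one the provider must never expose."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, secret INTEGER)")
    db.executemany("INSERT INTO messages (sender, body, secret) VALUES (?, ?, ?)",
                   [("alice", "hello", 0), ("bank", "PIN is 1234", 1)])
    return db


def vulnerable_query(db, projection, selection, selection_args):
    """Mirrors db.query(TABLE, projection, selection, selectionArgs): the column
    list and the WHERE fragment are concatenated, only the args are bound."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM messages WHERE secret = 0"
    if selection:
        sql += f" AND ({selection})"
    return db.execute(sql, selection_args).fetchall()


def safe_query(db, projection, selection, selection_args):
    """Hardened provider: allow-list the projection, accept only a fixed
    `column = ?` grammar for selection, and bind every value."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    bad = set(cols) - ALLOWED_COLUMNS
    if bad:
        raise ValueError(f"projection not allowed: {sorted(bad)}")
    sql = f"SELECT {', '.join(cols)} FROM messages WHERE secret = 0"
    if selection:
        if not SELECTION_GRAMMAR.fullmatch(selection):
            raise ValueError("selection must be 'col = ?' terms joined by AND")
        bad = set(re.findall(r"(\w+) = \?", selection)) - ALLOWED_COLUMNS
        if bad:
            raise ValueError(f"selection column not allowed: {sorted(bad)}")
        if selection.count("?") != len(selection_args):
            raise ValueError("selectionArgs count does not match placeholders")
        sql += f" AND ({selection})"
    return db.execute(sql, selection_args).fetchall()


def probe_injection(query_fn, db) -> dict:
    """What the scanner module does: put a lone quote in each caller-controlled
    field and see whether the provider blows up with a SQL error."""
    probes = {
        "projection": dict(projection=["'"], selection=None, selection_args=[]),
        "selection": dict(projection=None, selection="'", selection_args=[]),
    }
    findings = {}
    for field, kwargs in probes.items():
        try:
            query_fn(db, **kwargs)
            findings[field] = False
        except sqlite3.OperationalError:   # SQL syntax error leaked: injectable
            findings[field] = True
        except ValueError:                 # rejected by input validation
            findings[field] = False
    return findings


def steal_secrets(db):
    """The 'app to steal the data': a projection that closes the intended query
    and comments out the provider's own WHERE clause."""
    return vulnerable_query(db, ["* FROM messages WHERE secret = 1 --"], None, [])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_injection(vulnerable_query, db))
    print("hardened:  ", probe_injection(safe_query, db))
    print("stolen:    ", steal_secrets(db))
```

The Android analogues of the hardening here are SQLiteQueryBuilder.setProjectionMap (so only known columns can be projected) and, on newer API levels, setStrict, plus binding every caller-supplied value through selectionArgs rather than the selection string.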

Page 40: Getting into security

Page 41: Finding a job

• I won't lie ...

• Pen testing is not for everyone

• There is competition for junior positions

• Not great pay at first :(

• Increase your chances by getting involved

• There is lots of community activity

Page 42: Community

• BSides conferences are free

• OWASP conferences are very low cost

• BSC groups and meetings

• Find online resources and contribute

Page 43: More than anything

• Gain expert-level knowledge in programming, servers and network protocols

• Understand what security is

• ... it's not just about exploits

Page 44: It works!

• Lasantha Priyankara

Page 45: Success story

• Listened to this talk

• Blogged about the demo

• Went to BSides London

• Met his current employer there

• Employed!

Page 46: Questions?