Mind the gap between business and ethical hacking.
1. Ethical Hacking... Mind the Gap with Business
   ISACA Round Table 10/2011 - Xavier Mertens

2. $ whoami
   - Xavier Mertens
   - Security Consultant @ Telenet (C-CURE)
   - CISSP, CISA, CEH
   - Security Blogger
   - Volunteer for security projects

3. $ cat disclaimer.txt
   The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers.

4. Agenda
   - You said ethical hacking?
   - Some frameworks
   - The process
   - Some tips

5. You said Ethical Hacking?

6. Ethic
   A set of moral principles of right and wrong that are accepted by an individual or a social group.

7. Hacking
   Practice of modifying computer hardware/software or any other electronic device to accomplish a goal outside of the creator's original purpose. People who engage in computer hacking activities are often called hackers.

8. Hackers are good guys
   The term hacker has been misrepresented in popular media for a long time!
   "Hacking has nothing to do with criminal activities such as identity theft and electronic trespassing! Rather, it [hacker] has been coined at the Massachusetts Institute of Technology (MIT) as a term for curious individuals for whom every device or piece of software is full of exciting challenges to develop potential improvements or discover alternative uses."

9. But some derive...
   Hacking can be used to break into computers for personal or commercial gains or for malicious activities.
   Those are called Black Hats.

10. Can hacking be ethical?
   Yes, of course!
   Using the same tools and techniques as bad guys, security vulnerabilities are discovered, then disclosed and patched (sometimes ;-)

11. Ethical Hacking is...
   An individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate computer systems using the same methods as a Hacker.
   Ethical hacking is:
   - Legal
   - Granted by the target
   - Scope clearly defined / NDA
   - Non destructive

12. Also Known As...
   - Pentesting
   - White-hat hacking
   - Red-teaming

13. Communities
   Security conferences try to create bridges between the various actors active in the computer security world, including but not limited to hackers, security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc.

14. Security Researchers
   - Develop tools to understand how attacks work and how to reproduce them
   - Search for software vulnerabilities, with the debate of full-disclosure vs. responsible-disclosure
   - Prosecuted in some countries
   - Research is mandatory!

15. Why are we vulnerable?
   - Features
   - Ease of use
   - Security
   New features / ease of use reduce the security, or at least increase the attack surface!

16. Nothing new...
   - Confidentiality
   - Integrity
   - Availability

17. Some Testing Frameworks

18. OSSTMM
   - Open Source Testing Methodology Manual
   - Based on a scientific method
   - Divided in 4 groups: Scope, Channel, Index & Vector
   - http://www.isecom.org/osstmm

19. ISSAF
   - Information Systems Security Assessment Framework
   - Focus on 2 areas: Technical & Managerial
   - http://www.oissg.org/issaf

20. OWASP Top Ten
   - Open Web Application Security Project
   - Focus on the application layer (websites)
   - http://www.owasp.org/

21. WASC-TC
   - Web Application Security Consortium Threat Classification
   - Similar to OWASP but deeper
   - Helps developers and security teams understand the threats
   - http://projects.webappsec.org/Threat-Classification

22. PTES
   - Penetration Testing Execution Standard
   - It is a new standard (Alpha) designed to provide both businesses and security service providers with a common language and scope for performing penetration testing
   - http://www.pentest-standard.org

23. Forget the frameworks!
   - Ethical hacking is highly technical
   - Use your imagination!
   - Be vicious!
   - Think as a bad boy!

24. Let's use a standard
   - Check-lists suxx!
   - Reporting a list of CVEs or MS security bulletins is irrelevant
   - Need to translate technical risks into business risks
     - Loss of profit
     - Loss of confidentiality
   - Hit the management!

25. The Process

26. Process
   - Preparation
   - Reconnaissance
   - Scanning
   - Gaining access
   - Maintaining access
   - Clearing tracks
   - Reporting

27. Preparation
   - Define a clear scope with the customer
   - Contract
     - Protection against legal issues
     - Definition of limits and danger
     - Which tests are permitted
     - Time window / Total time
     - Key people
     - NDA

28. Some scope examples
   - A business application
   - Physical security
   - Wi-Fi
   - DMZ
   - A website
   - ...

29. Reconnaissance
   - Active / Passive
   - Information gathering
   - Target discovery
   - Enumeration

30. Scanning
   - Based on data collected during the reconnaissance phase
   - Searching for vulnerabilities to attack the target

31. Gaining Access
   - Target exploration
   - Exploitation of the discovered vulnerabilities
   - Privilege escalation

32. Maintaining Access
   - Trying to gain/keep the ownership of the compromised system
   - Zombie systems

33. Covering Tracks
   - Clear all traces of the attack
   - Log files
   - Tunneling
   - Steganography

34. Reporting
   - Critical step!
   - At all levels, keep evidence (logs, screenshots, recordings)
   - Use mind-mapping software
   - Think of the target audience while writing your report

35. Some Tips

36. Internet is your friend!
   - Google! All the required information is online
   - Document meta-data (FOCA)
   - Social engineering (we're the weakest link)
   - Maltego / Facebook / LinkedIn
   - Fuzzing

37. Build Your Toolbox
   - There exist specialized Linux distributions like BackTrack or Samurai
   - Physical tools (cables, converters, lock-picking kits)
   - Software tools (we are all lazy people)

38. Keep in mind...
   - Information is never far away (often public)
   - Broaden your mind (react as your victim would)
   - Everything is a question of time! ($$$)
   - Do not criticize the customer. If they fail, don't laugh!
   - Use your imagination
   - Be vicious!

39. Conclusions

40. Why EH is good?
   - Address your security from an attacker's perspective
   - Some audit results might give a false sense of security
   - Protect company values
   - Preserve corporate image and customer loyalty

41. Thank You! Q&A?
   http://blog.rootshell.be
   http://twitter.com/xme