Social-Engineering. Hacking a mature security program. Strategic Penetration Testing

(1)

Social-Engineering

Hacking a mature security program

Strategic Penetration Testing

Dave Kennedy (ReL1K)

http://www.secmaniac.com

(2)

A Mature Security Program.

• Companies have invested a significant amount of money on securing their information.
• Application Security, Data Loss Prevention, Vulnerability Management, Monitoring and Detection, Event Correlation….

(3)

2009 to 2010

• Security conferences reported record numbers.
• Security staffing decreased...then increased.
• Estimated 1 billion spent on

(4)

2008 Breaches (PrivacyRights.org)

• In 2008 there were a total of 354 reported public data breaches.
• You might remember this one:

(5)

2009 Breaches (PrivacyRights.org)

• In 2009 there were a total of 252 reported public data breaches.
• We got better! … Wait?
• The largest breaches in history, the largest number of records disclosed, and the largest amount of PII, PCI and PHI ever disclosed in a single year.

(6)

2010 Breaches (PrivacyRights.org)

• We spent so much more this year… an estimated 34% increase in our budget.
• In 2010 there were a total of 594 reported public data breaches, over double the number from the previous year.

(7)

But we got better at detecting…..

• Out of the 594 reported, 74% of them had been compromised

(8)

Compliance

• Companies spend over 40% on compliance-driven security (Forrester).
• Compliance covers, on average, only roughly 14% of a company's "sensitive data".

(9)

What the heck happened?

• 11 years ago we discovered SQL Injection.
• 34 years ago (before I was born) we discovered buffer overflows.
• 1.6 million years ago we discovered

(10) to (20)

But buy this, it will fix it. (repeated on each of these product slides)

(28)

You get the idea….

(29)

I bet the majority of these had a security program…

• RSA, a mature security program?
• Sony, a mature security program?

(30)

How are we identifying the exposures?

• What are we accomplishing during a penetration test?
• What are we doing?

(31)

I bet the majority of these companies had pentests..

• I bet RSA had a number of penetration tests performed on a regular basis.
• MySQL gets hit with blind SQL injection? Come on…
• Most of these companies probably have personnel dedicated to security.

(32)

A Mature Program?

• I haven't seen one yet….
• I know I can compromise any organization I want.
• I know I can take everything they own and run

(37)

How to fix failing..

• I'm not saying that penetration testing is the savior.
• I'm not saying everything's bad.
• What I'm saying is we can be doing so much more….

(38)

We need…change?

• Penetration testing needs to focus on the riskiest areas in which we do business.
• Needs to be aimed at stealing, learning the organization.
• Understand that penetration testers have a week or two max; hackers have months.

(41)

Away from risk formulas and

(45)

Complexity

• I could be crazy, but we have made security so complex we have no idea what any of this stuff means anymore…

(47)

An attack targeting the company's ability to generate revenue.

(48)

The Penetration Testing Execution Standard (PTES)

• Aimed at tackling the weaknesses we have right now in the penetration testing industry.
• Focused on identifying and understanding what we want to accomplish during a penetration test.
• A clear path to mature your information

(50)

Why this is different…

• We know what we need to do in order to fix this industry.
• Collectively we can tackle the issues we see today and what we see coming in the future.

(51)

Maturity Model

• Not every company is ready for each level of a penetration test.
• Understanding a company's security appetite; maturity is assigned based on a level in PTES.
• These levels should increase as the company increases its maturity.

(53)

Pre-Engagement Interaction

• Aimed at learning the organization that you're attacking.
• Finding out what the company does and what they are getting out of it.

(54)

Intelligence Gathering

• By far, the number two most important step in the entire penetration test.
• Learning the organization and how they work.
• Finding what your best attack vector is going to

(55)

Threat Modeling

• Finding our best route into the organization that will have the most realistic impact.
• What are the keys to the kingdom? Trade

(56)

Vulnerability Analysis

• Notice I didn't say vulnerability assessments.
• Understanding what vulnerabilities may be present and doing your research on the best and most viable attack vector.

(58)

Exploitation

• Precision strike, something you have researched.
• Confidence, not a brute-force method.

(59)

Post Exploitation

• Arguably equally as important as intelligence gathering.
• Identify the key systems to inflict maximum damage or loss.

(60)

Reporting

• Often where we struggle in security.
• The most important message is delivered through reporting.
• This is the number one most important step of a penetration test, and the one we dread writing. Why?

(61)

Emphasis on Communication and Education

• We need to teach.
• We need others to understand.
• That's the only way to be successful at this.

(62)

We are all about the hack.

• This presentation showed some breakage.
• This presentation showed hacking and zero-days.
• But this presentation was designed around

(63)

We are all about domain admin.

• Guys and gals, domain admin means squat.
• Focus on destroying the company, focus on impacting the bottom line.
• Learn the company, hack it, and make them

(64)

The blame on many

• It's not just penetration testers to blame.
• It's companies who just want that check mark and don't take the time to learn security.
• It's the high-level, big-picture companies who couldn't secure your organization, let alone their own.

(67)

We are all smart

• We are equals; I'm not smarter than anyone here.
• I may have different experiences, but working together with each other's knowledge, something can actually happen.
• Support PTES, preach PTES, contribute to

(68)

Again.

• There's a lot more to security than penetration testing.
• I'm not naive enough to think this is the only thing we need to do to fix security.
• But this has got to change for us even to

(69)

Going back to the basics..

• Stay away from the shiny toys that VARs sell you.
• Stay away from that magic bullet that will fix all of your problems.
• Think about what you're doing and why you

(70)

The Big Picture

• Penetration testing aside…
• Look at what makes your company money, how they do business.

(77)

DerbyCon

• Three day conference with training
• Insanely stacked line-up
• September 30 - October 2nd
• Louisville, Kentucky - Hyatt Regency

http://www.derbycon.com
