Of security testing and assessment

 Pain in the arse

 Loudmouth
 Hacker Punk  Tells lies (professionally)

 Is called all sorts of bad words.. That I will likely say

throughout this talk
 Cant code well

 Talks $hit
 Drinks a LOT  Is an overall J3rk


OSINT SIGINT TSCM/ Bug Sweeping Exploit Development Tool Creation Attack Planning Offensive Consultation Adversarial Intelligence Competitive Intelligence Attack Modeling Business Chain Vuln Assessments Custom Physical Bypass Tool Design Reverse Engineering Other stuff I can’t write down…

Traditional InfoSec
• • • • Typical services Proposed value (Sales BS) Set up for failure WYSIWYG

Enhancing Services Value
• • • • Doing services right Mo’ value, less money Eliminating failure Custom Delivery

New Skool InfoSec
• • • • • Red Teaming (CAST:Converged Attack Surface Tesing) Insider Threat Assessment Adversarial Modeling IDCa (interactive defense capability assessment) BCVa(business chain vulnerability analysis)

Doing the same thing and expecting different results.

 A vulnerability assessment is the process of identifying, quantifying,

and prioritizing (or ranking) the vulnerabilities in a system.  http://en.wikipedia.org/wiki/Vulnerability_assessment

Reasons to Conduct
 Identify potential vulnerabilities  Provide scoring of risk & prioritization

How it’s usually done
 Run a bunch of scanners  Generate a report

of remediation
 Manage environment vulnerabilities

 **Sometimes** Generate a custom

over time to show security program improvement, defense capability increase and compliance with ongoing patch, system and vulnerability lifecycle

report consisting of copy/paste data from the Vulnerability scanners and TRY to make sure you delete the word Nessus, qualys… and/or the previous clients name

 Do not run “Dangerous or Experimental Checks” *instant 30%+ reduction in results

and overall accuracy*
 Do not perform Denial of Service  Do not run thorough checks

 Do not run Web checks
 Only run ONE brand of scanner  Limit only to known network checks  Only scan once

 A penetration test is a method of evaluating the security of a computer system or

network by simulating an attack from a malicious source... The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
 http://en.wikipedia.org/wiki/Penetration_test

Reasons to Conduct
 Identify if attackers can readily

How it’s usually done
 Do all the steps in Vulnerability

compromise the security of the business
 Identify potential impact to the

Assessment listed previously
 Run metasploit/Core/Canvas against

 Try a few other automated tools  Call it “SECURE” If those don’t work

 Confirm vulnerabilities identified  Gain a “Real World” View of an

attackers ability to “hack” the environment and resolve issues identified

 Do not allow the exploitation of systems  Restrict testing to non production systems  Restrict the hours of testing  Restrict the length of testing  Improperly scope / fail to include ALL addresses  Only perform externally  Patch/fix BEFORE the test

 Only allow directed attacks ( no SE/ Phishing)
 Lack of focus on BUSINESS risk and increased focus on technical issue

The IT risk management is the application of risk management to Information technology context in order to manage IT risk. Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. http://laresconsulting.com/risk.php

Reasons to Conduct
 Compliance with regulations  Overall health check of the InfoSec

How it’s usually done
 Whip out a checklist  Check stuff off on checklist

 Gain understanding of program

 Have a TON of interviews
 Believe every word  Do a tick mark legend and ask people

 Baseline discovery

 To show 3rd parties and customers

to provide “evidence” *which is usually faked* of THAT specific assessment *often information centric*

they are “Secure”

 Only assess controls that are in scope

 Do not allow ACTUAL/TECHNICAL testing and validation  Rely on all information provided as TRUE  Minimize scope to only include assets and controls that are part of the selected

compliance regulation and NOT the ENTIRE BUSINESS
 Allow for “Compensating Controls” to be an answer to most issues
 Expect to become compliant through outsourcing  Expect to become compliant through product purchase/implementation  Be unprepared  LIE

Stop cutting off your own fingers


 Skip it!

 Do It yourself
 Use Scanners to identify Vulns  Figure out a process to track them over

time  Manage the reduction of Vulns over time  Manage the MTTP ( Mean Time To Patch)  Do the rest and make your testers WORK hard.


 ALWAYS “Ride Along”  Connect to the REAL impact (shells don’t matter)

 Don’t use firms that have “SECRET” processes or can not

explain every step of the test and HOW they do it
 Attack like AN ATTACKER not like a script kiddie
 Use a repeatable methodology







Write Report


• Pre-Engagement • Intelligence Gathering • Threat Modelling • Vulnerability Analysis • Exploitation • Post-Exploitation • Reporting








Common misconceptions

How it’s usually done

 We will get owned, what's

 Send a 419 scam style

the point
 It will offend our users
 Doesn’t provide enough

 Track clicks
 Write a report to show who



How it SHOULD be done to generate MAX value

 MAKE IT BUSINESS FOCUSED NOT IT FOCUSED  Use multiple standards  Remove silo’s and scope restrictions  TEST, TEST, TEST (PBC docs ARE NOT SUFFICENT)  A sample set does not show the ability to secure. I crack in certain parts of the

defense chain allow for the compromise of the ENTIRE COMPANY
 ALWAYS interview each and every executive to understand THEIR concerns and build

the solutions to address THEM and not always “just for the audit”

 Discuss the VALUE of systems in relevance to the business and re-weight scores  NEVER allow a compensating control on a BUSINESS critical system. EVER

THIS is what the BIG BOYS do, catch up.

The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations, and thus test their security measures. The members are professionals who install evidence of their success, e.g. leave cardboard signs saying "bomb" in critical defense installations, hand-lettered notes saying that “your codebooks have been stolen" (they usually have not been) inside safes, etc. Sometimes, after a successful penetration, a high-ranking security person will show up later for a "security review," and "find" the evidence. Afterward, the term became popular in the computer industry, where the security of computer systems is often tested by tiger teams.

How do you know you can put up a fight if you have never taken a punch?

EP Convergance • Attacks on physical systems that are network enabled

• Network Pentesting • Surveillance/ plants

ES Convergance • Blackmail • Phishing • Profiling • Creating moles


• Lockpicking • Direct Attack

• In Person Social Engineering • Phone Conversation • Social Profiling

PS Convergance • Tailgaiting • Impersonation

Reasons to Conduct
 Real world test to see how you will hold up against a highly skilled, motivated and funded

 The only type of testing that will cover a fully converged attack surface  Impact assessment is IMMEDIATE and built to show a maximum damage event  This IS the FULL DR test of an InfoSec Program

Reasons to Conduct
 Exercises in evaluating WHO your top5 most likely attackers are  Full OSINT profiling on the Attackers and their capabilities

 Scenarios which are highly focused at Detecting, Confirming, Mitigating and Resolving

attacks that are the MOST likely to happen
 Testers are forced to use the capabilities of the likely attackers and train the team how to

be cool under fire
 The most relevant attacks are dealt with FIRST, you are not defending against the

pentester… you are prepping to the battle that WILL happen

What is it?
 Evaluate threat and risk from

 Use company provisioned asset/standard access model (limited


 Identify what data/assets can be accessed through authorized

 Identify elevation of privilege scenarios (exploit AND non-exploit


Why do it?
 Provides visibility into “what could happen”
 A user WILL be compromised at some point

 Evaluate security posture of corporate asset  External testing doesn’t always provide accurate measurement of

internal sourced threats  Identify insecure internal communication channels  Evaluate covert channel resistance/prevention

 External assessments usually only measure (1) of these (if you’re lucky)

 Measure defense capabilities internally (beyond perimeter)
    

System to system communication Level of “noise” detection Data leakage/exfil abilities Log/data correlation Incident response/forensics team’s level of knowledge/expertise

Reasons to Conduct
 Targeted at working BOTH sides of the test  Active analysis on defense capability and impreovements / feedback can be real time

 Direct understanding of where process,policy and procedure break down in a REAL LIFE

 Identification of Defensive Technology effectiveness

Reasons to Conduct
 Targeted at working on identifying BUSINESS vulns  How much can/do partners hurt you

 Where can you better defend against Partners and 3rd parties
 Who what where when and why…. Of how the business works and how it can be

materially effected by relationships



Sign up to vote on this title
UsefulNot useful