Pen Test Presentation (public) – Oct 2013
10th October 2013
Introduction
Ben Gunn – MD
26 years with UKSF
4 years with SIS
4 years CT (Police)
7 years Reservist
7 years commercial
Pen Tests on landmark buildings/systems
Olympic consultancy
Agenda
Results from Questions/Survey
HMG Contest - Protect
Penetration Test – what is it?
Types/Methods
The Threat
Physical Pen Test Methodology
ICT Pen Test Methodology
A case study (if time permits)
Summary and Close
Q and A
Survey Results - Physical
Are you concerned about the physical security of your building?
Yes 30% / No 70%
Is there a current policy in place to use Penetration Tests as part of your audit?
Yes 15% / No 85%
Have you heard of or are you aware of Physical Penetration Tests?
Yes 35% / No 65%
Survey Results - ICT
Have you heard of or are you aware of Cyber/IT Penetration Tests?
Yes 40% / No 60%
Does your company employ ethical hackers or IT Penetration Testers?
Yes 15% / No 85%
Does your employer make you aware of the Cyber Threat?
Yes 10% / No 90%
HMG CONTEST
Home Office CT Strategy
The strategy is based on 4 areas of work:
Pursue: to stop terrorist attacks
Prevent: to stop people becoming terrorists or supporting terrorism
Protect: to strengthen our protection against a terrorist attack
Prepare: to mitigate the impact of a terrorist attack
Active or passive assessments of our security systems will help us 'protect'
What is a Penetration Test?
Based on a credible or perceived threat, a Penetration Test will actively assess and evaluate the vulnerabilities of a security system, application or process and then potentially exploit those vulnerabilities
The word 'active' is emphasised: this is in contrast to theoretically assessing the vulnerabilities or conducting a paper-based audit
Two Types
The ability to penetrate a system is divided into two main categories:
Physical Penetration – carried out by lone workers or organised teams simulating the current and perceived threat from individuals 'physically' gaining access by intrusion
Technical (ICT) Penetration – carried out by lone workers or organised teams ethically hacking into an ICT system, or parts of it, and exposing its vulnerabilities
Two Scenarios – Red or Blue?
Externally – the Pen Test audit team, acting in what's known as the Red Team role, should attempt to penetrate defences with no prior knowledge of the target's configuration or vulnerabilities, and with the target asset given no knowledge of the attack timing
Internally – the Pen Test audit team, acting in what this deck calls the Blue Team role, should conduct a test with knowledge of the system's configuration and security posture, including supporting policy, response mechanisms and security awareness levels
Red Team role – sometimes referred to as a Black Box test
Blue Team role – sometimes referred to as a White Box test
Note that in wider industry usage 'Blue Team' means the defenders who detect and respond; the slide uses it for the full-knowledge test carried out from the insider's position
Threat - Methods
[Slide figure: a THREAT SPECTRUM matrix that does not survive as text. Rows: Already Occurring / Likely to Occur / Unlikely to Occur; columns run from GREATEST THREAT to LEAST THREAT. The labels recoverable from the figure are listed below.]
Threat types and the threat groups listed on the slide (paired here in the order given):
Terrorism – AQ, Irish, Domestic Extremists
Business Crime – Competitors
Public Sector – HMG, GCHQ, Police
Crime (Organised/Petty) – Media, Organised, Lone worker, Protesters
Internal – Current and ex-employees, sub-contractors
Physical / IT penetration methods plotted on the spectrum:
Media intrusion / investigation
Social engineering (personal)
Social engineering (telephone/www)
Hostile reconnaissance
Open source search (www)
Intranet search
Unauthorised access (including protest groups)
Suspicious package
Postal BIED
Vehicle BIED
Hack (including hack from foreign intelligence services and HMG hack)
Police activity
DOS
Planning
Umpires x 2
Control, Dynamic Testing, Escalation
Opsec
Rules of Engagement
Day/night/shift changeover
Health and Safety RA
Site Visit
Sequence of Events
Task Sheets
RA
Letter of Authority
P3
Cover stories, Business Facility
Layers allocated
Typical Layers
Layer 1 – Curtilage and outside the boundary
Layer 2 – FOH/Reception
Layer 3 – Non public areas
Layer 4 – Executive areas/meeting rooms
Delivery
Open source search (www)
Social engineering* (phone/email)
Hostile reconnaissance – layer 1
Hostile reconnaissance – layer 2
Social engineering
Unauthorised access - pedestrian
Unauthorised access - vehicle
Postal/courier
Suspicious package
*Post event – social engineering
Pros and Cons?
Advantages:
Highlights and exposes general and specific vulnerabilities
Assists in creating a strong security culture
Improves the effectiveness and consistency of existing controls
Can stimulate the adoption of additional cost-effective controls
Checks that P3 standards are being complied with
Can stimulate enhancements of current P3
Helps reduce the number and extent of information and physical security breaches ('protect')
Disadvantages:
Additional cost
Own goals!
The Internet
The www is a sieve, leaking sensitive information through innumerable pores that are vulnerable to an increasing number of hackers, viruses and unnamed maliciousness, which can compromise business data, steal identities or shut down organisations
All Out Attack
Testers start with a minimal amount of information
By using the techniques used by the 'hacktivist' we can assess and evaluate the vulnerabilities to a 'real-world' attack
Strict ROE
Umpired, with regular updates, and managed
The most relevant... and the most costly!
Suggested discussion points:
ROE
Budget
Timeframes
Documentation
Wireless
An invitation to test/survey Wifi networks connected to the LAN/WAN
Over the air assessment
Secure/cryptographic settings
Wireless bands and Bluetooth
Access points
Rogue access points
Report and technical recommendations
1-3 days
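The over-the-air checks on this slide (cryptographic settings, access points, rogue access points) come down to comparing what is heard on the air against what the organisation knows it operates. The Python below is an added example for this page, not code from the presentation or its author: it triages a constructed survey against a constructed authorised-AP inventory, flags weak encryption, WPS and evil twins, and rates each finding on the High/Medium/Low PSE scale the deck introduces later. The record fields, SSIDs and BSSIDs are all assumptions.

```python
"""Wireless survey triage: weak settings and rogue access points.

Added example, not code from the original presentation. The scan records
and the authorised-AP inventory below are constructed sample data, and the
normalised record fields (ssid, bssid, channel, security, wps) are an
assumption about how a survey tool's output would be tidied before review.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed inventory: SSIDs the organisation operates and the BSSIDs
# (radio MACs) authorised to broadcast each of them.
CORPORATE_SSIDS: Set[str] = {"ACME-Corp", "ACME-Guest"}
AUTHORISED_BSSIDS: Dict[str, str] = {
    "00:11:22:33:44:01": "ACME-Corp",
    "00:11:22:33:44:02": "ACME-Corp",
    "00:11:22:33:44:03": "ACME-Guest",
}

# Constructed over-the-air survey results (one record per beaconing BSSID).
SURVEY: List[dict] = [
    {"ssid": "ACME-Corp",   "bssid": "00:11:22:33:44:01", "channel": 6,  "security": "WPA2-CCMP", "wps": False},
    {"ssid": "ACME-Corp",   "bssid": "00:11:22:33:44:02", "channel": 11, "security": "WPA2-TKIP", "wps": False},
    {"ssid": "ACME-Corp",   "bssid": "aa:bb:cc:dd:ee:ff", "channel": 6,  "security": "OPEN",      "wps": False},
    {"ssid": "ACME-Guest",  "bssid": "00:11:22:33:44:03", "channel": 1,  "security": "WPA2-CCMP", "wps": True},
    {"ssid": "PrintServer", "bssid": "de:ad:be:ef:00:01", "channel": 1,  "security": "WEP",       "wps": False},
    {"ssid": "CafeWifi",    "bssid": "12:34:56:78:9a:bc", "channel": 11, "security": "OPEN",      "wps": False},
]

# Cryptographic settings a tester would report, with a PSE band taken from
# the deck's High/Medium/Low scale.
WEAK_SECURITY = {
    "OPEN":      ("no encryption; traffic readable and AP joinable by anyone", "HIGH"),
    "WEP":       ("WEP key recoverable from captured traffic",                "HIGH"),
    "WPA-TKIP":  ("WPA1/TKIP, deprecated cipher",                             "MEDIUM"),
    "WPA2-TKIP": ("TKIP still permitted alongside WPA2",                       "MEDIUM"),
}
PSE_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    bssid: str
    ssid: str
    issue: str
    pse: str


def triage(records: List[dict], corporate_ssids: Set[str], authorised: Dict[str, str]) -> List[Finding]:
    """Classify every beaconing AP as authorised, rogue or third-party and rate it."""
    findings: List[Finding] = []
    for r in records:
        bssid, ssid = r["bssid"].lower(), r["ssid"]
        is_ours = bssid in authorised
        claims_ours = ssid in corporate_ssids

        if claims_ours and not is_ours:
            # Someone else is broadcasting our network name: classic evil twin.
            findings.append(Finding(bssid, ssid, "unauthorised AP broadcasting a corporate SSID (possible evil twin)", "HIGH"))
            continue

        if is_ours:
            if authorised[bssid] != ssid:
                findings.append(Finding(bssid, ssid, f"authorised radio expected to serve {authorised[bssid]!r}", "MEDIUM"))
            if r["security"] in WEAK_SECURITY:
                issue, pse = WEAK_SECURITY[r["security"]]
                findings.append(Finding(bssid, ssid, issue, pse))
            if r.get("wps"):
                findings.append(Finding(bssid, ssid, "WPS enabled; PIN brute force recovers the passphrase", "MEDIUM"))
        else:
            # Unknown radio in range. A beacon alone cannot prove it is attached
            # to the LAN, so it is rated for follow-up rather than exploitation.
            pse = "MEDIUM" if r["security"] in WEAK_SECURITY else "LOW"
            findings.append(Finding(bssid, ssid, "unrecognised network in range; confirm it is not attached to the LAN", pse))

    return sorted(findings, key=lambda f: PSE_ORDER[f.pse])


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per PSE band for the report's summary table."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.pse] += 1
    return counts


if __name__ == "__main__":
    results = triage(SURVEY, CORPORATE_SSIDS, AUTHORISED_BSSIDS)
    for f in results:
        print(f"{f.pse:<6} {f.bssid}  {f.ssid:<12} {f.issue}")
    print(summarise(results))
```

Third-party networks that are merely in range are deliberately capped at MEDIUM: a beacon does not show whether the radio is plugged into the client's LAN, so confirming that (walking the floor, checking the switch port) is the follow-up, not the exploit.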
Web Application Security Assessment
Sites with search – Internet shopping, banking, holidays, travel, gambling, social media, communications
Why so important?
Web Applications deal with sensitive information
Logins, forgotten password etc
They query and update stored data and software
Connected to application and database servers and other architecture
5-10 days
Quicklook – Infrastructure Security
Blue team – behind the firewall
Plugged into the system
How far can they go?
How much can we find?
Security vulnerability
Weak domain passwords
Default settings
Weak infrastructure passwords
IT Security controls
3-5 days
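Behind the firewall, the weak-domain-password and default-settings checks listed above are mostly pattern work over an exported account list. The Python below is an added example, not the presentation's own code: it applies a handful of heuristics (vendor defaults, a common-password list, username-derived and organisation-derived passwords, the season-plus-year habit, length and character mix) to a constructed set of accounts and assigns a PSE band to each. The default table, the wordlist, the organisation token 'acme' and the accounts themselves are constructed sample data.

```python
"""Heuristic weak-credential review for an internal 'Quicklook'.

Added example, not code from the original presentation. The account list,
the vendor default table and the organisation tokens are constructed sample
data; in an engagement they would come from the client's directory export
and the testers' own wordlists.
"""
import re
from typing import Dict, List, Tuple

# Constructed vendor/service defaults: account name -> passwords shipped with it.
DEFAULT_CREDENTIALS: Dict[str, set] = {
    "admin": {"admin", "password", "changeme"},
    "root": {"root", "toor"},
    "sa": {"", "sa"},
}
# Constructed short list standing in for a real common-password wordlist.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123", "p@ssw0rd"}
# Season or month followed by a year, optionally a trailing ! or . ("Summer2013!").
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|winter|january|february|march|april|may|june|july|"
    r"august|september|october|november|december)\d{2,4}[!.]?$", re.I)
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed domain accounts as a tester might receive them for review.
ACCOUNTS: List[Tuple[str, str]] = [
    ("Administrator", "P@ssw0rd"),
    ("svc_backup", "Summer2013!"),
    ("jsmith", "Acme-Welcome2013"),
    ("root", "toor"),
    ("helpdesk", "Helpdesk99"),
    ("auditor", "Zq7!pL2mX"),
    ("j.doe", "Tr0ub4dor&3-Staple"),
]


def assess(username: str, password: str, org_tokens=("acme",), min_length: int = 12) -> Tuple[str, List[str]]:
    """Return a PSE band and the reasons behind it.

    Failings an attacker can exploit with a wordlist rate HIGH (an attack
    will probably succeed); policy-only failings (length, character mix)
    rate MEDIUM; a password with no findings rates LOW.
    """
    reasons: List[str] = []
    user, low = username.lower(), password.lower()

    if password == "":
        reasons.append("blank password")
    if low in DEFAULT_CREDENTIALS.get(user, set()):
        reasons.append("vendor/service default credential")
    if low in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(user) >= 4 and (user in low or low in user):
        reasons.append("derived from the username")
    if any(tok in low for tok in org_tokens):
        reasons.append("contains the organisation name")
    if SEASON_YEAR.match(low):
        reasons.append("season/month + year pattern")
    guessable = list(reasons)

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < 3:
        reasons.append("fewer than three character classes")

    if guessable:
        return "HIGH", reasons
    if reasons:
        return "MEDIUM", reasons
    return "LOW", reasons


def audit(accounts: List[Tuple[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Assess every account, keyed by username for the report."""
    return {u: assess(u, p) for u, p in accounts}


if __name__ == "__main__":
    for user, (pse, why) in audit(ACCOUNTS).items():
        print(f"{pse:<6} {user:<14} {'; '.join(why) or 'no issues found'}")
```

In practice the tester holds hashes rather than plaintext, so these heuristics are normally applied to what a cracking run recovers, and the season-plus-year and organisation-name rules double as mask and wordlist hints for that run.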
Probability of Successful Exploitation (PSE)
A Penetration Test should address all identifiable vulnerabilities, assessing each of them for the Probability of Successful Exploitation (PSE)

Colour code | PSE meaning                               | Action required
HIGH        | An attack will probably be successful     | Immediate specific review and action recommended
MEDIUM      | An attack will possibly be successful     | Review and follow-up action recommended
LOW         | An attack is unlikely to be successful    | Continue periodic review of security risk
Case Study – High Street Bank
What do we know?
Eight men were arrested after a gang stole more than £1m from a high street bank by taking control of one of its computer systems
The money was embezzled from a branch in London earlier this year, using a device known as a "keyboard, video and mouse" (KVM) switch
The hardware, which is commercially available and the size of a small laptop computer, allowed the gang to transmit the contents of the computer's desktop and take control of the machine remotely
It is believed that the device was installed by a man who pretended to be an IT engineer to gain access to the branch
Case Study – High Street Bank
What can we assume?
Open source search – sub-contractors?
Hostile reconnaissance in Layer 1 and Layer 2?
Social Engineering?
Penetration into Layer 3?
False ID – cover story?
‘Quicklook’ ICT penetration
Data was transmitted out by RF, 3G mobile?
Fact - credit cards and personal data were seized
Case Study – High Street Bank
What can we learn from this?
Bank security staff are to be congratulated on detecting the crime
Hallmarks of a classic ‘test’ scenario
Physical penetration by committed criminals
IT penetration by ‘hacktivists’
The threat is credible!
Could the vulnerabilities have been actively assessed prior to the crime?
Could this crime have been prevented?
Questions?
THANK YOU
Ben Gunn
T: +44 (0)203 1903030
T: +44 (0)1432 303030