Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed.

Presentation transcript:

Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed Security Services 2007

What is “Extrusion”
If you look it up at Wikipedia: “Extrusion is a manufacturing process used to create long objects of a fixed cross-sectional profile. A material, often in the form of a billet, is pushed and/or drawn through a die of the desired profile shape. Hollow sections are usually extruded by placing a pin or piercing mandrel inside of the die, and in some cases positive pressure is applied to the internal cavities through the pin. Extrusion may be continuous (producing indefinitely long material) or semi-continuous (producing many short pieces). Some materials are hot drawn whilst others may be cold drawn.”
However, in Information Security: “Extrusion is the leakage/theft of internal sensitive data.”

“Extrusion Attack”
Attacking “inside-out”
 If you cannot get directly to the data
 Let the Users come to you
 …and the data will follow

“Extrusion Testing” Defined
Testing the Threats that matter!
 Targeted, Internet-initiated “Extrusion Attacks”
 The Objective:
 –Demonstrate external access to internal system(s)/network(s)
 –Demonstrate external access to specific data/services
 Puts the organization's security controls & capabilities to the test against the professional attacker:
 –Web access/content security
 –Endpoint security
 –Information leak prevention
 –Network Monitoring
 –…

Extrusion Testing Methodology
 –e-footprinting & e-Social Engineering
  »Profile users in the organization
  »Trick users into accessing a specific web-site…
 –Web-borne Attack
  »Use mobile code exploits to get access to an internal user system (endpoint)
 –Full-blown Extrusion Testing
  »Escalate the attack to compromise internal business system(s) and/or network
  »Demonstrate the ability to obtain specific critical data

e-footprinting…the power of Google™

“e-social engineering”…the power of e-mail

“Web-borne” Attack – drive-by infection
 Invisible frame
 Mobile code (JavaScript, VBScript)
 Exploiting browser vulnerability
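A web-content check for the “invisible frame” pattern on this slide, as an added example that is not part of the original presentation: it scans an HTML page for iframes a user would never see (zero-size, hidden by CSS, pushed off-screen, or nested inside a hidden container). The sample page and hostnames are constructed.

```python
"""Find iframes hidden from the user, the carrier of drive-by content."""
from html.parser import HTMLParser
import re

# Constructed sample page: one visible frame, three hidden ones.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<iframe src="https://partner.example/widget" width="400" height="300"></iframe>
<iframe src="http://bad.example/x.html" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://evil.example/y"></iframe></div>
<iframe src="http://evil.example/z" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

VOID = {"br", "img", "meta", "link", "input", "hr"}  # tags with no end tag

def _style_hides(style):
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    # Off-screen placement via a large negative offset.
    return bool(re.search(r"(left|top):-\d{3,}px", s))

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_stack = []  # one flag per open ancestor: does it hide content?
        self.findings = []      # (src, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag == "iframe":
            src = a.get("src") or ""
            w = (a.get("width") or "").rstrip("px")
            h = (a.get("height") or "").rstrip("px")
            if any(self.hidden_stack):
                self.findings.append((src, "inside hidden container"))
            elif w in ("0", "1") or h in ("0", "1"):
                self.findings.append((src, f"tiny size {w or '?'}x{h or '?'}"))
            elif _style_hides(style):
                self.findings.append((src, "hidden by style"))
        if tag not in VOID:
            self.hidden_stack.append(_style_hides(style))

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

def find_hidden_iframes(html):
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings
```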

Drive-by infection by What???
 The Mechanics…
 –Spawns an IE process, not visible
 –Controls IE via OLE
 –Establishes a connection with the attacker
 –Receives commands as “HTML pages” from the attacker’s “Web Site”…
 –Sends output of commands as HTTP Requests (POST)
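A network-monitoring check for the command channel on this slide, as an added example that is not part of the original presentation: because the hidden browser fetches commands and POSTs output back to one external site at a machine-driven cadence, an outbound proxy log shows a client POSTing to the same host at nearly constant intervals, which is what the detector below flags. The log format, hosts and timestamps are constructed.

```python
"""Flag clients POSTing to one external host at a steady (beaconing) cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status bytes
SAMPLE_LOG = """\
2007-05-14T09:00:00 10.1.2.33 GET http://intranet.example/home 200 4100
2007-05-14T09:00:05 10.1.2.33 POST http://c2.example/upload.asp 200 512
2007-05-14T09:00:35 10.1.2.33 POST http://c2.example/upload.asp 200 498
2007-05-14T09:01:05 10.1.2.33 POST http://c2.example/upload.asp 200 530
2007-05-14T09:01:35 10.1.2.33 POST http://c2.example/upload.asp 200 507
2007-05-14T09:02:05 10.1.2.33 POST http://c2.example/upload.asp 200 511
2007-05-14T09:00:10 10.1.2.40 POST http://mail.example/send 200 2200
2007-05-14T09:07:41 10.1.2.40 POST http://mail.example/send 200 1800
2007-05-14T09:21:03 10.1.2.40 POST http://mail.example/send 200 3100
2007-05-14T09:58:30 10.1.2.40 POST http://mail.example/send 200 900
2007-05-14T10:33:00 10.1.2.40 POST http://mail.example/send 200 2400
"""

def parse(log):
    for line in log.splitlines():
        ts, client, method, url, status, size = line.split()
        yield datetime.fromisoformat(ts), client, method, urlsplit(url).hostname

def find_beacons(log, min_posts=5, max_jitter=0.2):
    """Return {(client, host): mean gap in seconds} for steady POST cadences."""
    posts = defaultdict(list)
    for ts, client, method, host in parse(log):
        if method == "POST":
            posts[(client, host)].append(ts)
    beacons = {}
    for key, times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: polling code has far less jitter than a human.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: POST every {gap:.0f}s")
```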

We are in!... now it's Extrusion
Actions:
 Download Files
 Upload tools

We are in!... now it's Extrusion
Execute Commands
 Under the privileges of the logged-on user
 Access internal network

We are in!... now it's Extrusion
Escalate attack
 Get access to internal critical systems
 Get critical data out of the systems

“Extrusion Testing” Facts
Usually it takes:
 a couple of days to e-footprint an organisation and launch an e-social engineering attack
 1 hour to a few days to take control of an internal endpoint… only a matter of determination
 …and then a few days, or even hours, to “stealthily” take control of critical internal business systems and data, if not of the entire network,
 and thus be able to conduct fraud, industrial espionage, sabotage, you name it
