Penetration Test Preparation
Focuses Your Team To Think Like a Hacker
What I will not cover today
- Validation: social engineering evaluation, vulnerability evaluation, pen testing evaluation
- How to become a pen tester in 30 minutes
What I will cover today
- Some very basic ways you can start to think like a hacker
Penetration Testing is often seen as something you “have to do”
Validation (social engineering evaluation, vulnerability evaluation, pen testing evaluation) is better viewed as a series of checks and balances against your existing program: something you simply “should do”.
Validation exercises are the “Consumer Reports” of your security program.
Preparing for a Penetration Test (Pen Test) can be unsettling
The way we protect our systems is often not aligned with how our systems are attacked.
The separation between the two approaches leads to the common findings we see when performing evaluations with a new customer.
The findings we discuss today are also often the first impression we get of your security. Hackers use these same findings to judge how strong your security is and whether to pursue further attacks.
Yet hackers like these issues because…..
Why do we find the same issues across all industries and sizes of companies, from small local charitable non-profits to large Fortune 100 organizations?
Probably because what we will discuss today is not cutting edge, it is not cool, it is not focused on the latest threats, and it appears basic.
Yet hackers like these issues for exactly those reasons: they are not cutting edge, they do not appear cool, they are not the latest threats, and to an attacker basic is good as long as it gets them into your systems.
Issues we see during a Penetration Test
- No self port scanning (threshold testing) of firewalls
- Lack of clarity, and sometimes of ownership, about your externally facing IPs and the assets that reside on them
- Outdated certificates and weak encryption protocols and ciphers
- No security-team testing for basic web application (OWASP) vulnerabilities
- LAN connections with no access restrictions
- Gaps in understanding which factors cause reputational harm or financial loss
Exercise One - NMAP
Most of us learned about NMAP in school or while preparing for a certification.
Lesson learned: security professionals who know how to use NMAP yet are not using it against their own systems are often surprised by evaluation findings.
Why use it? Hackers are 100% reviewing the boundaries of your IDS, firewalls and routers. Learn to see what they see; NMAP is a start.
The exercise: run three different types of NMAP scans against your own external addresses, then check your firewall and IDS logs to see whether and how each scan was recorded.
Myth - your firewall and router subscriptions keep you secure. Do not rely on them. Review your configuration; many devices are insecure by default out of the box.
Exercise Two - External Asset Review
Lesson learned: most organizations have multiple assets exposed externally. We find that organizations with more than five external IPs tend not to have a firm handle on the devices behind each IP; they cannot say who has access to the assets or who should have access.
Why it is important: malicious intruders, as part of their footprinting, are getting familiar with your external assets, and so should you if you want to defend them properly.
The exercise:
- Whiteboard (no help, in a safe zone) your externally accessible assets
- For each asset, identify as best you can who you believe has access
- Review and discuss who should have access
- Verify your results against asset management and access control
Myth - asset management and access control products are enough to defend your organization against attacks.
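Added example for Exercises One and Two, not part of the original presentation: a Python script that parses the greppable (-oG) output of an NMAP scan of your own external range and reconciles it against what the team wrote on the whiteboard, reporting hosts nobody claimed, open services the owner did not list, and listed services that did not show up. The scan output, the addresses (203.0.113.0/24 documentation range), hostnames, owners and the three NMAP command lines in the comments are all constructed for illustration.

```python
"""Reconcile a scan of your own external range against the whiteboard.

Added example for Exercises One and Two; not from the original presentation.
All addresses, hostnames, owners and scan output below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Three scan types to run against your own external range (Exercise One),
# writing greppable output; afterwards read the firewall/IDS logs for each.
# Addresses are from the 203.0.113.0/24 documentation range, not a real target.
#   nmap -sS -Pn -p-             -oG syn.gnmap     203.0.113.8/29   # TCP SYN, all ports
#   nmap -sT -sV --top-ports 100 -oG connect.gnmap 203.0.113.8/29   # full connect + banners
#   nmap -sU    --top-ports 50   -oG udp.gnmap     203.0.113.8/29   # UDP

# Constructed -oG output for a SYN + version scan.
SAMPLE_GNMAP = """\
# Nmap 7.40 scan initiated Mon Oct 31 09:00:00 2016 as: nmap -sS -sV -Pn -oG syn.gnmap 203.0.113.8/29
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/\tIgnored State: filtered (65533)
Host: 203.0.113.11 (vpn.example.com)\tPorts: 443/open/tcp//ssl|https//OpenVPN/, 22/open/tcp//ssh//OpenSSH 7.2/\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 8080/open/tcp//http-proxy//Squid/\tIgnored State: filtered (65533)
# Nmap done at Mon Oct 31 09:05:12 2016 -- 8 IP addresses (3 hosts up) scanned in 312.00 seconds
"""

# What the team wrote on the whiteboard (Exercise Two): IP -> (owner, expected open ports).
WHITEBOARD: Dict[str, Tuple[str, Set[Tuple[int, str]]]] = {
    "203.0.113.10": ("web team", {(80, "tcp"), (443, "tcp")}),
    "203.0.113.11": ("network team", {(443, "tcp")}),
    "203.0.113.13": ("mail team", {(25, "tcp")}),
}

# One greppable host line: "Host: <ip> (<name>)<TAB>Ports: <list><TAB>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")

Port = Tuple[int, str, str, str]  # (port, proto, service, version)


def parse_gnmap(text: str) -> Dict[str, Tuple[str, Set[Port]]]:
    """Return {ip: (hostname, {open ports})} from nmap -oG output."""
    hosts: Dict[str, Tuple[str, Set[Port]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no Ports: field
        ip, name, ports_field = m.groups()
        open_ports: Set[Port] = set()
        for entry in ports_field.split(", "):
            # Fields: port/state/proto/owner/service/rpc/version/
            f = entry.split("/")
            if len(f) >= 7 and f[1] == "open":
                open_ports.add((int(f[0]), f[2], f[4], f[6]))
        hosts[ip] = (name, open_ports)
    return hosts


def reconcile(scan, whiteboard) -> List[Tuple[str, str, object]]:
    """Compare observed exposure with believed exposure.

    unknown_host      : responds externally but nobody claimed it
    unexpected_service: open port the owner did not list
    expected_not_seen : listed port not observed (stale inventory or rule change)
    """
    findings: List[Tuple[str, str, object]] = []
    for ip, (_name, ports) in scan.items():
        if ip not in whiteboard:
            findings.append(("unknown_host", ip, sorted(p[0] for p in ports)))
            continue
        _owner, expected = whiteboard[ip]
        for port, proto, service, version in sorted(ports):
            if (port, proto) not in expected:
                findings.append(("unexpected_service", ip,
                                 f"{port}/{proto} {service} {version}".strip()))
    for ip, (_owner, expected) in whiteboard.items():
        seen = {(p, pr) for p, pr, _s, _v in scan.get(ip, ("", set()))[1]}
        for port, proto in sorted(expected - seen):
            findings.append(("expected_not_seen", ip, f"{port}/{proto}"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in reconcile(parse_gnmap(SAMPLE_GNMAP), WHITEBOARD):
        print(f"{kind:<19} {ip:<15} {detail}")
```

Each of the three finding types maps to a question from the exercise: an unknown host means the whiteboard, not the scan, is wrong; an unexpected service means the owner does not actually know what is reachable; an expected port that never answered usually means either the inventory is stale or a firewall rule changed without anyone noticing. Run the reconciliation once per scan type, then go to the firewall and IDS consoles and confirm each scan was logged.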
Exercise Three - Cryptographic Protocols and Communications Security
Transport-layer SSL/TLS, hashing and encryption are easy to assess from the outside and are one of the biggest first impressions your organization gives. The web example can be checked in 30 seconds; someone with your IP address can get the same information about your servers and devices in under 5 minutes.
Lessons learned:
- Vendors will not push you to update certificates on your servers or devices; there is simply no money in it
- Many firewall, router and server certificates are out of date, or the devices still enable less secure protocols and algorithms
- Externally exposed insecure certificates give a terrible first impression
The exercise: review the core certificates and TLS configuration of your website, portals, servers and all externally accessible devices.
Certificate and hashing myths:
- “TLS 1.0 is secure to use until 2018.” TLS 1.0 is still allowed by some standards (the 2018 date comes from the PCI DSS deadline for retiring it) but is not considered secure. Servers should negotiate TLS 1.1 at a minimum, preferably TLS 1.2. Do not enable SSL v2, SSL v3 or TLS 1.0 unless there is a significant business reason.
- “SHA-1 is secure.” SHA-1 has been broken in the cryptographic sense (collision attacks far cheaper than brute force are known) and is deprecated for certificate signatures, yet it is still widely accepted and used.
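Added example for Exercise Three, not part of the original presentation: a Python script with an offline policy check (evaluate) over the protocol versions, cipher suites, certificate signature algorithm and expiry date you collected for an endpoint, for example with openssl s_client and openssl x509 -text, plus a live helper (probe_protocols) built on the standard ssl module that asks a host which TLS versions it will still negotiate. The two endpoint observations and the fixed date NOW are constructed; the weak-cipher token list is an assumption about OpenSSL suite naming and is meant to be extended.

```python
"""Assess an externally visible TLS endpoint against the talk's minimum bar.

Added example for Exercise Three; not from the original presentation.
evaluate() works on an observation you collected (for example with
`openssl s_client` / `openssl x509 -text`); probe_protocols() is a live
helper that asks a host which TLS versions it still accepts.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Protocol policy from the slide: never SSLv2/SSLv3/TLS 1.0; TLS 1.1 only as a floor.
REJECT_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
LEGACY_PROTOCOLS = {"TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a cipher suite (OpenSSL naming) as weak; assumption, extend as needed.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")


def evaluate(obs: dict, now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """obs keys: protocols (set), ciphers (set), sig_alg (str), not_after (aware datetime).
    Returns [(severity, message)]; an empty list means the endpoint passes."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    for proto in sorted(obs["protocols"]):
        if proto in REJECT_PROTOCOLS:
            findings.append(("FAIL", f"{proto} enabled"))
        elif proto in LEGACY_PROTOCOLS:
            findings.append(("WARN", f"{proto} enabled; prefer TLSv1.2 or later"))
    if not obs["protocols"] & MODERN_PROTOCOLS:
        findings.append(("FAIL", "no modern protocol (TLSv1.2/TLSv1.3) offered"))
    for suite in sorted(obs["ciphers"]):
        if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(("FAIL", f"weak cipher suite {suite}"))
    alg = obs["sig_alg"].lower()
    if alg.startswith("sha1") or "md5" in alg:  # e.g. sha1WithRSAEncryption
        findings.append(("FAIL", f"certificate signed with {obs['sig_alg']}"))
    days_left = (obs["not_after"] - now).days
    if days_left < 0:
        findings.append(("FAIL", f"certificate expired {-days_left} days ago"))
    elif days_left < 30:
        findings.append(("WARN", f"certificate expires in {days_left} days"))
    return findings


def probe_protocols(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """Live check: pin min and max version to one value and see if the handshake
    completes. True = server accepted it, False = refused, None = this Python/
    OpenSSL build cannot even offer it. SSLv2/SSLv3 are never offered by the
    ssl module; use `openssl s_client -ssl3` or a dedicated scanner for those."""
    versions = [
        ("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
        ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ]
    results: Dict[str, Optional[bool]] = {}
    for name, version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # we are testing what is offered,
        ctx.verify_mode = ssl.CERT_NONE   # not validating the chain here
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer old suites
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


# Constructed observations; NOW is fixed so the expiry arithmetic is reproducible.
NOW = datetime(2016, 10, 31, tzinfo=timezone.utc)
LEGACY_ENDPOINT = {
    "protocols": {"SSLv3", "TLSv1", "TLSv1.2"},
    "ciphers": {"RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"},
    "sig_alg": "sha1WithRSAEncryption",
    "not_after": datetime(2016, 9, 1, tzinfo=timezone.utc),
}
HARDENED_ENDPOINT = {
    "protocols": {"TLSv1.2", "TLSv1.3"},
    "ciphers": {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"},
    "sig_alg": "sha256WithRSAEncryption",
    "not_after": datetime(2017, 10, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for label, obs in (("legacy", LEGACY_ENDPOINT), ("hardened", HARDENED_ENDPOINT)):
        print(label, evaluate(obs, NOW) or "PASS")
```

The policy is deliberately small and explicit so that a non-cryptographer on the team can read it and argue about it: the "significant business reason" for TLS 1.0 from the slide becomes a documented exception rather than a silent default. Feed evaluate() the results of probe_protocols() plus the certificate details from openssl, and run it across every externally reachable device, not just the main website.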
Exercise Four - SQL Injection
Lesson learned: in 85% or more of the organizations we evaluate that have SQL injection issues, the core security team is not running simple queries to test web input or checking text field validation. If we can find an issue in minutes, so can a hacker.
Why it is important: attacks against web portals and web applications are still one of the largest and most effective attack vectors. Learning a few basic queries to see whether input fields are validated correctly is 100% something all levels of security personnel can learn and perform.
The exercise:
- Go to ... and search for “testing for SQL Injection”
- Have a member who is not part of the app dev team review the OWASP Top 10
- Learn some basic queries and protect yourself against an unpleasant first impression
Myth - if you have a web application in a data center, the data center is providing security for your web application.
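Added example for Exercise Four, not part of the original presentation: the vulnerable string-built login query next to its parameterised fix, with the three simplest probes a non-developer can type into a form run against both, using an in-memory SQLite database so it works offline. The users, passwords and probe strings are constructed; the query shape is the generic login check, not any product's code.

```python
"""Three basic SQL injection probes against a login query, vulnerable and fixed.

Added example for Exercise Four; not from the original presentation. Uses an
in-memory SQLite database with constructed users, so it runs offline.
Passwords are stored in clear only to keep the injection point visible;
a real application stores password hashes.
"""
import sqlite3
from typing import Callable, Dict, Tuple

Login = Callable[[sqlite3.Connection, str, str], bool]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password) -> bool:
    # The bug: user input is concatenated straight into the statement text.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password) -> bool:
    # The fix: placeholders; the driver sends values separately from the statement.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The simplest probes a non-developer can type into a form (constructed):
PROBES = [
    ("alice", "' OR '1'='1"),   # tautology: the password check becomes always true
    ("alice'--", "anything"),   # comment out the rest of the WHERE clause
    ("alice", "'"),             # lone quote: a syntax error shows input reaches the parser
]


def run_probes(conn, login: Login) -> Dict[Tuple[str, str], str]:
    """Return 'bypass', 'rejected' or 'error: <Type>' for each probe."""
    results: Dict[Tuple[str, str], str] = {}
    for user, pwd in PROBES:
        try:
            results[(user, pwd)] = "bypass" if login(conn, user, pwd) else "rejected"
        except sqlite3.Error as exc:
            results[(user, pwd)] = f"error: {type(exc).__name__}"
    return results


def is_injectable(results) -> bool:
    """Any bypass, or any database error surfaced by a probe, is a finding."""
    return any(r != "rejected" for r in results.values())


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("parameterised", login_safe)):
        res = run_probes(db, fn)
        print(name, "injectable" if is_injectable(res) else "clean", res)
```

The same three strings are what you type into a real login, search or contact form during the exercise: an unexpected login or a database error page is the finding. The fix is parameterised queries (with input validation as a second layer), never stripping quotes from the input.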
Exercise Five - LAN Network Connection in office
Lesson learned: a very large number of customers have no segmentation on their LAN/Ethernet wall ports. Many companies feel MAC filtering or other options are a pain.
Why it is important: it gives vendors, disgruntled employees or the cleaning crew an opportunity to get on your systems. It takes some of the most secure environments we have seen and makes them very vulnerable.
The exercise:
- Plug into a network connection at work and see for yourself what you may have access to
- Review options such as guest networks, segmentation, MAC filtering, or restricting the hours when ports are enabled
Myth - the effort (pain) of MAC filtering or other limiting techniques is not worth the sacrifice in productivity.
Exercise Six - Wireless Access For Remote Users
Lesson learned: many companies today restrict external access to systems to a few key employees or executives. Policies on how they connect are often strong, yet policies on shared family Wi-Fi use are almost non-existent.
Why it is important: typically you would not use the guest Wi-Fi at the office to communicate sensitive information. So why is the Wi-Fi your teenagers and their friends are using any different? Hackers can find out who has home access; we have had cases where we could reach work laptops from outside a home via insecure networks or IoT devices.
The exercise:
- Review your home access policies and discuss acceptable usage
- Consider options for segmenting critical users
Myths:
- “Hackers are not using the home to initiate attacks on businesses.” Last week's Dyn attack (a DDoS driven largely by compromised home IoT devices) proved this myth very inaccurate.
- “Allowing your employees to use guest Wi-Fi at hotels and airports is OK.”
Exercise Seven - Gaps Protecting Against Reputation and Financial Loss
Lesson learned: security professionals often focus their protective strategies on PHI, PII, employee data, customer data or compliance mandates. Sometimes key types of data are overlooked.
Why it is important: companies that plan well can recover from many types of breaches. Exposure of some information, such as intellectual property, R&D, engineering designs or a proposal database, can be catastrophic.
The exercise:
- Schedule a meeting with IT, security, leadership and functional business department heads
- Have everyone go around and discuss their concerns and the data or risks that could cause the biggest harm
Myth - PII, PHI, employee and customer data are the single most important data elements to protect.
THANK YOU