2016-10-07_WACCI_HowToAnnoyAPentester


HOW TO ANNOY A
PENETRATION TESTER
(AND BAD GUYS TOO)
WACCI 2016
10/07/16
Mark Lachniet
[email protected]
(847-968-0155)
TRIVIA QUESTION
What 19th Century Writer is credited with having
invented the detective fiction genre?
TRIVIA QUESTION
Edgar Allan Poe: the “Dupin” novels
The first popular model of a logic-based detective – C. Auguste Dupin
"The Murders in the Rue Morgue" (1841)
Poe Found Dead, October 7th 1849 (167 years ago today)
About The Speaker
• Currently “sell stuff” at CDW (previously Berbee for Wisconsin people) and work with the CDW Threat Check team
• Previously a white-hat hacker (penetration tester), compliance nit-picker, incident responder and forensics guy
• Licensed private investigator in the state of Michigan
• On Michigan HTCIA board most years
• Whitepapers – hostile forensics, Usenet, etc.
• First person to “internetify” a pinball game that I know of (http://lachniet.com/hobbit)
• Frequent presenter to PIs, law enforcement, private sector, education, legal etc.
4
| Security solutions
Agenda
• Will focus on attacks that don’t rely on un-patched
systems but rather “working as intended”
• Discuss the ways that I have been most successful in:
• Getting access to a network
• Getting a password
• Escalating this access to administrator
• Escalating this access to diverse systems
• Give practical examples
• Give example controls and detection info
• Question and Answers
Getting In From the Outside
• On the Internet, hacking “stuff” is easy but hacking a
specific target can be hard
• Most organizations have decent firewall rules and keep
their Internet-facing servers patched
• If you have unpatched Internet-facing systems you will
probably discover this fact fairly quickly (the hard way)
• Primary means of attack over the Internet in order of
preference:
• Social engineering / Phishing
• Password guessing
• Known, attackable missing patches (i.e. Metasploit)
• Manipulation of server interfaces (i.e. Tomcat)
• Attacks on web applications (SQL injection, etc.)
Social Engineering and Phishing - Discovery
• Attacking an organization through phishing is FAR easier
than attacking it through technical means
• Many people are vulnerable to phishing, especially those
who have not been using computers their whole lives
• Humans have an in-built desire to be helpful, and attackers
take advantage of this (and will continue to do so at an
increasing rate)
• The first step is to do discovery using public records:
• Social media (LinkedIn, Facebook, etc.,)
• Scripts and software to enumerate names and e-mail
addresses from search engines
• Look for user phone / email directories on official web
sites
Social Engineering and Phishing - Discovery
• Identify generic inboxes such as marketing, accounts
payable, IT helpdesk, etc.
• Metadata from office and PDF documents – shows
actual usernames and software packages used
• Connect to webmail or SMTP and run census data
against it to identify valid usernames
• Timing attacks on Exchange server
• The goal of discovery is a list of valid user IDs / emails
• Free Tool: FOCA – https://www.elevenpaths.com/labstools/foca/index.html
• Free Tool: Maltego – https://www.paterva.com/web6/products/maltego.php
The Internet of things Fail
• So how about we connect everything in our lives to the
Internet like refrigerators, ovens, thermostats, door locks,
pet doors and surveillance cameras?
• What could go wrong? HUMANS!
• Enter the search engine Shodan.io!
• http://search.slashdot.org/story/16/01/24/0256224/iotsecurity-is-so-bad-theres-a-search-engine-for-sleepingkids
• My Shodan Search: port:554 has_screenshot:true country:"US" org:"Comcast Cable"
• i.e. show me all the systems running a system on port 554
for which a screen shot is available, for US systems
originating on Comcast Cable
• The following data was pulled from a fresh search 1/26/16
The Internet of Fail
• So how about we connect everything in our lives to
the Internet, like this office in Tracy California, and
not require a password?
The Internet of Fail
• The screen capture has a caption of CDC and we can
see (if you reverse the image in a mirror) the word
dentistry in the window
• A little searching in yelp finds us a convenient match
when we search for dentists in Tracy, CA: California
Dental Care (CDC)
• Is this a HIPAA compliance issue? It may depend on
the resolution of the camera! In this case it seems to
suck but very high resolution ones CAN read
documents from a distance, certainly see faces
• http://www.yelp.com/biz/california-dental-care-tracy
The Internet of Fail
• Yelp gives some nice pictures of the inside… sure looks like
the same desk! Note the Dell monitor and paper thingy
The Internet of Fail
• Pull up the web site and get location information including “Next to Mi Pueblo Market”
• It's Google Street View time… put in the address, find the market, find the dentist office
• If this was a pen-test we’d have an engineer go goof under the camera and take a screen cap
Nice and Stalky!
The Internet of Fail
• Or how about all of the open VNC screens at MSU?
Lessons Learned
• Controls: OpSec! Don’t put crap out there unless you have
to! Beware of friends and family posting stuff about you
(and their EXIF data). Don’t use your work address (i.e.
@ic.fbi.gov) for personal stuff
• Controls: Regularly check you and your organization’s
posture and exposure to see what is exposed
• Controls: Have user ID’s that are NOT the same as email
addresses and are not easy to discover (i.e. through
metadata). Blocking repeat connections to mail services.
• Detection: Hard to do, can be done without ever touching
one of your servers
• Detection: Could possibly see in server logs (Exchange,
web servers) but would be very hard to differentiate from
search engines
Phishing – Enticement
• Focus on: Management, billing, HR
• Avoid: IT, Risk Management, legal
• Create customized phishing emails:
• Must look legit – steal HTML signature block from boss
• Use timely information about the organization (time to
re-up your insurance, pay day, etc.)
• “bypass your organization’s firewall and content filter”
• Contests - Amazon gift card for participating in a survey
• Infected PDF documents – tracking from UPS or a
vendor invoice that looks just legit enough to open
• Free iPad! (who falls for this any more!?!)
• Request from IT staff to test new and better system
Phishing Example – The Citrix Server
• Create a fake Citrix web site registered under a name such as http://www.organization-beta.com that looks exactly like the official Citrix server (costs about $15)
• Send a phishing e-mail saying that IT is responding to user demand and rolling out a new, much faster, Citrix server and that they have been selected to test it. Fake the IT director as the source with a perfectly copied signature at the end
• The e-mail is from the lookalike domain, so any responses go to the attacker and not the IT director
• The fake web site will take their login information (user ID and password) and log it to a text file. After submitting their login, they get redirected to the real Citrix server login page
• User believes that they must have made a mistake typing in their password and often doesn’t notice the URL change
• Possibly take 3-4 logins before redirecting – the users will type in every password they know which is useful to the attacker
Results from a CDW Password Study
• Dave Reflexia from CDW’s Security Assessment Team (the
hackers) has been compiling a list of passwords from both
our customer engagements and from data dumps from
hacks
• He has performed analysis on this to identify the
characteristics of passwords “in the wild”
• Contains 933,979,289 password records
• This is very helpful for efficiently cracking the passwords
using tools such as oclHashCat
• https://blog.cdw.com/security/password-security-report
• Here are some interesting findings from the top 100 most
common passwords:
Results from a CDW Password Study
• Passwords based on the season are popular:
• Given any especially large user population, it is very
likely to find someone who takes this approach
• This often allows us to get in over the Internet if we can
find enough valid usernames through search tools
• Among the most popular are those formatted with the
season, capitalized, followed by the full year, such as
Summer2014 (3930 occurrences)
• Also popular was the same with a two-digit year such
as Summer14 (6126 occurrences)
• You will note that only one of these variations, such as
fall15, is short of the default Windows password length
of seven characters
Results from a CDW Password Study
• Also popular are variations on the word password:
• 21,328 instances of the password “password”
• Also popular was a capitalized version, with a one to
three digit number at the end, such as Password123
(19,472 instances)
• We see the perpetual trick of “leet speak” vowel
substitution, which hasn’t been a fresh idea for at least
fifteen years (12,134)
• Rounding out the top 100 were initial user passwords and help desk passwords: 34,147 passwords containing a variation on the word welcome, with Welcome1 topping out the list at 22,538 instances
• 4,105 passwords based on the word helpdesk, with good old “helpdesk” pulling in 1,629 occurrences.
Results from a CDW Password Study
• Some results on password size:

Password Size | Uniq # Found | Most common password at this size
6             | 135,819      | 123456 (2,033)
7             | 273,978      | Sales01 (3,546)
8             | 534,187      | Welcome1 (22,538)
9             | 378,426      | Password1
10            | 266,857      | [REDACTED]
11            | 132,960      | Change.Pass (1,984)
12            | 79,215       |

[Chart: “Uniq # Found” by “Password Size”, plotting the table above]
• Having an 8-character password is not surprising as it is the recommended default by Microsoft
• If you know what your opponent's minimum password size and complexity is you can greatly decrease the amount of time it will take to crack it
Passwords Guessing – Outlook only
• A lot of organizations use multi-factor authentication for stuff like VPN but DON’T use it for Outlook e-mail. This is dangerous!
• “so what if they can get e-mail, they can’t run anything”
• People often store passwords and legally interesting data in email – we sometimes search mailboxes for “pass” “password”
• If Outlook allows remote access over XMLRPC to the Internet, an attacker can set up outlook on their attacking computer, sync all the e-mail, and then create a message rule that runs an executable
• SEE: https://silentbreaksecurity.com/malicious-outlook-rules/
• Attacker can then send a message that matches the rule and get program execution on the target system! Bam!
Passwords Guessing
• Controls: User training, check service accounts, no seasons, different starter passwords for each user
• Controls: ONLY use multi-factor authentication for all external facing systems (including Outlook!)
• Note: Even multi-factor authentication won’t save your bacon if you are dumb enough to be phished. If there is a live person watching they can use your token!
• Controls: Do a password strength audit
• Detection: A long shot but you could plant fake e-mail addresses out there and look for evidence that people tried to log in using that account. Since it would likely never be a valid user any attempt would be demonstrative of profiling
• Detection: Check log files for the outlook server and any web servers associated with outlook (like OWA)
• Detection: Check all log files associated with a suspect user and geolocate them to see where they are coming from, use an IP blacklist file of TOR and VPN servers if you can find one
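The patterns the CDW password study slides keep turning up (season plus year, a weak base word with a one to three digit suffix, leet-speak vowel swaps, blank or username-equal passwords) turned into the password strength audit this slide recommends. This is an added example, not code from the talk or from CDW; the tag names, the base-word list, the leet map and the sample records are my own constructed choices.

```python
import re
from collections import Counter

# Base words the CDW study found at the top of the list; extend as needed.
WEAK_BASE_WORDS = {"password", "welcome", "helpdesk", "changeme", "letmein", "qwerty"}
# Common leet-speak substitutions, reversed so "P@ssw0rd" normalizes to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
# Season, any capitalization, followed by a two- or four-digit year (Summer2014, fall15).
SEASON_YEAR_RE = re.compile(r"(spring|summer|fall|autumn|winter)(\d{2}|\d{4})", re.I)
# Split "Welcome1" / "Password123" into a base word and a 0-3 digit suffix.
BASE_SUFFIX_RE = re.compile(r"(.*?)(\d{0,3})")


def audit_password(password, username=None, min_length=7):
    """Return the weakness tags that apply to one cleartext password.

    min_length defaults to 7, the Windows default the slides mention.
    An empty list means none of the study's patterns matched.
    """
    if not password:
        return ["blank"]
    findings = []
    if username and password.lower() == username.lower():
        findings.append("equals_username")
    if len(password) < min_length:
        findings.append("too_short")
    if SEASON_YEAR_RE.fullmatch(password):
        findings.append("season_year")
    base, _suffix = BASE_SUFFIX_RE.fullmatch(password).groups()
    normalized = base.lower().translate(LEET_MAP)
    if normalized in WEAK_BASE_WORDS:
        # Changed by undoing substitutions => leet variant; otherwise the plain weak word.
        findings.append("leet_variant" if normalized != base.lower() else "weak_base_word")
    return findings


def audit_batch(records, **kwargs):
    """Tally tags over (username, password) pairs, e.g. the output of a cracking run.

    Passwords with no findings are counted under "ok" so the totals add up.
    """
    tally = Counter()
    for username, password in records:
        tally.update(audit_password(password, username, **kwargs) or ["ok"])
    return tally


# Constructed sample records for the example, not real credentials.
SAMPLE_RECORDS = [
    ("jsmith", "Summer2014"),
    ("svc_backup", "fall15"),
    ("helpdesk", "helpdesk"),
    ("mjones", "P@ssw0rd"),
    ("cafeteria", "Welcome1"),
    ("kadams", "x7!Qp#9zL2"),
]

if __name__ == "__main__":
    for user, pw in SAMPLE_RECORDS:
        print(f"{user:12} {pw:14} {audit_password(pw, user)}")
    print(audit_batch(SAMPLE_RECORDS))
```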
Attacks on Applications
• Look for interfaces to middleware and control panels
• Sometimes can find control panels for SQL databases
• Tomcat, JBoss jmx-console – often left with a default password, can be used to upload a “WAR” file to get a command shell on the server
• Web application security attacks:
  • Time consuming and expensive
  • Test all client-side fields for proper input validation
  • May be able to find SQL injection attacks – if you can find one you can dump database contents (often including passwords) and even run commands (via xp_cmdshell)
  • See OWASP.ORG for more information
• Controls: Make sure all management ports are firewalled, all interfaces have unique passwords, test web applications for security (even if off the shelf!), require proof of third party tests from vendors, keep dev/QA systems off the Internet!
• Controls: Never trust a developer (or perhaps “trust but verify”)
Attacks on the Inside Network – Getting On
• Need to be able to connect to the inside network
• May be able to do it remotely or from guest wireless via VPN, VDI, Remote Desktop systems with a password already known
• Plug into the pass-through port on an IP phone
• Move a printer to a small hub/wireless router
• Unmonitored but connected ports – conf room, lounges, library
• Guess the wireless password (or find it written on a piece of paper at the front desk)
• Crack a wireless password (with WPA/WPA2 pre-shared keys it is possible to capture a few packets and then use wordlists or brute force attacks to identify the PSK)
Attacks on the Inside Network – Getting On
• Controls: Disable pass-through ports on phones
• Controls: Keep ports unplugged until needed
• Controls: Networking mojo - use Network Access Control (NAC) systems, limit # of MAC addresses per physical port on switch, only allow known MAC addresses (requires decent inventory)
• Controls: Make wireless passwords long and not just a simple word/number combo
• Detection: Very difficult without dedicated technology like NAC or intrusion detection. SOMETIMES can get information from switches about what port a MAC address connected to so that you can pin it to a physical location but this is rare
• Detection: Logs on any system that users can use to run programs like Citrix, VMWare, remote desktop, etc. (as these will appear to be legitimate systems from the IT point of view but could be controlled from anywhere)
Internal Attacks – Getting Started
• Once on the inside the first thing that will happen is to
discover the network ranges in use
• Use Wireshark to sniff the network and identify IP
addresses and server names, DHCP leases
• Sniff switch traffic such as the Cisco Discovery Protocol
(CDP) protocol
• Use NMAP ping sweeps to find live machines
• Use Nessus to scan live machines for known vulnerabilities
• Controls: Use very large 10.x.x.x/16 network address
spaces with sparse usage
• Detection: Easily done with intrusion prevention tools
• Detection: Search logs from multiple systems at once and
look at the timeline for bursts of unusual activity
Internal Attacks – AD Account Checking
• Assuming that you can’t identify systems that are vulnerable to attacks using known exploits and go directly to an exploit, you want to check Active Directory for easy passwords
• Some server configurations will let you enumerate all of the domain’s user ID’s without authenticating, but this is more rare on modern systems, so you will usually need an account
• Your first task as an attacker is to get at least one valid user ID and password, preferably for a somewhat privileged user
• This may be as simple as getting a login that is used for a cafeteria
• Use the low-privilege account to list all user ID’s in AD
• Check each user ID for passwords=blank, same as user ID, or 1-2 simple passwords (often works for service accounts)
• Controls: No generic accounts, even if they have minimal rights. Make sure servers require auth to list domain accounts, make sure all accounts have a password that is not blank or equal to the user ID
• Detection: Server logs! Look for more than one failed login in a minute or so. This one can be found with forensics on a limited number of machines (tip: look for workstation names that don’t fit)
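A detector for the Detection bullet above: a burst of failed logons for several different accounts from one source within a minute, with the “workstation name that doesn't fit” tip built in. This is an added example, not from the talk; the one-line log format, the WKS-/LT- naming convention and the sample records are constructed for the example (4625 is the real Windows failed-logon event ID).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-event export of Security log logon events
# (4625 = failed logon, 4624 = successful); real exports are EVTX/XML.
SAMPLE_LOG = """\
2016-10-07T09:10:41 4625 user=alice ws=WKS-0412
2016-10-07T09:10:49 4624 user=alice ws=WKS-0412
2016-10-07T09:31:02 4625 user=svc_backup ws=DESKTOP-4F9K2
2016-10-07T09:31:03 4625 user=svc_sql ws=DESKTOP-4F9K2
2016-10-07T09:31:03 4625 user=cafeteria ws=DESKTOP-4F9K2
2016-10-07T09:31:04 4625 user=jsmith ws=DESKTOP-4F9K2
2016-10-07T09:31:05 4625 user=admin ws=DESKTOP-4F9K2
2016-10-07T09:45:17 4625 user=alice ws=WKS-0412
"""

LINE_RE = re.compile(r"(\S+) (\d{4}) user=(\S+) ws=(\S+)")
# Assumed corporate naming convention; anything else "doesn't fit".
KNOWN_WORKSTATION_RE = re.compile(r"^(WKS|LT)-\d{4}$")


def parse_failed_logons(text):
    """Return (timestamp, account, workstation) for every 4625 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, user, ws = m.groups()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), user, ws))
    return events


def find_guessing_bursts(events, window=timedelta(seconds=60), min_accounts=3):
    """Flag a source workstation that fails logons for min_accounts distinct
    accounts inside one sliding window. One user mistyping twice stays below
    the bar; a spray across the user list does not."""
    recent = defaultdict(deque)   # workstation -> (ts, user) still inside the window
    open_alerts = {}              # workstation -> alert dict being extended
    alerts = []
    for ts, user, ws in sorted(events):
        q = recent[ws]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) < min_accounts:
            continue
        alert = open_alerts.get(ws)
        if alert is None:
            alert = {"workstation": ws, "start": q[0][0].isoformat(),
                     "unknown_name": not KNOWN_WORKSTATION_RE.match(ws),
                     "accounts": set()}
            open_alerts[ws] = alert
            alerts.append(alert)
        alert["end"] = ts.isoformat()
        alert["accounts"] |= accounts
    for alert in alerts:
        alert["accounts"] = sorted(alert["accounts"])
    return alerts


if __name__ == "__main__":
    for a in find_guessing_bursts(parse_failed_logons(SAMPLE_LOG)):
        print(a)
```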
Fake AP Wireless Attacks
• Can use the “fake Access Point” wireless attack
• Many Windows systems remember AP’s they have connected to and constantly broadcast looking for them
• The Fake AP sees these broadcasts and impersonates a previous AP such as a coffee shop so the client will connect to it (only works for open access points, not WPA, etc.)
• Once connected, the attacker can view traffic to get passwords (if unencrypted HTTP, Telnet, etc.)
• Use a look-alike “captive portal” to get user to put in password
• Can also manipulate what is seen by modifying traffic
• Fake AP attacks can also be useful to get onto Ethernet as many machines allow both to be connected at once
• Controls: Don’t let Windows “remember” previous access points, use wireless kill key when plugged in
• Detection: Modern wireless systems can detect “rogue access points” but in densely populated areas it is worthless because there are too many – may require a laptop walk-through looking for strong signals
Attacking Name Resolution: Responder.py
• If you can’t get that first user ID, you can attack systems with misconfigured name resolution systems
• Responder.py is demonstrative of this attack:
• Issue occurs when machines are not properly configured to use the local name resolution system (DNS)
  1. Windows tries to resolve names like SERVER1 or cnn.com
  2. If the machine cannot resolve the name using DNS, it resorts to LLMNR and NetBIOS which are *broadcast* on the local network
  3. Any machine that sees the broadcast may respond that it is them, and hence get the machine to connect to them and the malicious processes they are running (like Responder.py)
• Common for IT people who like to set up their own machines, since they are too cool to accept restrictive group policy
Attacking with Responder.py
• Works especially well for systems that are not domain joined machines, such as those owned by IT admins and guests
• The best attack is to pretend to be WPAD.organization.org and serve up a proxy-auto-config (PAC) file
• The PAC file lists the attacker as being the proxy to use for Internet browsing, hence we can Man-In-The-Middle all traffic
• Responder lets us do things like pop up authentication windows in order to access web servers, log user ID’s and passwords, and even modify HTML on the fly to inject executables, etc.
• Controls: Make sure that you have a WPAD server defined in the correct DNS system so that machines don’t resort to insecure name resolution, ensure that DNS is properly configured – especially for domain joined systems and in DHCP leases, don’t let machines that aren’t properly configured on secure networks, find “lost” machines
• Detection: IPS, network logging – probably not stored in normal log files
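The LLMNR fallback the two Responder slides describe, seen from the wire for the “network logging” detection: LLMNR is a DNS-format packet on UDP 5355, so a small parser can pull out the name a host failed to resolve through DNS and flag queries, and above all unicast answers, for names like wpad or the isaproxysrv name that appears in the Responder log below. This is an added example, not from the talk or from Responder; the watch list and sample packets are constructed.

```python
import struct

LLMNR_PORT = 5355   # UDP; queries go to multicast 224.0.0.252 / FF02::1:3
# Names a poisoner on the segment wants to answer for: wpad plus the proxy
# name from the Responder log on the next slide.
WATCHLIST = {"wpad", "isaproxysrv"}
QTYPE_NAMES = {1: "A", 28: "AAAA", 12: "PTR"}


def _read_name(data, offset):
    """Decode DNS-style labels. The question comes first in the packet, so a
    compression pointer there has nothing to point at and is rejected."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(data):
    """Parse the header and the single question of an LLMNR packet (RFC 4795)."""
    if len(data) < 12:
        raise ValueError("short header")
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = _read_name(data, 12)
    if offset + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": tid,
        "response": bool(flags & 0x8000),   # QR bit: someone answered
        "conflict": bool(flags & 0x0400),   # C bit
        "name": name,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "answers": ancount,
    }


def classify(pkt):
    """Tags for a parsed packet. Any LLMNR traffic at all means DNS did not answer."""
    name = pkt["name"].lower()
    tags = []
    if name in WATCHLIST:
        tags.append("watchlist_name")
    if "." in name:
        tags.append("fqdn_fell_back_to_llmnr")   # DNS should have resolved this
    if pkt["response"]:
        tags.append("unicast_answer")             # some host claimed the name
        if name in WATCHLIST:
            tags.append("possible_poisoning")
    return tags


def build_llmnr_query(name, qtype=1, tid=0x1234):
    """Encode a standard LLMNR query, the same layout a Windows client sends
    when DNS resolution fails (used here only to construct test input)."""
    header = struct.pack("!6H", tid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed answer for "wpad", like the one the Responder log shows being
# sent: same question with the QR bit set. Header and question only; the
# answer record is omitted because the parser does not read it.
_q = build_llmnr_query("wpad")
SAMPLE_RESPONSE = bytes([_q[0], _q[1], _q[2] | 0x80, _q[3]]) + _q[4:]

if __name__ == "__main__":
    for pkt in (build_llmnr_query("wpad"), build_llmnr_query("cnn"),
                build_llmnr_query("fileserver.corp.example"), SAMPLE_RESPONSE):
        parsed = parse_llmnr(pkt)
        print(parsed["name"], parsed["qtype"], parsed["response"], classify(parsed))
```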
Attacking with Responder.py
• Example: the WPAD server (from my log files)
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested
was : OFFICECUBES-015.
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested
was : wpad.
[+]WPAD (no auth) file sent to: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested
was : isaproxysrv..
Client IP is: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested
was : cnn
Requested URL: http://www.bing.com/search?q=cnn&src=IETopResult&FORM=IE10TR
name
name
name
name
Complete Cookie: _FS=mkt=en-US&NU=1;
_SS=SID=D4BDAC3EFAA0459AA61EE66D4C33B36C;
MUID=24A89A3984E36E6E24F79C4685FC6E88;
OrigMUID=24A89A3984E36E6E24F79C4685FC6E88%2c367b40a8a956494f
b9d5b3a227458330; SRCHD=D=3448476&MS=3448476&AF=IE10SS;
SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20140722
Client IP is: 172.16.12.34
Windows Server Name Resolution Attacks
• From the inside, plugged into your network (or your wireless) we have other tricks like the sticky samba:
  • To do this, use a customized version of SAMBA (a Windows fileshare emulator) that is configured for this purpose
  • See: http://www.foofus.net/~jmk/passhash.html for patches, or use Metasploit
  • The SAMBA server will automatically respond to all broadcast requests for a Windows file share by clients on the network and hold up its electronic hand saying “Oh! Oh! That’s me!” (just like Responder.py)
  • When the client connects, we get their password hash and can then crack it
  • Does tend to cause a lot of tech support calls for internal staff, as every single Windows request on that “broadcast domain” can go to our server and fail
• Controls/Detection: Same as Responder.py
Internal Penetration and Pivoting
• Once I get a user ID and password, I start looking to see what this account will get me into – usually this is a large chunk of workstations (if not all workstations, if not all windows systems, if not all systems)
• Scan all Windows machines with Medusa to see if I can log in. If I can, I can browse around the machine (as is the case when “Domain Users” is added as a user group to domain members)
• If I have local administrator access (“Domain Users” is added as a member of local administrators) we dump the local password hashes and session tokens
• This allows me to get the credentials of every user that has a password cached on the machine, or that has a local account (often a service account or domain admin)
• I then use THOSE accounts to scan each machine in the environment and repeat the process, until I finally find a cached credential for a domain administrator
Internal Penetration and Pivoting
• Then I crack that hash and use it to pull data from a domain controller for analysis using volume shadow copy to get NTDS.DIT (the database of user Active Directory)
• Once we have pulled the passwords from the domain controller, we run them through a password cracker in order to create statistics on how long it takes to crack the passwords
• Compare the “average” organization with target for time to crack
• Identifies the most common passwords and where in use
• Useful for identifying very bad passwords very quickly, often these are used to get into yet more systems
• In penetration tests, these passwords are not used only on Windows machines but on SQL databases, network devices, appliances, physical security systems, etc.
• Find exceptions to the password complexity rules
• Often find leftover account provisioning passwords (changeme)
Example Trust Relationship Compromise
Internal Penetration and Pivoting (East/West)
• Controls:
  • Don’t allow local administrator rights for users
  • Add individual domain user accounts as local machine users, not “Domain Users”
  • Don’t use the same local administrator password in more than one place (painful!).
  • Don’t use the same admin password for more than one type of system (i.e. AD and Cisco and SQL)
  • Don’t log on to workstations with domain admin accounts unless absolutely necessary (use split-admin roles).
  • Enable workstation firewalls and network segmentation so I can’t connect and pull the data in the first place.
• Detection: Have an alarm set so you get a text or email every time a new domain admin is made.
• Detection: Workstation logs showing login attempts (will require a lot of log pulling if you don’t have an IPS)
Random Passwords, Random Places
• Another common mistake of organizations is a failure to accurately identify their sensitive information and appropriately handle it from “cradle to grave”
• Once I get a domain user account password (or preferably domain admin account) one of the first things I do is connect to the organization’s various file shares and search for all files containing the word ‘password’ in them
• Inevitably, I will find passwords for various internal systems, scripts and batch files that get run automatically, passwords used for testing, passwords for vendors or service accounts, text files or spreadsheets with users’ personal passwords to gmail and such
• Approximately 50% of the time I can find a password for the organization, about 25% of the time it is an admin password.
• Searching through e-mail – amazing what people put in there
• Often allows escalation (to banking, DNS/SSL providers, etc.)
Random Passwords, Random Places
• Controls: Training!
• Controls: Use a password safe so you can safely store your passwords
• Controls: Log in as admin, do a keyword search for all files containing the word password. Weep.
• Detection: A lot of activity from one host? (will be accessing every bit of every file on servers)
• Detection: Alerts if an account tries to access too many denied file shares? (often a search will just be pointed at the “user” or “group” drive root since they don’t want to do each directory individually)
Messing with IT Administrators
• IT Admin workstations are useful to hack!
• They don’t like doing things the same way as everyone else (for example having a domain joined computer)
• Install a key logger and then complain about the firewall
• Look for device configuration backup files (especially Cisco routers and switches that use the easily decrypted “password type 7” format)
• Look for cached passwords in programs like PuTTY or WinSCP. We may not be able to reveal the password but we can often change the IP address and change it from SSH to Telnet, then sniff the traffic as it connects to our system to get password
• Proxy through their workstation to get to restricted networks
• Review documentation, work notes, etc. for passwords
• Controls: Make IT admin workstations AT LEAST as secure, don’t store backups with passwords in them, don’t cache passwords in windows or office documents (use a password safe)
Connect to Everything!
• Make a list of all the Telnet, SQL, FTP, web interfaces, etc.
found during port and Nessus scanning
• Connect to each of them and find out what they are for – a
good way to find interesting services on random ports
• Research product on Internet – what is the default
password? Try it!
• This has gotten us into countless APC power devices, video
surveillance systems, SAN/NAS devices, etc.
• Multi-Function Printing (MFP) devices are especially
interesting if they have a LDAP connection to AD for scan
to home folder functionality – have found many devices
with default printer credentials but with configured LDAP
credentials that we could steal to get domain access
• SQL databases are also interesting, often have no or stupid
passwords – users often don’t even know they are there
Logging and Incident Response
• Many organizations do not have formal oversight of
information security (i.e. a group that meets regularly to
talk about security risks, track findings and tasks, etc.)
• Most organizations do not have a good logging system, let
alone a way to use log data proactively to identify abuse
• While some organizations do have an incident response
plan, many don’t and those that do have one that isn’t
terribly good
• The most effective way to catch a hacker is a combination
of technology (logging systems) and human oversight
(someone to tune and monitor systems)
• Unannounced penetration tests are useful for testing staff
• Consider the following Hierarchy of logging – each level
assumes all of the levels below it
Lachniet’s Hierarchy of Logging
Logging and Incident Response
• Even basic logging, providing it is stored off-device and
includes minimal information such as IP addresses, ports,
administrative actions, etc. is better than nothing
• Can then be used in the event that you have a particularly
nasty incident that involves fraud, pornography, etc.
• Example: Simply getting an email any time a user is
added to “Domain Admins” or “Enterprise Admins”
• Example: Getting a list of all new user adds and having
helpdesk staff tie these back to a specific ticket so they can
see if they are all legitimate
• Example: Logins to Internet-facing systems (from other
countries, from multiple simultaneous locations, during odd
hours when they should be sleeping or on-site, etc.)
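The first two examples on this slide, worked against Windows Security event XML: alert whenever event 4728 or 4756 (member added to a security-enabled global or universal group) names Domain Admins or Enterprise Admins, and collect event 4720 (user account created) so the helpdesk can reconcile each new account against a ticket. This is an added example, not from the talk; the event records are constructed in the real Windows event XML layout, and the ticket queue is a stand-in set.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4728: member added to a security-enabled global group (Domain Admins)
# 4756: member added to a security-enabled universal group (Enterprise Admins)
# 4720: a user account was created
GROUP_ADD_EVENTS = {"4728", "4756"}
USER_CREATED_EVENT = "4720"
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}


def parse_event(xml_text):
    """Flatten one <Event> into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "event_id": system.findtext("e:EventID", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        record[data.get("Name")] = data.text or ""
    return record


def triage(records):
    """Split records into privileged-group alerts and new-account entries."""
    alerts, new_accounts = [], []
    for r in records:
        group = r.get("TargetUserName", "")
        if r["event_id"] in GROUP_ADD_EVENTS and group.lower() in PRIVILEGED_GROUPS:
            alerts.append({"time": r["time"], "group": group,
                           "member": r.get("MemberName", ""),
                           "by": r.get("SubjectUserName", ""), "dc": r["computer"]})
        elif r["event_id"] == USER_CREATED_EVENT:
            new_accounts.append({"time": r["time"], "account": r.get("TargetUserName", ""),
                                 "by": r.get("SubjectUserName", "")})
    return alerts, new_accounts


def unticketed(new_accounts, ticketed):
    """New accounts with no matching helpdesk ticket (ticketed is the stand-in ticket queue)."""
    return [a for a in new_accounts if a["account"].lower() not in ticketed]


def format_alert(alert):
    """One line for the text or e-mail the slide asks for."""
    return (f"[{alert['time']}] {alert['by']} added {alert['member']} to "
            f"{alert['group']} on {alert['dc']}")


def _event(event_id, time, **data):
    """Build a constructed Security event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>DC01.corp.example</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample events; names, OUs and times are made up for the example.
SAMPLE_EVENTS = [
    _event("4728", "2016-10-07T14:02:11Z", MemberName="CN=Bob Jones,OU=Users,DC=corp,DC=example",
           TargetUserName="Domain Admins", SubjectUserName="helpdesk01"),
    _event("4728", "2016-10-07T14:05:40Z", MemberName="CN=Ann Lee,OU=Users,DC=corp,DC=example",
           TargetUserName="Sales", SubjectUserName="helpdesk01"),
    _event("4756", "2016-10-07T16:20:03Z", MemberName="CN=svc_backup,OU=Service,DC=corp,DC=example",
           TargetUserName="Enterprise Admins", SubjectUserName="svc_backup"),
    _event("4720", "2016-10-07T16:21:15Z", TargetUserName="tmp_contractor", SubjectUserName="svc_backup"),
    _event("4720", "2016-10-07T09:00:02Z", TargetUserName="nwilson", SubjectUserName="helpdesk02"),
]
TICKETED_ACCOUNTS = {"nwilson"}   # constructed stand-in for the ticket queue


def run(events=SAMPLE_EVENTS, ticketed=TICKETED_ACCOUNTS):
    """Return (privileged-group alerts, new accounts without a ticket)."""
    alerts, new_accounts = triage(parse_event(e) for e in events)
    return alerts, unticketed(new_accounts, ticketed)


if __name__ == "__main__":
    alerts, suspicious = run()
    for a in alerts:
        print(format_alert(a))
    for n in suspicious:
        print("no ticket:", n)
```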
Physical Security and Social Engineering
• Did a combo framework assessment (policy) and penetration test for a large religious organization
• Requested some physical security review, in particular if we could get into a certain floor and steal PHI
• I wasn’t assigned to the physical security project, but I was walking in with a co-worker to check in on the first day
• Saw that we were in an elevator with a number of badged employees and asked “hey, do you guys know where the big printer on floor #6 is? I’m told it keeps sticking and malfunctioning and was sent to fix it” (there is always a misbehaving big printer somewhere)
• Staff badged me in and showed me the mail room and printer
• Got a cup of coffee, made myself at home…
• About 15 minutes later…..
Physical Security and Social Engineering
• The same types of attacks are happening through the phone (i.e. the “Microsoft Technical Support” phone calls), and are obviously happening through e-mail, and we are bad at defense!
• Conducting targeted SE engagements can give you a better read on employee awareness, complemented by service-based learning and phishing platforms for long-term awareness
Training and Testing
• You can never get too much security training
• Consider using LMS system and make sure that all users
take it (get a nasty-gram from H.R.)
• Send your IT people to decent training
• Use real-world phishing exercises to make the point
• Scan your own stuff, regularly.
• Periodically contract real red team / penetration tests (try
to make sure they don’t suck first)
• Get practice and procedure reviews to help prioritize
funding and prioritize over multiple years
• Test your people and test your tools, you need both!
Product Integration
• All of the things I have mentioned are fairly basic, simple things to do, most of which are low cost (except political)
• We can further reduce our residual risk through leading-edge security products, particularly if used correctly:
  • Log the heck out of everything
  • Identify odd executables in traffic, “detonate” and alert
  • Content filters that can proxy HTTPS traffic (and especially identify unusual traffic afterwards)
  • Good workstation software that can block most known attacks (whitelisting if you can manage it!)
  • Web filtering at the office and on the road
  • Filtering through protected DNS servers
  • Multi-factor authentication
  • System inventory and patching software
Q&A / Discussion
Thank You!