
The LBMC Family of Companies LATTIMORE BLACK MORGAN & CAIN, PC LBMC TECHNOLOGIES, LLC LBMC EMPLOYMENT PARTNERS, LLC

Current Trends and Successful Techniques for Conducting Penetration Testing. Presented by: The LBMC Security Services Practice Group, Thomas Lewis, CISSP, CISA. October 28, 2008.


Presentation Transcript


  1. Current Trends and Successful Techniques for Conducting Penetration Testing
  Presented by: The LBMC Security Services Practice Group
  Thomas Lewis, CISSP, CISA
  October 28, 2008
  The LBMC Family of Companies: LATTIMORE BLACK MORGAN & CAIN, PC; LBMC TECHNOLOGIES, LLC; LBMC EMPLOYMENT PARTNERS, LLC; LBMC STRATEGIC STAFFING, LLC; LBMC INVESTMENT ADVISORS, LLC; LBMC HEALTHCARE GROUP, LLC; LBMC eHEALTH SOLUTIONS, LLC; LBMC PLANNING SERVICES, LLC

  2. Who is speaking to me?
  Thomas Lewis, CISSP, CISA and Partner, LBMC
  Thomas Lewis has over 13 years' experience assisting Fortune 500 clients with the development of security solutions for complex environments. Currently, he is the Partner in charge of LBMC’s Security Services Practice. Thomas is responsible for the design, development and implementation of several information security departments. Additionally, he is a frequent speaker for local and national organizations including the Information Systems Security Association (ISSA), MIS Institute, Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA). He has been quoted in publications such as The Tennessean, YAHOO! News, Business Wire, Nashville Business Journal and the Nashville City Paper. In addition to Thomas’ information security consulting experience, he also has several years' experience with three of the “Big 5” accounting firms conducting information systems audit and other attest engagements. Thomas is the founding president of the Middle Tennessee ISSA chapter. He has been active within the ISSA organization on a local and international level. Thomas is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE) and Certified Information Systems Auditor (CISA). He received his Master’s degree from the University of Tennessee and Bachelor’s degree from David Lipscomb University.

  3. Overview
  • Why should I care?
  • What is a penetration test?
  • What is the difference between a penetration test and a vulnerability assessment?
  • Current trends in penetration testing
  • Current successful techniques in penetration testing

  4. Why should I care?
  Cybercrime statistics from the 12th Annual Computer Crime & Security Survey:
  • Between 2006 and 2007 there was a net increase in IT budget spent on security.
  • Significantly, however, the percentage of IT budget spent on security awareness training was very low, with 71% of respondents saying less than 5% of the security budget was spent on awareness training, and 22% saying less than 1% was spent on such training.
  • 71% of respondents said their company has no external insurance to cover computer security incident losses.
  • 90% of respondents said their company experienced a computer security incident in the past 12 months.
  • 64% of losses were due to the actions of insiders at the company.

  5. Why should I care?
  • Our 2007 US ID Fraud Report found that all ID crimes totaled $49.3B in the previous twelve months, with 16% of those known-cause crimes being directly related to the consumer’s use of online services (4% online purchases or transactions, 4% phishing, 8% malware on the consumer’s PC).
  • U.S. Treasury advisor Valerie McNevin quoted a 2004 Treasury Department report which stated that cybercrime profits surpassed those of drug smuggling, taking in more than $100 billion that year alone.
  • Security is more important in a down economy.
  • Compliance factor.

  6. What a penetration test is and what it is not!
  • A true penetration test is a simulation of an attack (target profiling, target vulnerability analysis).
  • A penetration test is not a Nessus scan.
  • A pen test should have three points of view: technical, physical and human (social).
  Security is not “point and click”; you need experienced people who have the insight necessary to think like a hacker to find all the ways in which your organization is vulnerable to attack. Don’t let anyone lead you to believe that all the answers come from running a software tool, which is NOT a penetration test.

  7. What a penetration test is and what it is not!
  • Technical focuses on system-related weaknesses that can be exploited. These may be in infrastructure (e.g. operating systems, databases, firewalls, routers, etc.) or applications.
  • Physical focuses on the physical security weaknesses that can be exploited. Typically, these are due to poor facility designs or shared multi-tenant facilities.
  • Human focuses on security weaknesses in us!

  8. What is the difference between a vulnerability assessment and a penetration test?
  • A vulnerability assessment is a comprehensive examination of all vulnerabilities within a system. Typically, you only try to discover the vulnerabilities; you don’t exploit them.
  • A penetration test is a simulation of an attack where your goal is to find a vulnerability that you can exploit and that leads you to your target. Once you gain access to your target the game is over. You don’t necessarily need to discover all the vulnerabilities within a system.
  • Why would you choose one over the other?

  9. Current Trends in Penetration Testing
  • Less success with infrastructure vulnerabilities
  • A growing trend toward social engineering (e.g. phishing)
  • Web applications are common targets with great success rates
  • VoIP is the new upcoming target

  10. What do these trends mean?
  • Improving configuration and patch management
  • Weak physical security
  • Weak user awareness
  • Weak security processes within application development

  11. Current Successful Techniques in Penetration Testing
  • Interesting CDs
  In this scenario, our target was to gain access to a client’s internal systems from an external Internet point. We were permitted to use any means necessary to accomplish our goals. We had escorted physical access to the client’s site. We determined the best attack vector to be social engineering users into giving access to their userids and passwords. We developed 10 CDs that were labeled “ClientName Reorganization and Compensation Plan”. These CDs contained a program that we developed which would call back to our systems with the computer name and info about the target. The program would ask the user for their network userid and password prior to access to the information. During our normal course of business we “dropped” these CDs in common areas throughout the client’s facilities. Within hours we had several network userids and passwords, which we could then use to gain access to the client network via the Internet.

  12. Current Successful Techniques in Penetration Testing
  • Email Spoof with Fake Web Site
  In this scenario, our goal was to gain access to internal systems from a remote site. We could not use physical testing within our scope but could use social engineering techniques. Based upon our preliminary work, we determined the best attack vector would be a social engineering attempt to gain login credentials. We set up a fake “benefits survey” site that contained a “1” in the domain name where the valid site would have an “l”. We determined the email alias scheme from the target’s website. We sent spoofed emails to employees listed on the website and from information gained elsewhere. The email contained the link to the fake survey site, and the first step in the process was for the employee to enter their username and password to gain access to the survey. Within minutes of the email we had several login credentials that allowed us to compromise the internal network.
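The lure in this case study worked because a “1” in the host name passes for an “l” at a glance. The following is an added defensive example, not part of the LBMC presentation: a small Python check that a mail gateway or SOC script could run over inbound messages to flag URLs whose host name, once visually confusable characters are folded, collides with one of the organisation's own domains, or that embed a trusted domain as a subdomain of someone else's. The trusted domain `examplebank.com`, the confusable table, and the sample email are all constructed for illustration; a production version would consult a public-suffix list instead of the two-label approximation used here.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the domains the organisation actually owns.
TRUSTED_DOMAINS = {"examplebank.com"}

# Character swaps that produce visually similar host names. The "1" for "l"
# substitution is the one the case study above describes; the rest are other
# common confusables (assumption: this table is illustrative, not exhaustive).
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "1": "l",
    "0": "o",
    "5": "s",
    "3": "e",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Fold confusable characters so 'examp1e.com' compares equal to 'example.com'."""
    host = host.lower().rstrip(".")
    # Multi-character confusables ("rn") must be folded before single ones.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is consulted, so names such as
    'example.co.uk' would need a real PSL lookup in production.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(host: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one host name."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in trusted:
        return "trusted"
    trusted_norm = {normalize_host(t) for t in trusted}
    norm = normalize_host(host)
    # Same name once confusables are folded: examp1ebank.com vs examplebank.com.
    if registrable_domain(norm) in trusted_norm:
        return "lookalike"
    # Trusted name used as a subdomain of someone else's domain:
    # examplebank.com.survey-host.example.net
    if any(norm.startswith(t + ".") for t in trusted_norm):
        return "lookalike"
    return "unknown"


def scan_message(text: str, trusted: set) -> list:
    """Extract every URL in a message and classify its host."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not host:
            continue
        findings.append({"url": url, "host": host, "verdict": classify_host(host, trusted)})
    return findings


# Constructed sample: a benefits-survey lure of the kind the case study describes.
SAMPLE_EMAIL = """\
From: HR Benefits <benefits@examplebank.com>
Subject: Annual benefits survey - action required

Please complete the survey by Friday:
  https://benefits.examp1ebank.com/survey/login
Questions? See https://intranet.examplebank.com/hr
Unsubscribe: http://examplebank.com.survey-host.example.net/opt-out
"""


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{finding['verdict']:9s} {finding['host']}")
```

Run stand-alone, the script reports the survey link and the “unsubscribe” link as `lookalike` and the intranet link as `trusted`. The two-stage comparison matters: checking the raw registrable domain first keeps a legitimate name containing “rn” or “0” from being folded into something else, and only hosts that fail that check are normalised and compared against the normalised trusted set.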

  13. Current Successful Techniques in Penetration Testing
  • Bank and Restroom
  In this scenario, our target was to gain physical and/or logical access to a bank’s datacenter and banking applications. We profiled our target from external logical and physical perspectives and determined the physical aspect was the best attack vector. We gained access to the bank facilities during normal business hours and stationed our consultant in the restroom facilities until several hours after the bank closed. At that point, our consultant gained access to workstations, network ports and the datacenter, which compromised the majority of the bank’s controls and countermeasures.

  14. Current Successful Techniques in Penetration Testing
  • Hard Infrastructure/Weak Web Application
  In this scenario, our target was to gain access to sensitive data through an external remote location. We could not use physical or social engineering testing. We determined the client’s infrastructure had been secured to the point where penetration was not feasible. However, the client was hosting several web applications via the Internet. We performed several manual testing procedures on the web applications and gained access to the underlying data, which was patient healthcare information. We then used the vulnerabilities in the web application to launch a remote shell back to us, which allowed us to compromise the host system; we then compromised the entire client network. We also gained control of the client’s physical security systems and security cameras from the remote location.

  15. Recap
  • Both penetration testing and vulnerability assessments are much more than running scans.
  • Web applications and social engineering are the two popular targets/techniques of the day, with VoIP on the near horizon.
  • Strong security awareness programs and secure coding practices are two functions that organizations cannot afford to overlook.

  16. What should you do now?
  • Prepare a risk/threat assessment
  • Fund, develop and implement an appropriate InfoSec function based upon risk
  • Develop and implement a configuration management program
  • Develop and implement a testing and validation program

  17. Current Trends and Successful Techniques for Conducting Penetration Testing
  Thank You for Your Attendance
  tlewis@lbmc.com
