When a vulnerability assessment > pentest

Presentation Transcript


When a vulnerability assessment > pentest

The Anomaly


$whoami

  • Network Security for Dept of VA

  • Father/Husband

  • Fan of Futbol (Viva Mexico!)

  • Fan of Martial Arts

  • Brazilian JiuJitsu



What is a Pentest?

  • Recon

  • Pwnage

  • Pillage

  • Loot

  • Report


What is a Pentest?

  • http://www.pentest-standard.org/

  • http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

  • http://www.offensive-security.com/offsec/sample-penetration-test-report/


Injustice!


Testing pens

  • How to not get a good pentest?

  • http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html

  • Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.”

  • http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html


Pwning noobs

  • Cons and breaking stuff tracks/talks

  • Social Media: If you break stuff, talk about how to fix it.

  • Reporting is seriously lacking


Pentesting


Pentesting – my wife hits me

  • “Why don’t you find their weaknesses and then help them fix it?”


Vulnerability Assessment


Vulnerability Assessment

  • Scan, how? Inside, external, credentials, IPS, firewalls

  • Agent based vs passive vs active

  • Results integration

  • Results reporting

  • Team player


Scan how?

  • Scanner Location

    • Inside network, outside network

    • Denial of service

    • Nmap


Scan how?

  • Exclusions for Scanners

    • White box vs. Black box

    • Firewalls, IPS


Scan how?

  • Credentials

    • Windows Desktops and Servers

    • Linux/Unix servers with SSH account/keys

    • SNMP strings

    • Cisco/Networking SSH credentials

    • Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more.

    • https://lists.immunityinc.com/pipermail/dailydave/2013-February/000334.html


Credentials?

  • Risks

    • Capture credentials

      • Use ssh keys

      • Never send clear text credentials

      • Secure your scanner applications

      • Passive vulnerability scanning (SPAN port)


Scan how?

  • Remember HD Moore’s Law

    • “Casual attacker power grows at the rate of Metasploit.”

    • – Joshua Corman


Agent vs Active scanning

  • Agent Pros

    • Near real time

    • No network traffic

    • No outages caused by scans

  • Agent Cons

    • May not be installed

    • May not be possible to install

    • Some vulns cannot be found


Vuln Assessment and Patch Mgt


Vuln Scanning: doing it right

  • Internal Scans

  • Credentialed Scans – Linux, Windows, Network devices

  • Vendor-provided exploit availability and frameworks

  • Coordinate HIPS/NIPS, Firewall exclusions


Scan Data integration

  • Integrate with Org CMDB

  • SA information

  • Satellite Server

  • SCCM

  • WSUS

  • BigFix


Scan Data integration

  • Sys Admin information

  • SA POC information (part of CMDB)

  • Sys Admin deemed important information

  • Manual updates from Sys Admins


Scan Data integration

  • Satellite Server

  • SCCM

  • WSUS

  • BigFix/Tivoli Endpoint Manager (TEM)

  • Red Hat patch info integration

  • Compare with Scan info


Scan Data integration

  • Where does all this data go?

    • Access DB

    • Custom app with DB backend

    • Excel spreadsheet

    • GRC – Governance, Risk and Compliance

    • Any other solutions?


Scan data

  • Incident Response

  • Import into org SIEM or incident correlation tool


Scan Reporting

  • Executive reports on important issues

  • Report on Org specified critical findings

  • Organizational severity scoring


Scan Reporting

  • Java JRE vuln – RCE

    • Base Score = 9.3

    • Temporal Score = 7.7

    • Final Score = ?


Scan Reporting

  • Default Credentials

  • Exploitable Vulns

  • Malware identification vulns

  • Indicators of Compromise

  • Configuration Auditing

  • More?


Call to Action

  • Do work!

  • Improve scanning

  • Improve Patch Mgt

  • Integrate

  • Consolidate data

  • Customize to org needs

  • Work as a team (Security, Sys Admin, Devs, Operations, etc.)


Questions?
