Extrusion Testing: testing your controls “inside-out” against the threats that actually matter

Presentation Transcript



Extrusion Testing…testing your controls “inside-out” against the threats that actually matter!

Panos Dimitriou, MSc InfoSec, CISSP, CISM

Director, Managed Security Services

2007



What is “Extrusion”

If you look it up at Wikipedia:

“Extrusion is a manufacturing process used to create long objects of a fixed cross-sectional profile. A material, often in the form of a billet, is pushed and/or drawn through a die of the desired profile shape. Hollow sections are usually extruded by placing a pin or piercing mandrel inside of the die, and in some cases positive pressure is applied to the internal cavities through the pin. Extrusion may be continuous (producing indefinitely long material) or semi-continuous (producing many short pieces). Some materials are hot drawn whilst others may be cold drawn.”

However in Information Security:

“Extrusion is the leakage/theft of internal sensitive data.”



“Extrusion Attack”

Attacking “inside-out”

  • If you cannot get directly to the data

  • Let the Users come to you

  • …and the data will follow



“Extrusion Testing” Defined

Testing the Threats that matter!

  • Targeted, Internet-initiated “Extrusion Attacks”

  • The Objective:

    • Demonstrate external access to internal system(s)/network(s)

    • Demonstrate external access to specific data/services

  • Puts the organization's security controls & capabilities to the test against the professional attacker:

    • Web access/content security

    • Endpoint security

    • Information leak prevention

    • Network Monitoring



Extrusion Testing

Methodology

  • e-footprinting & e-Social Engineering

    • Profile users in the organization

    • Trick users into accessing a specific web-site…

  • Web-born Attack

    • Use mobile code exploits to gain access to an internal user system (endpoint)

  • Full-blown Extrusion Testing

    • Escalate attack to compromise internal business system(s) and/or network

    • Demonstrate ability to obtain specific critical data



e-footprinting…the power of Google™



“e-social engineering”…the power of e-mail





“Web-born” Attack – drive-by infection

Invisible frame

  • Mobile code (JavaScript, VBScript)

  • Exploiting browser vulnerability
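The “invisible frame” on this slide is the delivery vehicle: the page the user was tricked into visiting embeds an iframe that the user never sees, and that frame loads the mobile code. A web content security control can look for exactly that. The scanner below is an added example for this page (it is not from the original presentation); it uses only the Python standard library, and the sample HTML, the hostnames and the hiding heuristics are constructed assumptions, not taken from the slides.

```python
"""Flag iframes that are hidden from the user (zero-size or removed by CSS),
which is how the drive-by page on the slide carries its payload.
Added example, not from the original presentation; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser

# Constructed sample page: one ordinary iframe, one zero-size iframe,
# one iframe pushed off-screen and hidden by CSS.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<iframe src="https://intranet.example/report" width="600" height="400"></iframe>
<iframe src="http://198.51.100.7/x.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://203.0.113.9/y.html" style="display: none; position:absolute; left:-9999px"></iframe>
</body></html>
"""

# CSS fragments that take a frame out of view; percentages and relative
# sizes are deliberately not treated as evidence of hiding.
HIDING_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


def _dimension(value):
    """Parse a width/height attribute ('0', '1px') into a float; None if unusable."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    if v.endswith("%"):
        return None
    try:
        return float(v)
    except ValueError:
        return None


def _is_hidden(attrs):
    """Heuristic: a frame of at most 1px in either dimension, or hidden by inline CSS."""
    attrs = dict(attrs)
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return any(marker in style for marker in HIDING_MARKERS)


class HiddenFrameScanner(HTMLParser):
    """Collects the src of every iframe that the heuristics consider hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(dict(attrs).get("src", ""))


def find_hidden_iframes(html):
    """Return the src values of hidden iframes in the given HTML, in document order."""
    scanner = HiddenFrameScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

The visible report frame passes; the zero-size frame and the CSS-hidden frame are reported. In a real gateway the same check would run on the response body before it reaches the browser, and a hit would be a reason to block or at least log the page rather than proof of an exploit, since hidden frames also have benign uses (tracking, single sign-on).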



drive-by infection by What???

  • The Mechanics…

    • Spawns an IE process that is not visible

    • Controls IE via OLE

    • Establishes a connection with the attacker

    • Receives Commands as “HTML pages” from the attacker’s “Web Site”…

    • Sends output of commands as HTTP Requests (POST)
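From the network monitoring side, the mechanics above leave a recognisable trace: one internal client keeps fetching “pages” from a single external host and POSTing back to it, at close to fixed intervals, because the hidden IE process is polling for commands and returning their output. The detector below is an added example for this page (not from the original presentation): it reads a constructed, simplified proxy log format, groups POST requests by client and destination host, and reports pairs whose POST timing is regular enough to look like a command channel. The log format, the addresses and the thresholds are assumptions.

```python
"""Find client/host pairs that POST at near-regular intervals, the footprint of
the hidden-browser command channel described on the slide.
Added example, not from the original presentation; the log format and lines are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
#   "<epoch-seconds> <client> <method> <host> <path> <status> <response-bytes>"
# 10.1.1.25 polls 203.0.113.9 every ~60 s and POSTs command output back;
# 10.1.1.40 is ordinary browsing with a single login POST.
SAMPLE_LOG = """\
1000 10.1.1.25 GET www.example-news.test /index.html 200 48213
1010 10.1.1.25 GET www.example-news.test /style.css 200 1120
1030 10.1.1.25 GET 203.0.113.9 /cmd.html 200 310
1032 10.1.1.25 POST 203.0.113.9 /out.php 200 2100
1090 10.1.1.25 GET 203.0.113.9 /cmd.html 200 305
1092 10.1.1.25 POST 203.0.113.9 /out.php 200 5400
1150 10.1.1.25 GET 203.0.113.9 /cmd.html 200 298
1151 10.1.1.25 POST 203.0.113.9 /out.php 200 900
1210 10.1.1.25 GET 203.0.113.9 /cmd.html 200 301
1212 10.1.1.25 POST 203.0.113.9 /out.php 200 7700
1100 10.1.1.40 GET www.example-news.test /index.html 200 48213
1130 10.1.1.40 POST mail.example-news.test /login 302 150
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        records.append({"ts": int(ts), "client": client, "method": method.upper(),
                        "host": host, "path": path, "status": int(status),
                        "bytes": int(size)})
    return records


def find_beacons(records, min_posts=3, max_jitter=0.25):
    """Return (client, host, post_count, mean_gap_seconds) for every client/host pair
    with at least min_posts POSTs whose gaps vary by no more than max_jitter
    (population standard deviation divided by the mean gap)."""
    posts = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            posts[(r["client"], r["host"])].append(r["ts"])

    hits = []
    for (client, host), times in sorted(posts.items()):
        if len(times) < min_posts:
            continue  # a few POSTs is normal browsing (logins, forms)
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= max_jitter:
            hits.append((client, host, len(times), avg_gap))
    return hits


if __name__ == "__main__":
    for client, host, count, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {count} POSTs, every ~{gap:.0f}s")
```

Only the polling client is reported; the mail login is a single POST and falls under the minimum. The thresholds are deliberately loose: real channels add jitter and hide among legitimate periodic traffic (webmail refresh, update checks), so a hit is a lead for the analyst to correlate with the endpoint (which process owns the connections, whether a browser window is actually visible) rather than a verdict on its own.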



We are in!...now is Extrusion



We are in!...now is Extrusion

Actions:

  • Download Files

  • Upload tools



We are in!...now is Extrusion

Execute Commands

  • Under the privileges of the logged-on user

  • Access internal network



We are in!...now is Extrusion

Escalate attack

  • Get access on internal critical systems

  • Get critical data out of the systems



“Extrusion Testing” Facts

Usually it takes:

  • a couple of days to e-footprint an organisation and launch an e-social engineering attack

  • 1 hour to a few days to take control of an internal endpoint…only a matter of determination

  • …and then a few days, or even hours, to “stealthily” take control of critical internal business systems and data, if not of the entire network

  • and thus be able to conduct fraud, industrial espionage, sabotage, you name it



www.encodegroup.com
