USING CONTROLLED PENETRATION TESTING IN IT SECURITY ASSESSMENT AND AUDITING
Juan Reyes | MSCIS Senior Security Analyst for AT&T Certified Information Security System Professional (CISSP) Certified Information Security Auditor (CISA) Certified Ethical Hacker (CEH) www.linkedin.com/in/jrreyes
THE 1000-FOOT VIEW OF PEN TESTING
This is a simplified model of pen testing with three major stages. There are definitely more aspects to a pen test engagement from start to finish, with other functions comprising sub-areas of the whole process. But for the “Intro to Pen Testing” purposes of this three-lecture mini-series, we’ll cover the process in three main stages. If you find yourself interested in pen testing, I strongly encourage you to seek out resources that go more in depth. Most of the professional certification (CEH, GPEN, GWAPT, etc.) bodies of knowledge go more in depth into the sub-areas.
PURPOSE OF PEN TESTING Controlled penetration testing, or pen testing for short, is an auditing component that tests an organization’s security posture by mimicking the actions of attackers (a.k.a. hackers).
The degree to which the security posture withstands attacker actions is an indicator of the efficacy of the organization’s security program.
PURPOSE OF PEN TESTING Penetration testing results give indications as to what is working about the security program and what needs improvement.
The status of the existing risk management framework is exposed.
Its aim is to break through security defenses to determine areas of weakness as well as identify the security controls that are working as intended.
PENETRATION TESTERS MUST THINK LIKE THE ATTACKER AND UNDERSTAND ALL POTENTIAL MOTIVES.
• Mimic the actions of any potential attacker:
• Nation-state sponsored.
• Criminal profit motive, data theft, blackmail.
• Competitors seeking competitive advantage (corporate espionage).
WHAT ARE HACKERS LOOKING FOR Data of VALUE. Qualification of value is determined by their motive.
• Nation-state sponsored.
• Criminal profit motive, data theft, blackmail.
• Competitors seeking competitive advantage (corporate espionage).
• They seek to narrow a large number of potential victims down to confirmed vulnerable hosts.
• All about using their time and resources for their gain, ROI – the return on investment of the whole endeavor.
PEN TEST WHEN? Pen tests are commonly part of full-scale formal security audits.
They are also part (or at least should be) of ongoing periodic self-assessments so that organizations have a constant gauge on their security posture. • System environments are always in flux. Flux can lead to exposure. Self-assessments are meant to identify areas of exposure.
RED TEAM EXERCISES Red teams challenge organizations in efforts to bring improvements to the organization’s security posture. Pen testers on red teams assess security, typically without the target organization’s knowledge. Red team challenges yield a more accurate report of security posture than preplanned exercises and assessments announced in advance of their commencement.
PEN TESTING TO DETERMINE LEVELS OF OBLIGATORY COMPLIANCE Pen testers don’t only engage in the “art of war” against hackers when they test an organization’s security posture. Pen testers also regularly determine the level at which organizations comply with standards. • PCI-DSS, HIPAA, FISMA, SOX
Compliance isn’t just a good idea or an indicator of corporate responsibility. It is also a cost of doing business, which means organizations must actively monitor their compliance status or face loss of reputation, fines, and other sanctions.
FROM SANS CRITICAL SECURITY CONTROL 20: “Each organization should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.” -excerpt from www.sans.org/critical-security-controls/control/20
WHAT DO PEN TESTERS TEST? The organization’s security posture is made up of:
• Technology
• Processes
• People
Any and all of these areas and their subcomponents can be subject to pen testing to determine their efficacy within the organization’s security program. There is, of course, interrelation between these three areas.
Note: a very important document called the Statement of Work will define explicitly what the pen tester is authorized to test.
TECHNOLOGY COMPONENTS • Operating system vulnerabilities on user hosts (PCs, laptops, tablets) and servers. • Can a server running several critical apps be “owned” due to a vulnerability in the underlying operating system (Windows, Mac OS, Linux) discovered by an attacker?
• Application vulnerabilities – web apps, databases, etc. • Can a database or web application that contains or relays credit card numbers or SSNs be “owned” by an attacker?
TECHNOLOGY COMPONENTS • Network security defense measures • Firewall, intrusion prevention/detection, anti-virus – can they be subverted by an attacker?
• Company WiFi • Can a pen tester crack the WiFi encryption key and subsequently view in plain text any sensitive data traversing the WiFi network?
• Can a pen tester get onto the corporate WiFi network and then pivot into other internal networks to gain access to sensitive data?
PEN TESTING THE PROCESS AND POLICY COMPONENTS • Passwords – do pen testers find an organization’s passwords easy to crack because an insufficient password length and complexity policy is in effect?
• Incident handling – pen testers on a designated Red Team attack will exploit a vulnerability and “own” an organization’s database so that the organization’s incident handling response can be observed.
• Can a pen tester determine and use the login credentials of a recently fired database administrator to make changes to the database? If so, this indicates a critical deficiency in the organization’s employee termination processes.
PEN TESTING THE PEOPLE COMPONENT • Social engineering • Can someone call a help desk to get a password reset without authenticating their true identity first?
• Can someone follow another individual through a door controlled by badge access without using a badge, giving them access to a secure area that contains an organization’s critical assets?
HACKER AFFILIATION DESIGNATORS
White Hat
• Use their hacking techniques for the good of humanity. The ultimate goal of the white hat is to limit the looting opportunities that black hats seek out. Pen testers and security researchers fall into this category. White hat pen testers have permission to test.
Black Hat
• Hackers with nefarious intent that try breaking into systems without permission.
Grey Hat
• May have some history of shady hacking activity but have used their skills for good purposes such as helping security researchers and pen testers identify and prevent exploits and attacks through experience they’ve garnered as a black hat. Not always voluntary – can be part of courtroom plea deals.
TYPES OF PEN TESTS • Black Box Testing • Most closely simulates the methods and actions of an outside attacker, typically from the Internet. The pen tester starts from scratch, with no previous knowledge of the target of evaluation.
• White Box Testing • Designed to replicate an “inside job” attacker such as an organization’s IT administrator who has gone to the dark side. The pen tester is given full knowledge of the environment, similar to what a privileged access-level insider would have.
• Gray Box Testing • Another test that replicates insider activity, though one of less access than an administrator. The pen tester is given some limited amount of information about the target of evaluation.
THE STATEMENT OF WORK DOCUMENT
The Statement of Work document is a legally binding document for both parties – the party doing the testing and the party whose assets are being tested. The SoW specifies:
• Which assets (hosts, networks, servers) are to be tested, the Targets of Evaluation, and to what extent the tests can run.
• Duration of authorization to test.
• Pricing.
…AND ANOTHER IMPORTANT DOCUMENT The Permission to Test document (may also be rolled up in the Statement of Work.) “This document states the scope and contains a signature which acknowledges awareness of the activities of the testers. Further, it should clearly state that testing can lead to system instability and all due care will be given by the tester to not crash systems in the process. However, because testing can lead to instability the customer shall not hold the tester liable for any system instability or crashes. It is critical that testing does not begin until this document is signed by the customer.” – excerpt from http://www.pentest-standard.org/index.php/Pre-engagement
TIME TO TEST
***WARNING*** TOOLS OF THE TRADE ***WARNING***
We’ll now briefly cover scanning, exploit, and attack tools that pen testers use to do their jobs. DON’T USE THESE AGAINST A TARGET WITHOUT PERMISSION. BUILD A TEST LAB (I’ll be happy to give you guidance on building one.) Your guest lecturer, Juan R. Reyes, doesn’t send the explicit or implicit message to you that using these tools against a target without permission is OK. I can’t speak on behalf of the University of Texas’ McCombs School of Business, but rest assured that they don’t send an explicit or implicit message to you that using these tools against a target without permission is OK.
TOOLS OF THE TRADE Comprehensive paid-for offerings (initial purchase and subscription fees) from commercial security vendors that contain hundreds to thousands of scan types, exploits, and attacks.
Vendors such as Rapid7, Critical Watch, Core Impact, and Qualys exist in this space.
These “off the shelf” suites are very helpful when auditing regulatory compliance. Most major vendors have specific modules that test for compliance of PCI-DSS, HIPAA, SOX, etc.
TOOLS OF THE TRADE Rapid7 (local here in Austin) provides several pen testing platforms. Simple UIs allow for easy navigation. Specify a target of evaluation and test type, click the appropriate icons, and your test is underway. Their Metasploit Pro tool is an industry standard.
TOOLS OF THE TRADE A NICE UI CAN BE A WELCOME ALTERNATIVE TO USING THE VERY SAME TOOL FROM A COMMAND LINE
TOOLS OF THE TRADE – OPEN SOURCE Kali - comprehensive FREE Linux distribution chock full of pen testing resources.
http://www.kali.org/
Tools listing: http://tools.kali.org/tools-listing
TOOLS OF THE TRADE – CUSTOM SCRIPTING Pen test ninjas write custom scripts when the need calls for it – a unique scenario that requires a certain component be tested a certain way yet no pre-existing tools exist to execute the test. This is a Python script that connects to FTP (File Transfer Protocol) servers and returns their banners. This script is from Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers by T.J. O’Connor. This is an excellent resource for the DIY’er pen tester.
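The kind of script the slide describes, written here as an added example for auditing your own FTP hosts (it is not the Violent Python script and not from the lecture): it grabs the greeting, handles closed ports and timeouts, and notes for the audit report whether the banner discloses a product version. The in-process server and its banner are constructed so the example runs offline.

```python
import re
import socket
import threading

def grab_banner(host, port=21, timeout=3.0):
    """Connect to host:port and return the server's greeting line, or None when
    the host is down, the port is closed, or nothing arrives before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            data = conn.recv(1024)
    except OSError:  # covers refused connections and socket.timeout
        return None
    return data.decode("ascii", errors="replace").strip() or None

# A version string such as "2.4.1" embedded in a greeting gives away what is running.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

def assess_banner(banner):
    """Turn a greeting into audit-report fields: reachability, whether it is a
    proper RFC 959 '220' reply, and whether it discloses a product version."""
    if banner is None:
        return {"reachable": False}
    return {
        "reachable": True,
        "rfc959_greeting": banner.startswith("220"),
        "discloses_version": bool(VERSION_RE.search(banner)),
    }

def start_fake_ftp(greeting):
    """Constructed stand-in for an FTP server so the example runs offline:
    accepts one connection, sends the greeting, then closes. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Grab the banner from the constructed server; returns (banner, assessment)."""
    port = start_fake_ftp(b"220 ExampleFTPd 2.4.1 Server ready.\r\n")  # constructed banner
    banner = grab_banner("127.0.0.1", port, timeout=2.0)
    return banner, assess_banner(banner)

if __name__ == "__main__":
    print(demo())
```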
TOOLS OF THE TRADE
A comprehensive and thorough pen test will use a combination of commercial products, open source tools, and custom scripting to cover all of the bases.
PENETRATION TESTING AS A CAREER Experience with data networking, web programming, and databases is helpful. A degree in MIS/CIS or CS is helpful but not required. Industry certifications represent an individual’s overall understanding of bodies of knowledge pertaining to penetration testing:
• EC-Council Certified Ethical Hacker - CEH
• SANS GIAC Penetration Tester - GPEN
• SANS GIAC Web Application Tester - GWAPT
Among others…
NMAP – NETWORK MAPPER • Nmap was originally developed by Gordon Lyon (a.k.a. Fyodor) • Downloadable from http://nmap.org/download.html • Scans for services and can run exploit scripts – assists in vetting uninteresting hosts with the goal of finding targets of interest (database servers, medical records, pre-patent filings – data worth looting.)
• UI front-end, called zenmap, is included.
NMAP – NETWORK MAPPER Nmap – a pen tester’s friend for the same reasons it is a hacker’s friend. It helps determine the following:
1. The hosts that are up and running on the network.
2. The IP addresses in use on the network.
3. The operating systems of hosts running on the network. A host running Windows XP (security updates no longer supported by Microsoft) exposes itself as a target.
4. Which ports (services) are in use on the hosts connected to the assessed/audited network. Port 3306 is open? That server must be running a MySQL database. What could be in that database?
5. Are any hosts infected with malware or viruses?
6. Are there any unauthorized servers or services running on the assessed/audited network?
7. Locate hosts which don't meet the organization's minimum level of security.
NMAP BASICS WE’LL DIG DEEPER DURING THE SECOND LECTURE
Type nmap -sT localhost into the Command field. The results come back with an Open state on the ports and services that are active on the host. In this case, the host is a laptop running Windows 7. Note that port 445 is open – a popular hacking vector. Note: this nmap scan was performed on the same host that the nmap instance runs on, for demonstration purposes only – hence the “localhost” target. Actually finding port 445 open on a scan run across the Internet would be a reason to start asking questions such as “is there a legitimate business reason for this port to be accessible across the Internet?”
RESEARCH FINDINGS TO DETERMINE THE RELEVANCE OF THE NMAP OUTPUT YOU’RE SEEING
Port 445 Microsoft-DS had the distinction up until recently of being the top hacking target – it is still in the top three per http://www.cnet.com/news/microsoft-ds-no-longer-hackers-top-target/ ***The pen tester has to determine if there is a legitimate business reason for port 445 on this host to be accessible to anyone on the Internet.***
RESEARCH FINDINGS TO DETERMINE THE RELEVANCE OF THE NMAP OUTPUT YOU’RE SEEING
• Port and protocol registry – Service Name and Transport Protocol Port Number Registry
• www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
• As a pen tester/auditor, you must determine if there is a risk associated with a protocol being exposed to unintended users. Many resources on the Internet provide info of this nature. One is here: http://www.darkreading.com/analytics/security-monitoring/5-protocols-that-should-be-closely-watched/d/d-id/1140977
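Turning the scan output into the relevance judgement the lecture asks for, as an added example (not from the lecture or any tool it names): the script parses normal nmap -sT output and maps each open port to an audit-report row, either approved under a hypothetical allowlist of documented exposures or flagged for review, with the ports the lecture singles out rated high. The sample output, allowlist and watch list are constructed.

```python
import re

# Constructed sample of normal "nmap -sT" output for a Windows host, modelled on the
# scan described in the lecture (not real scan results).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 995 closed ports
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3306/tcp open   mysql
8443/tcp closed https-alt
"""

# Hypothetical engagement data: services the customer has documented a business reason
# to expose, and services that always need an explicit justification.
APPROVED_EXPOSURE = {(443, "tcp"): "Public HTTPS web front end (documented in the SoW)."}
WATCH_LIST = {
    (445, "tcp"): "Microsoft-DS/SMB: historically a top attack target; justify or firewall it.",
    (3306, "tcp"): "MySQL listener: confirm what data the database holds and who needs access.",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def parse_open_ports(nmap_text):
    """Return [(port, proto, service)] for every port nmap reports as open."""
    return [(int(p), proto, svc)
            for p, proto, state, svc in PORT_LINE.findall(nmap_text)
            if state == "open"]

def assess_exposure(open_ports, approved=APPROVED_EXPOSURE, watch=WATCH_LIST):
    """Map each open port to an audit-report row: approved, or flagged for review
    with a severity and the question the tester must answer about it."""
    rows = []
    for port, proto, svc in open_ports:
        key = (port, proto)
        if key in approved:
            rows.append({"port": f"{port}/{proto}", "service": svc, "status": "approved",
                         "severity": "none", "note": approved[key]})
        else:
            rows.append({"port": f"{port}/{proto}", "service": svc, "status": "review",
                         "severity": "high" if key in watch else "medium",
                         "note": watch.get(key, "No documented business justification; confirm with the asset owner.")})
    return rows

if __name__ == "__main__":
    for row in assess_exposure(parse_open_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{row['port']:<9} {row['service']:<13} {row['status']:<8} {row['severity']:<6} {row['note']}")
```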
INTERNET GOOGLES ARE YOUR FRIENDS IN RESEARCH
DOCUMENT FINDINGS IN AUDIT REPORT
We’ll populate these fields during the hands-on exercises. This is an excerpt from Page 8 of ISACA’s report template found at http://www.isaca.org/Education/Conferences/Documents/NACACS-Presentations/141Auditing-IT-Projects-Audit-Report-Template.doc