BSidesPR Preso - CompuSec.org Security

WHEN A VULNERABILITY ASSESSMENT > PENTEST
THE ANOMALY
$WHOAMI
- Network Security for Dept of VA
- Father/Husband
- Fan of Futbol (Viva Mexico!)
- Fan of Martial Arts
  - Brazilian JiuJitsu
WHAT IS A PENTEST?
- Recon
- Pwnage
- Pillage
- Loot
- Report
WHAT IS A PENTEST?
- http://www.pentest-standard.org/
- http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343
- http://www.offensive-security.com/offsec/sample-penetrationtest-report/
INJUSTICE! TESTING PENS
- How Not to Get a Good Pentest
  http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html
- Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.”
  http://www.ranum.com/security/computer_security/editorials/pointcounterpoint/pentesting.html
PWNING NOOBS
- Cons and “breaking stuff” tracks/talks
- Social media: if you break stuff, talk about how to fix it.
- Reporting is seriously lacking
PENTESTING
PENTESTING – MY WIFE HITS ME
“Why don’t you find their weaknesses and then help them fix it?”
VULNERABILITY ASSESSMENT
- Scan, how? Inside, external, credentials, IPs, firewalls
- Agent based vs passive vs active
- Results integration
- Results reporting
- Team player
SCAN HOW?
- Scanner location
  - Inside network, outside network
- Denial of service
- Nmap
SCAN HOW?
- Exclusions for Scanners
- White box vs. Black box
- Firewalls, IPS
SCAN HOW?
- Credentials
  - Windows desktops and servers
  - Linux/Unix servers with SSH account/keys
  - SNMP strings
  - Cisco/networking SSH credentials
- Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more.
- https://lists.immunityinc.com/pipermail/dailydave/2013February/000334.html
CREDENTIALS?
- Risks
  - Capture credentials
- Use SSH keys
- Never send clear text credentials
- Secure your scanner applications
- Passive vulnerability scanning (SPAN port)
SCAN HOW?
- Remember HD Moore’s Law: “Casual attacker power grows at the rate of Metasploit.” – Joshua Corman
AGENT VS ACTIVE SCANNING
- Agent pros
  - Near real time
  - No network traffic
  - No outages caused by scans
- Agent cons
  - May not be installed
  - May not be possible to install
  - Some vulns cannot be found
VULN ASSESSMENT AND PATCH MGT
VULN SCANNING – DOING IT RIGHT
- Internal scans
- Credentialed scans – Linux, Windows, network devices
- Vendor provided exploit availability and frameworks
- Coordinate HIPS/NIPS and firewall exclusions
SCAN DATA INTEGRATION
- Integrate with org CMDB
- SA information
- Satellite Server
- SCCM
- WSUS
- BigFix
SCAN DATA INTEGRATION
- Sys admin information
  - SA POC information (part of CMDB)
  - Sys admin deemed important information
  - Manual updates from sys admins
SCAN DATA INTEGRATION
- Satellite Server
- SCCM
- WSUS
- BigFix/Tivoli Endpoint Manager (TEM)
- Red Hat patch info integration
- Compare with scan info
SCAN DATA INTEGRATION
- Where does all this data go?
  - Access DB
  - Custom app with DB backend
  - Excel spreadsheet
  - GRC – Governance, Risk and Compliance
  - Any other solutions?
SCAN DATA
- Incident response
  - Import into org SIEM or incident correlation tool
SCAN REPORTING
- Executive reports on important issues
- Report on org specified critical findings
- Organizational severity scoring
SCAN REPORTING
- Java JRE vuln – RCE
  - Base Score = 9.3
  - Temporal Score = 7.7
  - Final Score = ?
SCAN REPORTING
- Default credentials
- Exploitable vulns
- Malware identification vulns
- Indicators of compromise
- Configuration auditing
- More?
CALL TO ACTION
- Do work!
  - Improve scanning
  - Improve patch mgt
  - Integrate
  - Consolidate data
  - Customize to org needs
  - Work as a team (Security, Sys Admin, Devs, Operations, etc.)
QUESTIONS?