WHEN A VULNERABILITY ASSESSMENT > PENTEST THE ANOMALY $WHOAMI Network Security for Dept of VA Father/Husband Fan of Futbol (Viva Mexico!) Fan of Martial Arts Brazilian JiuJitsu $WHOAMI $WHOAMI $WHOAMI $WHOAMI WHAT IS A PENTEST? Recon Pwnage Pillage Loot Report WHAT IS A PENTEST? http://www.pentest-standard.org/ http://www.sans.org/reading_room/whitepapers/bestprac/writ ing-penetration-testing-report_33343 http://www.offensive-security.com/offsec/sample-penetrationtest-report/ WHAT IS A PENTEST? WHAT IS A PENTEST? WHAT IS A PENTEST? INJUSTICIA! PROBANDO BOLIGRAFOS - How to Not get a good pentest? http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html - Marcus Ranum – “The only favorable or useful outcome of a pentest is the worst one.” http://www.ranum.com/security/computer_security/editorials/pointcounterpoint/pentesting.html PWNING NOOBS - Cons and breaking stuff tracks/talks - Social Media: If you break stuff, talk about how to fix it. - Reporting is Seriously lacking PENTESTING PENTESTING – MI MUJER ME PEGA “Why don’t you find their weaknesses and then help them fix it?” VULNERABILITY ASSESSMENT VULNERABILITY ASSESSMENT VULNERABILITY ASSESSMENT - Scan, how? Inside, external, credentials, ips, firewalls - Agent based vs passive vs active - Results integration - Results reporting - Team player SCAN HOW? - Scanner Location - inside Network, outside network - Denial of service - Nmap SCAN HOW? - Exclusions for Scanners - White box vs. Black box - Firewalls, IPS SCAN HOW? - Credentials - Windows Desktops and Servers Linux/Unix servers with SSH account/keys SNMP strings Cisco/Networking SSH credentials - Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more. - https://lists.immunityinc.com/pipermail/dailydave/2013February/000334.html CREDENTIALS? - Risks - Capture credentials - Use ssh keys - Never send clear text credentials - Secure your scanner applications - Passive Vulnerability (span port) SCAN HOW? - Remember HD Moore’s Law “Casual attacker power grows at the rate of Metaspoit.” - Joshua Corman SCAN HOW? AGENT VS ACTIVE SCANNING - Agent Pros - Near real time - No network traffic - No outages caused by scans - Agent Cons - May not be installed - May not be possible to install - Some vulns cannot be found VULN ASSESSMENT AND PATCH MGT VULN ASSESSMENT AND PATCH MGT VULN ASSESSMENT AND PATCH MGT VULN SCANNING DOING IT RIGHT Internal Scans Credentialed Scans – Linux, Windows, Network devices Vendor provided exploit availabilities and frameworks Coordinate HIPS/NIPS, Firewall exclusions SCAN DATA INTEGRATION Integrate with Org CMDB SA information Satellite Server SCCM WSUS BigFix SCAN DATA INTEGRATION Integrate with Org CMDB SCAN DATA INTEGRATION Sys Admin information SA POC information (part of cmdb) Sys Admin deemed important information Manual updates from Sys Admins SCAN DATA INTEGRATION Satellite Server SCCM WSUS BigFix/Tivoli Endpoing Manager(TEM) Red Hat patch info integration Compare with Scan info SCAN DATA INTEGRATION Where Does all this data go? Access DB Custom App with DB backend Excel Spreadsheet GRC – Governance Risk and Compliance Any other solutions? SCAN DATA - Incident Response Import into org SIEM or incident correlation tool SCAN REPORTING - Executive reports on important issues - Report on Org specified critical findings - Organizational severity scoring SCAN REPORTING - Organizational severity scoring SCAN REPORTING - Java JRE vuln – RCE - Base Score = 9.3 Temporal Score = 7.7 Final Score = ? SCAN REPORTING - Java JRE vuln – RCE - Base Score = 9.3 Temporal Score = 7.7 Final Score = ? SCAN REPORTING SCAN REPORTING - Default Credentials Exploitable Vulns Malware identification vulns Indicators of Compromise Configuration Auditing - More? CALL TO ACTION - Do work! Improve scanning Improve Patch Mgt Integrate Consolidate data Customize to org needs Work as a team ( Security, Sys Admin, Devs, Operations, etc) QUESTIONS?