How To Fail A Penetration Test

Concepts in Securing a Network
Scott Teeters, Jr.
MicroSolved, Inc.
in partnership with
Sogeti USA
Background
• Sogeti USA
– Sogeti USA LLC, part of the Sogeti Group, provides information
technology services to businesses and public sector organizations.
• MicroSolved, Inc.
– MicroSolved, Inc. provides information security services and
consulting to Sogeti USA customers.
http://www.secureassure.com
Today’s Agenda
• Common issues that cause an
organization to fail penetration tests
• Some suggestions on how an
organization may improve their
security posture
Note:
All ideas mentioned in this presentation also
apply to any wireless or modem (dialup)
systems as well.
Policy Issues
Problems with Policies and Processes
• Inconsistent application of policies
throughout the organization
• Poorly designed policies and standards
• Example: Passwords are not required for
all forms of network and application
access
Proper Use Of Policies and Processes
• Policies and Processes are developed in
accordance with industry standard best
practices, and/or an appropriate
regulatory guideline
• Policies are broad enough to establish
the expected behavior in the user
population
• Policies are consistently applied across
the organization
Example:
• A proper password policy
– Passwords are required for all forms of
network and application access
– Password strength is mandated to meet a
specific level (i.e. 7 characters, alphanumeric,
with special characters and mixed case)
– Password rotation is large enough to prevent
password reuse issues
– Administrative/root access is strongly
protected, requiring a token
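As an added illustration (not part of the original deck), the password rules on this slide expressed as a checker that reports every rule a candidate breaks, including reuse against a stored history; the history length and the use of SHA-256 for the history entries are assumptions for the example only.

```python
import hashlib
import string

# Policy parameters from the slide: 7 characters, alphanumeric, special
# characters and mixed case. HISTORY_SIZE is an assumed value for the
# number of previous passwords that may not be reused.
MIN_LENGTH = 7
HISTORY_SIZE = 12


def history_digest(password):
    """Digest stored for each previous password (illustrative only: a real
    system would use a slow password hash such as bcrypt or Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(password, history=()):
    """Return the list of policy rules `password` breaks.

    `history` holds history_digest() values of the user's previous
    passwords, oldest first. An empty list means the password complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short (minimum %d characters)" % MIN_LENGTH)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        violations.append("must contain both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        violations.append("must contain at least one digit")
    if not any(c in string.punctuation for c in password):
        violations.append("must contain at least one special character")
    # Reuse check covers only the most recent HISTORY_SIZE entries.
    if history_digest(password) in list(history)[-HISTORY_SIZE:]:
        violations.append("reuses one of the last %d passwords" % HISTORY_SIZE)
    return violations


def is_compliant(password, history=()):
    """True when the password breaks none of the policy rules."""
    return not password_violations(password, history)


if __name__ == "__main__":
    # Constructed sample inputs.
    previous = [history_digest("Tr0ub4dor!")]
    for candidate in ("password", "Ab1!", "Tr0ub4dor!", "C0rrect-Horse"):
        print(candidate, "->", password_violations(candidate, previous) or "OK")
```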
Another Policy Issue:
• Poor Domain Trust Choices
Who trusts who?
– Weak trust structure
• Types of trust
• Some domains have less security than others
[Diagram: trust relationships between the Development and Production domains]
Example:
• Good Domain Trust Choices
Who trusts who?
– Unidirectional trust
• Allows work to be done
• Protects Production domain
[Diagram: unidirectional trust between the Development and Production domains]
Process Issues:
• Information Leakage Problems
Who’s saying what?
– Example of Usenet leakage
"Gary Smith" <Gary [email protected]> wrote in message
news:#nKxhAAGAHA.281@cppssbbsa04...
I have a data communication application that uses TAPI 2.x for
doing async modem protocols. This application has been in
use for three years. I have discovered a problem, and can
recreate it where data is lost somewhere between the modem
and my application but it only happens on Windows 2000
machines. If I run it on a Windows NT 4.0 machine, it works
fine...
Process Solution:
• Combating Information Leakage
Who’s saying what?
– Have technical staff members use email and
Usenet posting addresses not associated with
the organization
– Make sure users know not to post corporate
identifiers online
– Monitor the Internet for information leakage
problems and address them ASAP
Problems with Patching
Poor Patch Management
• Systems are not current on
patches/hotfixes
• Patches are not consistently applied
throughout the organization
• Patches are more than security, they also
may provide:
– Stability
– New Features
– New Ways to Prevent Illicit Access
• Patch problems can hurt you!
Patching Details Matter
• Sometimes, patches have to be
applied in a specific order or manner
– Failing to do so, may actually
INCREASE your vulnerability!
Proper Patch Management
• Patch levels are monitored on a regular basis
using manual processes or automated
vulnerability assessments
• Patches are tested in an isolated environment
before being applied to production systems and
devices
• Patches apply to operating systems,
applications and even hardware devices
• Policies and standards clearly define the
mechanisms and frameworks for acquiring,
testing and deploying patches, fixes and version
upgrades
Configuration Downfalls
Configuration Issues
• Poorly configured perimeter implementations
– Example: Firewall rules are not granular or allow too
much access
• Internal network does not meet industry
standard best practices
– Example: Unnecessary services offer footholds for
attackers
• Systems are not adequately hardened
– Example: Access controls allow easy access to
confidential data
Proper Perimeters
• Access control systems (i.e. firewalls, routers, etc.) start
with a deny-all attitude
• Services are added with specific granularity as required
for business
• Internet visible systems are physically and logically
segregated from production networks
• Intrusion detection tools allow for easy anomaly and
danger identification
• Systems are carefully monitored via log files or agents
using a manual or automated process
• Alternate forms of access (i.e. remote management,
VPN, RAS, etc.) terminate in a DMZ or segregated
segment
Proper Network Configuration
• Domain trusts are properly applied and implemented
• Unneeded services are not running on network
connected systems and devices
• Proper egress controls assist in preventing malware
spreading and attacks against other networks
• IDS is deployed to assist with problem detection and
troubleshooting
• The network is monitored for changes in performance
and traffic levels which could indicate a security or other
type of issue
Proper System Configuration
• Systems are hardened in accordance with a baseline
– Examples: SANS configurations, CIS baselines
• Systems are up to date on patches and fixes
• Unneeded services have been disabled
• All systems use anti-virus software with regular
automatic updates
• Personal firewalls are deployed where appropriate, at a
minimum on all laptops and notebooks
• Access controls have been appropriately applied to
each device and its file system
• Users are aware of existing policies and guidelines
Keeping it All Together
• You have a complex environment
• Not all users will behave as expected
• Patches and fixes come fast and furious
• How do you keep all these variables under control?
REGULAR ASSESSMENT & MONITORING
How To Fail A Penetration Test
1. Implement poor policies and
processes
– No policies and processes also count!
2. Mismanage patches and fixes
3. Misconfigure your perimeter, network
and/or systems
4. Take a number, attackers will be right
with you…
Thank You
Sogeti USA
http://www.sogeti-usa.com
For more information:
Chris Rice
[email protected]
Or
Scott Teeters
[email protected]