Cisco Live / DEFCON / RSA / (ISC)2
Penetration Testing For Network Engineers
Know Yourself and Enemy, Need Not Fear 100 Battles
Joseph Muniz – Architect Americas
BRKSEC-2460

#CLUS BRKSEC-2460 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKSEC-2460

Why Do We Fail?

Behind the Headlines

More than Computers and Phones
• 15B devices today
• 50B in 2020
• 500B in 2030

IoT Challenges
• Patch Delays
• Limited Security Development
• Rogue Devices

Threats Continue
• SamSam
• Nyetya

And Many Get It Wrong

Option 1: Hope Others Fix It
Option 2: Validate What's Going On

Agenda
• Security Language Defined
• Penetration Testing Lab
• Testing Concepts
• Attacking Websites
• Attacking Networks
• Attacking People
• Attacking Mobile Devices
• Attacking IoT
• Reporting and Next Steps
• Conclusion

Yeay For Giveaways!

Download The CTR Comic
https://www.dropbox.com/s/43qfd9f7p8mk8fm/CTR20-Comic.pdf?dl=0

Joseph Muniz, Technical Security Architect
• Security Architect – Americas Sales Organization
• Security Researcher – www.thesecurityblogger.com
• Speaker: Cisco Live / DEFCON / RSA / (ISC)2
• Avid Futbal (Soccer for USA people) Player and Musician
• Twitter @SecureBlogger

Risk Management

Cyberattacks Broken Down
• Common Language for Security Professionals
• Exploit takes advantage of vulnerability.
• Exploits are not malware; malware is malicious software.
• Vulnerabilities can be exploited.
• A dropper or stage 1 payload comes down to the victim.
• A RAT is a Remote Access Toolkit/Trojan.
Attack chain shown on the slide:
Exploit -> (takes advantage of) -> Vulnerability -> (to deliver) -> Dropper / Rootkit Payload -> (downloading) -> Malware / RATs -> (objective) -> Goal

Not a Penetration Test
• Risk Management – Dealing with any type of risk
• Vulnerability Management – Dealing with vulnerabilities
• Incident Response – Responding to attacks
• Audit – Checking for compliance
• Digital Forensics – Investigating breaches / legal needs
• Hacking – Unlocking features / creating new capabilities

Audit vs Assessment vs Pentest
• Audit – Specific thing like compliance
• Assessment – Automated tools looking for vulnerabilities
• Pentest – Testing vulnerabilities using real exploitation

Compliance
• Legal or Business
• Should be minimal security
• SOC enforces and reports
• Customized dashboards can help!
Aim for going beyond compliance.

Why First Perform a Vulnerability Assessment Before Pentest?

Assessment vs Penetration Test
• Assessment – Using automated systems to identify potential vulnerabilities
• Penetration Test – Executing attacks against identified vulnerabilities
Assessment is good to see your weaknesses. Penetration testing is good if you know you are secure.

Common Vulnerabilities and Exposures (CVE)
Vulnerability Type: Apache vulnerability
Threat Description: Three vulnerabilities in the Apache Struts 2 package
Existing Controls: Firewalled and monitored by IPS
Probability: Unlikely (not web facing)
Impact: Critical
http://cve.mitre.org/about/faqs.html

Vulnerability Assessment Results Challenges
• May not be real
• Hard to execute
• Not accessible
• Critical or not?
• Specific requirements

How to Prioritize Risk - COBIT

Vulnerability Management Current State

Security is a Journey, Not a Destination

SANS - Vulnerability Management
• NAC and Profiling can help with Asset Inventory
• Triggers
  • CVE Identifier may trigger event
  • Assessment tools
  • Audits

Risk Management Best Practice Summary
• Automate Network Access
• Continuously Assess for vulnerabilities
• Develop Risk Rating Strategy
• Automate Enforcement (if possible)
• Enforce Posture Upon Connection
• Enforce Patch Management
• Subscribe and Follow Researchers
• Don't Trust Everything You Hear

Penetration Testing

Penetration Testing Starting Points
                  White Box              Grey Box              Black Box
Target details    Know target details    Some details          No details
Topology          Topology given         Some topology         Unknown topology
Awareness         Informed parties       Limited awareness     No awareness
Attacks           Limited attacks        Many attacks          Any attack
Summary           Very specific work     Hybrid work           Attack any way possible

Penetration Testing Services
• Internal teams typically perform White Box
• Grey Box is typically the best value
• Black Box can give interesting results and is the most realistic
• Reconnaissance is typically the most costly service
Work must be properly authorized!
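The CVE slide, the "Critical or not?" challenge and the "Develop Risk Rating Strategy" bullet all come down to the same task: turning a scanner's impact label into a priority that accounts for exposure, exploitability and the controls already in place. The helper below is an added example written for this page; it is not code from the deck or from Cisco. The ordinal scales, the step rules for likelihood, the finding ids and the sample findings are all assumptions constructed here, with the first sample finding mirroring the slide's Struts 2 entry (not web facing, firewalled, IPS-monitored, impact Critical).

```python
from dataclasses import dataclass

# Ordinal scales. These scales and the rules below are assumptions made for
# this example, not a Cisco or COBIT standard; substitute your own strategy.
PROB_ORDER = ("unlikely", "possible", "likely", "almost certain")
PROBABILITY = {name: i + 1 for i, name in enumerate(PROB_ORDER)}
IMPACT = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One row from an assessment report, enriched with what the tool cannot know."""
    finding_id: str          # placeholder ids; the deck gives no CVE numbers
    description: str
    impact: str              # as reported by the scanner, key of IMPACT
    internet_facing: bool    # reachable from untrusted networks? ("Not accessible")
    exploit_public: bool     # is exploit code readily available? ("Hard to execute")
    verified: bool = False   # confirmed by a pentester? ("May not be real")
    controls: tuple = ()     # compensating controls already in place


def probability(f: Finding) -> str:
    """Estimate likelihood: exposure and public exploit code each raise it one
    step; each compensating control lowers it one step, never below 'unlikely'."""
    level = 1 + int(f.internet_facing) + int(f.exploit_public) - len(f.controls)
    level = max(1, min(level, len(PROB_ORDER)))
    return PROB_ORDER[level - 1]


def risk_score(f: Finding) -> int:
    """Probability x impact on a 1..16 scale."""
    return PROBABILITY[probability(f)] * IMPACT[f.impact.lower()]


def risk_rating(score: int) -> str:
    """Map the numeric score to the label used when scheduling remediation."""
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(findings):
    """Rank findings by computed risk. Unverified findings keep their score but
    are flagged so the pentest confirms them before remediation effort is spent."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "id": f.finding_id,
            "probability": probability(f),
            "impact": f.impact.lower(),
            "score": score,
            "rating": risk_rating(score),
            "action": "remediate" if f.verified else "confirm via pentest",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample findings. The first mirrors the deck's CVE slide.
STRUTS_FINDING = Finding("FINDING-1", "Three vulnerabilities in Apache Struts 2",
                         "Critical", internet_facing=False, exploit_public=True,
                         controls=("firewall", "IPS"))
SAMPLE_FINDINGS = (
    STRUTS_FINDING,
    Finding("FINDING-2", "Outdated TLS library on the public web tier", "High",
            internet_facing=True, exploit_public=True, verified=True),
    Finding("FINDING-3", "Remote code execution in an internet-facing VPN portal",
            "Critical", internet_facing=True, exploit_public=True, verified=True),
    Finding("FINDING-4", "Verbose banner on an internal print server", "Low",
            internet_facing=False, exploit_public=False),
)

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['id']:10} {row['rating']:8} score={row['score']:2} "
              f"({row['probability']} x {row['impact']}) -> {row['action']}")
```

Run as a script, the Struts finding that the scanner labelled Critical lands in the middle of the list as a medium, because its firewall and IPS controls and its internal placement pull the likelihood down to unlikely; the two verified, internet-facing findings rank above it. That is the point of the "Critical or not?" slide: the scanner's severity is an input to the risk rating, not the rating itself.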

Details
• File Type: pdf
• Content Languages: English
• File Pages: 165
