07/09/15 © NCC Group 1

Who am I? Martin Hansen, Senior Security Consultant

Background
♦ FortConsult A/S, part of NCC Group, Senior Security Consultant, 2014 - present
♦ Ernst & Young, Manager, 2005 - 2014
♦ Cand.Merc.Aud, Master of Science in Business Economics and Auditing, 2005 - 2009
♦ HA (dat.), Bachelor of Computer Science and Business Administration, 2002 - 2005

Fields of expertise
Specializes in the following areas of information security:
♦ Advanced internal and external penetration testing: web applications, network, application security and social engineering
♦ PCI (Payment Card Industry)
♦ Critical IT Security Controls
♦ IT Security Audit

Certifications
♦ PCI Council, PCI QSA (Qualified Security Assessor)
♦ SANS GIAC Critical Controls Certification (GCCC) since 2014
♦ (ISC)2 Certified Information Systems Security Professional (CISSP) since 2011
♦ SANS GIAC Penetration Tester (GPEN) since 2011
♦ ISO 27001 Lead Auditor, EY Certify Point, 2011, Denmark
♦ ISACA Certified Information Systems Auditor (CISA) since 2010
♦ Global IT-security company, HQ Copenhagen
♦ Delivering security assessment, review, test and incident response
♦ Working with financial, government, tech and top-100 companies worldwide
♦ Owned by NCC Group PLC: 1500 skilled security professionals in 18 locations
♦ World's largest team of penetration testers
FortConsult performs security tests for companies that are ISO 27001 compliant, that receive an ISAE 3402 assurance report, that are PCI compliant, or that meet other security standards. Even though these companies meet, on paper, the various requirements imposed by the various frameworks, we still find simple vulnerabilities that let us penetrate their networks. Which vulnerabilities does FortConsult find again and again when we perform our security tests, and how can you, as a company, put simple controls in place to detect these vulnerabilities before a hacker exploits them?
Agenda
1. Password
2. Segmentation
3. Social Engineering
4. Patching of business critical systems
5. Default/hardening/Baseline
Password
Password

How real users interpret password rules

♦ "Passwords must contain at least 1 upper, 1 lower, 1 number, and be at least 7 characters long"
♦ Take a base word of 6, 7 or 8 characters
♦ Choose only one upper-case letter
♦ Make the first character upper-case
♦ Add numbers on the end (one, two, or four numbers)
♦ Or substitute numbers and symbols for letters which look like numbers and symbols ("P@ssw0rd!")
♦ For password changes, users increment the number: "Manunited1!", "Manunited2!", "Manunited3!"...
Password

Problem: users!
Lars&Mikkel
Welcome1
Password1
Vinter2014
Martin12
Fortconsult10

Top 5 most used
1. Password1
2. 12345678
3. Welcome1
4. Sommer2014
5. opret123

Bigger problem: not only users; also admins and service accounts!
Password

1. Extract password hashes
2. Crack password hashes
3. Force password change
4. Awareness training for users
Password

How many in this room have a secure password?
Segmentation
Segmentation

♦ Development
♦ DMZ
♦ Servers
♦ Test
♦ Clients
♦ Secure zone
♦ Different geographical locations
Segmentation – Firewall Review

remark *** Access to router ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.144
permit udp host 0.0.0.0 host 255.255.255.255
remark *** raste.blob.com ***
permit icmp 192.168.168.0 0.0.0.255 host 192.168.168.1
permit ip 10.210.220.14 0.0.0.8 host 10.4.65.11
permit udp 192.168.168.0 0.0.0.255 host 192.168.168.1 eq ntp
remark *** mdm.limo.blob.com ***
remark *** Access to FRY ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.148
permit ip 192.168.168.0 0.0.0.255 host 10.210.220.2
remark *** mobile.blob.com ***
remark *** KJU access ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.218
permit ip 192.168.168.0 0.0.0.255 10.210.8.0 0.0.0.255
remark *** melllpo.apple.com ***
remark *** XX access ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.184
permit ip 192.168.168.0 0.0.0.255 10.210.192.0 0.0.15.255
remark *** proxy.kimh.blob.com ***
permit ip 192.168.168.0 0.0.0.255 10.210.208.0 0.0.8.255
permit tcp 10.210.220.14 0.0.0.8 host 10.4.200.129 eq www
permit ip 192.168.168.0 0.0.0.255 10.99.0.0 0.0.64.255
permit tcp 10.210.220.14 0.0.0.8 host 10.4.200.129 range 8088 8088
remark *** IL access ***
remark *** DHCP ***
permit ip 192.168.168.0 0.0.0.255 10.210.190.0 0.0.0.41
permit udp any eq bootpc host 255.255.255.255 eq bootps
remark *** Access to INT ***
permit udp host 10.210.220.98 eq bootps host 255.255.255.255 eq bootpc
permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.4.255.255
remark *** range for future use ***
remark *** Support access ***
permit ip 10.210.220.14 0.0.0.8 10.4.5.192 0.0.0.64
permit ip 192.168.168.0 0.0.0.255 10.210.20.0 0.0.4.255
deny ip any any log
permit icmp 192.168.168.0 0.0.0.255 10.210.0.0 0.1.255.255
ip access-list extended vlan210-in
deny ip any any log
remark *** Access to router ***
ip access-list extended vlan106-in
permit udp host 0.0.0.0 host 255.255.255.255
remark *** DNS ***
permit icmp 10.210.220.104 0.0.0.8 host 10.210.220.105
permit udp 10.210.220.14 0.0.0.8 host 10.210.8.11 eq domain
permit udp 10.210.220.104 0.0.0.8 host 10.210.220.105 eq ntp
permit udp 10.210.220.14 0.0.0.8 host 10.210.8.16 eq domain
remark *** BP access ***
remark *** rasmor.blob.com ***
permit ip 10.210.220.104 0.0.0.8 10.210.8.0 0.0.0.255
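The Controls slide at the end says the segmentation test "can be done automatically with a script". The following is an added example of mine, not FortConsult's tool, of what such a script checks on Cisco extended-ACL text like the review above. It flags three things: wildcard masks that are not the inverse of a netmask (a wildcard of 0.0.0.8 does not mean "eight addresses"; it leaves one bit free and so matches two scattered hosts, and is usually a mistake for 0.0.0.7), `permit ip` entries whose source or destination covers 65536 addresses or more (that threshold is my assumption, tune it), and permit any to any. The sample input is a handful of lines copied from the slide; the findings they produce follow from the wildcard arithmetic, not from anything the slide states.

```python
"""Scripted segmentation check for Cisco extended ACLs.

Finds three things a firewall review keeps turning up: wildcard masks that are not the
inverse of a netmask (they match a scattered set of hosts, not a range), 'permit ip'
entries that open a /16 or wider, and permit any -> any.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF
BROAD = 1 << 16   # assumption: a 'permit ip' touching 65536+ addresses needs a justification


def _addr(tokens):
    """Pop one address spec ('any' | 'host A' | 'A WILDCARD'); return (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, ALL_ONES
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _ports(tokens):
    """Pop an optional port operator (eq/gt/lt/neq X, or range A B)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        del tokens[:3]


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [ports] DST [ports] [log]'; None for remarks, headers, blanks."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _addr(rest)
    _ports(rest)
    dst = _addr(rest)
    _ports(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "log": "log" in rest}


def is_contiguous(wildcard):
    """A real wildcard is a run of 1-bits from the low end, i.e. wildcard + 1 is a power of two."""
    return wildcard & (wildcard + 1) == 0


def size(wildcard):
    """Number of addresses a wildcard matches: one bit of freedom per set bit."""
    return 1 << bin(wildcard).count("1")


def matched_hosts(base, wildcard, limit=4):
    """First `limit` addresses a (base, wildcard) pair actually matches, lowest first."""
    bits = [1 << i for i in range(32) if wildcard >> i & 1]
    fixed = base & ~wildcard & ALL_ONES
    hosts = []
    for n in range(min(1 << len(bits), limit)):
        addr = fixed
        for i, bit in enumerate(bits):
            if n >> i & 1:
                addr |= bit
        hosts.append(str(ipaddress.IPv4Address(addr)))
    return hosts


def review(acl_text):
    """Return [(line_no, issue, line)] for every suspicious entry in an ACL given as text."""
    findings = []
    for no, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        ace = parse_ace(line)
        if ace is None:
            continue
        for side in ("src", "dst"):
            base, wc = ace[side]
            if not is_contiguous(wc):
                hosts = ", ".join(matched_hosts(base, wc))
                more = ", ..." if size(wc) > 4 else ""
                findings.append((no, f"{side} wildcard is not a netmask inverse: matches "
                                     f"{size(wc)} scattered hosts ({hosts}{more})", line))
        if ace["action"] != "permit":
            continue
        span = max(size(ace["src"][1]), size(ace["dst"][1]))
        if ace["src"][1] == ALL_ONES and ace["dst"][1] == ALL_ONES:
            findings.append((no, "permit any -> any", line))
        elif ace["proto"] == "ip" and span >= BROAD:
            findings.append((no, f"permit ip covering {span} addresses; restrict to the hosts "
                                 "and ports actually needed", line))
    return findings


# Sample input: lines taken from the firewall-review slide above.
SAMPLE_ACL = """\
remark *** Access to router ***
permit ip 10.210.220.14 0.0.0.8 host 10.4.200.144
permit udp host 0.0.0.0 host 255.255.255.255
permit udp any eq bootpc host 255.255.255.255 eq bootps
permit udp 192.168.168.0 0.0.0.255 host 192.168.168.1 eq ntp
permit tcp 10.210.220.14 0.0.0.8 host 10.4.200.129 eq www
remark *** range for future use ***
permit ip 192.168.168.0 0.0.0.255 10.99.0.0 0.0.64.255
permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.4.255.255
deny ip any any log
"""

if __name__ == "__main__":
    for no, issue, line in review(SAMPLE_ACL):
        print(f"line {no}: {issue}\n    {line}")
```

Run it over `show running-config` output and treat every non-contiguous wildcard as a question for the firewall owner: the 0.0.0.8 entries above admit 10.210.220.6 as well as .14, and 0.4.255.255 opens both 10.0.0.0/16 and 10.4.0.0/16 rather than the single range somebody probably meant.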
Social Engineering
Patching of business critical systems

♦ Policy: all servers should be patched within 90 days?
♦ Is this OK?
♦ How is the patch process?
Patching of business critical systems

♦ What we still find...
♦ Critical vulnerabilities: exploiting MS14-068, MS08-067, Heartbleed?
♦ Not all systems are covered
♦ Third-party vendors don't update/patch
♦ Hosting providers don't always update/patch all layers
Patching of business critical systems

♦ Microsoft Baseline Security Analyzer 2.3 (MBSA)
♦ http://www.microsoft.com/en-us/download/details.aspx?id=7558
Default/hardening/Baseline

♦ Is a baseline security policy in place?
♦ Is the baseline applied to relevant servers/workstations/network devices?
♦ Check!
Default/hardening/Baseline

Victim, DNS, Attacker:
1. Victim: Connect to \\PrinterFF
2. DNS: Don't know \\PrinterFF
3. Victim (to the local segment): Who is \\PrinterFF?
4. Attacker: I am \\PrinterFF
5. Victim: Here are my credentials: ADMIN:[NTLMv2-hash]
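The exchange on this slide is LLMNR/NBT-NS name poisoning: when DNS cannot resolve \\PrinterFF, Windows asks the local segment and trusts whoever answers first. The cheapest periodic check (the Controls slide: "test new exploits/attack scenarios on a periodic basis") is a canary: ask for a name that cannot exist and see whether anyone claims it. Below is an added example of mine, not code from FortConsult: it builds the RFC 4795 LLMNR query (step 3), parses a response (step 4), exercises both offline on a constructed spoofed reply, and `probe()` puts a real query on the wire. The canary name and transaction ID are arbitrary; the attacker address in the constructed reply is made up.

```python
"""LLMNR canary: ask the segment for a name that does not exist and see who answers.

No honest host answers an LLMNR query for a bogus name; a reply means a poisoner is live
on the segment. Packet builder and parser are exercised offline on a constructed spoofed
reply; probe() sends a real query to the LLMNR multicast group.
"""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """DNS-style label encoding: 'PrinterFF' -> b'\\x09PrinterFF\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """RFC 4795 LLMNR query: DNS header with flags 0, one question, no answers.
    This is what a Windows client multicasts when DNS does not know the name."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(data, off):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer into the packet
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Return (txid, queried_name, [answer IPs]) for an LLMNR response; None if QR is not set."""
    txid, flags, qd, an = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000:
        return None
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(data, off)
        off += 4                               # qtype + qclass
    ips = []
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def build_spoofed_response(query, ip):
    """What a poisoner sends back for any name it sees (step 4 on the slide): the question
    echoed with QR set plus an A record pointing at itself. Constructed only to test the parser."""
    header = query[:2] + struct.pack(">HHHHH", 0x8000, 1, 1, 0, 0)
    question = query[12:]
    answer = struct.pack(">H", 0xC00C) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    return header + question + answer + socket.inet_aton(ip)


def probe(name="canary-printerff", timeout=2.0, txid=0x1337):
    """Send one LLMNR query for a name that must not exist; return [(responder_ip, claimed_ips)]."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = s.recvfrom(512)
            parsed = parse_response(data)
            if parsed and parsed[0] == txid:
                hits.append((src, parsed[2]))
    except socket.timeout:
        pass
    finally:
        s.close()
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print(f"LLMNR poisoner at {src} claims {ips} for a name that does not exist")
```

Run `probe()` from a workstation on each user segment; any hit is a host answering for a name that cannot exist. On the baseline side the condition this exploits is removed by turning off LLMNR (the DNS Client policy "Turn off multicast name resolution", i.e. EnableMulticast=0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and NetBIOS over TCP/IP on each interface, and by requiring SMB signing so a captured session cannot simply be relayed; the NTLMv2 hash itself still goes to the cracker from the previous section.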
Controls

♦ Password: extract password hashes, crack password hashes (24 hours of cracking)
♦ Segmentation: the test can be done automatically with a script
♦ Social Engineering: NEXT TOPIC! No spoilers...
♦ Patch: MBSA
♦ Baseline: test new exploits/attack scenarios on a periodic basis