Trust but Verify

Why Me?
• I’ve been at this for the past 20 years
• This includes stops at some of the top global retail organizations, DoD, banks and loyalty/marketing firms.
• I’ve been on both sides of the audit table, both as the requestor and the provider of evidence.
• I’ve seen when IT groups are giving you exactly what you asked for…
ISACA - December 8, 2016 | 2

You typically get one of two things: logging enable

So how do we Trust but Verify?
• We get permission FIRST
• Define your engagement (Remediation or Validation)
• We unpack our tool kit and make sure you have the right tool and the right skillset
• Validate, Document and Report

Get Written Permission FIRST!
• This is non-negotiable
• Signed by an executive
• Only test on a system you own or have permission to test

Define Your Engagement
• Set your Scope
• Perform reconnaissance and identify targets
• Don’t forget the power of the interview!

The Tool Kit
• Consider ease of use first. Sometimes the best tools are the simplest.
• We will not cover every tool
• Tool Categories
  • All in One Distributions
  • Sniffers
  • Scanners (Network, Web Application, Vulnerability)
  • Log Analysis
  • Configuration Analysis
• Tools NOT used – Exploitation, Cracking, Packet Crafting

All in One Distributions
• Skill Level = Expert
• Complexity = High
• Need a strong UNIX/LINUX background
• Need to be able to read scripting languages at a minimum
• Need a base understanding of the tools and how they work
• Multiple install options
• Very forgiving, great for experimentation

All in One Distributions – Kali Linux
https://www.kali.org

All in One Distributions – Deft Linux
http://www.deftlinux.net

Sniffers
• Skill Level = Novice to Intermediate
• Complexity = Low/Medium
• Easy to install on Windows and Mac
• Great for watching what is going on during testing and troubleshooting.
• Lots of data to decode
• Interface is typically straightforward

Sniffers - Wireshark
https://www.wireshark.org/
• The standard for network packet sniffing and capture
• It can capture on wired and wireless interfaces
• Installs on just about anything
• Easy interface and protocol decode

Sniffers – Cain and Abel
http://www.oxid.it/cain.html
• A sniffer that captures packets for the purpose of cracking and monitoring
• It WILL get picked up by every AV vendor
• A password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Sniffers - Kismet
http://www.kismetwireless.net/
• A packet capture and sniffer for wireless networks
• Can find hidden SSIDs passively
• Can decode and analyze basic wireless threats for lightweight IDS.

Scanners (Network, Web Application, Vulnerability)
• Skill Level = Intermediate
• Complexity = Medium to High
• Fairly straightforward interfaces, lots of options
• The easiest way to cause significant issues on your network.

Web Application Scanners
• Burp Suite Pro - $300 per year https://portswigger.net/burp/
• Nikto2 - https://cirt.net/Nikto2
• ZAP (Zed Attack Proxy) – Free from OWASP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• These are kept more up to date than Paros Proxy.

Network and Vulnerability Scanners
• NMAP - http://insecure.org/
• Nexpose by Rapid7 - https://www.rapid7.com/
• Nessus by Tenable - http://www.tenable.com/
• Higher Cost Options include: QualysGuard, GFI LanGuard, Critical Watch, Retina

Log Analysis
• Primarily used when there are large log files that need to be searched.
• Splunk – https://www.splunk.com/
  • Trial license can be converted to a free license, which is capped at 50 MB of logs per day.
• Graylog - https://www.graylog.org/
  • Open source but only installs on Linux. OVA is available for VM deployments.

Configuration Analysis
• MBSA by Microsoft - https://technet.microsoft.com/enus/security/cc184924
• Nipper – Sourceforge project
  • Network configuration analysis. The most current version is expensive. Previous free versions can be found online.

Eric Ballantyne, CISA, CRISC, CISSP, CEH, ISO 27K LA
[email protected]