Page 1: Next Generation Pentest Your Company Cannot Buy

why both consultants and customers are doing it wrong

Vlad Styran

Page 2: Who’s that guy?

• Security Consultant for BMS Consulting

• Social Engineering researcher

• InfoSec blogger

• Podcaster

Page 3: Why is he here?

• Pentesting since 2006

– Web sites, banking systems, telecom,

• X commercial pre-sale presentations

– Saw client’s eyes BEFORE the test

• X-Y pentest reports written

– Saw client’s eyes AFTER the test

– Writing reports is HELL

• Z pentest reports read

– Reading others’ reports is FUN

• CISSP, CEH, CISA…

– Because it rarely matters

Page 4: Why are YOU here?

• This preso is for those who want a great pentest to be done

– And someone to benefit from this pentest

– Usually it’s a company

• You may be a customer

• Or a consultant

• Or both

• And you should agree that there’s something wrong with the pentesting industry

Page 5: Some definitions

• What is a Penetration Test?

• What is a Vulnerability Assessment?

• What is the difference?

• Why should anyone bother?

• And let’s make it quick and simple

Page 6: Test

• Testing is deeply interactive

• A test is something that both the tester and the thing being tested take part in

– We act and see the reaction

– Not just look, measure and record

– We touch, push and kick

– We challenge what we test

• Test has a goal

Page 7: Penetration Test

• Penetration is getting through obstacles:

– Security systems

– User awareness

– Physical barriers

• The pentest succeeds if we get through

– And fails if we don’t

• And for the client this usually means exactly the opposite

• The goal is virtually anything, but:

– Penetrate a system

– Pwnz0r everything: DBA, root, Domain Admin

– ‘Get’ the data to show it’s vulnerable

– Show that the business might be stopped

Page 8: Vulnerability Assessment

• Find all vulnerabilities

– Remove false positives (optional)

• And tell us how to fix them

– Usually in a couple of different ways

• Don’t try to break anything, it might… break!

• Come back in a few weeks (months?) and check whether we fixed stuff

Page 9: The Difference

• Deep interactivity:

– A pentest is interactive to the deepest level you can get

– A Vulnerability Assessment is superficial

• The goal:

– A pentest aims at a narrow goal

– A Vuln Assessment is as broad as the client can pay for

• The PenTest is focused and thorough

• The VA is a mile broad and a foot deep

• You can easily do a VA yourself, but a PT isn’t easy

– Not because it’s hard to do, but because of the conflict of interest

Page 10: More Difference

• PT doesn’t just scan, it exploits

• Most pentest standards cover multiple channels

– Systems and network

– Wireless and telecom

– Human interaction

– Physical stuff

• VA is purely technical

– Systems and network

– And maybe wireless… or telecom…

Page 11: That was ‘what’ and ‘how’. What about ‘why’?

• And this is the most important and interesting part, which everyone should know

• Vulnerability Assessment:

“Let us know how we can fix what is presumably already broken”

• Penetration Test:

“Try to break what is presumably unbreakable”*

*Considering reasonable time and resources available

Page 12: Now To Work

• Why do clients buy pentests?

• How do consultants do pentests?

• Why do clients get bad pentests?

• What can we do to fix it?

– Clients

– Pentesters

Page 13: How do consultants do pentests?

• We set the scope

– Systems, locations, people, contacts etc.

• We do recon

– Short for ‘reconnaissance’

• We enumerate the targets

– And search for vulnerabilities

• It is pretty much the VA until this point

Page 14: How do consultants do good pentests?

• We validate the vulnerabilities

– ‘Validate’ stands for ‘exploit’, since business people don’t like hacker jargon

• We leverage access gained and pivot further

– Into the network, into the sun, into the cookies…

• We collect evidence of your data compromise

– Without actually compromising the data

– But enough to make your bosses like OMG

Page 15: How do consultants do an outstanding Pentest-NG?

• We meet your business people beforehand

– To know how your business lives

– And research on how someone can kill it

• We do all channels and vectors

– We plan for HR interviews and local conferences

– We write custom software and exploit code

• We do virtually anything to make you cry over your spent InfoSec dollars

Page 16: Why do clients buy pentests?

• Want to test the security

– The only true reason, and it is really rare

• Compliance

– That mandates pentests

• Want to know the risks

– Although there are much better and safer tools for that

• False compliance

– That does not mandate pentests

• We were hacked!!

• Have no idea how else to ‘fix it’…

Page 17: Why do clients get (or do) bad pentests? What clients cannot affect

• Bad pentesters

– Some pentesters just suck

• Most methodologies suck too

– Remember your high school lessons

• Time/cost relation in consulting business models

– Pentests are quick

– ‘Quick’ means ‘cheap’

Page 18: Why do people get (or do) bad pentests? What clients can and do affect

• Lack of understanding of the difference

– Most buy a plain VA dressed up as a sexy pentest

• Lack of understanding of the reason

– A PCI pentest is not for finding vulns; you have the ASV scan for that

• Lack of quality assurance

– It takes buying 2-3 bad pentests to understand that they’re bad

• Validation panic

Page 19: How to fix this

• Learn and understand the difference

– Read the PT standards; there are plenty

• PTES, OSSTMM, NIST, ISACA, etc.

– Reason about which ones are good for you

– Ask pentesters you know are really good

• Twitter, mailing lists, security conferences…

• Learn and understand the reason

– Define why you are doing this before posting a PO

– Reason about it and choose what you really need

• PT or VA

Page 20: How else can we fix this?

• Change the payment rules

– Create a list of objectives

– Pay a ‘standard’ price for the Vulnerability Assessment (i.e. the reformatted Qualys report)

– Pay a bonus for each objective in the list

• Choose good pentesters

– Ask for papers (sample reports, certs, references)

• The NDA excuse is irrelevant

– Arrange demo exercises

• (Good) pentesters love exercises

• Honeypots are free

Page 21: How else can we fix this? (dirty tricks)

• Have nerve

– Stress the need for PT over VA, or vice versa, based on your needs

• Push on compliance

– PCI Information Supplement 11.3

• Requires the vulns to be exploited

• Requires channel diversity: social, network, WiFi etc.

• Learn some skills yourself

– It really helps

– And it’s really fun

Page 22: Something to Think About and Discuss

• Vuln Assessment covers a small portion of preventive controls

• PenTest delves into each and every control you have

• Assume you have no need to test preventive controls… Just assume

• How can you test reactive and corrective controls?