
Why Pentesting is Vital to the Modern DoD Workforce


As more Department of Defense (DoD) weapon and mission support systems become software dependent and networked, government agencies are increasingly exposed to severe cybersecurity vulnerabilities. For DoD agencies and the systems integrators who support them, it is important to understand how pentesting can help secure next-generation weapons and mission support systems.

Pentesting has been around for decades, but with the technology evolution we’ve seen radical changes in today’s networks, including ubiquitous encryption, the death of the traditional network perimeter, and the advent of new end point devices, including a myriad of IoT devices.

CompTIA’s chief technology evangelist Dr James Stanger explains how pentesting has morphed, and you’ll learn the relevant skills that a pen tester should have today, how organizations use a pen tester, and how to usefully “digest” information gained from a pen test.

Other topics covered include how the IT environment has changed radically in the last five years, pentesting challenges DoD agencies face today, responsible pen testing and the hacker lifecycle, as well as understanding the “hacker’s dilemma”. There's also a demo of responsible pentesting.

For more information on CompTIA training, visit https://www.globalknowledge.com/us-en/training/course-catalog/brands/comptia/


  1. Why Pentesting is Vital to the Modern DoD Workforce
     Presented by James Stanger, PhD
     Chief Technology Evangelist - CompTIA
     A+, Network+, Security+, MCSE, LPI LPIC 1
     Works with IT pros, managers and executives worldwide. Over 20 years of experience in:
     • Penetration testing
     • Security analytics
     • Risk assessment
     • Intrusion detection
     • Linux and open source
     • Network administration
     • Virtualization
     • Web technologies
     • Certification development
     • Courseware creation
  2. Agenda (© Global Knowledge Training LLC. All rights reserved.)
     1. How the IT environment has changed radically in the last five years
     2. Pen testing challenges that DoD agencies face today
     3. Responsible pen testing and the hacker lifecycle: Why does the pen tester even exist?
     4. Understanding the “hacker’s dilemma”
     5. The “hacker’s dilemma” and the hacker lifecycle
     6. Mapping IoCs to steps in the hacker process
     7. Responsible pen testing: A demo
  3. How the IT environment has changed radically in the last five years
  4. How the IT environment has changed
     • NEED FOR NETWORK SEGMENTATION / TRAFFIC ISOLATION
     • CLOUD PROLIFERATION
       • Automation
       • Orchestration
     • DISSOLVED PERIMETER
     • EVOLVING ENDPOINT
       • IoT / Mobile
       • Sanctioned, and otherwise
       • Formal and informal tracking
       • Data leakage
       • Greater connectivity
     • GLOBAL MILITARY OPERATIONS COMMAND AND CONTROL INFRASTRUCTURE
       • Modern equipment
       • Legacy equipment
     • SECURITY POSTURE
     • INCREASED NEED FOR “POP-UP” NETWORKS WORLDWIDE ATTACK SURFACE
  5. Pen testing challenges that DoD agencies face today
  6. Social engineering
     • Most attacks are perpetrated against individuals
       • Not misconfigured systems
       • Not software flaws
     • Millions of potential victims just waiting to be:
       • Exploited
       • Tracked
       • Stolen from
  7. Credential harvesting
     • Stealing authentication information
       • User names
       • Passwords
       • Associated information
     • The third most popular attack
     • Involves
       • Social engineering using a “pretext”
       • Phishing, spear phishing, whaling
       • Obtaining physical access
       • Tricking individuals and groups of users
  8. Legacy devices and myriad platforms
     • They are legion!
     • Not just PCs, either
     • Examples:
       • Servers from 1990s to now
       • Mainframes
       • Old notebook / tablet
       • Communications equipment (e.g., radio)
       • Drone software
       • Industrial Control System (ICS) / SCADA
  9. Suspect implementations and platforms
     • Domain Name System (DNS) servers
     • Recent auditing initiative
     • Why?
       • Talented teams tend to get broken up and re-deployed
  10. Emerging technology
     • The DoD uses emerging tech, as well
     • Examples
       • Drones (not a contradiction from the previous slide)
       • Weapon guidance systems
       • Communications
       • Augmented Reality
       • Infrastructure
       • Robotics
       • 3D printing
       • Pumping, filtration, power
  11. Increasing reliance on tech
     • What isn’t on the network or a computing device?
     • Unprecedented reliance on a relatively brittle set of technologies
     • How impact resistant is the average PC?
     • How much can be done to affordably / reliably harden something?
       • Physically
       • Logically
     Therefore, increased risk
  12. Lack of context
     • “Situational awareness” is paramount
     • Commanders need to:
       • Be aware
       • Take proper action
     • Need for:
       • Ability to turn data into actionable information
       • Trend analysis
       • Correlation
       • Big data
       • Cybersecurity perspective
  13. Personnel upskilling
     • Typical profiles
       • They know how to use tech
       • They don’t know how to produce real-life solutions with it
     • Ages
       • 18 – 22
       • 23 – 28
       • 30-something
     • Issues
       • Implications of actions and decisions
       • Older tech
       • Generational issues
  14. DevOps / DevSecOps / SOAR
     • Intelligence platform
     • Automation
     • Orchestration
     • Security Orchestration Automation and Response (SOAR)
       – More than incident response
       – Coordinates at multiple levels
     • Contextualization
     • Threat analysis
     • IDS
     • SIEM
  15. Responsible pen testing and the hacker lifecycle: Why does the pen tester even exist today?
  16. Teamwork: red team / blue team
     • To improve the blue team
     • To create Indicators of Compromise (IoC)
     • Then, the blue team creates the right thresholds and metrics
     • Responsible pen testing
       – Why else would you have these teams?
       – Adjust tactics / strategy
     Diagram labels: Courts; Penetration Testing / Vulnerability managers; Security Analysts; Blue team; Red team
     These teams work together with management to create – and act upon – useful metrics
     This approach helps avoid the “whack-a-mole” approach to security
  17. Searching for gaps - interstices
     • “Space” where one technology connects with another
     • The “hard to reach” places
       • Where “meat space” and “cyber space” converge
       • ICS / SCADA systems
       • Physical access to a building
       • SMS/mobile and Web technologies
       • SQL and Web servers (SQL injection)
       • Domain Name Service (DNS)
       • Networking systems, including 5g!
       • Blockchain implementations!
  18. The hacker lifecycle
     • Related to pen tester lifecycle
     • Many models
     Lifecycle diagram (steps numbered 1 to 7); labels that survive: Planning and scoping, Information gathering, Investigation, Clean up, Reporting
  19. Models (attack, and security)
     1. Lockheed cyber kill chain (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
        • Threat-based
        • How to stop attacks
     2. ATT&CK (https://attack.mitre.org/wiki/Main_Page)
        • Not just preventing threats
        • How to find them once they’re in
     3. NIST 800 blah, blah, blah
     4. Carnegie Mellon CMMI
  20. Tool overview (pen tester)
     • Don’t get lost in the “tool parade”
     • Know when to use them, and why
     • Many other tools available for pursuing the hacker lifecycle
     Tools and job roles
     • Discovery (e.g., OSINT tools, Shodan, Nmap, Maltego)
     • Penetration / persistence / action on objectives (e.g., Metasploit, BeEF, peach, AirCrack-ng, Netcat, Burp Suite)
     • Crackers (John the Ripper, THC Hydra)
     • Kali Linux or Parrot (Debian/Ubuntu Linux – includes many tools)
  21. The hacker’s dilemma and the hacker lifecycle: Mapping Indicators of Compromise (IoC)
  22. Look for indicators of compromise (IoC)
     Locard’s exchange principle
     • The perpetrator of a crime will:
       – Bring something to the crime scene
       – Leave something at the crime scene
     • Essential for success
     • Also for metrics
     What does this mean for IT security?
     • Map controls to indicators of compromise
     • Essential resources
       – Servers (application layer)
       – End users
       – End points
     • Processes
  23. The hacker’s dilemma and security frameworks
     Diagram labels: DMV; Corrections; Municipal; County; State; Federal; Law Enforcement Message Switch
     • It’s vital to focus on identifying the hacker lifecycle
     • Mitigation involves inhibiting the hacker as well as detection and response
     Copyright (c) 2017 Target
     You can use any framework. It could be the NIST Cybersecurity Framework, or NIST 800-53 or COSO or ISO whatever. Regardless of framework, the key is to create – and use – a matrix that helps you focus your security activities as a company.
  24. Mapping lifecycle activities to tools

     | Activity | Description | Pen testing tool | Security analyst tool |
     |---|---|---|---|
     | Discovery / Reconnaissance | Use active and passive scanning techniques to identify vulnerable people, processes, and systems. | Whois, Shodan, Nmap, Metagoofil | Phone call logs, End point log files (e.g., Windows / mobile phone logs) |
     | Penetration | Use social engineering to deliver attack vector | End user / Metasploit, shell commands | Antivirus, centralized logging tools for end point and firewall |
     | Pen / escalation / lateral movement | Transfer the Windows SAM, or the Linux /etc/shadow file. | Metasploit (includes Meterpreter), BeEF | Active Directory / Kerberos / LDAP logs, SGUIL |
     | Pen / Persistence | Decrypt the accounts database file/info | John the Ripper / Online password cracking resources | Tripwire, Splunk |
     | Persistence | Insert a specific registry key to open a port or activate a service such as the Remote Desktop Protocol (RDP) | Meterpreter / BeEF, scripts | Regshot, WinMerge, RegistryChangesView |
     | Action on objectives / Data egress | Obtain or change sensitive information | Native tools on victim system | Process Explorer, Snort, Sagan, Bro, any SIEM tool |
     | Lateral movement | Identify pre-existing shares and stored credentials | Native tools / Meterpreter | AlienVault, Suricata |
  25. Responsible pen testing: A demo
  26. Discovery / Reconnaissance
     nmap -O 10.0.2.20
     • Types
       • Passive
       • Active
     • nmap (active)
     • Whois (passive)
     • Maltego (passive)
     • Shodan (passive)
     • Web site
     • Command line
     • Used with other applications
  27. Nmap (active)
     • nmap -Pn -sS 10.0.2.20
       Disable ping, SYN only
     • nmap -O -sV -iL targets.txt
       OS fingerprint, deep ports, target file
     • nmap -T3 -d 10.0.2.20 -oX stanger.xml
       Timing, debugging, output (XML)
     • nmap -Pn -sT -D 192.168.0.2,193.5.6.7 10.0.2.20
       Disable ping, full connect, decoy
  28. Shodan (passive)
     • Search engine – passive scanning
     • Spider service reads banners
     • Provides searchable results
     • The Google for pen testers
     • Three modes
       • Web site
       • API
       • Application (Python)
  29. Maltego – providing more (passive) context
     • Information gathering
       • Accurate
       • Quick
     • Visual representation of how information flows between systems
     • Interconnections
     • Search
     • Context-specific
     • Helps find indicators of compromise
  30. Penetration / password dumping
  31. When it goes wrong
     • Not every attack is successful at first
     • Sometimes, the exploit goes too far
     • Consider the IoCs
       – System reboots
       – Memory dump files
  32. Overview of the hack – Using an online password cracker
  33. Persistence / upgrading
  34. Courses
     • Security+ Certification Prep Course
     • CASP+ CompTIA Advanced Security Practitioner Prep Course
     • CySA+ Cybersecurity Analyst+ Prep Course
  35. Learning More
     For additional on-demand and live webinars, white papers, courses, special offers and more, visit us at GlobalKnowledge.com
  36. Thank you!
     James Stanger, PhD
     jstanger@comptia.org
     +1 (360) 970-5357
     Twitter: @jamesstanger
     Skype: stangernet
     My CompTIA hub: https://certification.comptia.org/it-career-news/hub/James-Stanger
     Latest articles and blog entries:
     • Two sides of the same coin: Pen testing and security analytics
     • Penetration, persistence, and future attacks (forthcoming, Admin Magazine)
     • What’s hot in network certifications (NetworkWorld)
     • Escaping the Cybersecurity Metrics Matrix (CompTIA)
     • Private Eye: Open source tools for automated pen testing (Admin Magazine)
     • Thoughts about the help desk (YouTube)
     • The Hunt for the Meaning of the Red team (CompTIA)
     • The IT security disconnect (HP Enterprise)
     • A blockchain manifesto? A report from the RSA 2018 Blockchain Focus Group
     • Cloud Orchestration with Chef – Admin Magazine
     • No more close shaves: Talking end user security
     • How CIOs can optimize ITSM software (SearchCIO)
     • Vulnerability management: How to target bug bounty programs (TechTarget)
     • My career change journey: The importance of networking
     • The role of the service desk in the cybersecurity kill chain (HDI)
     • How to prevent insiders from breaching your data (Forbes)
     • Threat Hunting with Yara – Admin Magazine
     • 10 critical security skills every IT team needs (interview, CIO Magazine)
     • How AI can help you stay ahead of cybersecurity threats (CSO Magazine)
     • Don’t hack me, bro! (Admin Magazine)
     • At the hop: Security testing with hping3 (Linux Magazine)
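
As an added example (not code from the presentation), the sketch below applies the slide 24 matrix from the security analyst's side: it flags a port sweep in firewall logs as Discovery / Reconnaissance and a changed Remote Desktop registry value in a Regshot-style before/after diff as Persistence. The log format, addresses, thresholds, watchlist and snapshot contents are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: 10.0.2.15 sweeps many ports, 10.0.2.30 is a normal client.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389]
FIREWALL_LOG = [
    f"2019-05-01T10:00:{i:02d} TCP 10.0.2.15 -> 10.0.2.20:{port} SYN"
    for i, port in enumerate(SCAN_PORTS)
] + ["2019-05-01T10:00:05 TCP 10.0.2.30 -> 10.0.2.20:443 SYN"]
LINE = re.compile(r"(\S+) TCP (\S+) -> (\S+):(\d+) SYN")

# Constructed Regshot-style snapshots (registry value -> data), taken before and after.
RDP_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
BEFORE = {RDP_VALUE: 1, r"HKLM\SOFTWARE\ExampleApp\Version": "1.0"}
AFTER = {RDP_VALUE: 0, r"HKLM\SOFTWARE\ExampleApp\Version": "1.1"}
WATCHED = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",)  # assumed watchlist

def find_port_sweeps(lines, min_ports=10, window=timedelta(seconds=60)):
    """Sources that sent SYNs to >= min_ports distinct ports on one host within window."""
    hits = defaultdict(list)  # (source, target) -> [(time, port), ...]
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            hits[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
    sweeps = {}
    for (src, _dst), events in hits.items():
        for start, _port in sorted(events):
            ports = {p for t, p in events if start <= t < start + window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps

def watched_registry_changes(before, after, watched=WATCHED):
    """Values under a watched key that were added, removed or modified."""
    changed = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old != new and name.startswith(watched):
            changed.append((name, old, new))
    return changed

def map_iocs(log=FIREWALL_LOG, before=BEFORE, after=AFTER):
    """Tag each finding with the lifecycle activity it evidences."""
    findings = [("Discovery / Reconnaissance", f"{src} probed {len(ports)} ports")
                for src, ports in find_port_sweeps(log).items()]
    findings += [("Persistence", f"{name}: {old} -> {new}")
                 for name, old, new in watched_registry_changes(before, after)]
    return findings

if __name__ == "__main__":
    print(*map_iocs(), sep="\n")
```

The unrelated `ExampleApp` change is ignored because it is outside the watchlist, which is the point of mapping controls to specific indicators rather than alerting on every difference.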
