
The Role of Professionalism & Standards in Penetration Testing

BSides Athens · 2017 · 40:45 · 31 views · Published 2017-10 · Watch on YouTube ↗
Style: Talk
About this talk
Professor Blyth examines why penetration testing standards matter in an era of organized crime and state-sponsored cyber attacks. He traces the evolution of threats from script kiddies to well-resourced threat actors targeting intellectual property, then discusses certification schemes like OSSTM, GIAC, and the Tiger scheme that ensure testers maintain real-world competency. The talk covers technical depth, reporting skills, and the professional practices that mitigate 95% of common threats.
Original YouTube description: Security BSides Athens 2017 (24/Jun/2017)
Transcript [en]

So, why not show me? My name is Professor Blyth, I'm from the University of South Wales, I'm also the lead examiner for the Tiger Scheme. Right, so, why do we need standards? Three main reasons. One, there's lots of bad people out there trying to break into shit, for shits and giggles. How many people here have seen a film called WarGames, Matthew Broderick? Excellent. For those of you that haven't, it's homework, you haven't watched it. The film that launched a thousand hackers. I've got some really bad news for you. That may have been true 20 years ago, it's not true now. My day job is doing forensics, doing incident investigation, incident management. And in the last 20 years, we've seen a shift away from 15-year-old kids breaking into the MOD, DOD, looking for aliens. Right? If you take the McKinnon case at the moment, his defence was, when he broke into the DOD, he was looking for evidence of alien abduction. Because he believed that; he'd obviously been watching too many X-Files, right? He's a conspiracy nut. Those kids have gone, pretty much. Now we see organized crime and state-sponsored activity breaking into systems. Why? Well, about 10 years ago, the former head of the French DGSE stood up in a public forum and basically said, the Cold War's over. The battle now is for intellectual property. It's all about competitive advantage.

So we see state-sponsored actors targeting companies, we see organized crime gangs targeting companies. Why? Because there's intellectual property there, there's money to be had. Think about the cure for AIDS. We live in a world where effectively it's first to the patent office wins. If I break into Smith-Kline DiCleto, and I steal their cure for AIDS, assuming they have one, and I get to the patent office first, I win. All of the millions of pounds that they've spent on R&D is lost. So we see organized crime, we see hackers for hire out there selling their wares, breaking into companies to steal intellectual property. About 20 years ago, a study was done by a guy called Schmidt, and he did a study of companies that have been broken into. And he found that 18 months after an intrusion, 90% of all companies that had their corporate data stolen had gone bust. That's the world we live in. To counter that, people are taking out cyber insurance. I love that term, because it's actually meaningless. Now, if you read the small print on most cyber insurance policies, they're a complete kind of waste of time. People buy them because they think insurance is good. As part of your cyber insurance, you'll have to show that you're practising safe sex. Right? That you're doing good stuff on your network. That you've got sensible passwords and things like that. You can go down the road of ISO 27001 accreditation. And again, if you go down the road of ISO 27001 accreditation, it basically says you're having a pen test done regularly, and the people are coming in and they're examining your systems and they're being bad guys and they're trying to break into shit and they're telling you how to fix shit so that these guys at the bottom can't get in. So those are the driving forces.

We have high-profile incidents that are making the press all the time. Companies are becoming a lot more aware of the fact that they're being targeted. You've got viruses like WannaCry, which recently hit the NHS, as well as 150 other companies around the world. You've got things like Shadow Brokers. Who here hasn't downloaded the exploits of Shadow Brokers? So you call yourself a pen tester? There's these, Stuxnet, Flame, Duqu, to name just a few. There are loads. Right? And it's interesting because the attack surface has changed. When I started doing pen testing, it was all about remote exploits. It was all about offering phones. Right? Getting in on the network and things like that. And that was the attack surface you were targeting. What services were running on the box. Now, we see attack surfaces via email. Websites. Right? Social engineering. I email you an email that says I love you. Oh, what a noise. Someone loves me. I'm going to open that email. The Love Bug entered the university network at 10 to 9 on a Monday morning. At 10 past 9, it had taken out two mail servers, crippled the university's email system, and it took the university about two weeks to clean up the mess. Now, the university's email systems weren't unprotected. They were using two different antivirus products from different vendors. They were doing patch management. They had firewalls in front of them. They were doing all of the good stuff you do to protect your mail servers, and yet it still got through.

So we have all these incidents that people can't protect against. Biggest driver in Europe at the moment, GDPR. New data protection regulations come into force 18th of May 2018. Why is it having an effect? Because under GDPR all companies are legally required to report a data breach. What is a data breach? Any loss of personal data. What is personal data? Anything that can identify an individual. An email address is personal data. That means if a company loses an email address to the outside world, they legally have to report it to their data commissioner. If they lose a laptop, they legally have to report it to the data commissioner. If they lose a USB stick containing personal data, they legally have to report it to the information commissioner. If they are hacked, effectively they will have lost personal data. Why? Because the hacker will be downloading information. If that information contains one name of a person, you have a data breach. You legally have to report it. There is no get-out-of-jail clause. There is no, oh, I'll think about it. It's only like this. You legally are required to report it. And the maximum fine is 5% of the company's global turnover. Not your local turnover, your global turnover. If you're Google, you're talking about a fine running into hundreds of millions of pounds. If you're a bank, it's the same. So certainly in the UK, this is a massive driving force at the moment towards the delivery of pen testing services. In fact, all the pen testing companies that I know at the moment, working in the UK, are effectively telling me they are all maxed out. People are coming to them and saying, I need a pen test. They're basically saying, yeah, that'll be about nine months from now. No, I need a pen test next month. No chance, sunshine. All our guys are fully booked.

What pen testing is not: it is not running Nessus and giving your client a Nessus report. I'm always amazed at the number of, quote, pen testers out there. Companies come to me and they start, you know, can you interpret this report for me? These guys have gone in, charged them a fortune for running Nessus, put their company logo on the front of a Nessus report, given the Nessus report to the company and said, thank you very much. That's not a pen test. It's running a Nessus scan. Most companies should be running their own Nessus scan. If you take the university, we run a Nessus scan over our entire infrastructure every single three months. And that's just for us considered good practice, and it's true for most organisations in the UK now. So what is professionalism? Why is professionalism important? Well, it's about responsibility and accountability. When you're doing a pen test and you break into the company's networks, you're going to have access to everything. You're going to have access to their corporate data. Right? They're trusting you that you're not going to copy that corporate data and sell it on the internet. So it's about accountability.

It's about accountability. It's about integrity. Right? They're trusting you. How do they know that? How do they know you're competent to do it? Right? Normally, you say, well, of course I'm competent. I'm a pen tester. Look at me. I'm really busy. One of the guys I know, Chris McNab, who wrote the Network Security Assessment book, currently works in Las Vegas. And he moved from the UK to Las Vegas to set up a pen test company. He now drives a gold-plated Porsche. Okay, he's a bit of a show-off and he can be an arrogant prick at times, right? But driving around with a gold-plated Porsche, that says something about what money he's making. Why? Because he's good, because he's competent, because people trust him, because he acts in a professional way. So standards are important. They help us in terms of showing that we can comply with regulations, because increasingly regulations are taking more of a part in pen testing, and you can demonstrate compliance. When companies have a data breach, and they will, you want to be able to go to your information commissioner and say, we practise safe sex. We are ISO 27001 certified. We have pen tests. We have an incident management team. The fact that we got hit by a zero day is not our problem. Why would WannaCry achieve the success it did in breaking into the companies that it did? Well, because effectively it was a zero day. Yes, Microsoft had published a patch for it, but most companies hadn't applied it.

General standards we should all be familiar with: so things like IEEE and ACM all produce codes of conduct governing how the IT professional should behave. You also in the UK have the BCS, the British Computer Society, and the IISP, the Institute for Information Security Professionals, that cover codes of conduct. If you come to pen testing, effectively the first standard that there was was the GCHQ CHECK scheme. And we can trace a lot of this professionalism back to the CHECK scheme. So if you go back about 30 years, if you were a pen tester operating in the UK and you wanted to do government work, you had to be CHECK certified. That is to say, you had to have sat the GCHQ assessment and passed it.

And that was the only badge in town. The problem that GCHQ had was they got taken to court. And they got taken to court for something that wasn't their fault. They got taken to court because banks in the UK started saying, we want CHECK-certified staff to work on our systems. Because that was the only badge there was, and they wanted people that were competent and trustworthy and things like that.

The problem was, to be a CHECK supplier you had to be a UK national. You had to be able to hold SC security clearance, and that prohibited a lot of foreign companies, French, German, things like that, from operating in London. So they took GCHQ to court; GCHQ turned around and said, not our problem, sunshine. Right, it's a banking sector problem, we run the scheme, they're mandating it, off you go. To help address that, they started to drive professionalism and the creation of professional bodies. Thus, the Tiger Scheme was born. There are effectively two standards in the banking sector. So you have CREST and CBEST, which are pen testing standards in the financial sector. Why are the financial sector concerned about it? Well, there's a great quote by Bonnie and Clyde. When the FBI were interviewing Bonnie, they said to him, why do you rob banks? And he said, because that's where the money is, stupid. We've gone online, but that's where the money is. Look at the Zeus program, targeting people, targeting bank accounts.

If you go back to one of the first attacks you had in the financial sector, it was done against a bank called Citibank. And Citibank did the honourable thing. They stood up and they said, we've been hacked, we've lost 400 million pounds, we're going to fix it. Overnight, Citibank went from being the number four bank in the UK to a bank that was virtually non-existent. Why? Because everybody thought, shit, if they can be hacked, I've lost my money. So everybody went to Citibank to get their money out of Citibank, and Citibank nearly went bust. Consequently, the banking sector woke up and went, probably panicked, we need to do something about this. I'll need standards of war. PCI testing. If you're using credit cards and credit card processing and things like that, you have to be PCI tested. Otherwise you won't be allowed to do it. And PCI is a mandated standard. Right? How many people here do PCI testing?

You have to adhere to this standard. If you don't adhere to this standard, you're not doing your job properly and arguably you're guilty of fraud. But they basically said credit cards are one of the things that people try to attack. If I can get hold of your credit card, I can stop doing things with online banking and things like that. How many people here haven't heard of OWASP? Don't worry guys, right? OWASP is basically the standard for pen testing web apps. Right? So if you're looking to do pen testing on web apps, you're looking to use OWASP. And effectively most professional bodies now, and Tiger's the same, have adopted OWASP as the standard for web app testing. Right? It defines all of the major vulnerabilities, the classifications of vulnerabilities that you're going to find in a web app. So things like cookie fixation, cross-site scripting, etc., etc., are all there under the OWASP app. If you're doing pen testing on web apps and you're not using the OWASP standard, I would argue you're not doing your job properly. You're not being a professional. In the UK and across Europe and in America as well, we've seen the growth of standards. Right? So in America you have, I just didn't have a laser. Yep. You have OSSTM. This has been adopted by the FBI, the Mexican government as the standard that they want. I personally don't like it. I think it's a bit big and bulky, but that's a personal choice. You pay your money, you take your choice. It is big, it is complicated, it covers everything like wireless and all of that shit. I should mention SANS in passing. How many people here have been depressed? Yeah, get the fuck out of the room.

They are another certification body operating in the UK. Tiger Scheme is of course the best. I'm biased, I accept that. By definition, I'm a professor, I'm an academic, therefore I'm right. Accept it, move on. Tiger Scheme was set up to certify the individual, to allow an individual to have a set of competencies that they could go to a company with and basically say, why are you allowing me to do this test? Because I'm Tiger certified. Wherever you go, you take Tiger certification with you. So if you look at some other schemes, they tie certification to companies. If you take CHECK as an example, if I want to be a CHECK examiner, I have to be working for a CHECK company. If I'm working for a non-CHECK company, I cannot be a CHECK examiner. Right? Tiger Scheme says you're Tiger certified wherever you go. It doesn't matter which company you work for, you carry that certification with you. And we're competency based. So we don't run assessments that are capture-the-flag exercises, we run assessments that simulate real-world environments and have you doing things as in the real world. Thus, when you get around to working on site, people can have confidence that you know what you're doing. That you've proved you've got the skills in a synthetic environment. You're examined by people that know what they're doing.

So what's in the Tiger standard? Well, one of the problems that you have in this space is a lot of people have rushed to do technical standards. Right? So, do you do Metasploit? Do you do Nessus? Can you identify Windows vulnerabilities? Can you exploit a Windows vulnerability? Right? That's their standard. If we do that, we have all of that stuff in here that you would expect about mapping out networking, network topologies, understanding how networks and firewalls will work, understanding how operating systems work, so Windows, Linux, shit like that. Identifying and validating vulnerabilities, right? Classifying risks to the customer, of saying, is this a major thing? Is it not a major thing? I assume companies will come to me and they say, we've had a pen test done, we've had this report done, and they broke in, and they broke in using a zero day, and how do we fix that? And you say, well, you don't, right? Has Microsoft promised a patch for this? No. Tough. You're vulnerable. Live with it. It's a zero day. There's not a lot you can do with it until the patch comes out. We also deal with a whole bunch of the social stuff about the before and after of running a test. So things like, can you write a report in English? I'm always amazed when I read pen testers' reports that there are lots of guys I know out there that are really technically bright, and you get around to saying, I need you to write a report now, right? And they just basically freeze, right?

Now what do you need to do? Write an executive summary. I've seen pen test reports that are 150 pages in length with a two-page technical summary. Which bit do you think management reads? It's not a trick question, guys. The two-page management summary. Do they read 250 other pages on the back of it? No. They read the two-page management summary. It tells them what to do. You have these vulnerabilities, these patches are available, go and patch them. Why was the NHS broken into? Because it wasn't running proper patch management. Well, yeah, that statement's true. Actually, there's a really interesting reason, as an aside, why the NHS was broken into, and that is because most of the NHS systems were embedded or IoT running embedded Windows, predominantly Embedded XP. Now people say, that's okay, you can patch that. And you say, let's get this right. I'm a patient. I've got a heart monitor running Windows Embedded XP. And you're saying you want it to automatically download and apply patches and reboot itself when it's running a heart monitor. I don't think so, sunshine. You've got a million pounds' worth of CT scanner running Embedded XP; it's going to automatically download and patch itself. I don't think so, sunshine.

One of the problems that we have at the moment is this IoT word that gets bandied around. Actually doing pen tests on IoT environments at one level is very easy, right, because, you know, they're standard, they connect to wireless networks, they're running embedded systems and things like that. Patch management of IoT is a massive issue at the moment. How many people here are driving Audis, BMWs or Mercedes? Well, I know he is. You've got an embedded computer managing your engine. Gone are the days of the Mark 2 Land Rover that had a physical connection between the steering wheel and the wheels. Right? If you go back to the old days of cars, you had a physical connection. I turned the wheel that way, there was a physical rod that turned the wheels. It was physical. We don't have that anymore. For years we've had drive-by-wire. Right? The steering wheel is connected to a sensor. I move it that way, sensors move your wheels. That's a computer system. What happens when I hack it? I take over your car.

The last thing you want your car doing when you're doing 70 miles an hour down the motorway is for a little thing to come up on the screen saying, connecting to Windows Update server, please wait. Downloading patch, applying patch now, rebooting operating system, blue screen of death. Wouldn't that inspire confidence, guys? So, IoT, big thing.

The bit at the beginning, the management bit of it, the scoping it out, defining the aims and objectives, whitelists, blacklists, getting letters of authorisation. I'll tell you the mistake most pen test companies make. You get a letter of authorisation. How many companies here check that that letter of authorisation is given to you by a person who is authorised to give you a letter of authorisation? Yeah. See, if I say to you, there's Greg's laptop, I give you permission to hack it, right? And you guys go, Greg, I have the authorisation to do it. No you haven't, because I'm not authorised to give you that permission. So checking that the people you're dealing with actually have the authorisation to allow you to do it. Scoping out what that authorisation means. Yes, you can hack these IP addresses, but only between nine to five. Can you do active exploitation? Right? So when you identify a vulnerability, can you go and pop the box? Yes or no? Right? You have to be really clear about that. Because if you're dealing with a production system, and you're popping the box, and you're breaking things, they could stop working. Has the customer backed up its data? Do you know, and I'm always surprised by the number of pen testers that, when they're doing it, you talk to them and they say, yeah, we did this test, but we made a discovery halfway through the test. And I said, what was that? And they said, we weren't the only people that had popped the box. There were hackers on the box. How many pen testers here actually know how to do incident management and forensics? Because it's not uncommon when you're doing a test to be going to a customer and basically say, we've discovered evidence that you've been broken into. So somebody's been operating on this box, somebody's been creating accounts, somebody's been doing this. How do you manage that?

If you look at the CHECK scheme, it started off basically saying pen testing is pen testing. It started to diversify. So we started to see, as the networks have grown, companies offering particular brands of pen testing. So there are some companies I know that basically say we do pen testing on Cisco. We only pen test your Cisco kit, or pen test your routers, your switches, your firewalls, etc. Why? Because there are rootkits out there for Cisco PIX. There's rootkits out there for a Cisco switch, a Cisco router, that they can break into. There are some companies I know that say, we'll do pen tests on Windows. We'll pen test your Active Directory, your Windows infrastructure. We don't worry about the networking infrastructure. There are companies out there I know doing Linux and Unix and embedded systems and things like that. We've got web apps, right? Lots of pen testers that I know these days spend their days doing nothing but testing web apps. So PHP, JSON, JavaScript, back-end databases and things like that. They don't care about the Active Directory and things like that, so these standards have emerged. Also, you're looking at things like certification of forensic investigators. So branching out a bit here, when we talk about professionalism and things like that, scene of crime management: what do you do when the system has been broken into? Right? Because I'll tell you something you don't do: you do not let the system administrator anywhere near the system when the system has been broken into, because he will run around like a little teddy bear on steroids accessing files and changing timestamps. Right? Malware analytics.

Increasingly, we see malware being one of the frontline vehicles for people breaking into systems. Doing the social engineering. How many people here have heard of the term red teaming? Can you imagine most of you have? Yeah? So red teaming is basically looking at linking together physical security, online security, so social media and things like that, social engineering and advanced high-end pen testing. Here's an example of a real forensic case that I worked on. These guys spent six months social engineering, profiling a guy. He was a classic car nut. He had a beautiful, mint-condition E-Type Jaguar. It was the love of his life. He went out to classic car shows to show his car off. They built a proper functioning classic car website purely to attract this guy. They spent six months building up a relationship with him to get him to a point where somebody could send him an email about, hey, here's a link to a classic car website, for him to go to. This classic car website was built and tailored for him to access. So it detected when he accessed the system and it exploited his browser. It was a proper website. They weren't interested in hacking anyone else, just this one guy. They probably spent the best part of half a million to a million pounds social engineering this one guy because of who he was and what he had access to. So they're getting better, they're getting more sophisticated. The other final key requirement I would say is, if you're a pen tester, and it's certainly true for the UK, most of the pen testers that I know in the UK are borderline alcoholics. So being able to drink like a fish, if you're a pen tester, certainly in the UK, I can't speak for Greece, is a critical requirement.

Questions?

Nobody? Last chance, yes sir?

If you are talking about, at a state-sponsored level, you're dealing with well-resourced, well-trained, well-educated individuals. Detecting a state-sponsored attack is difficult and hard because they've got the resources, the effort and the energy to make themselves stealthy. There is also an active market out there at the moment where you can go and buy zero days. So I used to work for the MOD as a cyber lead. So I ran all of the MOD cyber programs and we would buy zero days. It's perfectly legitimate; there are companies you work with, there's nothing illegal about it. You know, there were companies like Endgame and things like that that I could go to and I could buy zero days from them. At a state level, defending against that type of attack is very, very difficult because we're talking about detecting zero days, and the zero day by definition is unknown.

If you're talking about organized crime, it gets a bit easier, because organized crime doesn't necessarily have the money or access to those types of companies to buy zero days and things like that. They do have access to some very, very bright hackers and very, very bright people to do things. The reality is that we will always be playing catch-up. We're like the virus companies, anti-virus companies. We'll always be playing catch-up with the people that are out there that are developing the exploits and things like that. Having said that, there are things that we can do to get companies to change their culture and for companies to behave in a better way. So things like patch management, having intelligent passwords, doing all of that safe sex stuff that we talk about. I always say to companies, if you have a firewall, if you do patch management, if you have antivirus, and you keep those things up to date, you've just mitigated 95% of the threats that are out there. So behaving in this professional manner actually has a really, really big impact because it makes it harder for the bad guys to get in. The problem that we have is, and it's a problem we can do nothing about, it's the same problem that the Americans have in battling Al-Qaeda. They take out the commanders that are bad, that have bad operational security. What are they left with? The people that know what they're doing, the people who have good operational security, the people who are hard to detect. The same thing is true in the hacker world. Every now and again we'll stand up and we'll say, we arrested little Johnny, we've arrested this group, we've arrested that group. When you look at why they were arrested, it's pretty much because they had bad operational security. They didn't know what they were doing.

Most hackers now, they've woken up to the fact that if you want to hack a system, you want to be at the end of a VPN. Preferably, you want to be at the end of two or three VPNs, probably tunnelling it through a Tor network somewhere in the middle. To all intents and purposes, if I've got a VPN connecting to a Tor network connecting to a VPN, I am undetectable. Okay, I'm gonna have shit network bandwidth. Let me put a proposition to you. If you're a hacker and you're doing bad shit, which would you rather do? Have really bad bandwidth and not be arrested, or have really good bandwidth, be arrested, be extradited to the US to share a cell with a big guy that when you walk into the cell says, you're my puppy now, boy.

I think that day, maybe this is supposed to be, but now it's not. But then there's a lot of ways between this now that everybody's going to make it, everybody's sending this to us, information. This is true. Right, but we all have mobile phones. OK, I don't, because mine's currently not charged, but I don't have my charger in the UK. And this is continuous risk in the, you know, in the environment of the problem. So, yeah.

But there are, I mean, you know, you can buy a zero day for an Android phone. You can buy a zero day for an Android phone. You can target these people, you can target these networks, if you know what you're doing. Again, it's a different sort of pen testing and things like that. So if you're targeting somebody's phone, what you're effectively doing is, the way you're going to infect that phone is you're going to trick them into going to a website of some description that allows you to exploit the phone and things like that. Again, one of the things that we've just seen with organized crime and other high-end hacking groups is that they will put the time, the money, the effort, and the energy into building the test rigs. Right? You know, those pen test companies that are good, when you look at how they arrange a pen test, they give their hackers time, they give their pen testers time to do research. So before they go out on a job, they'll be given a sheet that says, these are the operating systems you're going to be targeting. You've got two days on our test infrastructure to make sure you know what you're doing. To make sure you've tested the exploits, to make sure your exploit kit is up to date. Most pen testing, if you go back to the early days of pen testing, it was all about your laptop and the kit that you had on your laptop and everything like that. Now, we don't talk about that. Why? Because companies are managing corporate VMware images. You take all of the major test companies in the UK and basically you'll get a laptop and they'll say to you, well, you don't care what make and model that laptop is. Why? Because it'll have no tools on it. In fact, it'll only have two things, well, three things on it. It'll have VMware, it'll have Microsoft Office and it'll have an operating system. And those are the only three things that they are effectively running on those laptops, and everything else is running in a VMware environment. So we talk about pallets and units and things like that, they're all running corporate VMware images and stuff like that. So they do. So the time, the effort and energy to test things. But yeah, you're right. The attack surfaces are getting bigger all the time. Look at the car of the future. They're talking about your car being the internet hotspot, that wherever you go, your phone is linked into your car and that's linking in. And that's going to generate a massive attack surface. What does that mean? More work for us, right? Do I see us being out of business any time soon? No. What I do see, certainly in the UK, and I would argue it's gonna happen across, certainly here, is things like GDPR driving the need for pen testing and therefore driving the need for professionalism and things like that, of people that go in and know what they're doing and aren't going in and just running stuff like Nessus. And I think Greg's about to kick us out. Loads time. Loads time. Thank you.
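The scoping points raised in the talk (a letter of authorisation signed by someone who is actually authorised to sign it, a list of in-scope IP addresses, a testing window such as nine to five, an explicit yes or no on active exploitation, and whether the customer has backed up its data) can be turned into a gate that a tester's tooling consults before every action. The following is an added example written for this page; it is not code from the talk, from the speaker or from the Tiger Scheme. Every name, address, signatory and time in it is constructed, and the rules-of-engagement fields it models are one possible layout, not a standard.

```python
"""Rules-of-engagement gate for a penetration test (added example, not the talk's code).

Models the scoping checks the talk lists: is the authorisation letter signed by
someone entitled to sign it, is the target in the authorised address ranges
(and not on the exclusion list), is it inside the testing window, and was
active exploitation agreed with backups confirmed. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Authorisation:
    """The letter of authorisation and who signed it."""
    signatory: str
    # Names the client confirmed out of band as entitled to authorise testing.
    authorised_signatories: List[str]

    def is_valid(self) -> bool:
        return self.signatory in self.authorised_signatories


@dataclass
class EngagementScope:
    """What the client has actually agreed to."""
    authorisation: Authorisation
    in_scope: List[str]                                   # CIDR blocks (whitelist)
    excluded: List[str] = field(default_factory=list)     # blacklist inside the scope
    window_start: time = time(9, 0)                       # "only between nine to five"
    window_end: time = time(17, 0)
    active_exploitation: bool = False                     # "can you pop the box? yes or no"
    backups_confirmed: bool = False                       # "has the customer backed up its data?"

    def target_in_scope(self, target: str) -> bool:
        try:
            ip = ip_address(target)
        except ValueError:          # hostnames or garbage never match a CIDR list
            return False
        if any(ip in ip_network(c, strict=False) for c in self.excluded):
            return False
        return any(ip in ip_network(c, strict=False) for c in self.in_scope)

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # A window that crosses midnight, e.g. 22:00 to 06:00 for a change freeze.
        return t >= self.window_start or t < self.window_end

    def check(self, target: str, when: datetime, active: bool) -> Tuple[bool, str]:
        """Return (allowed, reason); every refusal names the scoping gap."""
        if not self.authorisation.is_valid():
            return False, f"signatory {self.authorisation.signatory!r} is not authorised"
        if not self.target_in_scope(target):
            return False, f"{target} is outside the authorised scope"
        if not self.in_window(when):
            return False, f"{when:%H:%M} is outside the testing window"
        if active and not self.active_exploitation:
            return False, "active exploitation was not authorised"
        if active and not self.backups_confirmed:
            return False, "active exploitation requested but backups not confirmed"
        return True, "ok"


def example_scope(active: bool = True, backups: bool = True,
                  signatory: str = "A. Client CISO") -> EngagementScope:
    """Constructed engagement: one /24 in scope, one production host excluded."""
    return EngagementScope(
        authorisation=Authorisation(signatory, ["A. Client CISO", "B. Client CTO"]),
        in_scope=["10.20.0.0/24"],
        excluded=["10.20.0.10/32"],
        active_exploitation=active,
        backups_confirmed=backups,
    )


def check_at(scope: EngagementScope, target: str, clock: str,
             active: bool = False) -> Tuple[bool, str]:
    """Convenience wrapper: 'clock' is HH:MM on the (constructed) test day."""
    when = datetime.combine(datetime(2017, 6, 24).date(),
                            datetime.strptime(clock, "%H:%M").time())
    return scope.check(target, when, active)


if __name__ == "__main__":
    scope = example_scope()
    for target, clock, active in [("10.20.0.5", "10:00", False),
                                  ("10.20.0.10", "10:00", False),
                                  ("10.20.1.5", "10:00", False),
                                  ("10.20.0.5", "18:30", False),
                                  ("10.20.0.5", "10:00", True)]:
        print(target, clock, "active" if active else "passive", "->", check_at(scope, target, clock, active))
```

The gate refuses by default: an address that is not explicitly whitelisted, a time outside the window, or an exploitation step the letter did not authorise all return a reason the tester can quote back to the client. The "Greg's laptop" case from the talk is the signatory check: a letter from someone the client has not confirmed as entitled to authorise testing fails before any target is even considered.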