EH-Net
Show Posts
May 22, 2013, 10:30:41 PM

16
Ethical Hacking Discussions and Related Certifications / OS / Re: I have been dealing with my hacker on my own, now I need some help.
on: May 21, 2010, 09:05:39 PM

Hello MsRefusenik,
Once a machine is compromised by an attacker, spending time attempting to recover it is a futile approach.
Take your computer down to a local, well-known Mac store and have them take a backup of your data, then format and reinstall the latest Mac OS operating system.
Have them complete a full update of all the software on the computer and set it to do regular auto-updates. While this is happening, change every online account's password to a new, strong pass-phrase.
Engage the Mac shop's help to update the router you have at home and reset its password, and do the same for things such as wireless access points you may own.
This will have you at a point where everything is secure and clean.
To avoid the attacker coming back, don't open email attachments from people you don't know or click on links in emails to web sites. There are plenty of online basic security guides to give you a better understanding of how to keep your online presence safe.

17
Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Policy for personal laptops at work
on: May 21, 2010, 08:38:32 PM

The policy we apply is that only company-owned and managed systems are allowed to connect to the network. Anything else is a breach of company policy and is dealt with through official channels.
For VPN software, the VPN client is only installed on the company laptops. We don't allow the software to be installed on personal machines. Yes, they could get a copy of the VPN software, but without a certificate issued by our internal CA, they won't be able to make a connection. Look for a stronger method of authentication if your current solution is simple PPTP or a shared secret.
Without knowing why home users need to VPN to your network, I can only offer general advice :-)
I'd change your policy so that only company-managed machines have access via VPN, and look to offer web services for casual use. OWA is a great example of allowing staff to stay connected, as email is one of the top must-have access requirements. No VPN required.
To help with removing VPN from home machines and stopping personal machines being added to the network, show the cost of:
a) cleaning up a virus/worm outbreak on the LAN from a home system
b) installing and managing NAP/NAC
c) employing extra staff to manage and support 20 new types of computers
d) the additional cost of supporting all the calls from staff with VPN problems on their home machines
e) having company data saved to employees' personal machines and the company never being able to get it back or delete it when they leave.
Money and unnecessary expenditure tend to get management attention to change poor policies.

18
Ethical Hacking Discussions and Related Certifications / Other / Re: Your Setup or Lab
on: May 18, 2010, 10:42:05 PM

My core test environment is two machines with 8GB of RAM, one running Windows 2008/Hyper-V and the other running Windows 7 with VMware Workstation. Hyper-V hosts a variety of Windows servers and domains and the Win7 box runs all the client machines. The two boxes were built from parts purchased, as cheaply as possible, online. I do have lots of disk space on each system for snapshots and to make clones. This allows for testing different approaches, configurations and patch levels.
I have a couple of hubs, switches, routers, WAPs and firewalls which were acquired during refits and updates. Both core machines have four network ports, which allow me to create realistic networks by mapping the virtual machines to certain NICs. Makes for great troubleshooting practice too, getting it all working ;-)
I was also able to get a couple of end-of-life laptops, which I use for packet capturing/IDS and as attack systems running distros.
If you want to save money, MS have plenty of 120-day trial copies of their new products and there are a number of .vhd images of pre-built systems. This allows you to play with Windows without having to buy any licenses.
Hardware can be picked up in auctions, from talking to friends working in IT or making friends at user groups. It's amazing what companies dump once the kit hits end of life, which is normally at the 3/4 year mark.

19
Ethical Hacking Discussions and Related Certifications / General Certification / What's the ONE training course you want to take this year?
on: May 18, 2010, 08:56:47 AM

All,
Just looking for recommendations or suggestions on security training courses that aren't part of the mainstream SANS, OffSec and EH stables.
A couple have popped up randomly in discussions, which started me thinking about what else worthwhile, but not well known, is out there.
I'm interested in ones with a high quality trainer, excellent supporting material and that you'd recommend.
I'm not too worried about the training being on one particular area, topic or even if you don't get a nice cert for doing it - as long as it's excellent plus worth the time and effort.
Thanks!
Chris

20
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting tools
on: May 18, 2010, 08:37:43 AM

You bring up some great points but I'll respond with the one reason why full exploitation tests don't happen, in my opinion, in most companies: money.
Despite massive media coverage about online threats, breaches and real-world monetary losses, for the majority, security isn't going to be high on the list of priorities. Human nature or just poor awareness leaves companies with a sense it won't happen to them. It's easy to argue that it is a failure of communication or lack of a decent security awareness program for the bigwigs or for anyone that will listen.
It's obvious that IT security is important these days, so I classify it in the same context as why so many people don't buy insurance unless forced to. They don't want to spend the money and justify it in a way that suits them.
Reports from Gartner, Forrester, et al. state that businesses will spend 15-18% of their IT operating budget on security this year. Breaking that down, a small company with an IT budget of 50K will use at least half of that as capital spend, which translates to around 3,750 for security.
Spin that up to 1 mil for a medium company and after the same maths that leaves a respectable 75K. Pull out AV, web filtering and security appliance licences, fees, etc. and you're left with 50K. If other defensive projects are deployed: full disk encryption, HIDS, WAF, NAC or secure remote access, you'd chew up that money without breaking a sweat. Or you could take the approach of hiring consultants in to test a subset of the systems for 5 days.
Let's say they pick the full exploitation pentest and a detailed report is generated presenting the actual risk to the business. Clear, reasonable recommendations are handed over on how to fix or mitigate the risk and the consultants move on to the next client.
The company is left with choices on how to handle the recommendations, all of which are cost based. These costs are in time, manpower, staff education, resources and other projects put on hold while the work is completed. Without a senior stakeholder to make sure this work gets followed through and completed, the other projects will slowly suck time and resources from the remediation work.
My argument is that the business should pick up the bill for security testing. Security is a company concern, not just IT; that would then leave IT with money and resources to work on mitigating the findings from a test. That doesn't happen without the business owner understanding the threat and risk posed to their business. Catch 22 again.
How I'd like to be put on your John the Security Engineer's training path! From my experience, medium-size companies, with a team of 10 IT staff, are unlikely to have a full security engineer role. With standard staff training at around 3-5K a year per person, it would take determination to get to that level in under three years. Even if that person was given sec training, the focus would be on the security devices the company currently has first. Yes, a pentest may help the training budget increase, but not at the pace needed to have a skilled employee in under 18 months or before the results of a yearly pentest. Increased head count to create a sec role is unlikely to happen either. I don't believe pentests are super expensive. They are like any other service, so the costs are variable, dependent on scope and requirements. If we were to pay for a full exploitation test, I would want the best I could afford, just like any other service. I'd be damn upset if your chimp from the woodshed turned up with his shiny tool kit though. Hidden costs, such as assigning the resources to work with the pentesters, to fix what was found, and any system outage times, are critical to factor in, but pretty darn hard to work out ahead of time.
Business folk have to work out where and how to spend their cash. We as IT sec folk would like them to spend it with us to protect against certain threats. They have to balance that against staff and building insurance, growth opportunity, staff cost, PR issues and a million other things. Any one of those million things could result in the business going bust. There are many more public cases of businesses going bust due to more mundane reasons: greed, short-sightedness and all-round stupidity. Lehman Brothers and most of the British and American banks, just to name a few of these in the last year alone. Is the risk of being compromised any greater or less than these? That's for sec professionals to provide advice on, but for the business to make the final call.
That's why I've never got a full exploitation test off the ground. I've talked to businesses, shown them the news clippings of similar companies that have been attacked and the losses they accrued from those attacks, and they still only want audits and assessments. I know I did my due diligence to inform them. You can only play the hand you've been dealt :-)

21
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting tools
on: May 17, 2010, 07:44:34 AM

Fair enough sil, I'd imagine the people that hire you have a vested interest in proving whether their security is working as expected. I'd be interested to know how many companies take the extra step and purchase the full package.

Fear factory of exploiting systems
The problem with live exploits on live systems is that you may break something, even with the utmost care taken. You find we have well-known system X, and have exploit Y for it, and get sign-off to run it. Me, as the client, didn't know that the loony coder had added crappy code to the app and your exploit nails our production SQL server. This stops the factory and Z million dollars is lost while we scramble to fix the broken system. This would be an excellent way of generating new career "opportunities" at other companies for me... Would a bad guy do this to get the gold? Without a doubt. But is a pentest, rather than a code review or assessment, the safer option to discover this?

Your analogy of the door is very clear, but it highlights the bigger problem of a pentest: it only focuses on what you're allowed to test. You do a stellar job showing how to get in and how the company can defend it. What about the un-scoped windows, chimney, cellar or garage entry points?

[quote]Most companies in my experience that solicit pentesting, vulnerability assessments are already aware that a malicious attacker can perform an attack[/quote]
Or, from what I keep seeing, sadly, it is to complete a check box for the auditors. This goes along with any form of compliance: firewall - check, logs - check, "pentest" of web sites - check.

[side track]
Take the requirements of a medium-size company of 2000 staff with a standard internet presence (a couple of interactive web sites, VPN, remote email). They don't have a secret sauce and their most important data is spread over file shares, in email and in databases. They have a couple of small offices in remote locations. The IT group consists of 10 people, with one server engineer who's done a couple of security courses out of personal interest rather than requirement. They have firewalls, AV and keep systems relatively up to date. Security has no priority and availability of internal systems is the number one priority. Would a company like this be aware of the threat agents that are placed to attack the organization? Would it help to undertake full exploitation testing? Do you think most small to large companies have that level of awareness or care factor about security? The company would have to have some cost metric to justify the effort, time and expense of a full test. The need to balance this against what they believe a breach will cost them is paramount. If that test isn't demanded by the board of directors, then do you think it will get anyone from that company any closer to a better security posture? Showing that you could become a domain admin in 30 minutes or walking out with a server's contents is a huge, in-your-face visual statement, but what if it is only shown to the IT group or mid-management? The CEO needs to see the results and the effect it can have on his business for real change to be made. I'm not disputing that a fully scoped pentest of that level has its place, it is just a difficult sell in most companies I have had experience with. The pages of the major business news have been full of TJ Max, RBS, the US government and a large pile of Fortune 1000 companies which have been successfully attacked. Why isn't there a line of board-level execs demanding security and the best validation that the measures actually work? Is it that they don't care, don't understand or think it won't happen to them?
[/End of side track]

[quote]Aside from that, the problem with the majority of tools is that... They CAN'T THINK and DON'T THINK like an attacker. They often "THINK" the way an attacker did months or years ago, then created a rule to *try* that vector but an attacker is resourceful and this is what should be tested and defended against.[/quote]
I think we could spend hours debating whether exploits should be used, over beers preferably, but this goes back to my original response to jonas' question. I'd rather hire someone who can argue his corner, put across to the business why they should go the distance, and can adapt to the situation in hand, rather than someone just having a shiny pile of tools.

23
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting tools
on: May 15, 2010, 07:40:46 PM

@ sil & Ketchup,
To me, that's the value of having professionals that help the client scope the review and can advise the client of risk before pressing a button.
Having all the latest and greatest tools is way down the list of requirements. A skilled professional explains how exploits can be chained to reach the target, in terms non-IT folk can comprehend; this beats automated tools showing "bad stuff". It's smart people that work out what the exploit can get them, the tool just gets a # prompt.
The goal and reason of a pentest, as a client, is to display risk and offer cost options to mitigate it (or get a tick from the auditors, but that's just too cynical). Yes, these tests just brush the surface, but if that's what the company wants, it's their choice and risk.
Personally, when working with penetration testers we provide a great deal of detail about the network and systems to avoid the time-wasting recon phase. I'm not really interested in having you scan all the ports of my class x networks, especially when I can provide the daily Nessus/system7/Qualys ones we do as SOP. We also shipped them off a standard laptop with the SOE on it, as an example of providing a more rounded review.
I've never been able to convince a company, and frankly had no need, to ask for a red team approach. The current pentest reports and a solid verbal breakdown have led to a number of proof of concepts/demos and that's what they (the management) are willing to accept. They don't want to spend money to fix old software or on increasing the security expenditure. The business has never been interested in taking the risk, especially with the systems that have been highlighted as prime targets - SAP, SCADA, WOPR etc.
This differs with each company and their level of threats so, each to their own. However, I would love to be on the blue team to either of you working as red team, as those times really do sharpen and develop IR skills and drills.
@Chrisj - With the massive advent of virtualization, more companies are able to clone production systems into a stand-alone lab environment. This provides a great place for the security team to play bad guys in. You just have to remember to revert the lab back to its previous state before the infrastructure team have to practice their tweaks and updates :-)

24
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting tools
on: May 15, 2010, 07:58:12 AM

jonas,
From the number of penetration tests conducted on systems managed by me, the professional penetration testers have never used live exploits on ANY production systems.
Should the penetration testers raise a potential exploit risk, then I may ask them to run it against a lab environment machine. I'd expect them to understand inside and out what the exploit is, what it does and what the code does.
I always confirm with external companies what tools and methods they will use to scan and test environments. If anyone was stupid enough to start firing exploits without permission - open source or closed - they'd be dismissed and taken to court for breach of contract.
Having many fancy tools may make for a fun time playing in other networks, but it doesn't make a useful pentester to companies that want to understand risk in their environment.
My suggestion is that you avoid being focused on exploits and look at the bigger picture, in which tools play a much smaller part in a penetration test, because in the long run that's what sorts the script kiddies out from the experts.

26
Resources / News from the Outside World / Re: Another hacking news clip
on: May 14, 2010, 09:22:50 PM

@j0rDy
Wow, evil hackers - daytime TV soap style! I wonder if there's a course I can take to develop that smug, I'm evvvvilllll and all-powerful look. I'd be set then with the ladies and everyone's data!
I can only imagine the back story to that episode was: (Fade to voice over) If only Ron, the evil haxor, discovered that he was actually the son of the half-brother, former janitor and hard-drinking ex-Navy SEAL, of the CEO of the company he's hacking! Will his mother, who's been in a coma for the last six years due to a mysterious fire at the family mansion, wake up and let her confused son know that the man who taught him his 3l1t3 skillz is none other than the man who shot his twin brother and caused him to turn to the Dark Side...
;-)

28
Resources / Tools / Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
on: May 12, 2010, 11:54:01 PM

These are the conversations I really enjoy, as it makes me think about defenses and mindsets.

@Ketchup
In my mind the main reason you'll never see stats on hacks comes down to businesses refusing to report them from the fear of what it will do to their share prices. However, having looked over a number of the major court cases in the stats where convictions have been handed out, even the very smart bad guys have been caught out eventually. I know these folks covered their tracks, but they have been caught and are now serving jail time. With the US slowly changing their approach to disclosure I think we'll start to see more and more of what the smart attackers are really up to and can do.

@hayabusa
I completely agree that a sensible, well-trained attacker would hide their tracks, but tampering with logs, accounts, creating backdoors and file time stamps is the easiest way to get caught. If you have good security practices in place and staff skilled in understanding what they are seeing, making changes to production boxes is a red flag. I just don't believe there are that many ninjas out there. Plenty of people dressing up as one, but the real ones are few and far between. If you leave a commonly exploitable box open to the public, then you'd need your head examined. That's just asking for a good kicking! From the 300-400 registered attacks per second I see on our logs, 95% of them are bots, scripts, loonies or the very seriously confused. Yes, I do get to see some serious probes, but they are 1-2% of the total. The ones I'm most concerned about are the ones that don't register on the logs. Catch 22 applies here ;-) The hope is that other measures and procedures will detect anomalies and give me time to react. Again, to cite the recent Apache attack, the attackers were smart, skilled and well motivated but got caught out. They didn't have the time or get far enough to start hiding their tracks.

Back to the point I've failed to make clearly (twice now :-)): the tools from Metasploit make it easy for anyone with little skill to change details and hide files, but all of that makes noise, and that noise increases the chances of me knowing and bringing in help to track down what's happened. The unskilled, malicious or those with little understanding who use these tools with default settings are the majority. We see enough requests here on "how do I break in to x, to get revenge for x" to know that good security practices will keep the majority of my systems safe from ankle biters. The "but" is I have to keep up to date and avoid resting on my laurels, thinking that I'm fine. Slap me around if you don't think that's the case.
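The "tampering makes noise" argument in the post above, as an added example that is not code from the original thread or from the MAFIA tool set it discusses: that tool set includes a timestamp editor (Timestomp), and on NTFS the usual tells of hand-edited times are a $STANDARD_INFORMATION field written with zeroed sub-second ticks (user-mode SetFileTime callers typically write whole seconds) and a $STANDARD_INFORMATION creation time earlier than the kernel-maintained $FILE_NAME creation time. The script below runs those two checks over constructed MFT-style records; the paths, times and the hypothetical host are all made up, and the findings are leads for an analyst rather than proof of tampering, since FAT copies, archive extraction and renames can produce the weaker signals legitimately.

```python
"""Flag NTFS MFT records whose timestamps look hand-edited.

Added example, not code from the original thread. The records built in
sample_records() are constructed; the checks are the common timestomping
tells and should be read as triage leads, not proof.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                        # NTFS times are 100 ns ticks
UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)        # FILETIME epoch


def filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Convert a UTC datetime to a FILETIME-style tick count.

    sub_second_ticks (0..9_999_999) lets a constructed record carry the
    100 ns remainder that a real NTFS write leaves behind.
    """
    whole_seconds = int((dt - EPOCH_1601).total_seconds())
    return whole_seconds * TICKS_PER_SECOND + sub_second_ticks


@dataclass
class MftRecord:
    path: str
    si_created: int    # $STANDARD_INFORMATION: what dir/stat/Explorer show and
    si_modified: int   #   what user-mode APIs (and Timestomp) can rewrite
    fn_created: int    # $FILE_NAME: maintained by the kernel, not reachable
    fn_modified: int   #   through SetFileTime


def findings(rec: MftRecord) -> list[str]:
    """Return the timestamp anomalies present on one record, in fixed order."""
    out: list[str] = []
    # Whole-second $SI values: user-mode timestamp setters usually write them,
    # real kernel writes almost never do. Files copied from FAT media or
    # extracted from archives can legitimately carry a whole-second mtime,
    # so on their own these are weak signals.
    if rec.si_created % TICKS_PER_SECOND == 0:
        out.append("si_created_subsecond_zeroed")
    if rec.si_modified % TICKS_PER_SECOND == 0:
        out.append("si_modified_subsecond_zeroed")
    # $SI claims the file existed before the kernel's own record of its
    # creation. Renames and moves refresh $FN, so treat this as a lead, but
    # together with zeroed sub-seconds it is a strong one.
    if rec.si_created < rec.fn_created:
        out.append("si_created_before_fn_created")
    return out


def confidence(hits: list[str]) -> str:
    """Map an anomaly list to a triage bucket: none, low or high."""
    if "si_created_before_fn_created" in hits and len(hits) > 1:
        return "high"
    return "low" if hits else "none"


def analyze(records: list[MftRecord]) -> dict[str, list[str]]:
    """Path -> anomalies, for the records that have any."""
    result: dict[str, list[str]] = {}
    for rec in records:
        hits = findings(rec)
        if hits:
            result[rec.path] = hits
    return result


def sample_records() -> list[MftRecord]:
    """Constructed records for a hypothetical host; not from any real system."""
    t_doc = filetime(datetime(2010, 5, 10, 14, 3, 7, tzinfo=UTC), 1_234_567)
    t_drop = filetime(datetime(2010, 5, 11, 2, 15, 9, tzinfo=UTC), 44)
    t_fake = filetime(datetime(2005, 1, 1, 12, 0, 0, tzinfo=UTC))     # whole seconds
    t_copy = filetime(datetime(2010, 5, 12, 18, 20, 5, tzinfo=UTC), 3_141_592)
    t_shot = filetime(datetime(2009, 8, 1, 10, 0, 0, tzinfo=UTC))     # FAT 2 s mtime
    return [
        # Ordinary user document: sub-second remainder, $SI agrees with $FN.
        MftRecord("C:/Users/chris/report.docx", t_doc, t_doc, t_doc, t_doc),
        # Dropped binary whose $SI was backdated to 2005; $FN still records
        # the real 2010 creation, so every tell fires.
        MftRecord("C:/Windows/System32/svchost32.exe", t_fake, t_fake, t_drop, t_drop),
        # Photo copied in from a FAT USB stick: creation is the copy time with
        # a remainder, mtime is the preserved whole-second FAT value.
        MftRecord("C:/Users/chris/Pictures/IMG_0042.jpg", t_copy, t_shot, t_copy, t_copy),
    ]


if __name__ == "__main__":
    for path, hits in analyze(sample_records()).items():
        print(f"{confidence(hits):4}  {path}  {', '.join(hits)}")
```

On a real case the records would come from an MFT parser rather than being built by hand; the point of the ordering check is that the $FILE_NAME attribute is the one the tool cannot reach from user mode, which is exactly the kind of leftover noise the post is describing.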

29
Resources / Tools / Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
on: May 12, 2010, 06:01:38 PM

All - most of the attacks/intrusions I'm able to detect fit into the 80% of using tools or techniques which have been written by smarter folk, not the current user. That's what I'm basing my "normal" attacker profile on, the lower end of the scale.
I was attempting to say these tools would mainly be used by attackers looking to make a mess of systems to thwart the non-forensics IT pro or just make it hell in the clean-up. Guess that didn't come across too clearly ;-)
To qualify my comment about the insider, I've seen two recent incidents where internal staff attempted to cover their tracks by Googling how to do this. In both cases they actually brought attention onto themselves by running these tools and causing a real, very obvious mess.
Above-average attackers probably have more skills and practice, tread much more lightly, avoid so many alerts and don't raise as many of the warning flags.
I happily bow to others' knowledge and skills in forensics, but respectfully disagree with hayabusa's comment that most attackers clean up after themselves. I tend to find quite a few obvious tell-tale signs of an attacker's progress, especially if you have a defense-in-depth approach. Sure, you may compromise the web server, but what about the log shipping, IDS, firewall and other monitoring systems? These give a wealth of info about what actually happened and when.
I hope to take Rob Lee's SANS 508 class sometime in the next year or so to get a better and more rounded knowledge of this area. So much to learn and so little time!

30
Resources / Tools / Re: Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
on: May 11, 2010, 11:36:43 PM

These tools are really for an insider threat or an attacker that has been on your system for a while and wants to make life a real mess. I don't see a normal attacker deploying these tools. Why would they bother?
I've reported dozens of infected and attack jump points to the correct authorities and most times there's no response. In the end, we blacklist their IP address ranges. The site just moves on to attack others.
If you read about the recent Apache attack, the bad guys never had time to even clean up their attack paths before being discovered. Similar stories of attackers messing up systems, from honeypot projects, display a willfulness to break stuff, somewhat like a disaffected teen having a hissy fit ;-)