lots of different types of pen tests that are out there: black box, white box, gray box. The idea behind the black box test is that the pen tester knows absolutely nothing about the network.
It's like they're looking at the network through a black box. They can't see any of its internal workings. I don't have any knowledge of internal users or strategies or structures, so usually what I'm gonna have to do if I have a black box test is I'm gonna have to start with reconnaissance. I'm gonna have to start with social engineering.
Now, the other end of the spectrum is a white box test. What I want to find out is, what is somebody that has network administrator privileges able to do?
Chances are good they're able to do quite a bit. But at what point does something fraudulent committed by a network admin get detected? And what mechanisms are in place? Because, remember, the bad guys aren't always outside the network,
and then we have a gray box test, which might be from an everyday user. They have access to internal systems, have a little bit of knowledge about the network, but not to the degree of white box testing. So we have different types of testing. We want to implement them all because they all give us varying degrees of assurance.
Okay, with application testing and code review. If we write our own apps in house, we have to make sure that there is a thorough testing process before an application would ever get approved. And this isn't just if we write them in house; this is in any instance.
We want to make sure that applications are thoroughly certified and accredited;
they go through a technical evaluation process before they would ever be implemented. Code review checks the programming for structure and logic, not just functionality, but is it well written?
Along with this, you might have a term called fuzzing.
Fuzzing is a type of testing
to see if applications
can withstand attacks geared towards buffer overflows,
cross-site scripting. You know, ultimately, with fuzzing, it's a means of pen testing individual applications, not just a system as a whole. Say you've just designed a database application. Can it be compromised? And fuzzing is our term
for that. Fuzzing is definitely a testable question.
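As an added example that is not part of the lecture, here is a small mutation fuzzer of the kind the fuzzing paragraph describes, run against a toy record parser. The parser, its record format (1-byte type, 1-byte declared length, payload), the seed inputs and all function names are assumptions constructed for this example. The parser trusts the declared length and reads past the bytes it actually received, which is the Python analogue of the buffer over-read the lecture mentions; the fuzzer mutates valid seeds, treats the parser's documented rejection (ValueError) as expected, and reports anything else as a crash. A hardened version of the parser sits beside the buggy one so you can see the fuzzer stop finding crashes once the length is validated.

```python
import random

# Toy parser under test (constructed for this example; not from the lecture).
# Record format assumed here: 1-byte type, 1-byte declared payload length,
# then the payload. The bug is the classic one fuzzing finds: the code trusts
# the declared length instead of the bytes it actually received.
def parse_record(data: bytes) -> tuple:
    if len(data) < 2:
        raise ValueError("record too short")        # expected, documented rejection
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    # Bug: if the record was truncated, payload is shorter than `length`
    # and this index raises IndexError (reading past the end of the buffer).
    last = payload[length - 1] if length else 0
    return rtype, payload, last


# Hardened form of the same parser: validate the declared length against reality.
def parse_record_fixed(data: bytes) -> tuple:
    if len(data) < 2:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds data")   # reject, don't index
    last = payload[length - 1] if length else 0
    return rtype, payload, last


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to a valid seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate", "boundary"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue                                     # nothing left to mutate
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        elif op == "truncate":
            del data[rng.randrange(len(data)):]
        elif op == "boundary":                           # values that stress size math
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=1, expected=(ValueError,)):
    """Mutation-fuzz `target`; return {exception name: first input that raised it}.

    Exceptions listed in `expected` are the parser's documented way of
    rejecting bad input and are not crashes. Anything else is a bug to triage.
    """
    rng = random.Random(seed)                            # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seeds = [b"\x01\x03abc", b"\x02\x00"]             # constructed valid records
    for name, fn in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        found = fuzz(fn, seeds)
        print(f"{name}: {len(found)} distinct crash type(s) {found!r}")
```

The fixed random seed makes every run reproducible, which matters in practice: a crash you cannot replay is a crash you cannot triage. Against the buggy parser the fuzzer turns up an IndexError within a handful of iterations (a flipped length byte or a truncated record is enough); against the hardened parser it finds nothing, because every malformed record is rejected through the expected path.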
All right, social engineering. There's a wide range of different types of social engineering. Ultimately, social engineering is some sort of impersonation. I'm impersonating a legitimate network resource or network entity. What information will you give me?
Now, I mentioned the other day, phishing is all about: let me throw out a wide enough net and I'll catch some fish. So usually phishing is just a mass mailing or mass solicitation, maybe by phone, maybe by email. Could be by instant message, could be by text message.
But the whole idea with phishing is
it's indiscriminate. I'm just gonna send out a million different queries and somebody's gonna fall for it.
Whereas spear phishing is much more targeted. I may just target the sales department,
or I may just target users of a particular company. That's spear phishing. Whaling is a special type of spear phishing where I target not just specific individuals, but I target individuals very high up the corporate ladder,
because what you're gonna find is people high up within the company
have whatever access they want,
and they don't always have the skills and the knowledge and the security awareness to have the degree of permission that they demand. You know, if you've ever worked with the military, you know,
he who has the most stars calls the shots. So if I have somebody in a high-up position of authority that demands access, we often have no choice but to grant them access. Attackers know this. So if I can target somebody high up in the organization, I may just stumble across somebody with a low skill set but high privilege.
Hoaxes very frequently spread through email. Some can be very innocuous; some can be more sinister, you know? And if you think about the hoaxes that have bounced around for years. You know, Bill Gates wants you to forward this email, and if you do, you get $1,000.
And a million of them like that. Hoaxes in their most harmless sense are still time wasters. They still overwhelm your mail servers. They still clog up your inboxes. But also, hoaxes can alert you: there's a new security virus, and in order
to update your system to prevent being susceptible to this new virus,
install the attached file. Well, again, you know, users are gullible in some instances, especially if I have a spoofed email that makes it look like it comes from your company's network administrator. So we want to make sure that hoaxes are addressed. Where at all possible we want our mail filters,
you know, to strip those hoaxes and keep them out of the users'
hands. We want to move them to a safe location. We want to quarantine them. But ultimately it's gonna come down to training your users. Your users need processes and procedures in place. You get a document from, uh, network security purporting to want you to install a file?
Pick up the phone and call security.
Your security team should publish a website and should have information where users can check and see: is this something that's legitimate? For other hoaxes, Snopes.com,
you're probably familiar with. But there are a ton of Internet hoaxes at any given time.
Go to Snopes and check it out. Most of them are on there.
The 419 fraud. I can't see anything on the exam about that, but that was the one with the Nigerian prince. And there are so many spinoffs on that. Ultimately someone very graciously needs you to help them launder money, is ultimately what it comes down to,
so they're going to send you a check for a million dollars. All you need to do is cash it, return a small portion of the money to them, and blah blah blah.
So, uh, and you know what's interesting is a lot of these have been around forever. You know, phishing's been around for hundreds of years, whether it was done in person, whether it's been done over the phone or via mail.
There's nothing new under the sun. People want to commit crime. They want your money. We're just finding different ways to cast that net, so to speak.
Now vishing. This is, uh, phishing with VoIP systems, voice over IP. And the idea once again is, if I'm trying to authenticate to you and I tell you I'm from your branch office in Seattle, and you look down and you see the phone number to your branch office in Seattle, that legitimizes me.
OK, so vishing is, ah, it's just using a VoIP system. Nothing new there. There's also smishing. Seriously, I don't make this stuff up, but SMS being the format for text, so trying to solicit information via text messages.
And, you know, every now and then you'll get something that seems a little odd. I had, just a couple of weeks ago,
somebody that seemed like they were picking up in the middle of a conversation. And it, you know, could easily have been taken for somebody just sending a text to the wrong number. What they were actually doing is they were trying to see: is this a legitimate number?
Is it a legitimate number that accepts texts?
Is this somebody on the other end that's gonna respond? Because, you know, whether it's just for junk mail and marketing and spam, or is it a number that we might say, hey, would you like to help? You know, I remember all the messages when there was the hurricane in Haiti, no, not the hurricane, the earthquake in Haiti,
and it seems like it takes people about 15 minutes
to figure out how to profit off of somebody else's tragedy. So I got several text messages, you know: type yes if you would like to donate $10 to the earthquake victims. Well, yeah, I don't mind donating $10, but I'm not gonna do it to some random stranger through a text message on my phone.
And again, it just comes down to educating our users for some of this stuff and making sure that we understand how many threats are out there today.
The best way I know whether or not my users are falling for these attacks? Test them.
Somebody in IT needs to be calling random phone numbers. What information can I elicit from you? Are you willing to open up an application that's not digitally signed? Would you open up an application from an outside person that you have no previous relationship with?
You know, we've got to test these things.
It's the only way we know if our users will fall for it, and we must hold our users accountable. I had a guy in a class, it's been months ago,
and we were talking about social engineering pen tests, and I always ask my students, how many of you work somewhere that does social engineering pen tests? So this guy raised his hand and said, "Yeah, you wanna hear something funny?
My department has failed our social engineering pen test the last seven times."
That's not funny.
If there are no repercussions for you failing a social engineering pen test seven times,
they need to stop calling you.
They're wasting their time. They're wasting your time. You could hurry up and get back to work and disclose some more sensitive information.
All right, we've gotta hold our people accountable. What should happen the first time somebody fails a social engineering pen test?
Retraining, immediately. That doesn't mean you send them off to 40 hours' worth of security classes. But it does mean that they're immediately trained on what they did wrong and how to avoid that situation in the future. But once you have somebody who's failing a social engineering pen test two or three times,
you gotta think about administrative action for that employee.
You either believe this is a real threat or you don't.
And if you believe this is a real threat, and I don't know of any other way to convince you that it is, we've got to start holding people accountable.
This is how Target got compromised, ultimately. Yeah, we talked about that HVAC guy. But how did the malicious software get on the system that made its way to production? The HVAC guy opened up an infected email message that had backdoor software. Same thing with the RSA security violation.
That's how attackers are getting on networks today. Why do I want to spend 20 hours trying to brute force access to a system when I can walk up to somebody in the office and say, "Look, I'm here from IT. We're pushing out some security updates today. Let me have access to your system for about 10 minutes. Go grab a cup of coffee.
By the time you get back, I should be done.
Oh, no, you don't even have to log off. I got this. Grab yourself some coffee."
That's infinitely easier than breaking out my technical tools and going through all the many possible ways. Start with social engineering. Your pen tests and your vulnerability assessments should start there as well.