The Penetration Test - Compass Security
Transcript of The Penetration Test - Compass Security
Page 1
The Penetration Test
A legal, simulated hacker attack for
finding potential security vulnerabilities
Page 2
About me – Ivan Bütler
• Founder of Compass Security
• Security is my passion
• Lecturer at HSR, HSLU, HWZ
• Close collaboration with ZHAW
• I build CTF games
• Speaker @ Blackhat US, AppSec US, EU, CN
http://e1.compass-security.com/
Page 3
Is the lady rich? Whom do you ask?
Page 4
What does a pentester do?
Page 5
Direct attacks
(diagram: attack attempts against the target, marked BLOCKED, PASSED, BLOCKED)
Page 6
Indirect attacks
Page 7
Social Engineering
Page 8
USB attack
(diagram: Internet / Company Network)
Delivery with USB stick / CD-ROM
Start via Auto-Start
Attacker controls the computer of the victim
Page 9
Attack via e-mail
(diagram: Attacker and Attacker Server on the Internet; Firewall and Mailserver at the perimeter; Victim in the Intranet)
Page 10
Attack with «bugs» (planted listening devices)
Page 11
PlugBot Concept (Inside-Out)
(diagram: GPRS/UMTS covert channel from inside the network to the outside)
Page 12
A pentester also does reviews
Firewall / Active Directory / SharePoint / Remote Access / Citrix / PKI / Source Code / Architectures / WAF / Windows 10 / OSX / Linux / ...
Page 13
“My” view on the topic of penetration testing
Page 14
A pentest is a supplier for the ISMS
(diagram: Company and Supplier; drivers for security tests: Compliance, Budget Sign-Off, Awareness; Information Security Management receives the Results / Threats)
Page 15
Regulators that mandate security tests
FINMA
PCI DSS
Page 16
National Strategy against Cyber Risks
http://www.news.admin.ch/NSBSubscriber/message/attachments/39698.pdf
Page 17
How do you want your pentest?
• manual vs. automated
• one-off vs. regular
• black box vs. white box
• with and without login
• hands-on vs. review
• with or without social engineering
• with or without source code
• from outside or from inside?
Page 18
Thank you – Questions?
Ivan Bütler
http://e1.compass-security.com/