Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed.

Published byJoshua Barrie Whitehead Modified over 9 years ago

Similar presentations

Presentation on theme: "Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed."— Presentation transcript:

1 Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed Security Services 2007

2 What is “Extrusion” If you look it up at Wikipedia: “ Extrusion is a manufacturing process used to create long objects of a fixed cross-sectional profile. A material, often in the form of a billet, is pushed and/or drawn through a die of the desired profile shape. Hollow sections are usually extruded by placing a pin or piercing mandrel inside of the die, and in some cases positive pressure is applied to the internal cavities through the pin. Extrusion may be continuous (producing indefinitely long material) or semi-continuous (producing many short pieces). Some materials are hot drawn whilst others may be cold drawn.” However in Information Security: “Extrusion is the leakage/theft of internal sensitive data.”

3 “Extrusion Attack” Attacking “inside-out”  If you cannot get directly to the data  Let the Users come to you  …and the data will follow

4 “Extrusion Testing” Defined Testing the Threats that matter!  Targeted, Internet-initiated “Extrusion Attacks”  The Objective: –Demonstrate external access to internal system(s)/network(s) –Demonstrate external access to specific data/services  Puts the organization's security controls & capabilities to the test against the professional attacker: –Web access/content security –Endpoint security –Information leak prevention –Network Monitoring –…

5 Extrusion Testing Methodology –e-footprinting & e-Social Engineering »Profile users in the organization »Trick users to access a specific web-site… –Web-born Attack »Use mobile code exploits to get access on internal user system (endpoint) –Full-blown Extrusion Testing »Escalate attack to compromise internal business system(s) and/or network »Demonstrate ability to obtain specific critical data

6 e-footprinting…the power of Google™

7 “e-social engineering”…the power of e- mail

8

9 “Web-born” Attack – drive-by infection Invisible frame  Mobile code (JavaScript, VBScript)  Exploiting browser vulnerability

10 drive-by infection by What???  The Mechanics… –Spawns a IE process, not visible –Controls IE via OLE –Establishes a connection with the attacker –Receives Commands as “HTML pages” from the attacker’s “Web Site”… –Sends output of commands as HTTP Requests (POST)

11 We are in!...now is Extrusion

12 Actions:  Download Files  Upload tools

13 We are in!...now is Extrusion Execute Commands  Under the privileges of the logged-on user  Access internal network

14 We are in!...now is Extrusion Escalate attack  Get access on internal critical systems  Get critical data out of the systems

15 “Extrusion Testing” Facts Usually it takes:  a couple of days to e-footprint an organisation and launch a e-social enginnering attack  1hour to a few days to take control of an internal endpoint…only a matter of determination  …and then a few days, or even hours, to “stealthily” take control of critical internal business systems and data, if not of the entire network,  and thus being able to conduct fraud, industrial espionage, sabotage, you name it

16 www.encodegroup.com _

Download ppt "Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
2012 Taking Complexity out of Information Security …allowing you to focus on your business.

2012 Taking Complexity out of Information Security …allowing you to focus on your business.
Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 

Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 
200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 BlueRedGreenPurpleOrange.

BlueRedGreenPurpleOrange.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Communicating Information: Web Design. It’s a big net HTTP FTP TCP/IP SMTP protocols The Internet The Internet is a network of networks… It connects millions.

Communicating Information: Web Design. It’s a big net HTTP FTP TCP/IP SMTP protocols The Internet The Internet is a network of networks… It connects millions.
Mitigating Malware Collin Jackson CS142 – Winter 2009.

Mitigating Malware Collin Jackson CS142 – Winter 2009.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
PHP (2) – Functions, Arrays, Databases, email and sessions.

PHP (2) – Functions, Arrays, Databases, and sessions.
1 Pertemuan 6 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 6 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.

By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.

Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Similar presentations

Ads by Google