Picking the low hanging-fruit – Easy pentest wins (IPC Munich 2023)

Transcript

1. Marcus Bointon – IPC Munich 2023 Picking the low-hanging fruit;

   Easy pentest wins Avoiding security issues with up-front measures

2. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 My name is… • Inigo Montoya • @[email protected] • Radically Open Security • Pentests, code audits • Pentest reports

3. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 Back-to-front security •Cloud provider •Infrastructure •Server con fi g •Client con fi g

4. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 Pentest targets • Information disclosure • Obsolescence • Miscon fi guration • Inconsistency • Errors • Sanitisation, validation, and escaping

5. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 Cloud provider security • IP addresses • Private only • IPv6 • Security groups • Allow what’s needed, no more 
 • Up-to-date OS images • Immutable instances, read-only FS • SSH access • Keys, not passwords • Bastions

6. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 Infrastructure • Firewalls • Block by default • Allow only what’s needed • Rate limits • Consider egress limits • Don’t forget IPv6 
 • SSH access • Do you need it at all? • Keys, not passwords • Non-standard ports • Hardening • Fail2Ban

7. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 Testing access • nmap • Don’t test other people’s servers! • ssh-audit • Harden everything • Look in /var/log/auth.log • Integrate with fail2ban

8. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 UFW firewall example ufw reset ufw default deny ufw allow from x.x.x.x to any app OpenSSH ufw limit from any to any app OpenSSH ufw allow proto udp from any to any port 60000-61000 ufw allow from any to any app "Nginx Full" ufw enable

9. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

   Munich 2023 nmap and firewall demo

10. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Hardening SSH demo

11. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 OS updates • Automate! • Debian/Ubuntu unattended- upgrades • RedHat yum-cron • Windows Update & Defender

12. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Service with a smile • Web servers • TLS con fi g • Security headers • https://ssl-con fi g.mozilla.org/ • Database / cache / queue servers • Should not be accessible from outside • Avoid listening on all interfaces: 0.0.0.0, ::

13. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Testing TLS • Qualys SSL Labs • testssl.sh • securityheaders.com

14. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Security headers • Strict-Transport-Security • Preload if you mean it! • Content-Security-Policy • A talk in its own right • X-Content-Type-Options • Referrer-Policy

15. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Applications • Authentication • Authorisation • Dependencies • Safe coding practices • SQL injection • Cookies

16. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Authentication • Password policy: • Long • Random • Not in known breaches (haveibeenpwned.com) • Strong password hash function • PBKDF2, bcrypt, Argon2ID • Throttle auth routes to prevent brute-force • 2FA – TOTP, PassKeys (WebAuthn)

17. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Authorisation • Principle of least privilege • Privilege separation

18. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Dependencies • PHP: composer audit • roave/security-advisories:dev-master • NodeJS: npm audit • Ruby: ruby-audit • Python: pip-audit

19. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Cookie flags • Secure • Protects against interception • HTTPOnly • Protects against XSS (partly) • SameSite Lax/Strict • Protects against CSRF

20. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Safe coding practices • Use tools to help you • Coding standards • Static analysers • IDE plugins • Pre-commit hooks • Detect secrets, spot debug statements • GPG-sign your commits

21. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Front-end shenanigans • Sanitise • Validate • Escape • Appropriately!

22. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Security is a process • It’s not a thing • A moving target that requires constant vigilance • Made easier with automation

23. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC

    Munich 2023 Now let the pentesters do the hard stuff Thank you!