Between You and Me and the Network Security Boundary

Presented at BSidesDC 2017, Oct. 8, 2017, 9 a.m. (50 minutes).

Many organizations have IT environments with zones of varying security requirements. These zones are usually networks that are created to encompass systems that serve different functions, from production web applications to PCI in-scope database servers.

An organization has to decide how to implement a security boundary that protects high-security zones from low-security zones. Designing and deploying these solutions can be a complex task, contending with hurdles from compliance requirements and management all the way to simply making sure users can remember how to access all the necessary systems. This complexity leaves many holes that attackers can exploit to reach the most sensitive data. Most penetration testers will tell you that these barriers, even ones that implement features such as multi-factor authentication, become bypassable once user systems have been compromised.

This talk will review several common solutions for separating and accessing network zones, such as VPNs, bastion hosts, and virtualization, along with each solution's most common pitfalls. As we review each implementation, I will talk about both low-hanging and high-hanging fruit in terms of bypass methodologies, giving real-world examples of leveraging weaknesses such as race conditions and configuration flaws to gain access to secured networks. I will do a deep dive into the architectures that most effectively secure protected networks, such as Microsoft's Privileged Access Workstations (PAWs), as well as the management practices that create effective long-term security barriers.


Presenters:

  • Patrick Fussell - Penetration Tester at Payment Software Company, Inc.
    While working in the information security industry over the past seven years, Patrick Fussell has worked in numerous roles to increase the security of electronically stored data for customers while continually improving his skill set. With a background predominantly in penetration testing, security assessment, and auditing, he has spent much of the last few years on a wide range of consulting and analysis-based engagements. Currently based in Monterey, CA, he regularly performs penetration tests for clients of all sizes and has a strong desire to contribute to the larger community with his projects.
