Penetration testing experience at the University of Worcester
1. Penetration testing experience at the University of Worcester
Experience of the Jisc service and lessons learned
Ged Attwood
IT systems manager, staff systems and telecommunications, University of Worcester
2. Ged Attwood
• IT Systems Manager
• Manages a team of 6 Windows and Linux admins
• Total IT team: 43
3. University of Worcester
Overview
• ~11,000 students
• Nursing and teacher training.
• Sport science, IT, business, law and sciences.
• The University has changed and grown rapidly over the last 10 years.
4. First Penetration Test
External Janet ESIS
• Red flags on an audit
• November 2016: Janet ESIS pentest, external only
• We set up Greenbone and vulnerability management procedures.
• Big push to deploy Windows 10 and lock down security.
• No more local admin for users; applications deployed via SCCM
• We got a lot better.
5. Second Penetration Test
Jisc Black Box Penetration Test
• Cyber audit recommendation
• Black box (unannounced) pentest, April 2018
Two parts
• External and internal technical pentest.
• On-site social engineering, internal phishing, "vishing" and "spear-phishing"
6. Technical Penetration Tests
• Greenbone work proved its worth.
• ModSecurity and Fail2ban frustrated attacks.
• A few legacy services, unvalidated forms and cross-site scripting (XSS) vulnerabilities.
8. Technical & Process Failures
So what happened?
• Unsecured network port on the admin VLAN, in the IT meeting room!
• Secure Boot not enabled on a few public machines
• NAC bypassed, allowing Kali etc. to be booted with network access.
• Dev/testing boot WIM used in production
• No task sequence password.
• Plaintext credentials left in the 802.1X network configuration XML
• Contacts web page: a phishing goldmine
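The boot-image and 802.1X findings above are the kind a simple scan catches before a WIM leaves testing. The Python below is an added example, not code from the talk or from the University: it walks XML such as an exported 802.1X profile or an unattend.xml and reports every credential-bearing element whose value is recoverable from the file, while skipping machine-bound DPAPI blobs. The three sample documents are constructed, with namespaces dropped and made-up values; the element names follow the Microsoft schemas but the files are not real ones.

```python
"""Find credentials left in the clear in Windows network and deployment XML.

Added example, not from the talk: walks XML such as an exported 802.1X
profile (netsh lan/wlan export profile) or an unattend.xml and reports every
credential-bearing element whose value is recoverable, so a boot image's
files can be checked before it is promoted from testing to production.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Local names of elements that hold secrets in Microsoft networking and
# deployment schemas. Namespaces are ignored on purpose: LAN, WLAN, EAP and
# unattend files all use different ones.
SECRET_ELEMENTS = {"password", "keymaterial", "passphrase", "secret"}

@dataclass
class Finding:
    source: str   # file the element came from
    path: str     # slash-separated path of local element names
    note: str     # why it counts: "plaintext" or "base64-obfuscated"
    preview: str  # redacted value, enough to show it is not a placeholder

def _local(tag):
    """ElementTree renders qualified tags as '{ns}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]

def _child_text(node, name):
    """Text of the first direct child with that local name, else None."""
    for child in node:
        if _local(child.tag).lower() == name:
            return (child.text or "").strip()
    return None

def _redact(value):
    value = value.strip()
    return "*" * len(value) if len(value) <= 2 else value[0] + "*" * (len(value) - 2) + value[-1]

def _walk(node, parent, path, source, findings):
    name = _local(node.tag).lower()
    if name not in SECRET_ELEMENTS:
        for child in node:
            _walk(child, node, path + "/" + _local(child.tag), source, findings)
        return
    value = _child_text(node, "value")  # unattend.xml wraps the secret in <Value>
    if value is not None:
        # <PlainText>false</PlainText> only means Base64(UTF-16LE(password + "Password")),
        # which anyone can reverse, so it is still reported.
        plain = _child_text(node, "plaintext")
        note = "plaintext" if plain is None or plain.lower() == "true" else "base64-obfuscated"
        findings.append(Finding(source, path, note, _redact(value)))
    elif (node.text or "").strip():
        # A WLAN keyMaterial beside <protected>true</protected> is a DPAPI blob
        # bound to the exporting machine; it is not recoverable from the file alone.
        protected = _child_text(parent, "protected") if parent is not None else None
        if name == "keymaterial" and (protected or "").lower() == "true":
            return
        findings.append(Finding(source, path, "plaintext", _redact(node.text)))

def scan_xml(source, text):
    """Return the Findings for one XML document (empty list if clean)."""
    root = ET.fromstring(text)
    findings = []
    _walk(root, None, _local(root.tag), source, findings)
    return findings

def scan_directory(root_dir):
    """Scan every .xml under root_dir, e.g. a mounted or extracted boot WIM."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in (f for f in files if f.lower().endswith(".xml")):
            try:
                with open(os.path.join(dirpath, fn), encoding="utf-8-sig") as fh:
                    findings.extend(scan_xml(fh.name, fh.read()))
            except (ET.ParseError, OSError, UnicodeDecodeError):
                pass  # not well-formed XML or unreadable; skip it
    return findings

# Constructed samples: illustrative shapes (namespaces dropped, values made up), not real files.
LAN_PROFILE = """<LANProfile><MSM><security><OneX><EAPConfig>
  <EapHostUserCredentials><Credentials><Eap><Type>26</Type><EapType>
    <Username>svc-deploy</Username><Password>Winter2018!</Password><LogonDomain>CAMPUS</LogonDomain>
  </EapType></Eap></Credentials></EapHostUserCredentials>
</EAPConfig></OneX></security></MSM></LANProfile>"""
UNATTEND = """<unattend><settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <AutoLogon><Username>Administrator</Username>
    <Password><Value>UABhAHMAcwB3ADAAcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value><PlainText>false</PlainText></Password>
  </AutoLogon></component></settings></unattend>"""
WLAN_PROFILE = """<WLANProfile><MSM><security><sharedKey><keyType>passPhrase</keyType>
  <protected>true</protected><keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB</keyMaterial>
</sharedKey></security></MSM></WLANProfile>"""

def scan_samples():
    out = []
    for name, text in (("lan.xml", LAN_PROFILE), ("unattend.xml", UNATTEND), ("wlan.xml", WLAN_PROFILE)):
        out.extend(scan_xml(name, text))
    return out

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}: {f.path} [{f.note}] {f.preview}")
```

Mount the boot image with DISM (not shown) and point scan_directory at the mount point. Anything it reports has to come out of the image or be replaced by a credential injected at deploy time; the unattend case is worth a second look because PlainText=false is often mistaken for encryption.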
9. Social Engineering
How did they get us?
• Registered a look-alike domain, 'worcac.uk'.
• Fake file server.
• Emailed a link to a document carrying a payload.
• 'Helpful' reception staff.
• Login request to a 'secure' document.
• More details harvested, then phishing for access to more resources.
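The first step above, a look-alike domain, is the one a mail gateway or SIEM rule can catch before anyone clicks. As an added example that is not from the talk, the Python below classifies an inbound sender domain against the organisation's legitimate domains for the common tricks: a dot dropped or turned into a hyphen (worc.ac.uk becomes worcac.uk or worc-ac.uk), confusable characters, the real name used as a subdomain of another registration, and single typos or transpositions. It assumes worc.ac.uk is the domain that 'worcac.uk' mimicked; the slide names only the look-alike. The edit-distance rule will also flag some unrelated domains, so treat its output as a review queue rather than an automatic block.

```python
"""Flag sender domains that impersonate the organisation's own domains.

Added example, not from the talk. The testers registered 'worcac.uk', the
real domain with one dot removed. This classifies an inbound sender domain
against the legitimate domains for that and the other common look-alike
tricks, so a mail-gateway or SIEM rule can quarantine or alert on it.
"""

# Assumption: the slide names only the look-alike; worc.ac.uk is taken here
# as the legitimate domain it mimics.
LEGIT_DOMAINS = ("worc.ac.uk",)

# Visually confusable sequences, mapped one way so that both sides collapse
# to the same "skeleton" before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"))


def normalize(domain):
    """Lower-case, strip whitespace and a trailing root dot."""
    return domain.strip().lower().rstrip(".")


def skeleton(domain):
    """'w0rc.ac.uk' and 'worc.ac.uk' both become 'worc.ac.uk'."""
    s = normalize(domain)
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def separator_variants(domain):
    """Every form with one dot dropped or replaced by a hyphen."""
    out = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            out.add(domain[:i] + domain[i + 1:])
            out.add(domain[:i] + "-" + domain[i + 1:])
    return out


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(sender, legit=LEGIT_DOMAINS):
    """Return None for a genuine domain, otherwise a short reason it looks like impersonation."""
    sender = normalize(sender)
    reals = [normalize(r) for r in legit]
    if any(sender == r or sender.endswith("." + r) for r in reals):
        return None  # the domain itself or one of its real subdomains
    for real in reals:
        if sender in separator_variants(real):
            return f"separator manipulation of {real}"
        if skeleton(sender) == skeleton(real):
            return f"confusable characters mimic {real}"
        if sender.startswith(real + ".") or real.replace(".", "-") in sender.split("."):
            return f"{real} used as a subdomain of another domain"
        if edit_distance(sender, real) == 1:
            return f"one edit away from {real}"
    return None


if __name__ == "__main__":
    for d in ("worc.ac.uk", "mail.worc.ac.uk", "worcac.uk", "worc-ac.uk",
              "w0rc.ac.uk", "worc.ac.uk.example.net", "wroc.ac.uk", "example.org"):
        print(f"{d:28} -> {classify(d) or 'ok'}")
```

Feed classify() the domain part of the envelope sender and of any URL host in the body; the same check applies to the link to the 'document' in the next step of the attack, not just to the From address. Punycode (xn--) names should be IDNA-decoded before normalize() for the confusable check to see them.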
10. Social Engineering
So what went right?
• Service desk policies
• Refused to provide a Windows 7 PC
• Windows 10 more secure: LAPS etc.
• Greenbone and the vulnerability management procedure removed most easy targets.
• ModSecurity and Fail2ban picked up the attack in our logs.
11. The Future
How are we going to improve?
• Visibility
  • Better logging, SIEM
  • Internal firewall, IDS, WAF
• Training
  • Greater understanding of risks, less trusting.
  • Policy enforcement
• Information
  • Too much available; don't make it easy
• White box testing