This session covers the essentials of penetration testing and why organizations should implement it. As an effective way for companies to find and deal with information security vulnerabilities, it is becoming a significant part of their security programmes.
Main points that will be covered:
• Overview of Penetration Testing
• Purpose of Penetration testing and benefits
• What are the Rules of Engagement (White, Black and Grey Box Testing)
• Penetration Testing and Phases
Presenter:
Christie Oso is Managing Principal Information Security Consultant and Trainer at Intex IT. She is also responsible for Risk Management, Vulnerability Assessment and Penetration Testing. She holds the CISSP, CISM, CEH, ISO 27001 Lead Auditor and ISO 27005 Risk Manager certifications.
Link of the recorded session published on YouTube: https://youtu.be/lyqOJmC94vg
2. Christie Oso
Security Consultant | Trainer
Managing Principal Information Security Consultant | Trainer at Intex IT, responsible for Risk Management, Vulnerability Assessment and Penetration Testing. Among other certifications she is a PECB Certified Lead Pen Tester, CISSP, CISM, CEH, ISO 27001 Lead Auditor and ISO 27005 Risk Manager.
Contact Information
00441634 566 555
admin@intexit.co.uk
www.intexit.co.uk
https://uk.linkedin.com/in/christieo1
Twitter@Christiexto
3. Agenda
• Part 1: Overview of Penetration Testing
• Part 2: Purpose of Penetration Testing and Benefits
• Part 3: What are the Rules of Engagement?
  • White, Black and Grey Box Testing
• Part 4: Penetration Testing Phases
5. What is Penetration Testing?
Penetration Testing is an exercise to identify vulnerabilities which could be present in an Information System, Network, Application or the Organization's overall Information Security Posture.
Tests are authorized and carried out by skilled professionals using techniques that real-world attackers may use.
Testing demonstrates the weaknesses, how they can be exploited and, importantly, provides guidance on how to reduce the associated risk.
Testing can also identify the organization's ability to respond to an incident.
6. Purpose of Penetration Testing
There are many reasons why an organization may wish to commission a penetration test; these include:
To identify risks or confirm risk scenarios
To gain assurance on security prior to deploying or procuring a new system/service
To provide assurance to customers and/or business partners about the security of a system/service
To demonstrate due diligence and due care regarding security risk
To comply with legal, regulatory and contractual requirements, e.g. PCI DSS Requirement 11.3, which requires penetration testing covering the entire cardholder data environment (CDE)
8. So what is a Vulnerability Assessment?
A vulnerability assessment scans a network for known security weaknesses.
Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems and applications.
Vulnerability scanners can test systems and network devices for exposure to common attacks.
Vulnerability scanners can identify common security configuration mistakes.
Unlike a penetration test, a vulnerability assessment reports potential weaknesses without attempting to exploit them, so its findings are not validated and may include false positives.
9. Types of Penetration Test
• Network Security testing
• Social Engineering testing
• Wireless Security testing
• Web Application testing
10. Skill Level of Penetration Tester
Should have basic knowledge of ethical and legal (permissible) issues
Should have basic knowledge of session hijacking
Should know about hacking wireless networks
Should be competent at network sniffing
Should know how to handle viruses and worms
Should have basic knowledge of cryptography
Should have basic knowledge of account administration
Should know how to perform system hacking
Knowledge of network and computer technology
– Ability to communicate with management and IT personnel, understanding of the laws, ability to use the necessary tools
12. Penetration Testing Benefits
ADVANTAGES
1. Improvement of security
2. Good governance
3. Conformity
4. Cost management
5. Customer and partner assurance
13. Rules of Engagement
Penetration testing involves using techniques used by attackers, and some basic rules of engagement must be followed to stay legal and meet expectations:
Ensure the scope is clear, detailing exactly what tests will/will not be carried out and the times and dates of such tests
Never carry out tests outside of this scope under any circumstances
Always have formal written permission from the correct authority before conducting any form of testing
Always report any major finding immediately to the client and await the response; a report should never contain surprises!
Ensure you or your company has adequate insurance coverage
14. White, Black and Grey Box Testing
White Box Testing is a test whereby a penetration tester is given full details of the system to be tested, including designs and credentials.
The primary purpose of a white box test is to allow the tester to conduct a thorough, detailed and in-depth security test of all elements of the system.
Black Box Testing is the opposite, whereby the tester is simply given an amount of time to compromise organizational systems with no prior information.
The primary purpose of a black box test is to identify what individuals without any prior association to the organization could achieve. This will require the tester to perform reconnaissance and gather information.
Grey Box Testing is a combination of the two: the tester is given partial knowledge of the environment (for example, a standard user account but no design documentation).
16. Performing Reconnaissance
Performing Reconnaissance is focused on gathering information about the target in a passive way. Passive here means that no traffic is sent to the target's own systems, so this stage is invisible to the target's monitoring.
This may involve reviewing the web for information about key technologies, key staff (who could be targets for social engineering), and technical details such as IP address ranges.
The information gathered in this stage will be useful going forward, as it will inform the kind of tests and techniques that could be used.
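As an added example (not code from the deck or from Intex IT), the following Python script pulls the facts this slide lists out of material that was gathered passively, such as a cached copy of a public "contact us" page and the response headers a CDN returned for it. The domain, page content, headers, names and address range are all constructed for the example.

```python
"""Passive reconnaissance helper (added example, not from the original deck).

Given material gathered without touching the target's own systems, pull
out what a tester wants before active testing starts: technologies in
use, staff e-mail addresses (and the naming scheme behind them), hostnames
under the target domain and any published IP ranges.
"""
import ipaddress
import re

# Constructed sample input; the domain, people and addresses are hypothetical.
TARGET_DOMAIN = "example-corp.test"
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}
SAMPLE_HTML = """
<html><body>
<p>Contact our IT director, Jane Smith: jane.smith@example-corp.test</p>
<p>Press enquiries: press@example-corp.test</p>
<a href="https://vpn.example-corp.test/login">Staff VPN</a>
<a href="https://mail.example-corp.test/owa">Webmail</a>
<script src="/assets/jquery-1.12.4.min.js"></script>
<!-- RIR record pasted for the example: route 203.0.113.0/24 origin AS64500 -->
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"https?://([\w.-]+)")
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
JS_LIB_RE = re.compile(r"/([a-z]+)-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js")

def technologies(headers, html):
    """Technology fingerprints from response headers and script paths."""
    techs = {}
    for name in ("Server", "X-Powered-By"):
        if name in headers:
            techs[name] = headers[name]
    if "PHPSESSID" in headers.get("Set-Cookie", ""):
        techs.setdefault("X-Powered-By", "PHP (PHPSESSID cookie)")
    for lib, ver in JS_LIB_RE.findall(html):
        techs[lib] = ver
    return techs

def staff_emails(html, domain):
    """Addresses at the target domain; these are social-engineering targets."""
    found = {m.lower() for m in EMAIL_RE.findall(html)}
    return sorted(e for e in found if e.endswith("@" + domain))

def username_format(emails):
    """Guess the local-part convention (e.g. first.last) from real people's
    addresses, ignoring generic mailboxes; a known convention lets the tester
    predict other staff addresses later."""
    for e in emails:
        local = e.split("@")[0]
        if "." in local and not local.startswith(("press", "info", "admin")):
            return "first.last"
    return None

def hostnames(html, domain):
    """Hostnames under the target domain that the page links to."""
    found = {h.lower() for h in HOST_RE.findall(html)}
    return sorted(h for h in found if h == domain or h.endswith("." + domain))

def ip_ranges(text):
    """CIDR ranges mentioned in the material, normalised and validated."""
    nets = set()
    for cidr in CIDR_RE.findall(text):
        try:
            nets.add(str(ipaddress.ip_network(cidr, strict=False)))
        except ValueError:
            pass  # skip malformed candidates rather than abort the run
    return sorted(nets)

def recon_summary(headers, html, domain):
    emails = staff_emails(html, domain)
    return {
        "technologies": technologies(headers, html),
        "emails": emails,
        "username_format": username_format(emails),
        "hostnames": hostnames(html, domain),
        "ip_ranges": ip_ranges(html),
    }

if __name__ == "__main__":
    for key, value in recon_summary(SAMPLE_HEADERS, SAMPLE_HTML, TARGET_DOMAIN).items():
        print(f"{key}: {value}")
```

Every item in the summary feeds the next phase: the hostnames and range become scan targets, the technology versions become search terms for known weaknesses, and the e-mail naming scheme becomes a username list for password-spraying or phishing scenarios if those are in scope.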
17. Scanning and Enumeration
Once you have information from the reconnaissance activities, the next step is to build on that information with a view to finding potential vulnerabilities.
Scanning and Enumeration is the stage where we attempt to validate some of our initial information and find specific facts: what systems are actually running, can we map the network, and can we identify potential vulnerabilities which can be tested for exploitation in the next phase?
Unlike reconnaissance, this stage sends traffic to the target's systems, so it must only be carried out against hosts in scope and within the agreed time windows.
Numerous tools and techniques can be used in this phase and some will be explored later in this course.
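As an added example (not code from the deck or from Intex IT), here is the core of what a port scanner does in this phase, in Python: a TCP connect scan, banner grabbing, and matching the banner against a small fingerprint table to enumerate the service and software. So that it runs offline, the script starts its own throwaway listener on loopback that answers with a constructed SSH-style banner; the loopback address, the fingerprint table and the banner are the example's own choices, not from the deck.

```python
"""Scanning and enumeration (added example, not from the original deck).

A minimal TCP connect scan with banner grabbing and service
identification. Against a real target this is active traffic and must
stay inside the agreed scope and time window.
"""
import re
import socket
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # constructed banner for the demo

# (regex on the first bytes received, service); group 1 is the software
# string when the banner carries one. A stand-in for a real fingerprint DB.
FINGERPRINTS = [
    (re.compile(rb"^SSH-\d\.\d-(\S+)"), "ssh"),
    (re.compile(rb"^220[ -]\S+\s+(?:E?SMTP\b\s*)?(\S*)", re.I), "smtp"),
    (re.compile(rb"^\+OK\s*(\S*)", re.I), "pop3"),
]

def start_fake_service(banner):
    """Listener on an ephemeral loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def grab_banner(host, port, timeout=0.5):
    """None if closed/filtered, b'' if open but silent, else the banner bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""           # open, but the service waits for the client to speak
    except OSError:                  # refused, unreachable or timed out
        return None

def identify(banner):
    """(service, software) from a banner; ('unknown', None) if nothing matches."""
    for rx, service in FINGERPRINTS:
        m = rx.match(banner)
        if m:
            software = m.group(1).decode(errors="replace") or None
            return service, software
    return "unknown", None

def scan(host, ports):
    """Connect scan: {port: (service, software, banner_text)} for open ports only."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        service, software = identify(banner)
        results[port] = (service, software, banner.strip().decode(errors="replace"))
    return results

def closed_loopback_port():
    """Pick a port that is almost certainly closed: bind, read it back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    """Scan one closed and one open loopback port; only the open one is reported."""
    srv, open_port = start_fake_service(FAKE_BANNER)
    try:
        return scan("127.0.0.1", [closed_loopback_port(), open_port])
    finally:
        srv.close()

if __name__ == "__main__":
    for port, (svc, sw, text) in sorted(demo().items()):
        print(f"{port}/tcp open  {svc:8s} {sw or '?':16s} {text}")
```

The three outcomes of grab_banner are the point: a refused connection, an open port that stays silent (HTTP, for instance, says nothing until the client sends a request), and an open port that volunteers a banner. The software string extracted from the banner is what gets checked against vulnerability databases before the next phase.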
18. Gaining Access
Gaining Access is the phase whereby the potential vulnerabilities identified in the previous phase are put to the test.
In this phase we attempt to gain access to the system(s) in scope by exploiting the vulnerabilities.
Note: For Denial of Service vulnerabilities (those affecting availability) it is usual practice to report such vulnerabilities but not attempt to exploit them, especially on live production systems.
20. Elevate Privileges
Once access is gained, the next step is to identify whether privileges can be elevated, i.e. once logged in as a standard user, is it now possible to gain administrator access?
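As an added example (not code from the deck or from Intex IT), the following Python script shows the kind of check a tester runs from a standard-user shell to answer that question on a Unix host: it parses an `ls -l` style listing and flags the classic local escalation routes. The listing, root's assumed PATH and the baseline of expected setuid binaries are constructed for the example.

```python
"""Privilege-escalation enumeration (added example, not from the original deck).

Once a standard-user shell is obtained, the tester checks whether the host
hands out root through misconfiguration: non-standard setuid-root binaries,
world-writable directories or executables on root's PATH, and
world-writable cron definitions.
"""

# Constructed output in the shape of `find / \( -perm -4000 -o -perm -o+w \) -ls`,
# trimmed to permissions, links, owner, group, size and path.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 59976 /usr/bin/passwd
-rwsr-xr-x 1 root root 10240 /usr/local/bin/backup_helper
-rwxrwxrwx 1 root root  1024 /usr/local/bin/cleanup.sh
drwxrwxrwx 2 root root  4096 /opt/app/bin
drwxrwxrwt 2 root root  4096 /tmp
-rw-rw-rw- 1 root root   512 /etc/cron.d/nightly
-rwsr-xr-x 1 app  app   8192 /opt/app/bin/helper
"""
# Assumed PATH of root's cron/login shell (read it from the target in a real test).
SAMPLE_ROOT_PATH = ["/usr/local/bin", "/usr/bin", "/bin", "/opt/app/bin"]
# Setuid-root binaries expected on the distribution; anything else deserves a look.
KNOWN_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount"}

def parse_listing(text):
    """Turn listing lines into dicts of the permission facts we care about."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                                  # not a listing line
        perm, owner, path = parts[0], parts[2], parts[-1]
        entries.append({
            "path": path,
            "owner": owner,
            "is_dir": perm[0] == "d",
            "setuid": perm[3] in "sS",                # user exec slot carries the setuid bit
            "executable": any(c in "xst" for c in (perm[3], perm[6], perm[9])),
            "world_writable": perm[8] == "w",         # "other" write slot
            "sticky": perm[9] in "tT",                # /tmp-style dirs are not hijackable
        })
    return entries

def find_candidates(entries, root_path, known_suid):
    """Return [(path, why it matters)] for likely escalation routes."""
    findings = []
    for e in entries:
        p = e["path"]
        parent = p.rsplit("/", 1)[0] or "/"
        if e["setuid"] and e["owner"] == "root" and p not in known_suid:
            findings.append((p, "non-standard setuid-root binary: audit its argument, environment and file handling"))
        if e["is_dir"] and e["world_writable"] and not e["sticky"] and p in root_path:
            findings.append((p, "world-writable directory on root's PATH: a planted binary shadows commands root runs"))
        if not e["is_dir"] and e["world_writable"] and e["executable"] and parent in root_path:
            findings.append((p, "world-writable executable on root's PATH: appended commands run as root"))
        if not e["is_dir"] and e["world_writable"] and p.startswith("/etc/cron"):
            findings.append((p, "world-writable cron definition: a new job runs as root on schedule"))
    return findings

def run_checks(listing=SAMPLE_LISTING, root_path=SAMPLE_ROOT_PATH, known_suid=KNOWN_SUID):
    return find_candidates(parse_listing(listing), root_path, known_suid)

if __name__ == "__main__":
    for path, why in run_checks():
        print(f"{path}\n    {why}")
```

Note what is deliberately not flagged: /usr/bin/passwd is setuid root but expected, /tmp is world-writable but sticky, and the setuid helper owned by the unprivileged "app" user only yields that user's privileges. Each finding is a candidate to be confirmed by exploitation in the test, not a confirmed escalation in itself.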
21. Maintain Access
In a real-world hacking attack this is a key step: how long can an attacker go without being detected?
Depending on the scope of the test, avoiding detection (whether that be avoiding triggering alerts on an IDS or avoiding being detected inside a building) may be a fundamental part of the test.
22. Placing Backdoors
Backdoors are used to allow an attacker to continue gaining access to the system in the future. A backdoor is a mechanism that allows access whilst avoiding the normal authentication approach.
In a penetration test it is important to agree the scope and identify whether the placement of backdoors is part of the test. Placing such backdoors essentially creates a gap in the security posture of the organization and may not be an acceptable risk! If backdoors are placed, their removal at the end of the test should be agreed in advance and verified.
24. Covering Tracks
Once the backdoors are placed and the attack is complete, the attacker wishes to reduce the likelihood of the attack ever being uncovered.
Covering tracks includes techniques to remove log entries, hide files and remove all trace of such attacks.
Such a step in a penetration test may be used to identify whether an organization's protective monitoring is truly working, and is indeed very useful in an unannounced test.
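Removing log entries only works when logs can be edited in place on the compromised host. As an added example (not code from the deck or from Intex IT) of the kind of protective-monitoring control such a test exercises, the following Python script hash-chains log entries and shows which of an intruder's edits the chain catches on its own and which need a head hash copied off the host. The auth-log lines are constructed for the example.

```python
"""Tamper-evident logging (added example, not from the original deck).

Every entry's digest is bound to the previous entry's digest, so an
in-place edit or a deletion in the middle breaks the chain. A head hash
periodically shipped off-host (the "checkpoint") catches the one edit the
chain alone cannot: truncating the tail.
"""
import hashlib

GENESIS = "0" * 64   # digest "before" the first entry

def entry_hash(prev_hash, line):
    """Digest of this line bound to the previous entry's digest."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode()).hexdigest()

def append(log, line):
    """Append (line, hash) to the in-memory log; return the new head hash."""
    prev = log[-1][1] if log else GENESIS
    log.append((line, entry_hash(prev, line)))
    return log[-1][1]

def verify(log, checkpoint=None):
    """Return (ok, index, reason). `checkpoint` is the head hash last copied
    off-host; without it, removing entries from the end is invisible."""
    prev = GENESIS
    for i, (line, h) in enumerate(log):
        if entry_hash(prev, line) != h:
            return False, i, "entry modified, or an earlier entry removed"
        prev = h
    if checkpoint is not None and prev != checkpoint:
        return False, len(log), "tail truncated: head does not match off-host checkpoint"
    return True, None, None

# Constructed auth-log lines an intruder would want to erase.
SAMPLE_LINES = [
    "Mar 01 02:10:03 web1 sshd[812]: Accepted password for bob from 10.0.0.5 port 51022",
    "Mar 01 02:10:09 web1 sudo: bob : TTY=pts/0 ; COMMAND=/bin/bash",
    "Mar 01 02:11:40 web1 sshd[830]: Accepted publickey for svc from 198.51.100.7 port 40012",
    "Mar 01 02:12:02 web1 useradd[845]: new user: name=support, UID=0",
    "Mar 01 02:12:30 web1 sshd[812]: Disconnected from user bob 10.0.0.5 port 51022",
]

def build_log(lines):
    log = []
    for line in lines:
        append(log, line)
    return log

def scenarios():
    """Apply the intruder's three edits to the chain and return each verdict."""
    intact = build_log(SAMPLE_LINES)
    checkpoint = intact[-1][1]                        # what the log collector already holds

    deleted = intact[:3] + intact[4:]                 # erase the useradd entry
    edited = list(intact)
    edited[0] = (edited[0][0].replace("10.0.0.5", "10.0.0.9"), edited[0][1])  # change source IP
    truncated = intact[:4]                            # drop everything after the useradd

    return {
        "intact": verify(intact, checkpoint),
        "deleted_middle": verify(deleted, checkpoint),
        "edited": verify(edited, checkpoint),
        "truncated_no_checkpoint": verify(truncated),
        "truncated_with_checkpoint": verify(truncated, checkpoint),
    }

if __name__ == "__main__":
    for name, (ok, idx, why) in scenarios().items():
        print(f"{name:26s} {'OK' if ok else 'TAMPERED'}"
              + ("" if ok else f" at entry {idx}: {why}"))
```

The practical lesson for the organization being tested is the truncation case: a chain kept only on the host proves nothing about entries removed from the end, which is exactly what an intruder with root can do. Shipping entries (or at least the head hash) to a separate log collector as they are written is what turns "covering tracks" into a detectable event.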
25. Penetration Testing Checklist
These are the typical items to be in place before the testing:
A formally documented and approved scope
A signed contract with legal elements and NDA
Adequate and complete insurance coverage
Ensure reporting channels are agreed along with reporting times
Is access to the building arranged, user credentials established?
Is IT Support in place and available when testing commences?
A process for following up on penetration test findings
An agreement on how findings will be rated and ranked
Agreement on the process and timeframes for follow-up testing
27. THANK YOU
Editor's Notes
There is much discussion and debate about penetration testing in various publications and on the web. A penetration test is an exercise or set of exercises which are pre-authorized and carried out by skilled and qualified professionals, and which aim to identify security vulnerabilities in targets such as:
A network – an example of an Infrastructure Penetration Test
A server or servers – an example of an Infrastructure Penetration Test
A web application – an example of an Application Penetration Test
A building – an example of a Physical Security Test (e.g. can the tester gain unauthorized access to a building and then to information or information systems?)
A security posture – in this case the testers may be looking for what security vulnerabilities generally exist in the organization. This may include using techniques such as Social Engineering to obtain information from staff or to convince people to grant access to information or information systems.
Such tests will demonstrate the vulnerabilities, how these can be exploited, and the controls which an organization could implement to reduce the risk of such a compromise happening in a real-world situation.
There are many types of test, including internal and external testing; tests where the tester has no knowledge, partial knowledge or full knowledge of the environment to be tested; and tests which are announced and unannounced. The various types of test, their purpose, benefits and disadvantages will be explored in detail during this course.
Improvement of security:
General improvement of the effectiveness of information security with controls implemented to address real proven vulnerabilities;
Independent review of your information security management system;
Increased awareness of security and how controls can be circumvented and vulnerabilities exploited;
Advice provided to address identified security problems.
Good governance:
Awareness and empowerment of personnel regarding information security;
Decrease of lawsuit risks against upper management by virtue of the "due care" and "due diligence" principles;
The opportunity to identify the weaknesses and to provide corrections;
If linked with a good Information Security Management System (ISMS), the opportunity to increase the accountability of top management for information security.
Conformity:
Helps in the effort to be conformant with:
ISO standards;
OECD (Organisation for Economic Co-operation and Development) principles;
Industry standards, for example PCI DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry);
National and regional laws;
Customer contractual requirements.
Cost management:
Decision makers often ask to justify the profitability of projects or security controls and demand concrete and measurable returns. A financial evaluation concept has emerged specifically for the information security field: Return on Security Investment (ROSI). ROSI is derived from Return on Investment (ROI) and can be interpreted as the financial benefit of a security control, taking into account its total cost over a given period of time.
Understanding the real risks by analysing the results of a well-constructed penetration test can help in the selection of the correct and most effective controls, those which address the real business risks and issues.
Customer and partner assurance:
Differentiation provides a competitive advantage for the organization;
Satisfaction of requirements of customer and/or other stakeholders;
Meeting customer contractual obligations;
Consolidating confidence of customers, suppliers and partners of the organization.
Whilst it may be interesting to find the next vulnerability or prove a specific security concept, it must be considered that only the items in the scope may be tested, at the agreed times, using the agreed techniques. The scope for the test must be formally documented, and a letter of authority and a legal contract must be signed by the relevant person(s) with authority before the test commences. There are several key reasons for this:
Penetration tests always carry a risk of system outage, because testers may be performing activities outside of what the system was designed to expect. When authorizing the activities, the organization accepts this risk in very specific circumstances. Testing outside of these parameters can introduce unexpected risk and, in the worst case, result in damage and system outages for which the tester and their company may be held liable.
Penetration testing involves using techniques to circumvent security controls. In many cases such techniques would be a criminal offence under computer misuse law (in the UK, the Computer Misuse Act 1990); the written authorization is what makes them lawful, so working outside of scope is likely to be considered a criminal act.
From an insurance point of view, a professional tester should have adequate professional indemnity cover. Often this cover is only valid if activities are being performed within clear, formal boundaries.
If there is an area outside of scope where you suspect relevant vulnerabilities may exist, or feel there may be a benefit in extending the scope, this should be brought to the attention of the organization along with an explanation of the purpose and benefits of such a scope change. As above, this must be authorized formally in writing before proceeding.
In terms of reporting, a formal report will be presented to the relevant management representatives at the end of the engagement. Nevertheless, any finding deemed major or critical must be reported immediately to the organization, so that it can take a view on whether it needs to work on the vulnerability straight away. Consider the scenario: a test is being undertaken on a public-facing website and it is identified that an individual could easily gain access to the accounts of other users, with significant impact. It would not be fair on the organization to leave it exposed to this risk until the end of the testing (which could be several days); it is our professional duty to report that finding and provide the necessary advice. It may be that the organization postpones the testing whilst the issue is addressed. Ultimately the organization being tested must make the necessary judgment, with the right advice. It is important to note that the role of the penetration tester is to work with organizations to help them reduce risk, not to spring surprises at the end of the test or to show off their technical skill set (technical skills are demonstrated by working in a positive manner).
As a tester I have sometimes been asked why penetration testers need to be given credentials (white box test); surely a good penetration tester could just "hack in"? The simple answer is that it depends on what risk scenario is being tested. If we are testing what an internal user could achieve, then it makes sense for the tester to assume the credentials of such a user, which also saves time and cost on the test. If the risk being tested is purely focused on an external person with no knowledge, then the black box approach is appropriate. This shows that before any decision is taken on test type, the risk scenarios, purpose and objectives of the test should be clearly defined and agreed.
On some occasions I have heard organizations state that they have never had a security breach as a way to justify the failure to implement controls. In most cases, however, the approach to proactive protective monitoring is limited, meaning attackers could easily have conducted attacks and covered their tracks. Sometimes convincing an organization to invest in security controls (and indeed monitoring for something which they may think does not exist) is an extremely difficult task. A penetration test which also examines how easy it is for an attacker to hide their activity is a very useful way of showing whether a real case for such monitoring applies.
Prior to starting penetration testing activities it is critical that the following key points are addressed:
A formal scope is agreed, documented and approved;
A clear contract is in place which authorizes the tests, addresses confidentiality issues and ensures the tests are conducted legally and in line with business requirements;
Clarity that adequate professional indemnity insurance is in place in case of any errors or incidents which result in immediate or future damage and subsequent losses;
It is important to ensure that the reporting channels are clear: what happens when major or critical vulnerabilities are found, and who should they be reported to? What about the report when the test is completed?
All the logistics for the actual tests should be agreed and organised, such as access to buildings, information systems and remote access as required, depending on the scope or brief of the assignment;
Ensuring that IT Support is available during the testing is recommended, in order to allow any issues or problems to be addressed rapidly;
The way in which the findings are presented is critical. It can cause problems if the test team rate everything as "high" and the client disagrees, or if the presentation of the findings is unclear (see Day 4 for a discussion on reporting);
Agreement should be reached on who will be responsible for managing remediation actions and how follow-up activities will be carried out if necessary.
Considering and addressing all of these factors will significantly reduce the risks associated with testing and increase the likelihood of a successful testing exercise.