This presentation describes penetration testing with a Who, What, Where, When and How approach. It covers the common pitfalls of a bad penetration test and how to recognize a good one, so that you can tell the two apart by looking both at the methods (and attitude) used and at the results delivered.
6. BTPSec Ⓒ 2015
Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
Pentest Service
7. What is a Pentest?
• A pentest is a set of authorized cyber attacks performed in order to discover and verify the vulnerabilities of an information system.
• In a typical pentest session, vulnerabilities are carefully exploited.
– The customer is informed of every step.
– Tests are performed against all of the customer's systems that fall within the agreed scope.
8. Why perform a pentest?
• Shows the current security level of a company.
• Identifies the gaps, and the security awareness of both systems and staff, against possible breaches.
• Shows how much, and which, sensitive information would be lost in a cyber attack.
9. Why perform a pentest?
• An independent IT-security institute reports that around 150,000 malware samples were produced in 2014.
• The AV-TEST Institute reports 390,000 new malware samples every day.
• Kaspersky Lab reports that:
– 6,167,233,068 malware detections were recorded in 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in e-business, half have suffered losses because of cyber attacks.
• New attack types and methods are discovered every day.
10. Cyber Security Incidents, 2014
• Carbanak: a financially motivated cyber gang stole about 1 billion US dollars, remotely and using malware, from institutions in 30 countries.
• Sony: a merciless cyber attack that caused the company a major loss of reputation.
• HSBC Turkey, November 2014: 2.7 million card records were stolen.
11. What are the benefits of a pentest?
• Vulnerabilities of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain business continuity.
• Decreases the likelihood that a real attack succeeds.
• Protects staff, customers and business partners.
• Helps with compliance with
– ISO 27001
– PCI DSS
• Increases know-how and facilitates the analysis of real attacks.
• Preserves company reputation.
12. How is a pentest performed?
• Determining the scope
– Web application pentest
– End-user and social engineering attacks
– DDoS and performance tests
– Network infrastructure tests
– External and internal network tests
– Mobile application pentest
– Virtualization system pentest
– Database pentest
13. How is a pentest performed?
• Performing the test
– Information gathering
– Analysis and planning
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege escalation
– Analysis and reporting
– Post-fix verification
★ Our pentest reports cover all, and only, relevant risk information, that is, findings that potentially cause a risk.
★ We never deliver raw automated-scan results to the customer, and we employ and encourage our staff to specialize in specific fields of pentesting.
★ We are a team composed of web pentesters, a SCADA tester, a DDoS expert, network pentesters, a social engineer and a wireless pentester.
14. Target systems in a pentest
• The following areas are tested and observed for the possibility of information leakage and system malfunction, in order to establish the security level of the agreed scope:
– Mistakes and shortcomings in application development
– Configuration errors
– Security awareness of staff
– System protection level
– Infrastructure security level
– Insecure certificate usage
– Patch level of applications
– Patch level of operating systems
15. Attacker profiles in a pentest
• External network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
  • Unhappy employee profile
  • Disgruntled employee profile
– Manager profile
16. When to perform a pentest
• At times that are critical for the industry and the company
• Before and after corporate milestones
• When critical personnel are hired or dismissed
• On a system believed to be weak
• On a system believed to be strong
17. How often are pentests performed?
• At least once a year
• After system changes and new system deployments
• After new system integrations
18. Reporting
• All findings made during the pentest are analysed, verified and reported.
• The report gives a detailed explanation of each finding, with a recommended solution and the steps needed to resolve it.
• Findings are categorized; counts of findings by category and by severity are charted in the report.
20. Security re-evaluation of the company
• An executive summary report is delivered to the executives, showing the general security status of the company.
• A project closure meeting is organized to discuss the report.
21. Verification Tests
• After a detailed explanation of the findings and delivery of the final report, the company is expected to close the gaps.
• After gap closure, both parties agree on a time frame for the verification tests.
• The findings in the report are re-evaluated in the verification tests.
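The reporting step (slide 18) and the verification step (slide 21), as one added worked example in Python; this is not part of the BTPSec deck or its tooling. Findings are triaged so that only tester-verified, risk-bearing items reach the report (unconfirmed scanner hits and informational items are dropped, as the deck promises), counted by category and by CVSS severity, and then re-evaluated against the customer's retest results, with anything not retested flagged rather than assumed fixed. The finding records, CVSS base scores and retest outcomes are constructed for illustration; the severity bands are the CVSS v3 qualitative rating scale.

```python
"""Finding triage, severity statistics and post-fix verification.

Added example, not BTPSec's own tooling. The findings, CVSS base scores
and retest results below are constructed for illustration. Severity bands
follow the CVSS v3 qualitative rating scale.
"""
from collections import Counter
from dataclasses import dataclass

# (lower bound of the CVSS v3 base score, qualitative rating), highest first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating; 0.0 is informational."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    category: str      # one of the target areas from the "Target systems" slide
    cvss: float
    verified: bool     # confirmed by a tester, not only reported by a scanner
    fix_steps: str


def reportable(findings):
    """Keep only findings a tester has verified and that carry real risk.
    Unconfirmed scanner hits and informational items never reach the report."""
    return [f for f in findings if f.verified and severity(f.cvss) != "Informational"]


def statistics(findings):
    """Counts by category and by severity, as charted in the report."""
    by_category = Counter(f.category for f in findings)
    by_severity = Counter(severity(f.cvss) for f in findings)
    return dict(by_category), dict(by_severity)


def verify(findings, retest):
    """Re-evaluate each reported finding after the customer's gap closure.

    retest maps a finding id to the state observed in the verification test:
    'fixed', 'partial' or 'open'. A finding with no retest entry is flagged
    'not_retested' instead of being silently treated as fixed.
    """
    allowed = {"fixed", "partial", "open", "not_retested"}
    states = {}
    for f in findings:
        state = retest.get(f.ident, "not_retested")
        if state not in allowed:
            raise ValueError(f"unknown retest state {state!r} for {f.ident}")
        states[f.ident] = state
    return states


def residual(findings, states):
    """Findings still carrying risk after verification, highest CVSS first."""
    remaining = [f for f in findings if states[f.ident] != "fixed"]
    return sorted(remaining, key=lambda f: f.cvss, reverse=True)


# Constructed sample data (not real customer findings).
SAMPLE_FINDINGS = [
    Finding("F-01", "SQL injection in login form", "Application development", 9.8, True,
            "Use parameterised queries; validate input server-side."),
    Finding("F-02", "Expired TLS certificate on mail gateway", "Insecure certificate usage", 5.3, True,
            "Renew the certificate and monitor its expiry."),
    Finding("F-03", "Outdated web server with known vulnerabilities", "Patch level of applications", 7.5, True,
            "Upgrade to the vendor's supported release."),
    Finding("F-04", "Directory listing enabled on /backup/", "Configuration errors", 5.3, True,
            "Disable directory indexing; move backups out of the web root."),
    Finding("F-05", "Scanner: possible reflected XSS (not reproduced)", "Application development", 6.1, False,
            ""),
    Finding("F-06", "Server banner discloses software version", "Configuration errors", 0.0, True,
            "Suppress version information in the banner."),
]

# Constructed retest results handed back after the customer's gap closure.
SAMPLE_RETEST = {"F-01": "fixed", "F-02": "fixed", "F-03": "open"}


if __name__ == "__main__":
    report = reportable(SAMPLE_FINDINGS)
    by_category, by_severity = statistics(report)
    print("Findings by category:", by_category)
    print("Findings by severity:", by_severity)
    states = verify(report, SAMPLE_RETEST)
    for f in residual(report, states):
        print(f"{f.ident} {severity(f.cvss):8} {states[f.ident]:12} {f.title}")
```

On the sample data the report keeps F-01 to F-04 (one Critical, one High, two Medium), and after the retest F-03 remains open and F-04 is flagged as not retested, so both appear in the residual list for the next verification round.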