• No results found

Penetration Testing in Romania

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Penetration Testing in Romania"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Penetration Testing

in Romania

Adrian Furtunǎ, Ph.D.

11 October 2011

(2)

Agenda

About penetration testing

Examples

(3)

What is penetration testing?

Method for evaluating the security of an information system or

network by simulating attacks from malicious outsiders or

insiders.

Related terms:

Penetration testing

(RO: teste de penetrare,

Pentesting

teste de intruziune)

Ethical hacking

Tiger Teaming

Red Teaming

Penetration testing is not Vulnerability assessment

Penetration testing is:

authorized

adversary-based

(4)

Penetration testing by example

Insufficient input

validation

Insecure session

configuration

Application logic

flaws

Insecure server

configuration

Internet

Banking

application

External attacker

- hacker

- industrial espionage

- organized crime

Internal attacker

- malicious employee

- collaborator

- consultant

- visitor

Threats

Vulnerabilities

Assets

Risks

Vulnerable?

Exploitable?

SQL injection

OS command

execution

Authentication

bypass

Cross Site

Scripting

Password

Directory

browsing

H

H

H

M

M

L

(5)

Motivation. Why? When?

Verify the effectiveness of protection mechanisms implemented

 Application security mechanisms

 Server configurations

 Network configurations

 Employee security awareness

 Physical security

Test the ability of system defenders to detect and respond to attacks

Obtain a reliable basis for investments in security personnel and

technology

Required by ISO 27001, PCI DSS, etc

As part of risk assessment for risk identification and quantification

As part of ongoing/periodic security assessment

Before a new system is put in production

In the development phase of a new system

(6)

Penetration testing objectives and targets (examples)

External penetration test:

Test the security of internet banking / mobile banking apps

Evaluate the security of internet facing applications

Perform fraudulent transactions in online shops

Access personal data in online medical applications

Gain physical access to company building and install rogue

access point

Internal penetration test:

Obtain access to database server containing customer

information

Gain control of Active Directory

Obtain administrative access to ERP application

Gain access to company assets (sensitive files, project plans,

intellectual property)

(7)

Penetration testing types

According to attacker’s

location:

According to attacker’s

initial information:

External pentest

Internal pentest

Black box test

Gray box test

White box test

Simulated threats

Hackers, corporate espionage,

terrorists, organized crime

Malicious employee, collaborator,

consultant, visitor

Hackers, organized crime, terrorists,

visitors

Consultants, corporate espionage,

business partner, regular employees

Malicious system administrators,

developers, consultants

Test type

According to the attacks performed: - pure technical

- social engineering

- denial of service

(8)

How?

Information gathering

Create attack trees

Prepare tools

Perform collaborative attacks

 Identify vulnerabilities

 Exploit vulnerabilities

 Extract sensitive data

 Gain system access

 Escalate privileges

 Pivot to other systems

Write the report

(9)

Automated vs. Manual

Automated testing:

 Configure scanner

 Run scanner & wait for results

 (Validate findings where possible)

 Deliver report to client

Manual testing:

 Use tools as helpers only

 Validate findings by exploitation (no false positives)

 Dig for sensitive data, escalate privileges, gain access to other systems

Model and simulate real threats: simulate attacker’s way of thinking, consider attacker’s

resources, knowledge, culture, motivation

 Several manual tests for exploitation of specific vulnerabilities

 Strict control, logging, quick feedback

(10)

Resources

Dedicated machines

Dedicated network

Software tools:

 In-house developed

 Open source

 Commercial

Dedicated workspace (IT Security Laboratory)

 Protect client data

(11)

Limitations

Timeframe

Budget

Resources

Personnel awareness

Things change

Does not discover all vulnerabilities but reduces the

number of vulnerabilities that could be found by high

skilled attackers having similar resources and knowledge

Known

Vulnerabilities

All software

vulnerabilities

(12)

Reporting

Executive summary

 Overview

 Key findings

 High-level observations

 Risk matrix

Technical report

 Findings

 Risks

 Recommendations

(13)

Standards, Certifications and Knowledge

Security testing standards:

OSSTMM - Open Source Security Testing Methodology Manual

NIST 800-42 - The National Institute of Standards and Technology Special

Publication

OWASP - The Open Web Application Security Project

Certifications:

Offensive Security OSCE, OSCP, OSWP

ISECOM OPST

SANS GPEN, GWAPT

EC-Council LPT, CEH

CHECK Team Leader, Team Member

CREST Registered Tester, Certified Tester

Knowledge:

System administration

Network administration

Software development

(14)
(15)
(16)
(17)
(18)
(19)
(20)

Thank you!

Questions?

Adrian Furtunǎ, Ph.D.

[email protected]

References

Download now ( PDF - 20 Page - 1.08 MB )

Related documents

Veliki Getsbi

Nisam mogao da pogodim šta su Dejzi i Tom mislili, ali sumnjam da je čak i gospođica Bejker, koja je po svim izgledima majstorski baratala izve- snom dozom drskog skepticizma, bila

President s Message by Carrie Christensen, LCSW

In some ways couples counseling is more like group therapy than individual counseling. To be successful, the therapist must listen, comprehend, and map out all that is being

Outcomes of infants starting Antiretroviral therapy in Southern Africa

Outcomes of Infants starting ART in Southern Africa Appendices 34 1 = Tablet/capsule 2 = Syrup/Suspension 95 = Not ascertained 99 = Unknown despite

OP-AMP AND ITS APPLICATIONS

The adder circuit provides an output voltage proportional to or equal to the algebraic sum of two or more input voltages each multiplied by a constant gain factor.. It is

VLI}IV) ftjfl. 98tMM ojrc. O6if1. SITIIIIITJ ian. c snioq3 avs L -

Ubi Caritas received its North American premiere at the 2007 ACDA National Convention in Miami, where it was performed by the exciting new Swedish professional choir, Voces

Női képviselők - Női képviselet? = Women MP's women's representation

A munkavállalás lehetősége és a szavazati jog által a nők helyzetében bekövetkezett változás nem módosította alapvetően a társadalmi struktúrát: „A világ, amely mindig

Modelling soil detachment rates in rainfed agrosystems in the south-central Pyrenees

Among the different land uses, the MMF model predicted the highest monthly splash detachment rates for barley fields with a total annual rate of 93.8 Mg ha -1 y -1 and a maximum

Economic Thought of Muhammad Baqir al-Sadr: A Study of Iqtisaduna (Our Economics)

Economy: The Views of (Late) Muhammad Baqir al Sadr 13 ”,discusses Baqir al Sadr‟s views on various aspects of Islamic economy like; ownership of property, economic