Penetration Testing in Romania

(1)

Penetration Testing in Romania
Adrian Furtunǎ, Ph.D.
11 October 2011

(2)

Agenda
- About penetration testing
- Examples

(3)

What is penetration testing?

Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders.

Related terms:
- Penetration testing, Pentesting (RO: teste de penetrare, teste de intruziune)
- Ethical hacking
- Tiger Teaming
- Red Teaming

Penetration testing is not vulnerability assessment.

Penetration testing is:
- authorized
- adversary-based

(4)

Penetration testing by example

[Diagram: an Internet banking application (the asset) exposed to an external attacker (hacker, industrial espionage, organized crime) and an internal attacker (malicious employee, collaborator, consultant, visitor). Vulnerability classes shown on the application: insufficient input validation, insecure session configuration, application logic flaws, insecure server configuration. Threats, vulnerabilities and assets together determine the risks.]

Risk matrix (per finding: Vulnerable? Exploitable? Risk level; the check marks did not survive extraction, the risk levels are listed in slide order):

  Vulnerability           Risk
  SQL injection           H
  OS command execution    H
  Authentication bypass   H
  Cross Site Scripting    M
  Password                M
  Directory browsing      L

(5)

Motivation. Why? When?

Why?
- Verify the effectiveness of the protection mechanisms implemented:
  - Application security mechanisms
  - Server configurations
  - Network configurations
  - Employee security awareness
  - Physical security
- Test the ability of system defenders to detect and respond to attacks
- Obtain a reliable basis for investments in security personnel and technology
- Required by ISO 27001, PCI DSS, etc.

When?
- As part of risk assessment, for risk identification and quantification
- As part of ongoing/periodic security assessment
- Before a new system is put in production
- In the development phase of a new system

(6)

Penetration testing objectives and targets (examples)

External penetration test:
- Test the security of internet banking / mobile banking apps
- Evaluate the security of internet-facing applications
- Perform fraudulent transactions in online shops
- Access personal data in online medical applications
- Gain physical access to the company building and install a rogue access point

Internal penetration test:
- Obtain access to the database server containing customer information
- Gain control of Active Directory
- Obtain administrative access to the ERP application
- Gain access to company assets (sensitive files, project plans, intellectual property)

(7)

Penetration testing types

  Test type                                   Simulated threats
  According to attacker's location:
    External pentest                          Hackers, corporate espionage, terrorists, organized crime
    Internal pentest                          Malicious employee, collaborator, consultant, visitor
  According to attacker's initial information:
    Black box test                            Hackers, organized crime, terrorists, visitors
    Gray box test                             Consultants, corporate espionage, business partner, regular employees
    White box test                            Malicious system administrators, developers, consultants

According to the attacks performed:
- pure technical
- social engineering
- denial of service

(8)

How?
- Information gathering
- Create attack trees
- Prepare tools
- Perform collaborative attacks:
  - Identify vulnerabilities
  - Exploit vulnerabilities
  - Extract sensitive data
  - Gain system access
  - Escalate privileges
  - Pivot to other systems
- Write the report

(9)

Automated vs. Manual

Automated testing:
- Configure scanner
- Run scanner & wait for results
- (Validate findings where possible)
- Deliver report to client

Manual testing:
- Use tools as helpers only
- Validate findings by exploitation (no false positives)
- Dig for sensitive data, escalate privileges, gain access to other systems
- Model and simulate real threats: simulate the attacker's way of thinking; consider the attacker's resources, knowledge, culture, motivation
- Several manual tests for exploitation of specific vulnerabilities
- Strict control, logging, quick feedback

(10)

Resources
- Dedicated machines
- Dedicated network
- Software tools:
  - In-house developed
  - Open source
  - Commercial
- Dedicated workspace (IT Security Laboratory)
  - Protect client data

(11)

Limitations
- Timeframe
- Budget
- Resources
- Personnel awareness
- Things change

Does not discover all vulnerabilities, but reduces the number of vulnerabilities that could be found by highly skilled attackers having similar resources and knowledge.

[Diagram: "Known vulnerabilities" shown as a subset of "All software vulnerabilities".]

(12)

Reporting

Executive summary:
- Overview
- Key findings
- High-level observations
- Risk matrix

Technical report:
- Findings
- Risks
- Recommendations

(13)

Standards, Certifications and Knowledge

Security testing standards:
- OSSTMM - Open Source Security Testing Methodology Manual
- NIST 800-42 - The National Institute of Standards and Technology Special Publication
- OWASP - The Open Web Application Security Project

Certifications:
- Offensive Security OSCE, OSCP, OSWP
- ISECOM OPST
- SANS GPEN, GWAPT
- EC-Council LPT, CEH
- CHECK Team Leader, Team Member
- CREST Registered Tester, Certified Tester

Knowledge:
- System administration
- Network administration
- Software development

(14-20)

[Example slides; no text survived extraction.]

Thank you!

Questions?

Adrian Furtunǎ, Ph.D.
afurtuna@kpmg.com
