Getting The Most Value From Your Next Network Penetration Test
Jerald Dawkins, Ph.D., True Digital Security
P.O. Box 35623 | Tulsa, OK 74153 | p. 866.430.2595 | f. 877.720.4030
truedigitalsecurity.com
Goals
• Understanding security testing
– Penetration test
– Vulnerability scanning and analysis
• How to better scope and analyze the scope of a penetration test
Many forms
• Vulnerability Scanning
• Vulnerability Assessment
• Red Teaming
• Penetration testing
• Threat models
• Black box, grey box, white box
• Scope, rules of engagement
What does it all mean!?
Vulnerability Scanning (most common)
• Identifies known vulnerabilities
– OS Patch Management
– Application Patch Management
– System Misconfiguration
Problems with Vulnerability Scanning
• Limited control testing
– Patch management and known configuration issues
• Surface evaluation only
– “Yes the building has windows”
– Web applications and custom applications
• Mismanaged by IT and audit
– Typically don’t address fundamental issues
– Scanning is the requirement, not remediation
• Not aligned with business value (laptop versus server)
Penetration Testing
Use this to verify:
• That configuration standards are adequate
• Assumptions made by the organization are correct
• To test the “effectiveness of the internal control structure and procedures”
– From the question: are procedures being completed, and are the procedures adequate?
– Gaps in compliance
Rise of Attacks
• Applications – 2003
• Platform – 2000
• Host – 1995
• Networking Infrastructure (TCP/IP) – 1990
Penetration Testing Primer
• Black box, grey box, white box
• Noisy versus stealthy
• Disable security features (like IPS)
• Simulation versus real attacks
• Credentialed versus unauthenticated
• Specialized penetration testing
– Oracle, SCADA, etc.
– Custom applications or deployments
Test what you can control…
• From a real penetration test:
– JTAG fuses are sometimes not blown
– Keys embedded in firmware; C12.21 authentication not implemented
– SNMP, DHCP, dynamic ARP, embedded NTP vulnerabilities
• Vendor Management is critical
• Focus on what you can control and validate those controls
– Assume a compromised cellular network: rely on encrypted communication
RFP Preparation
• Number of machines, operating systems, architecture…
• Target of the penetration test
– Credit card information, certain data set, internal access
– Specific system or custom application
• Rules of engagement
– Social engineering, actual exploit, communication plan
• Leverage the penetration testing team to build the plan
• Time equals money
– A black box attack should be a white box attack
– Stealthy versus noisy
• IT versus Audit Report
What You Need To Know…
• Test the entire process, not just the response
• Can your team identify the initial scan?
• Can your team track the attack?
– System logs
– System configuration changes
– User administration
– Service up time
• Adequacy of your Incident Response Plan
• Map the engagement to your security controls to evaluate effectiveness
Penetration Test Example
1. Initial Vulnerability Scan
2. Exploit Vulnerability
3. Access System
4. Access Secure File
5. Download Toolset
6. Execute Toolset
7. Escalate Privilege
8. Scan Other Internal Systems
Timeline Cross Reference
The eight steps of the Penetration Test Example above are cross-referenced, over a sequence of eight slides, against the security controls that should observe or block them. Controls listed on each slide, in order:
• Slide 1: Intrusion Detection System, Incident Response, Firewall Configuration
• Slide 2: Intrusion Detection System, Anti-Virus Software, File Integrity Monitoring
• Slide 3: (no controls listed)
• Slide 4: (no controls listed)
• Slide 5: Log Management
• Slide 6: Log Management, Anti-Virus Software, File Integrity Monitoring
• Slide 7: Log Management
• Slide 8: Intrusion Detection System, Incident Response, Firewall Configuration, Change Management
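As an added example that is not part of the deck, the kind of check the “Can your team identify the initial scan? Can your team track the attack?” questions and the Timeline Cross Reference call for: detection logic run over constructed firewall, auth and FIM log lines, mapping the evidence each control produced back to steps of the example timeline. The log formats, addresses, usernames and the scan threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original deck): a firewall
# denying one external source on many ports, then user administration and
# a File Integrity Monitoring alert during privilege escalation.
SAMPLE_LOGS = [
    "fw: DENY src=203.0.113.5 dst=10.0.0.12 dport=21",
    "fw: DENY src=203.0.113.5 dst=10.0.0.12 dport=22",
    "fw: DENY src=203.0.113.5 dst=10.0.0.12 dport=25",
    "fw: DENY src=203.0.113.5 dst=10.0.0.12 dport=80",
    "fw: DENY src=203.0.113.5 dst=10.0.0.12 dport=443",
    "fw: DENY src=198.51.100.7 dst=10.0.0.12 dport=443",  # single hit, not a scan
    "auth: useradd -m svc_backup by root",
    "fim: CHANGED /etc/sudoers",
]

SCAN_PORT_THRESHOLD = 5  # assumed: this many distinct denied ports from one source is a scan

def scanning_sources(lines, threshold=SCAN_PORT_THRESHOLD):
    """Step 1 (initial vulnerability scan): sources denied on many distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        m = re.search(r"DENY src=(\S+) dst=\S+ dport=(\d+)", line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

def user_admin_events(lines):
    """Step 7 (escalate privilege): user administration seen in system logs."""
    return [line for line in lines if re.search(r"\b(useradd|usermod|sudo:)", line)]

def integrity_events(lines):
    """Step 7 from a second control: FIM changes to privileged files."""
    return [line for line in lines if line.startswith("fim: CHANGED")]

def timeline_cross_reference(lines):
    """Which of the deck's controls produced evidence for which example step."""
    evidence = {
        "1. Initial Vulnerability Scan": {
            "Firewall Configuration": bool(scanning_sources(lines)),
        },
        "7. Escalate Privilege": {
            "Log Management (user administration)": bool(user_admin_events(lines)),
            "File Integrity Monitoring": bool(integrity_events(lines)),
        },
    }
    # Keep only controls that actually saw the step; a step left empty is a gap.
    return {step: [c for c, seen in ctrls.items() if seen] for step, ctrls in evidence.items()}
```

A step that comes back with an empty control list is exactly the gap the cross-reference slides are meant to surface before the real engagement report does.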
Advice to IT Auditors
• Focus on scope of the test (Vulnerability or Pen)
– Are you scanning the correct systems?
– Are vulnerabilities being properly managed?
– What is the focus of the Pen Test, and what controls are actually being tested?
• Focus on what you can control
– SCADA Protocols (Research versus Practical)
– Vendor Systems Application (Vendor Management)
• Map engagement to your security controls to evaluate effectiveness