Pentesting Presentation
About Me
Been there, done that...
IT Systems Infrastructure
IT Architecture & Security
IT Auditor, Financial Services
Cybercrime Investigation
ISACA QAT (CISA Exam)
CISA Exam Boot Camp (GSU)
2014 Reported security breach on TV
Proposed SB386 Privacy Law
Web developer, adjunct professor, HOA President, aspiring author, etc., etc., etc.
Geek
Agenda
1) Define Pen Testing
2) Types of Tests
3) Benefits of Pen Testing
4) Management Expectations
5) Value for IT Audit
6) Pen Testing vs Vulnerability Assessment
7) Pen Testing Guidance and Standards
8) Plan, Manage, and Survive Pen Test
9) How to Stay Out of Jail
10) What Makes Successful Pen Test
1 Definition
Formal definition
A penetration test simulates the actions of
an external and/or internal cyber attacker
that aims to breach the information
security of the organization.
Using many tools and techniques, the
penetration tester (ethical hacker)
attempts to exploit critical systems and
gain access to sensitive data.
2 Types of Tests
Internal or External
Black box, White box, Gray box
Perimeter Infrastructure
Wireless, WEP/WPA cracking
Cloud Penetration Testing
Telephony systems / VoIP
Vulnerability scanning*
PCI DSS Scanning*
(* typically does not involve US Navy Seals with live ammo, but YMMV)
Social Engineering
Assess resilience to attacks on the human network
Methods include phishing, media drops, tailgating, pretexting
Phishing attacks
Password resets
Impostors posing as a fellow employee or an external authority
Third-party employees
Tailgating
Social networking scams (Facebook, LinkedIn)
As well as discovering and fixing potential vulnerabilities, social
engineering penetration testing will help to raise security
awareness within the organization.
3 Benefits
4 Expectations
Expectations
Penetration Test: Highly Anticipated
Typical IT Audit: (Not So Much)
Expectations to Consider
Is main focus meeting compliance requirements?
Or concern that intellectual property is at risk from
a motivated and skilled attacker?
IT Management
IT Security & Technical
IT Audit
Business Units
Senior Management
Your own
6 Pen Testing vs Vulnerability Assessment
Vulnerability assessment:
Can be easy to do
Typically finds more issues
Normally uses 'white box' mode
Does not exploit the vulnerability.
Exploitation is where the pen test adds value.
7 Pen Testing Guidance and Standards
NIST SP 800-115 (2008)
Useful, though outdated
FedRAMP Penetration Test Guidance 1.0.1
Also excellent, even if you have no FedRAMP requirements
OSSTMM v3
Goes way beyond penetration testing
Valuable guide with lots of great insights
1 Pre-engagement Interactions
Pre-engagement Interactions:
Often overlooked
Logistics of testing can be difficult
Tester not understanding your goals
Not considering risks, culture, or best strategy
(e.g. proposes more canned approach)
True partnership vs. Customer
Key factor is need for more project planning
expertise and less selling expertise.
2 Intelligence Gathering
Are you providing information, or is the vendor going
to research and provide you with what they have found?
Sometimes useful to have them find as much as
they can on their own then provide info to fill in
gaps.
Amount of info given depends on nature of test
(e.g. white box, black box, gray box).
Scope depends on test type
Great way to assess security awareness.
3 Threat Modeling
Identify targets and map attack vectors.
Security testers should be able to take info
from intelligence gathering and tell you
what types of attacks your organization is
susceptible to.
Not a formal presentation, synopsis of
weak points they see as vulnerable.
They may see something you do not.
4 Vulnerability Analysis
5 Exploitation
Shows how far an attacker can get (within
scope of test).
Security tester should be able to explain
exploitation technique and:
Why it worked.
What exploit did.
6 Post Exploitation
Many testers fail at this point
Elevating privileges is not "game over".
Goal is to understand methods used to
gain access to valuable information.
(e.g. XSS on an internal web site = so what?)
7 Reporting
The most important part of the test
Value comes from findings and detailed
explanation of what was found
Well crafted recommendations that come from
years of experience.
Ask the vendor about their reporting structure and
how it's written.
Output directly from a scan tool = red flag.
Goals
Have Goals and Targets:
Get to PII
Establish specific attack vectors
Compromise specific systems or apps
Bypass security / stealth attacks
Identify most sensitive data
Consider what data/access has material impact
Include any hot buttons you want addressed.
Define Location
Where will testers sit? (Cost vs. Security Risk)
Some can be done remotely, some not
Physical/social engineering engagements and
wireless assessments
Internal pen tests via VPN connection?
Logical location in network (e.g. VLANs)
Same state/country?
Data privacy laws, time zones, language,
culture
Define Scope
Define Approach
Covert/Overt: Blackbox/Whitebox.
Whitebox (full knowledge, or partial "gray")
Less time spent on discovery, more breaking into things
Better assess insider threat (insiders did discovery)
Blackbox (zero knowledge)
Most realistic external attack result.
Better gauge of controls related to public info disclosure.
Better test of social engineering awareness.
Teach risks of social engineering and public data
Consider Timing
Scheduling
Non-production times of day
Red flag would be if test team did not ask
Frequency
Annual assessment (VA or PT: YMMV)
Before upgrades/patching?
After upgrades/patching?
Balance realism vs. desired end state.
How to Do it Wrong
Vague scope
Heavy scanning with automated tools
Exploit with Metasploit
Poke around with other tools
Produce a generic report
9 How to Stay Out of Jail
Source: Mark Rasch, November 26, 2013, SecurityCurrent.com
Legal Authority
Computer crime laws and what constitutes
authorization can quickly get muddy.
Security expert performed pen test, results
were bad, authorization unclear, GBI
called to arrest and investigate.
Houston security expert took news
reporter on war-driving excursion, arrested,
thousands in legal costs, acquitted.
Damage Control
Reducing all production systems to
smoking heap could happen.
All damages, even incidental/coincidental,
are the customer's problem.
Agreement needs to spell that out clearly.
Indemnification
(def: compensation for damages)
Contract needs to address liability for
damage to third parties.
Liability can be huge risk.
No Hack-backs
Hacking is illegal.
If pen tester attacks and organization
launches counter-attack, that's not legal.
If pen tester is attacking shared
infrastructure, without permission they
have no legal right to do that.
All needs to be spelled out, scope carefully
defined.
Scope of Work
Pen test agreement needs to state clearly
what is in-scope, or implied warranty may
lead to bigger issues.
Each term of scope must be defined, e.g.
what 'off peak' means, and what
internal vs. external means.
Professionalism
Standard of care
What is the warranty?
Will they find 'substantially all' issues?
Privacy Issues
Pen tester may access sensitive personal
information, credit card information,
personally identifiable information (PII) or
Private Health Information (PHI).
Some jurisdictions could consider this a
reportable breach, even though the testing
was intentional.
Pen tester overseas who accidentally
moves PII may be breaking laws.
Data Ownership
Pen tester owns methods/template
Customer owns results
If pen tester writes custom code while
working for customer, who owns that?
Duty To Warn
If pen tester discovers wider issue that
could impact others, must they report it?
Even if customer owns results, does pen
tester own knowledge of dangerous issue?
Takeaways
1) Define Pen Testing
2) Types of Tests
3) Benefits of Pen Testing
4) Management Expectations
5) Value for IT Audit
6) Pen Testing vs Vulnerability Assessment
7) Pen Testing Guidance and Standards
8) Plan, Manage, and Survive Pen Test
9) How to Stay Out of Jail
10) What Makes Successful Pen Test
Questions?
Thanks!
References
1) Dave Shackleford, "A Penetration Testing Maturity and Scoring Model", RSA Security Conference, 2014
2) Mark Rasch, "Legal Issues in Penetration Testing", SecurityCurrent.com, November 26, 2013
3) David A. Shinberg, "A Management Guide to Penetration Testing", SANS Hacker Techniques, Exploits, and Incident Handling, 2003
Links
https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
http://dx.doi.org/10.6028/NIST.SP.80053Ar4
http://csrc.nist.gov/publications/nistpubs/800145/SP800-145.pdf
https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threatsimulation-to-harden-the-microsoft-enterprise-cloud/