Post on 17-Apr-2018
TRANSCRIPT
PENETRATION TESTING: HOW A REAL-LIFE ATTACK IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION
Thursday 25th February 2016
Penetration Testing Webinar
Your speakers today:
Michel, Web Security Consultant
James, Penetration Testing Specialist
The Agenda
Part 1: The basics of Penetration Testing
Part 2: Testing procedures
Part 3: Test reporting and remediation
Part 4: Do I need a PenTest?
PART 1: The basics of a PenTest
• What is a Penetration Test?
• Who are the testers?
• Why have a Penetration Test?
• How do I know if I’ve been hacked?
• Automated and manual testing
WHAT IS A PENETRATION TEST?
• Vulnerability assessment
Performed under real-life conditions, following the same procedures as a hacker.
• Ethical hacking
Controlled via a Scope of Work, not aiming to damage the infrastructure.
The aims:
Making IT systems more secure by identifying and tackling security risks at all levels.
Thorough testing of an IT system by intelligent, accredited testers.
WHO ARE THE TESTERS?
A variety of accreditations for penetration testers:
• CHECK
• High standards set by CESG (the Communications-Electronics Security Group, the information assurance arm of GCHQ)
• Necessary for assessing public sector bodies
• CREST
• CBEST (the Bank of England’s threat-led testing framework for the financial sector)
These involve a theory exam + practical exam.
Ideally pen test companies should also be ISO 27001 or ISO 9001 certified, the most widely accepted information security and quality management systems standards respectively.
WHY HAVE A PENETRATION TEST?
• Financial and reputational impact
• Due diligence / good practice
• Accreditation and compliance
• Supplying to the government may require a PenTest
• Responsibility to clients and staff
• Maintain trust
HOW DO I KNOW IF I’VE BEEN HACKED?
You don’t…
• There may be some signs
• A Penetration Test identifies the weaknesses an attacker would use to get in, and testers sometimes come across evidence of an earlier compromise; confirming that a breach has actually happened is a job for monitoring and incident response
The dangers of a hack:
• The cost and reputational damage can be substantial
• Lost data cannot always be recovered
AUTOMATED and MANUAL TESTING
Two different and complementary approaches
Automated tests (vulnerability scanning)
• Run continuously
• Algorithms work at great speed
• Cost-effective solution
Manual tests (Penetration tests)
• Proactively assess vulnerabilities
• Human interaction
• Uses a variety of tools and techniques
• Tester expertise
Together, penetration testing and vulnerability scanning are powerful tools.
PART 2: Testing procedures
• What is tested?
• How is it tested?
• Types of testing
• Testing methodology
WHAT IS TESTED?
External
Exploitation attempted remotely, from outside the company
Replicates a malicious external hacker
Internal
Malicious attacks from the inside – those within the company (staff, contractors…)
Web Apps
Testing platforms, administration security, escalating privileges
WHAT IS TESTED? (cont.)
We also test…
• Mobile Apps
• Code Reviews
• Build Reviews
• Social Engineering
• Voice over IP (VoIP)
• Network Fabric
• Wireless (not just Wi-Fi)
• 3G
• Radar
• Microwave
• Bluetooth
• Etc.
HOW IS IT TESTED?
• Initial scoping meeting/questionnaire
• A trained specialist and the client’s technical point of contact are established
• Everything is agreed beforehand
• Full proposal including:
• Scope of work
• Testing strategy
• Methodology – based on CESG CHECK standards
• Sample reporting methods
• Suggested tools to be used
HOW IS IT TESTED? (cont.)
• Testing is non-invasive and planned via the agreed scope of work.
• No Denial of Service (DoS) attacks are attempted.
• Testing methodology – black box, grey box or white box (more on this in a moment)
• Open source public discovery exercise – see what information is publicly available that a malicious hacker planning an attack could use
• Testing
• Overall rating of the test and of each individual vulnerability
• Clean up – to ensure no disruption to service. Everything the testers placed on the systems (test accounts, uploaded files, tools) is removed so that no backdoors are left behind
TYPES OF TESTING
Black box – no information provided pre-test
• Most realistic type of test
• Simulates a real-life ‘blind’ hacking scenario
White box – all information provided pre-test
• Knowledge of internals of target system
• Information such as network diagrams, login credentials…
• Precise and thorough testing
• Simulates an inside job/leak of sensitive information
Grey box – some information provided pre-test
• Partial information such as IP addresses, low-level user credentials
• Attempts to escalate access levels
TESTING METHODOLOGY
• Passive Reconnaissance
• Fingerprinting
• Vulnerability Discovery
• Exploitation/Verification
• Clean up
PART 3: Test Reporting
• Report content
• Delivery of report
REPORTING
Reports are produced in 3 parts:
1) Management Summary
• Key findings; risk ratings
• Remediation time overview
• Impact on the business
2) Technical Overview
• Technical evaluation
• Damages to system
3) Detailed Technical Remediation
PART 1: MANAGEMENT SUMMARY
Key findings
The following list summarises the main issues of the assessment:
• Password policy was found to be inadequate
• Patches out of date
• Ports left open
• Login page vulnerable to cross-site scripting and SQL injection attack
• Might result in Man-in-the-middle attack
PART 2: TECHNICAL OVERVIEW
Risk Effort Table (example)
‘In total, 29 vulnerabilities have been identified and documented.’
PART 2: TECHNICAL OVERVIEW
Each recommendation or fix has been assigned an effort rating which estimates how much remedial work will be required to address the item.
Low: up to 1 man-day of effort
Moderate: up to 10 man-days of effort
High: over 10 man-days of effort
PART 2: TECHNICAL OVERVIEW
Detailed Summary and Risk Rating (example)
SQL Injection
• Impact: High
• Risk: High
• Likelihood: High
• Fix Effort: Moderate (on the Low/Moderate/High effort scale above)
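The login-page finding in the management summary (cross-site scripting and SQL injection) and the SQL Injection entry in the sample risk rating, shown as an added worked example: the vulnerable handler that a tester would exploit beside the remediated one the report would recommend. This is illustrative Python written for this page, not code from the webinar or from SSL247; the users table, credentials, payloads and function names are constructed for the demonstration.

```python
"""Added example: login-page SQL injection and reflected XSS, vulnerable
form beside the fix. Illustrative code for this page, not the webinar's
or SSL247's; the table, credentials and payloads below are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (in-memory, demo only). Real systems
    store salted password hashes, never plaintext as done here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The finding as reported: user input is concatenated into the SQL text,
    # so a quote in the input changes the query's structure.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Remediation: parameterised query. The driver binds the values, so the
    # input can never become SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def error_page_vulnerable(username: str) -> str:
    # Reflected XSS: the submitted username is echoed into HTML unencoded.
    return "<p>Login failed for user %s</p>" % username


def error_page_fixed(username: str) -> str:
    # Remediation: HTML-encode untrusted data before placing it in markup.
    return "<p>Login failed for user %s</p>" % html.escape(username, quote=True)


# Constructed payloads a tester would try during the Exploitation/Verification step.
SQLI_PAYLOAD = "' OR '1'='1"            # tautology: WHERE clause is always true
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run each check and report whether the attack succeeded."""
    conn = make_db()
    return {
        "sqli_bypass_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "sqli_bypass_fixed": login_fixed(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "valid_login_fixed": login_fixed(conn, "alice", "correct horse"),
        "xss_reflected_vulnerable": "<script>" in error_page_vulnerable(XSS_PAYLOAD),
        "xss_reflected_fixed": "<script>" in error_page_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, attack_succeeded in demo().items():
        print(f"{check}: {attack_succeeded}")
```

With the tautology payload in both fields, the vulnerable query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row, so the login succeeds without a valid credential; the parameterised version treats the same input as a literal username and rejects it, while still accepting the genuine credentials. The XSS half shows why the fix is output encoding at the point the data enters HTML rather than input filtering.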
PART 3: DETAILED TECHNICAL REMEDIATION
Intended for technical personnel responsible for remediation
• Description of the vulnerability
• How the issue was found
• How it was exploited
• Screen grabs (where appropriate)
• Detailed fixes for remediation
Internal technical and grammatical QA
DELIVERY OF REPORT
• Secure delivery
• The report is encrypted; the decryption key is sent to the nominated Point of Contact’s mobile phone, a separate channel from the download link, so that neither the link nor the key on its own is enough to read the report
• A URL link is sent to the previously agreed Point of Contact to download and decrypt the report
• Delivery time
• Usually within 2 or 3 days following the testing. The rule of thumb is: the reporting takes half the time of the testing.
DOES MY ORGANISATION REQUIRE A PEN TEST?
• Every business, no matter how small or large, stands to gain from a PenTest
• A PenTest should be tailored to the requirements of your business
• If your organisation holds an accreditation such as ISO 27001, regular testing is recommended in order to retain the accreditation
• Some industries handle sensitive data (e.g. the financial and medical industries). Regulators require PenTests in those cases
DOES MY ORGANISATION REQUIRE A PEN TEST?
List of questions to ask yourself before you commit:
• What do I want to test? What is the scope of the test? What do you agree to test?
• How frequently do I want to run the Penetration testing? When was the last time you had a pen test?
• What is the goal of the Penetration Test for me?
DOES MY ORGANISATION REQUIRE A PEN TEST?
Our recommendations:
• Make sure the scope of the test is agreed on – get a signed agreement
• Make sure you have a dedicated expert during the Penetration Test
• Get a sample of the Penetration Test report before you commit
• After the Penetration Test, plan a training session for your employees
• Choose a supplier with respected accreditations and web security experience
• Outsource this service for better quality and impartiality
QUESTIONS AND ANSWERS
Q. Do you know beforehand how long a Pen Test will take?
A. Once we know the scope of work, we will know exactly how long
the Pen Test will take. If it takes any longer, the client will not be
charged.
Q. Once you have identified weaknesses, do you also fix them?
A. No. We don’t do this, because if we fix them we will know how the
system is built, meaning that if we were to undertake another Pen
Test, we would have information an ordinary hacker would not, and
thus the test would not be realistic. However, we will advise as to
how best to fix them, whether you use your IT team or an external
team.
Thank you for your attention!
With SSL247®, you don’t have to wait to protect your Online Business Continuity
For a free consultation,
• email now: info@SSL247.co.uk
• or call: 0333 920 6345 (London office)
Website: www.SSL247.co.uk/penetrationtesting