
PENETRATION TESTING: HOW A REAL-LIFE ATTACK IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION

Thursday 25th February 2016

PENETRATION TESTING: HOW A VULNERABILITY ASSESSMENT IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION

Penetration Testing Webinar

Your speakers today:

Michel, Web Security Consultant

James, Penetration Testing Specialist

The Agenda

Part 1: The basics of Penetration Testing

Part 2: Testing procedures

Part 3: Test reporting and remediation

Part 4: Do I need a PenTest?

PART 1: The basics of a PenTest

• What is a Penetration Test?

• Who are the testers?

• Why have a Penetration Test?

• How do I know if I’ve been hacked?

• Automated and manual testing

WHAT IS A PENETRATION TEST?

• Vulnerability assessment

Performed under real-life conditions, following the same procedures as a hacker. (Strictly speaking, a vulnerability assessment enumerates weaknesses; a penetration test goes one step further and attempts to exploit them to demonstrate the real impact.)

The aims: making IT systems more secure by identifying and tackling security risks at all levels.

Thorough testing of an IT system by skilled, accredited testers.

• Ethical hacking

Controlled via a Scope of Work; the test is not aiming to damage the infrastructure.

WHO ARE THE TESTERS?

A variety of accreditations for penetration testers:

• CHECK

• High standards set by CESG (the Communications-Electronics Security Group, at the time GCHQ’s information assurance arm, since absorbed into the NCSC)

• Necessary for assessing public sector bodies

• CREST

• CBEST (the Bank of England’s framework for intelligence-led testing of financial institutions)

The individual CHECK and CREST qualifications involve a theory exam + practical exam.

Ideally pen test companies should also be ISO 27001 or ISO 9001 certified, the most widely accepted information security and quality management systems standards.

WHY HAVE A PENETRATION TEST?

• Financial and reputational impact of a breach

• Due diligence / good practice

• Accreditation and compliance

• Supplying to the government may require a PenTest

• Responsibility to clients and staff

• Maintaining trust

HOW DO I KNOW IF I’VE BEEN HACKED?

You don’t…

• A Penetration Test identifies the weaknesses an attacker would use to get in; whether someone already has is a question for a compromise assessment or forensic investigation

• There may be some signs

The dangers of a hack:

• The cost and reputational damage can be substantial

• Lost data cannot always be recovered

AUTOMATED and MANUAL TESTING

Two different and complementary approaches

Automated tests (vulnerability scanning)

• Run continuously

• Algorithms work at great speed

• Cost-effective solution

Manual tests (Penetration tests)

• Proactively assesses and verifies vulnerabilities rather than only flagging them

• Human interaction

• Uses a variety of tools and techniques

• Tester expertise

Together, penetration testing and vulnerability scanning are powerful tools.

PART 2: Testing procedures

• What is tested?

• How is it tested?

• Types of testing

• Testing methodology

WHAT IS TESTED?

External

Exploitation attempted remotely, from outside the company

Replicates a malicious external hacker

Internal

Insider attacks: those from within the company (staff, contractors…)

Web Apps

Testing the platform, the security of administration interfaces, and privilege escalation

WHAT IS TESTED? (cont.)

We also test…

• Mobile Apps

• Code Reviews

• Build Reviews

• Social Engineering

• Voice over IP (VoIP)

• Network Fabric

• Wireless (not just Wi-Fi)

• 3G

• Radar

• Microwave

• Bluetooth

• Etc.

HOW IS IT TESTED?

• Initial scoping meeting/questionnaire

• A trained specialist and the client’s technical point of contact are established

• Everything is agreed beforehand

• Full proposal including:

• Scope of work

• Testing strategy

• Methodology, based on CESG CHECK standards

• Sample reporting methods

• Suggested tools to be used

HOW IS IT TESTED? (cont.)

• Testing is non-invasive and planned via the agreed scope of work.

• No Denial of Service (DoS) attacks are attempted.

• Testing methodology: black box, grey box or white box (more on this in a moment).

• Open source public discovery exercise: see what information is publicly available that a malicious hacker planning an attack could use.

• Testing.

• Overall rating of the test and of each individual vulnerability.

• Clean up, to ensure no disruption to service. Every artefact the test left behind (accounts, files, tools, web shells) is removed from the servers to ensure no backdoors have been left.
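The two rules above, "only what the signed scope of work allows" and "no DoS", are the ones that most often get broken by accident when a tester types a range or a tool flag from memory. The following is an added example of a scope guard that enforces them before any tool is run; it is not code from the webinar or from SSL247. The scope document format, the `DOS_TECHNIQUES` names, the CIDR ranges, the carved-out host and the target list are all constructed for illustration.

```python
"""Scope guard for an engagement: every target is checked against the signed
Scope of Work before any tool is pointed at it, and techniques the SoW rules
out (any denial-of-service test) are vetoed.  Added example, not SSL247's
tooling; ranges, exclusions and technique names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

DOS_TECHNIQUES = {"syn-flood", "slowloris", "fuzz-until-crash"}  # assumed names


@dataclass
class ScopeOfWork:
    in_scope: List[str] = field(default_factory=list)   # agreed CIDR ranges
    excluded: List[str] = field(default_factory=list)   # carve-outs the client signed
    allow_dos: bool = False                              # this deck: never DoS

    def _networks(self, items):
        # strict=False accepts host bits set, e.g. "203.0.113.10/24"
        return [ipaddress.ip_network(i, strict=False) for i in items]

    def verdict(self, target: str) -> str:
        """Classify one IP as 'in-scope', 'excluded' or 'out-of-scope'.
        Exclusions win over in-scope ranges, so a carved-out host inside an
        agreed /24 is still refused."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # A hostname must be resolved and its *addresses* checked; refusing
            # here is the safe default rather than guessing where it points.
            return "out-of-scope"
        if any(addr in net for net in self._networks(self.excluded)):
            return "excluded"
        if any(addr in net for net in self._networks(self.in_scope)):
            return "in-scope"
        return "out-of-scope"

    def split_targets(self, targets):
        """Return (accepted, refused); refused pairs each host with the reason."""
        accepted, refused = [], []
        for host in targets:
            v = self.verdict(host)
            if v == "in-scope":
                accepted.append(host)
            else:
                refused.append((host, v))
        return accepted, refused

    def permits(self, technique: str) -> bool:
        """Veto anything the SoW forbids; DoS-style techniques need allow_dos."""
        if technique in DOS_TECHNIQUES:
            return self.allow_dos
        return True


# Constructed engagement: the client agreed the TEST-NET-3 /24 but carved out
# .10 (say, a production database); 198.51.100.5 was never in the proposal.
SOW = ScopeOfWork(in_scope=["203.0.113.0/24"], excluded=["203.0.113.10"])
TARGETS = ["203.0.113.7", "203.0.113.10", "198.51.100.5", "db.internal"]


def plan_engagement(sow=SOW, targets=TARGETS, techniques=("port-scan", "slowloris")):
    """Produce the list the tester may actually run and the refusals to log."""
    accepted, refused = sow.split_targets(targets)
    allowed = [t for t in techniques if sow.permits(t)]
    vetoed = [t for t in techniques if not sow.permits(t)]
    return {"targets": accepted, "refused": refused,
            "techniques": allowed, "vetoed": vetoed}


if __name__ == "__main__":
    for key, value in plan_engagement().items():
        print(f"{key}: {value}")
```

Refusals are returned rather than silently dropped so they can go into the engagement log; an out-of-scope host appearing in a target list is itself worth raising with the client's point of contact, because it usually means the scope document and the real estate have drifted apart.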

TYPES OF TESTING

Black box: no information provided pre-test

• Most realistic type of test

• Simulates a real-life ‘blind’ hacking scenario

White box: all information provided pre-test

• Knowledge of the internals of the target system

• Information such as network diagrams, login credentials…

• Precise and thorough testing

• Simulates an inside job or a leak of sensitive information

Grey box: some information provided pre-test

• Partial information such as IP addresses and low-level user credentials

• Attempts to escalate access levels

TESTING METHODOLOGY

• Passive Reconnaissance

• Fingerprinting

• Vulnerability Discovery

• Exploitation/Verification

• Clean up

PART 3: Test Reporting

• Report content

• Delivery of report

REPORTING

Reports are produced in 3 parts:

1) Management Summary

• Key findings; risk ratings

• Remediation time overview

• Impact on the business

2) Technical Overview

• Technical evaluation

• Damage to the system

3) Detailed Technical Remediation

PART 1: MANAGEMENT SUMMARY

Key findings

The following list summarises the main issues of the assessment:

• Password policy was found to be inadequate

• Patches out of date

• Ports left open

• Login page vulnerable to cross-site scripting and SQL injection attack

• Might result in a man-in-the-middle attack
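The "login page vulnerable to cross-site scripting and SQL injection" finding is the kind of item a management summary states in one line and the detailed remediation section has to make concrete. The following is an added example, not code from the webinar or from any SSL247 report, showing what the tester would have found beside the fix: a login that pastes the username into its SQL, and an error page that reflects it unescaped, with the parameterised query and HTML-escaped output next to them. The schema, the user `alice`, the password and both payloads are constructed; the database is an in-memory SQLite one so it runs offline.

```python
"""Vulnerable login page beside its fix (SQL injection + reflected XSS).
Added example, not from the webinar; schema, user and payloads constructed."""
import hashlib
import hmac
import html
import sqlite3


def _pw_hash(password: str) -> str:
    # Demo only: a real login must use a slow, salted hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", _pw_hash("correct horse")))
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """User input is pasted straight into the SQL string.  With the username
    alice'--  the rest of the WHERE clause becomes a comment, so any password
    logs in as alice."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, _pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Parameterised query: the username is bound as data, never parsed as SQL.
    The hash comparison is constant-time so fixing the injection does not
    introduce a timing side channel."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _pw_hash(password))


def error_page_vulnerable(username: str) -> str:
    """Reflects the submitted username unescaped: the XSS half of the finding."""
    return "<p>Login failed for user %s</p>" % username


def error_page_fixed(username: str) -> str:
    """HTML-escape anything user-controlled before it goes into markup."""
    return "<p>Login failed for user %s</p>" % html.escape(username, quote=True)


INJECTION = "alice'--"             # constructed: closes the quote, comments out the rest
XSS = "<script>alert(1)</script>"  # constructed payload


def demo() -> dict:
    """Run both versions against the same payloads; True means 'logged in'."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, INJECTION, "wrong"),    # True: bypassed
        "fixed_bypass": login_fixed(conn, INJECTION, "wrong"),        # False
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        "fixed_good": login_fixed(conn, "alice", "correct horse"),
        "fixed_bad": login_fixed(conn, "alice", "wrong"),
        "xss_reflected": "<script>" in error_page_vulnerable(XSS),    # True
        "xss_escaped": "<script>" in error_page_fixed(XSS),           # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is two independent changes, and a report should list them separately: binding parameters removes the injection regardless of what the user types, and escaping on output removes the XSS regardless of what is stored. Input validation alone does neither.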

PART 2: TECHNICAL OVERVIEW

Risk/Effort Table (example)

‘In total, 29 vulnerabilities have been identified and documented.’

PART 2: TECHNICAL OVERVIEW (cont.)

Each recommendation or fix has been assigned an effort rating which estimates how much remedial work will be required to address the item.

Low: up to 1 man-day of effort

Moderate: up to 10 man-days of effort

High: over 10 man-days of effort

PART 2: TECHNICAL OVERVIEW (cont.)

Detailed Summary and Risk Rating (example)

SQL Injection

• Impact: High

• Risk: High

• Likelihood: High

• Fix Effort: Moderate (on the Low/Moderate/High effort scale above)
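The Risk/Effort table and the per-finding ratings on the previous slides are produced from the same data: each finding's impact and likelihood give its risk, its estimated man-days give its effort band, and the table counts findings per cell. The following is an added example that builds that table and a remediation order from a list of findings; it is not SSL247's reporting tool. The effort bands (up to 1, up to 10, over 10 man-days) are the deck's own; the matrix combining impact and likelihood into a risk rating is an assumption for illustration, as are the sample findings.

```python
"""Risk/Effort table and remediation order from a list of findings.
Added example, not SSL247's tooling.  Effort bands are the deck's; the
risk matrix and the sample findings are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")


def effort_rating(man_days: float) -> str:
    """Deck's effort bands: up to 1 day Low, up to 10 Moderate, over 10 High."""
    if man_days <= 1:
        return "Low"
    if man_days <= 10:
        return "Moderate"
    return "High"


def risk_rating(impact: str, likelihood: str) -> str:
    """Assumed matrix: add the two level indices (0..2 each);
    0-1 -> Low, 2 -> Moderate, 3-4 -> High.  High impact with Low likelihood
    therefore lands on Moderate, not High."""
    score = LEVELS.index(impact) + LEVELS.index(likelihood)
    return "Low" if score <= 1 else "Moderate" if score == 2 else "High"


@dataclass
class Finding:
    title: str
    impact: str
    likelihood: str
    fix_days: float  # estimated man-days of remedial work

    @property
    def risk(self) -> str:
        return risk_rating(self.impact, self.likelihood)

    @property
    def effort(self) -> str:
        return effort_rating(self.fix_days)


# Constructed sample findings echoing the management summary on the earlier slides.
FINDINGS = [
    Finding("SQL injection in login page", "High", "High", 5),
    Finding("Reflected XSS in login page", "Moderate", "High", 0.5),
    Finding("Missing OS patches on web tier", "High", "Moderate", 12),
    Finding("Weak password policy", "Moderate", "Moderate", 3),
    Finding("Unnecessary open ports", "Low", "Moderate", 0.5),
]


def risk_effort_table(findings):
    """Counts per (risk, effort) cell, e.g. table[('High', 'Moderate')] == 1."""
    return Counter((f.risk, f.effort) for f in findings)


def remediation_order(findings):
    """Highest risk first; within a risk level, the cheapest fix first, so the
    quick wins at the top of the list are also the ones that matter most."""
    return sorted(findings, key=lambda f: (-LEVELS.index(f.risk),
                                           LEVELS.index(f.effort), f.fix_days))


def summary_line(findings) -> str:
    return (f"In total, {len(findings)} vulnerabilities have been "
            f"identified and documented.")


if __name__ == "__main__":
    print(summary_line(FINDINGS))
    for (risk, effort), count in sorted(risk_effort_table(FINDINGS).items()):
        print(f"  risk={risk:<8} effort={effort:<8} count={count}")
    for f in remediation_order(FINDINGS):
        print(f"  [{f.risk}/{f.effort}] {f.title} ({f.fix_days} man-days)")
```

Whatever matrix a supplier uses, ask for it in the sample report before committing: a "High" in one report is not comparable with a "High" in another unless the impact and likelihood definitions behind them are written down.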

PART 3: DETAILED TECHNICAL REMEDIATION

Intended for the technical personnel responsible for remediation

• Description of the vulnerability

• How the issue was found

• How it was exploited

• Screen grabs (where appropriate)

• Detailed fixes for remediation

Internal technical and grammatical QA before release

DELIVERY OF REPORT

• Secure delivery

• The decryption key is sent out-of-band to the nominated Point of Contact’s mobile phone

• A URL link is sent separately to the previously agreed Point of Contact to download and decrypt the report (two channels, so that intercepting either one alone does not expose the report)

• Delivery time

• Usually within 2 or 3 days following the testing. The rule of thumb is: reporting takes half the time of the testing.

PART 4: Do I need a PenTest?

DOES MY ORGANISATION REQUIRE A PEN TEST?

• Every business, no matter how small or large, stands to gain from a PenTest

• A PenTest should be tailored to the requirements of your business

• If your organisation has a quality accreditation, such as ISO 27001, regular testing is recommended in order to retain the accreditation

• Some industries handle sensitive data (e.g. the financial and medical industries). Regulators require PenTests in those cases

DOES MY ORGANISATION REQUIRE A PEN TEST? (cont.)

List of questions to ask yourself before you commit:

• What do I want to test? What is the scope of the test? What do you agree to test?

• How frequently do I want to run penetration testing? When was the last time you had a pen test?

• What is the goal of the Penetration Test for me?

DOES MY ORGANISATION REQUIRE A PEN TEST? (cont.)

Our recommendations:

• Make sure the scope of the test is agreed on: get a signed agreement

• Make sure you have a dedicated expert available on your side during the Penetration Test

• Get a sample Penetration Test report before you commit

• After the Penetration Test, plan a training session for your employees

• Choose a supplier with respected accreditations and web security experience

• Outsource this service for better quality and impartiality



QUESTIONS AND ANSWERS

Q. Do you know beforehand how long a Pen Test will take?

A. Once we know the scope of work, we will know exactly how long

the Pen Test will take. If it takes any longer, the client will not be

charged.

Q. Once you have identified weaknesses, do you also fix them?

A. No. We don’t do this, because if we fix them we will know how the

system is built, meaning that if we were to undertake another Pen

Test, we would have information an ordinary hacker would not, and

thus the test would not be realistic. However, we will advise as to

how best to fix them, whether you use your IT team or an external

team.


Thank you for your attention!

With SSL247®, you don’t have to wait to protect your Online Business Continuity

For a free consultation,

• email now:[email protected]

• or call: 0333 920 6345 (London office)

Website: www.SSL247.co.uk/penetrationtesting