What every IT professional needs to know
about penetration tests
24th April, 2014
Geraint Williams
IT Governance Ltd
www.itgovernance.co.uk
Protect • Comply • Thrive™ © IT Governance Ltd 2014
Overview
• So what do IT Professionals need to know about
penetration tests?
– What is a penetration test?
– Why do they need testing?
– What do the tests cover?
– What don’t the tests cover?
– Who can conduct the tests?
– Why should I test?
– When should I test?
– Arranging a test
What is a Penetration Test
• A penetration test, or pen test, is an attack on a
computer system with the intention of finding
security weaknesses, potentially gaining access
to it, its functionality and data
http://en.wikipedia.org/wiki/Penetration_test
Difference between a Penetration
test and a hack
• Penetration tester has permission to test the system(s).
• Malicious hacker is committing an illegal act.
• Penetration tester is limited in the time taken to complete the attack
on the system(s).
• Malicious hacker has all the time in the world to attempt a hack.
• Penetration tester has to stay within legal and ethical limits.
• Malicious hacker has no legal or ethical restraints other than self-
imposed ones.
• Penetration testing is a snapshot in time, conducted at intervals.
• An attack can occur at any time, vulnerabilities can be discovered at
any time.
Gaining Access
• Gaining access to a system from outside
the network by exploiting vulnerabilities
in the user layer
• Gaining access to a system from outside
the network by exploiting vulnerabilities
in the application layer
• Gaining access to a system from outside
the network by exploiting vulnerabilities
in the network layer
(Slide diagram: the three routes above are placed on a scale labelled from Hardest to Easiest.)
Attack Surface
(Slide diagram showing three layered attack surfaces:)
• Network Attack Surface
• Application Attack Surface
• User Attack Surface
Internal or External view
• Internal tests simulate
– A malicious insider.
– The actions of a hacker who has gained access.
• External tests simulate
– An external threat.
– The actions of a hacker trying to gain access.
What needs to be tested
• Network Layer
• Application Layer
• User Layer
• Publicly accessible systems
• High risk systems
• High value systems
• Internal systems
• Segmentation
What do the tests cover
• Known vulnerabilities and exploits
Different test types
Detail of Test | Vulnerability Scan | ITG Penetration Test – L1 | ITG Penetration Test – L2
Alternative names | Automated Scan | Vulnerability Assessment | Full Penetration Testing
Pre-assessment client scoping and consultation | | |
Scope of assessment | Agreed with client | Agreed with client | Agreed with client
Can be conducted internally and externally | | |
Identification of potential vulnerabilities | | |
Identification of configuration vulnerabilities | | |
Identification of potential security loopholes | | |
Immediate notification of critical issues | | |
(The per-column tick marks shown on the slide are not preserved in this transcript.)
Different test types (cont.)
Detail of Test | Vulnerability Scan | ITG Penetration Test – L1 | ITG Penetration Test – L2
Automated Scanning | | |
Manual Scanning | | |
Manual Testing | | |
Manual grading of vulnerabilities | | |
Exploitation of potential vulnerabilities to establish the impact of an attack | | |
(The per-column tick marks shown on the slide are not preserved in this transcript.)
What the tests don’t cover
• Penetration testing does not provide absolute security.
• A penetration tester is unlikely to find all the
security issues.
• New vulnerabilities are being discovered all the
time.
• Constraints on the pen-tester limit success.
Lifecycle of a vulnerability – Heartbleed
(Slide timeline, reconstructed from its labels, read left to right:)
• Vulnerability introduced into application/system
• 2 years
• Discovery by ethical researchers
• 2 weeks
• Public announcement
• Vulnerability scanners and exploit tools available; vulnerability visible to testers
• Remediation activities, public exploits and attacks
Who conducts the tests
• Internal Testers
– Tiger Teams.
– Red Teams.
• External Testers
– Ethical Hackers.
– Security Researchers.
Accreditation
• A number of accreditation schemes exist within the UK
– CHECK
– CREST
– Tiger Team
Qualification
• A number of qualifications exist within the UK
– CHECK
– CREST
– Tiger Team
– EC-Council
– SANS
– BSc or MSc
Why should I test
• Regulatory compliance
• Demonstrating due diligence
• Providing risk based assurance that controls are
being implemented effectively
Why should you conduct a
regular Penetration Test?
• New vulnerabilities are identified and exploited
by hackers every week.
• In many cases, you won’t even know that your defences
have been successfully breached until it’s too late.
http://www.net-security.org/secworld.php?id=14595
Are you doing business
with the government?
• Penetration Testing is a requirement of the UK
central Government Baseline Security Plans.
• Invitation to Tender documents issued by HM
Government departments also reference
penetration tests.
ISO27001 and Penetration Testing
• As part of the risk assessment process: uncovering
vulnerabilities in any internet-facing IP addresses, web
applications, or internal devices and applications, and
linking them to identifiable threats.
• As part of the Risk Treatment Plan, ensuring that
controls that are implemented do actually work as
designed.
• As part of the on-going corrective action/preventive
action (CAPA) and continual improvement processes,
ensuring that controls continue to work as required and
that new and emerging threats and vulnerabilities are
identified and dealt with.
When should I test
• All the time
– Impractical
• Risk based frequency interval
• After deployment of new infrastructure or
applications and after changes to infrastructure
and applications
Arranging a test
• Selecting a supplier
• Scoping the engagement
• Understanding the report
• Remediation activities
What credentials should I look out
for in a penetration tester?
• Can you provide evidence of a solid reputation, history
and ethics (eg a full trading history, good feedback from
both clients and suppliers, a reliable financial record, and
a strong history of performance)?
• Do you take part in specialised industry events (such as
those run by CREST or OWASP chapters)?
• Are you able to demonstrate exploits or vulnerabilities
you have found in other similar environments?
• Can you provide independent feedback on the quality of
work performed and conduct of staff involved?
• Do you adhere to a formal code of conduct overseen by
an independent industry body?
Scoping the penetration test:
questions your provider should ask
• What are the business drivers behind needing/wanting to
do a penetration test?
• What are the outputs you require from the testing?
– Assurance / Governance
• What threats are you trying to protect against?
– Internal / external
• Which systems need to be tested?
– Critical / high profile / everything
• Are you testing infrastructure and applications or admins
and monitoring systems?
3rd Party Permissions required?
Reporting – what is included and
what can I expect to receive?
• Provide a detailed technical report on the vulnerabilities
of the system.
• Explain the vulnerabilities in a way that is easily
understood by senior management.
• Report the outcome of the test in business risk terms.
• Identify short term (tactical) recommendations.
• Conclude with and define ‘root cause’ long term
(strategic) recommendations.
• Include a security improvement action plan.
• Provide assistance to the organisation in implementing
the security improvements.
Report findings
• Findings identified during the penetration test should be
recorded in an agreed format describing each finding in
both:
– Technical terms that can be acted upon
– Non-technical, business context, so that the justifications for the
corrective actions are understood.
• Reports should describe the vulnerabilities found,
including:
– Test narrative – describing the process that the tester used to
achieve particular results
– Test evidence – results of automated testing tools and screen
shots of successful exploits
– The associated technical risks - and how to address them.
Summary
• Penetration testing provides a means of testing
information security controls
• Gives assurance about the effectiveness of
controls
• Requires careful scoping
• Need permission from ALL parties
Technical Services
• IT Health Checks
• Web Application Security Testing
• Network Testing
• Wireless Network Testing
• PCI DSS Approved Scanning Vendor (ASV) Services
• Annual / Quarterly Scanning Contracts
Technical & Consultancy Services
• Penetration Testing Service http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx
• PCI QSA Services http://www.itgovernance.co.uk/pci-qsa-services.aspx
• PCI DSS ASV Scanning Service http://www.itgovernance.co.uk/pci-scanning.aspx
• PCI Hacker Guardian - Standard/ Enterprise Scanning Service http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx
• PCI DSS Consultancy Services – aligned to either Version 2 or Version 3
– PCI DSS Scoping
– PCI DSS Gap Analysis
– Remediation support
– Consultancy by the Hour – IT Governance LiveOnline
http://www.itgovernance.co.uk/pci-consultancy.aspx
Where to find us
• Visit our website: www.itgovernance.co.uk
• E-mail us: [email protected]
• Call us: 0845 070 1750
• Follow us on Twitter: twitter.com/#!/itgovernance
• Read our blog: blog.itgovernance.co.uk/
• Join us on LinkedIn www.linkedin.com/company/it-governance
• Join us on Facebook www.facebook.com/ITGovernanceLtd
Any Questions ?
Contact details
Blogs
http://blog.itgovernance.co.uk/author/geraint-williams/
uk.linkedin.com/in/geraintpwilliams
twitter.com/#!/GeraintW