What every IT professional needs to know about penetration tests 24 th April, 2014 TM Geraint Williams IT Governance Ltd www.itgovernance.co.uk Protect Comply Thrive


Page 1: What every IT professional needs to know about penetration ... · Different test types Detail of Test Vulnerability Scan ITG Penetration Test – L1 ITG Penetration Test – L2 Alternative

What every IT professional needs to know about penetration tests

24th April, 2014

Geraint Williams, IT Governance Ltd

www.itgovernance.co.uk

Protect • Comply • Thrive

Page 2

Overview

• So what do IT Professionals need to know about penetration tests?

– What is a penetration test?

– Why do they need testing?

– What do the tests cover?

– What don’t the tests cover?

– Who can conduct the tests?

– Why should I test?

– When should I test?

– Arranging a test

Page 3

What is a Penetration Test

• A penetration test, or pen test, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.

http://en.wikipedia.org/wiki/Penetration_test

Page 4

Difference between a Penetration test and a hack

• Penetration tester has permission to test the system(s).

• Malicious hacker is committing an illegal act.

• Penetration tester is limited in the time taken to complete the attack on the system(s).

• Malicious hacker has all the time in the world to attempt a hack.

• Penetration tester has to stay within legal and ethical limits.

• Malicious hacker has no legal or ethical restraints other than self-imposed ones.

• Penetration testing is a snapshot in time, conducted at intervals.

• An attack can occur at any time; vulnerabilities can be discovered at any time.

Page 5

Gaining Access

• Gaining access to a system from outside the network by exploiting vulnerabilities in the user layer

• Gaining access to a system from outside the network by exploiting vulnerabilities in the application layer

• Gaining access to a system from outside the network by exploiting vulnerabilities in the network layer

(Diagram annotation on the slide: the three layers are ranked on a scale from Hardest to Easiest.)

Page 6

Attack Surface

(Diagram showing three attack surfaces: Network Attack Surface, Application Attack Surface, User Attack Surface.)

Page 7

Internal or External view

• Internal tests simulate

– A malicious insider.

– The actions of a hacker who has already gained access.

• External tests simulate

– An external threat.

– The actions of a hacker trying to gain access.

Page 8

What needs to be tested

• Network Layer

• Application Layer

• User Layer

• Publicly accessible systems

• High risk systems

• High value systems

• Internal systems

• Segmentation

Page 9

What do the tests cover

• Known vulnerabilities and exploits

Page 10

Different test types

Detail of Test | Vulnerability Scan | ITG Penetration Test – L1 | ITG Penetration Test – L2

Alternative names | Automated Scan | Vulnerability Assessment | Full Penetration Testing

Scope of assessment | Agreed with client | Agreed with client | Agreed with client

The remaining rows of the table (continued on Page 11) mark which features each test type includes; the per-column entries are not recoverable from the transcript, so only the row headings are listed:

• Pre-assessment client scoping and consultation

• Can be conducted internally and externally

• Identification of potential vulnerabilities

• Identification of configuration vulnerabilities

• Identification of potential security loopholes

• Immediate notification of critical issues

• Automated Scanning

• Manual Scanning

• Manual Testing

• Manual grading of vulnerabilities

• Exploitation of potential vulnerabilities to establish the impact of an attack

Page 12

What the tests don’t cover

• Not absolute security.

• A penetration tester is unlikely to find all the security issues.

• New vulnerabilities are being discovered all the time.

• Constraints on the pen-tester limit success.

Page 13

Lifecycle of a vulnerability – Heartbleed

(Timeline diagram; stages shown on the slide:)

• Vulnerability introduced into application/system

• Discovery by ethical researchers

• Public announcement

• Vulnerability scanners and exploit tools available; vulnerability visible to testers

• Remediation activities, public exploits and attacks

(Interval labels on the diagram: “2 Years” and “2 weeks”.)

Page 14

Who conducts the tests

• Internal Testers

– Tiger Teams.

– Red Teams.

• External Testers

– Ethical Hackers.

– Security Researchers.


Page 15

Accreditation

• Number of schemes within the UK

– CHECK

– CREST

– Tiger Team


Page 16

Qualification

• Number of qualifications within the UK

– CHECK

– CREST

– Tiger Team

– EC-Council

– SANS

– BSc or MSc


Page 17

Why should I test

• Regulatory compliance

• Demonstrating due diligence

• Providing risk-based assurance that controls are being implemented effectively

Page 18

Why should you conduct a regular Penetration Test?

• New vulnerabilities are identified and exploited by hackers every week.

• In many cases, you won’t even know that your defences have been successfully breached until it’s too late.

http://www.net-security.org/secworld.php?id=14595

Page 19

Are you doing business with the government?

• Penetration Testing is a requirement of the UK central Government Baseline Security Plans.

• Invitation to Tender documents issued by HM Government departments also reference penetration tests.

Page 20

ISO27001 and Penetration Testing

• As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

• As part of the Risk Treatment Plan: ensuring that controls that are implemented do actually work as designed.

• As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes: ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

Page 21

When should I test

• All the time

– Impractical

• Risk-based frequency interval

• After deployment of new infrastructure or applications, and after changes to infrastructure and applications

Page 22

Arranging a test

• Selecting a supplier

• Scoping the engagement

• Understanding the report

• Remediation activities


Page 23

What credentials should I look out for in a penetration tester?

• Can you provide evidence of a solid reputation, history and ethics (e.g. a full trading history, good feedback from both clients and suppliers, a reliable financial record, and a strong history of performance)?

• Do you take part in specialised industry events (such as those run by CREST or OWASP chapters)?

• Are you able to demonstrate exploits or vulnerabilities you have found in other similar environments?

• Can you provide independent feedback on the quality of work performed and conduct of staff involved?

• Do you adhere to a formal code of conduct overseen by an independent industry body?

Page 24

Scoping the penetration test: questions your provider should ask

• What are the business drivers behind needing/wanting to do a penetration test?

• What are the outputs you require from the testing?

– Assurance / Governance

• What threats are you trying to protect against?

– Internal / external

• Which systems require testing?

– Critical / high profile / everything

• Are you testing infrastructure and applications, or admins and monitoring systems?

Page 25

3rd Party Permissions required?


Page 26

Reporting – what is included and what can I expect to receive?

• Provide a detailed technical report on the vulnerabilities of the system.

• Explain the vulnerabilities in a way that is easily understood by senior management.

• Report the outcome of the test in business risk terms.

• Identify short term (tactical) recommendations.

• Conclude with and define ‘root cause’ long term (strategic) recommendations.

• Include a security improvement action plan.

• Provide assistance to the organisation in implementing the security improvements.

Page 27

Report findings

• Findings identified during the penetration test should be recorded in an agreed format describing each finding in both:

– Technical terms that can be acted upon

– Non-technical, business context, so that the justifications for the corrective actions are understood.

• Reports should describe the vulnerabilities found, including:

– Test narrative: describing the process that the tester used to achieve particular results

– Test evidence: results of automated testing tools and screenshots of successful exploits

– The associated technical risks, and how to address them.

Page 28

Summary

• Penetration testing provides a means of testing information security controls

• Gives assurance about the effectiveness of controls

• Requires careful scoping

• Need permission from ALL parties

Page 29

Technical Services

• IT Health Checks

• Web Application Security Testing

• Network Testing

• Wireless Network Testing

• PCI DSS Approved Scanning Vendor (ASV) Services

• Annual / Quarterly Scanning Contracts

Page 30

Technical & Consultancy Services

• Penetration Testing Service http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx

• PCI QSA Services http://www.itgovernance.co.uk/pci-qsa-services.aspx

• PCI DSS ASV Scanning Service http://www.itgovernance.co.uk/pci-scanning.aspx

• PCI Hacker Guardian - Standard/ Enterprise Scanning Service http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx

• PCI DSS Consultancy Services - aligned to either Version 2 or Version 3

– PCI DSS Scoping

– PCI DSS Gap Analysis

– Remediation support

– Consultancy by the Hour - IT Governance LiveOnline

http://www.itgovernance.co.uk/pci-consultancy.aspx

Page 31

Where to find us

• Visit our website: www.itgovernance.co.uk

• E-mail us: [email protected]

• Call us: 0845 070 1750

• Follow us on Twitter: twitter.com/#!/itgovernance

• Read our blog: blog.itgovernance.co.uk/

• Join us on LinkedIn www.linkedin.com/company/it-governance

• Join us on Facebook www.facebook.com/ITGovernanceLtd


Page 32

Any Questions?

Contact details

Blogs: http://blog.itgovernance.co.uk/author/geraint-williams/

LinkedIn: uk.linkedin.com/in/geraintpwilliams

Twitter: twitter.com/#!/GeraintW