Introduction
Some Definitions :
Threat: Agent or actor that can cause harm
Vulnerability: A flaw someone can exploit to cause harm
Risk: Where threat and vulnerability overlap
Exploit: Code or technique that a threat uses to take advantage of a vulnerability
Penetration Testing :
Focused on finding security vulnerabilities in a target environment that could let an attacker penetrate the network or computer systems, or steal information Using tools and techniques similar to those employed by criminals To prevent a thief, you may need to think like a thief The goal is actual penetration-compromising target systems and getting access to information to determine business impact.
• Penetration testing is a subset of ethical hacking
• A formal definition of penetration testing involves modeling the techniques used by real-world computer attackers:
- To find vulnerabilities
- To exploit those flaws under controlled circumstances In a professional, safe manner according to a carefully designed scope and rules of engagement to determine business risk and potential impact, all to help the organization improve security practices
Vulnerability Assessments :
Also called security assessments For some people, terms used interchangeably
- Security assessment = vulnerability assessment = penetration testing
- But there are some differences
- Penetration Testing: Focus is on getting in or stealing data
- Security/vulnerability assessment: Focus is on finding security vulnerabilities, which may or may not be used to get in or steal data:
- Penetration testing often is intended to go deeper and focus on technical issues.
- Assessments are broader and often include explicit policy and procedure reviews.
Various organizations have released free network scanning and penetration testing methodologies
The process we cover lines up with many aspects of these methodologies, They can provide helpful source documentation for formalizing your customized test plan Some of the most interesting and valuable are:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Pen Testing Execution Standard {PTES)
- NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment
- Open Web Application Security Project (OWASP) Testing Guide
- Penetration Testing Framework
Preparation :
If applicable, sign a Non-Disclosure Agreement (NDA)
• Discuss the nature of the test with target personnel
-Identify the most salient threats and business concerns
- Agree on Rules of Engagement
- Determine the scope of test $$$$
• Sign off on permission and notice of the danger of testing
• Assign team
Testing :
• Conduct the test
Conclusion :
• Reporting and (possible) presentation
Rules of Engagement :
- If you don't have solid Rules of Engagement, you could encounter some nasty issues
- At a minimum, you'll get low value from your penetration test, wasting time and money
- Calls from business units angry with you
- Calls from other companies angry with you
- Calls from service providers or other third-party companies (web hosting ... ) angry with you
- Plan carefully in advance
Black Box Versus Crystal Box Testing :
Will the testers be given network diagrams and system descriptions?
Reasons for black box testing :
- "More like the real-world attackers" - but is that true?
- Don't let my deficient architecture docs bias your test
Reasons for crystal box testing:
((More cost-effective))
- Attackers may have this stuff (dumpster diving, insider attacks)
- Less chance of an error causing damage to systems
- Although most penetration esters do both types of testing, most prefer the crystal box variety
- Hybrid approaches are possible but more costly
Scoping: What Are the Concerns?
• Ask the target organization: What are your biggest security concerns?
- Disclosure of sensitive information
- Interruption of production processing
- Embarrassment due to defacement of website Compromising of a machine to use as a jump-off point for deeper penetration
- Many, many other possibilities
Scoping: Avoiding Scope Creep :
- Discuss threats, risks, and already-known vulnerabilities ((This is a kind of brainstorming session))
- Discuss how to best test these areas of concern ((Be careful to keep focused))
- Penetration tests typically last 1 to 3 weeks, followed by reporting
- Some are longer, some are shorter
- When determining the time needed for a test, take into account the machine time (automated runs) and human time
- It is often best to have a person conducting manual tests in parallel to automated tools running, letting the person periodically check on the tool progress and verify interim results, if available
Setting the Scope: What to Test?
- Establish a clear and explicit scope for the test
- What is to be tested?
- Specific domain names
- Network address ranges
- Individual hosts
- Particular applications
- What should be explicitly avoided?
- Document these in advance ... and check when additional items are discovered before attacking them
Internal and Pseudo-Internal Access :
- Many penetration tests occur across the Internet
- But what about inside vulnerabilities?
- Methods for testing from the inside:
- Team travels onsite and is granted access
- Team travels onsite and tries to sneak in
- Team travels onsite and looks for wireless
- Team gets VPN or SSH access internally
Setting the Scope: How to Test?
• How should the target systems be tested?
- Ping sweep of network ranges
- Port scan of target hosts
- Vulnerability scan of targets
- Penetration via listening network services
- Penetration via client-side software
- Application-level manipulation
- Physical penetration attempts
- Social engineering of people
Denial of Service :
• Denial of service checks
- Some merely check version numbers to see if you might be vulnerable
- Others explicitly try to kill the service and then check to see if it's dead
- Be explicit
- Dangerous denial of service checks expressly forbidden for the test .. . OR
- Dangerous denial of service is allowed because we'd instead find out that we're vulnerable under controlled circumstances
Keep your eyes open! Always !!