Penetration Testing (CEH module)

Security News, October 02, 2012
City of Tulsa Cyber Attack Was Penetration Test, Not Hack

The city of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed, but it now turns out that the attack was a penetration test.

"City officials didn't realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed," writes Tulsa World's Brian Barber. "The mailing cost the city $20,000, officials said."

Module Objectives
- Security Assessments
- Vulnerability Assessment
- Penetration Testing
- What Should be Tested?
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Pre-Attack Phase
- Attack Phase
- Post-Attack Phase
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services

Security Assessments
- Every organization uses different types of security assessments to validate the level of security on its network resources.
- Each type of security assessment requires the people conducting the assessment to have different skills.
- Security assessment categories: security audits, vulnerability assessments, and penetration testing.

Security Audit
- A security audit is a systematic evaluation of an organization's compliance with a set of established information security criteria.
- A security audit ensures that an organization has and deploys a set of standard information security policies.
- A security audit includes assessment of a system's software and hardware configuration, physical security measures, data handling processes, and user practices against a checklist of standard policies and procedures.
- It is generally used to achieve and demonstrate compliance with legal and regulatory requirements such as HIPAA, SOX, PCI DSS, etc.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Vulnerability Assessment
- Vulnerability scanning tools search the network for IP-enabled devices and scan them for known security mistakes and exposure to common vulnerabilities.
- Vulnerability scanning software is limited in its ability to detect vulnerabilities: a scan reflects the state of the target at a given point in time, so a host that was clean last week is not necessarily clean now.
- It must be updated when new vulnerabilities are discovered or modifications are made to the software being used.
- It does not measure the strength of security controls.
- The methodology used, as well as the diverse vulnerability scanning software packages, assess security differently.

Introduction to Penetration Testing
- A pentest simulates the methods intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
- In the context of penetration testing, the tester is limited by resources - namely time, skilled resources, and access to equipment - as outlined in the penetration testing agreement.
- Most attackers follow a common approach to penetrate a system.
- Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity.
- Penetration testing assesses the security model of the organization as a whole.
- It reveals the potential consequences of a real attacker breaking into the network.
- A penetration tester is differentiated from an attacker only by intent and lack of malice (and, in practice, by the written authorization the contract and rules of engagement provide).

Why Penetration Testing?
- Identify the threats facing an organization's information assets.
- Reduce an organization's expenditure on IT security and enhance Return On Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses.
- Provide assurance with a comprehensive assessment of the organization's security, including policy, procedure, design, and implementation.
- Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- Adopt best practices in compliance with legal and industry regulations.
- Test and validate the efficiency of security protections and controls.
- Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management.
- Provide a comprehensive approach to the preparation steps that can be taken to prevent upcoming exploitation.
- Evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
- Inform changes or upgrades to the existing infrastructure of software, hardware, or network design.

Comparing Security Audit, Vulnerability Assessment, and Penetration Testing
- Security audit: just checks whether the organization is following a set of standard security policies and procedures.
- Vulnerability assessment: focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or the amount of damage that may result from successful exploitation.
- Penetration testing: a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.

What Should be Tested?
- An organization should conduct a risk assessment before the penetration test; it helps to identify the main threats, such as communications failure, e-commerce failure, and loss of confidential information and passwords.
- Systems to be tested include public-facing systems (websites, email gateways, FTP and IIS servers, remote access platforms, and web servers) as well as mail, DNS, and firewalls.
- Note: Testing should be performed on all hardware and software components of the network security system.

What Makes a Good Penetration Test?
- Establishing the parameters for the penetration test, such as objectives, limitations, and the justification of procedures.
- Hiring skilled and experienced professionals to perform the test.
- Choosing a suitable set of tests that balance cost and benefits.
- Following a methodology with proper planning and documentation.
- Documenting the results carefully and making them comprehensible for the client.
- Stating the potential risks and findings clearly in the final report.

ROI on Penetration Testing
- Demonstrating ROI is critical to the success of selling the pen test.
- Demonstrate the ROI for the pen test with the help of a business case scenario, which includes the expenditure and the profits involved.
- Companies will spend on a pen test only if they have proper knowledge of its benefits.

Types of Penetration Testing
- External testing involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of the security devices.
- Internal testing involves testing computers and devices within the company.
- Black-hat testing / zero-knowledge testing
- Gray-hat testing / partial-knowledge testing
- White-hat testing / complete-knowledge testing
- Announced testing
- Unannounced testing

External Penetration Testing
- External penetration testing involves a comprehensive analysis of the company's externally visible servers or devices, such as routers, firewalls, and the web and mail servers exposed to the internet.
- The goal of external penetration testing is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker.
- It can be performed without prior knowledge of the site to be tested or with full disclosure of the target's environment.
- It helps the testers check whether the system is properly managed and kept up to date, protecting the business from information loss and disclosure.

Internal Security Assessment
- Internal penetration testing focuses on the company's internal resources, such as DMZs, network connections, and application services, and a comprehensive analysis of the threats and risks that arise within the company.
- The goal of internal penetration testing is to demonstrate the exposure of information or other organizational assets to an unauthorized user who is already inside the network.
- An internal security assessment follows a similar methodology to external testing, but provides a more complete view of the site's security.

Black-box Penetration Testing
- The tester is given just the company name; discovering the nature of the infrastructure takes a considerable amount of time.
- It is a time-consuming and expensive type of test.
- The penetration test must be carried out after extensive information gathering and research.
- This test simulates the process of a real hacker.

Gray-box Penetration Testing
- The tester is given partial knowledge of the infrastructure (partial-knowledge testing), between the black-box and white-box extremes.

White-box Penetration Testing
- Complete knowledge of the infrastructure that needs to be tested is provided.
- This test simulates the process of the company's own employees (an insider).
- Information about the target is supplied to the tester in advance.

Announced Testing
- An attempt to compromise systems on the client networks with the full cooperation and knowledge of the IT staff.
- Examines the existing security infrastructure for possible vulnerabilities.
- Involves the security staff on the penetration testing teams to conduct audits.

Unannounced Testing
- An attempt to compromise systems on the client networks without the knowledge of IT security personnel.
- Allows only upper management to be aware of these tests.
- Examines the security infrastructure and the responsiveness of the IT staff.

Manual Testing
- The objective of the professional is to assess the security posture of the organization from an attacker's perspective.

Common Penetration Testing Techniques
- Passive research
- Network mapping and OS fingerprinting
- Network sniffing
- Vulnerability scanning
Using DNS Domain Name and IP Address Information
- The IP block of an organization can be discerned by looking up the domain name and the contact information for personnel (registration and DNS records).
- The DNS records also provide some valuable information regarding the OS or applications that are run on the server (for example, the MX and NS records and the host names they expose).

Enumerating Information about Hosts on Publicly Available Networks
- Website crawlers can mirror the target's site for offline analysis.
- Additionally, the effort can reveal screened subnets and a comprehensive list of the types of traffic that are allowed in and out of the network.
- Enumeration can be done using port scanning tools, IP protocols, and listening to TCP/UDP ports.
- The testing team can then visualize a detailed network diagram of what can be publicly accessed.

Phases of Penetration Testing
- Pre-attack phase
- Attack phase
- Post-attack phase

Pre-Attack Phase: Define the Rules of Engagement (ROE)
- Before proceeding with the penetration testing, a pen tester should identify what needs to be tested, the scope of testing, and the customer's requirements.
- Identify the time frame and testing hours.
- Identify who will be involved in reporting and document delivery.
- Components that may be in scope range from firewalls to telecommunications equipment.

Pre-Attack Phase: Create a Checklist of the Testing Requirements
- What security controls are deployed across the organization?
- Does the organization require assessment of wireless networks?
- Does the organization require assessment of analog devices in the network?
- Does the organization deploy a mobile workforce? If so, is a mobile security assessment required?
- What workstation and server operating systems are deployed across the organization?
- Does the organization require assessment of its web infrastructure?
- What are the web applications and services offered by the client?

Pre-Attack Phase: Penetration Testing Contract
- The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
- The contract must clearly state the following: objective of the penetration test; sensitive information; indemnification clause; non-disclosure clause; fees and project schedule; confidential information; reporting and responsibilities.

Pre-Attack Phase: Rules of Engagement and Non-disclosure Agreement
- The ROE also protects testers from legal liability in the event of an incident during the pen test.
- Many documents and other information regarding the pen test contain critical information that could be misused if disclosed.
- Agreements are designed to be used by both parties to protect sensitive information from disclosure.
- Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement.
- Non-disclosure agreements should be narrowly drawn to protect sensitive information.
- Specific areas to consider include: ownership; use of the evaluation reports; results; use of the testing methodology in customer documentation.

Pre-Attack Phase: Information Gathering
- The pre-attack phase addresses the mode of the attack and the goals to be achieved.
- Reconnaissance is the first step in the pre-attack phase; it attempts to collect information about the target.
- Hackers try to find out as much information as possible about a target.
- Hackers gather information in different ways, which allows them to formulate a plan of attack.
- Types of reconnaissance: active reconnaissance involves interacting directly with the target; passive reconnaissance involves searching publicly available sources about the target, such as social sites.

Information retrieved in this phase:
- Network registration information
- Operating system and user information
- Physical and logical location of the organization
- Analog connections
- Competitive intelligence
- DNS and mail server information
- Authentication credentials
- Contact and website information
- Product range and service offerings of the target company
- Any other information that has the potential to result in a possible exploitation

Attack Phase
- Penetrate perimeter
- Acquire target
- Escalate privileges
- Execute, implant, retract

Activity: Perimeter Testing
Testing methods for perimeter security include but are not limited to:
- Checking access control lists by forging responses with crafted packets.
- Evaluating error reporting and error management with ICMP probes.
- Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting to stream UDP connections.
- Evaluating protocol filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet.
- Evaluating the IDS capability by passing malicious content (such as malformed URLs) and scanning the target in various ways for its responses to abnormal traffic.
- Examining the perimeter security system's response to web server scans using multiple methods such as POST, DELETE, and COPY.

Enumerating Devices
- A device inventory is a collection of network devices together with some relevant information about each device, recorded in a document.
- After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices.
- A physical check may be conducted additionally to ensure that the enumerated devices have been located.

Activity: Acquiring Target
- Acquiring the target refers to the set of activities undertaken where the tester subjects the suspect machine to more intrusive challenges, such as vulnerability scans and security assessment.
- Testing methods for acquiring the target include but are not limited to:
  - active probing assaults: using the results of the network scans to gather further information that can lead to a compromise;
  - running vulnerability scans: the vulnerability scans are completed in this phase.

Activity: Escalating Privileges
- Once the target has been acquired, the tester attempts to exploit the system and gain greater access to the protected resources.
- Activities include (but are not limited to):
  - taking advantage of poor security policies and of email or unsafe web code to gather information that can lead to escalation of privileges;
  - using techniques such as brute force to achieve privileged status (examples of tools include GetAdmin and password crackers);
  - using information gleaned through techniques such as social engineering to gain unauthorized access to privileged resources;
  - using Trojans and protocol analyzers.

Activity: Execute, Implant, and Retract
- In this phase, the tester effectively compromises the acquired system.
- The objective of system penetration is to explore the extent to which the system can be compromised.
- Execute exploits already available, or specially crafted, to take advantage of the vulnerabilities identified in the target system.
- Record everything implanted (tools, accounts, files, shares) so that it can be retracted in the post-attack phase.

Post-Attack Phase and Activities
- This phase is critical to any penetration test, as it is the responsibility of the tester to restore the systems to their pre-test states.
- Post-attack phase activities include some of the following:
  - removing all files uploaded on the system;
  - cleaning all registry entries and removing vulnerabilities created;
  - removing all tools and exploits from the tested systems;
  - restoring the network to the pre-test stage by removing shares and connections;
  - analyzing all results and presenting them to the organization.

Penetration Testing Deliverable Templates
- A pentest report will carry details of the incidents that have occurred during testing.

Pen Testing Roadmap / Penetration Testing Methodology
- Information gathering
- Vulnerability analysis
- External penetration testing
- Internal network penetration testing
- Router and switches penetration testing
- Firewall penetration testing
- Password cracking penetration testing
- Social engineering penetration testing
- Stolen PDAs and laptop penetration testing
- Web application penetration testing
- SQL injection penetration testing
- Denial of service penetration testing
Application Security Assessment
- Application security assessment is an in-depth analysis of applications to identify and assess security vulnerabilities that can expose the organization's sensitive information.
- This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system.

Web Application Testing - I
- Input validation: checks for script injection, SQL injection, and cross-site scripting. Check the server-side handling; client-side validation is bypassed by submitting the request through a proxy.
- Output sanitization: checks that data is encoded for the context in which it is rendered before being returned to the user.
- Access control: checks whether resources and functions can be reached without the privilege the application intends to require.

Web Application Testing - II
- Checking for buffer overflows: includes attacks against stack overflows, heap overflows, and format string overflows.
- DoS checking: tests for denial of service induced by malformed user input, and for user or application lockout caused by repeated failed operations or transactions.
- Data and error checking: checks for data-related security lapses, such as storage of sensitive data in the cache or its leakage through error messages.
- Confidentiality check: for applications using secure protocols and encryption, check for lapses in the key exchange mechanism, adequate key length, and weak algorithms.

Web Application Testing - III
- Session management: checks the time validity of session tokens, the length of tokens, expiration of session tokens while transiting from SSL to non-SSL resources, the presence of any session tokens in the browser history or cache, and the randomness of the session ID (check for use of user data in generating the ID).
- Configuration verification: attempts to manipulate resources using HTTP methods such as DELETE and PUT, checks for version content availability and any visible restricted source code in public domains, attempts directory and file listing, and tests for known vulnerabilities and the accessibility of administrative interfaces in servers and server components.

Wireless/Remote Access Assessment
Methods for wireless testing include but are not limited to:
- Check if the access point's default Service Set Identifier (SSID) is easily available. Test for "broadcast SSID" and accessibility to the LAN through it. Tests can include recovering the SSID character string using tools like Kismet (which observes beacons and client probe requests passively; a hidden SSID is not a security control).
- Check for vulnerabilities in accessing the WLAN through the wireless router, access point, or gateway. This can include verifying whether the default Wired Equivalent Privacy (WEP) encryption key can be captured and decrypted (WEP is cryptographically broken; any WEP deployment found is itself a finding).
- Audit for the broadcast beacon of any access point and check all protocols available on the access points.
- Check if Layer 2 switched networks are being used instead of hubs for access point connectivity.
- Subject authentication to playback of previous authentications in order to check for privilege escalation and unauthorized access.
- Verify that access is granted only to client machines with registered MAC addresses (and note in the report that MAC filtering is bypassed by spoofing an observed address, so it is not a substitute for authentication).

Telephony Security Assessment
- A telephony security assessment is performed to identify vulnerabilities in corporate voice technologies that might result in toll fraud, eavesdropping on calls, unauthorized access to voice mail systems, DoS attacks, etc.
- Telephone security assessment includes security assessment of PBXs, Voice over IP (VoIP) systems, modems, mailboxes, etc.

Social Engineering
- Social engineering refers to the non-technical information system attacks that rely on tricking people into divulging sensitive information.
- It exploits the trust, fear, and helping nature of humans to extract sensitive data such as security policies, sensitive documents, office network infrastructure, passwords, etc.
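Worked example for the input validation check above (SQL injection). This is an added example, not code from the original module: the schema, the two users and the payloads are constructed for illustration, and the queries run against an in-memory SQLite database so the script works offline. It shows the same login query built the vulnerable way (string concatenation) and the hardened way (parameterized), plus the allow-list that is needed where bind parameters cannot help (identifiers such as a sort column).

```python
"""Input-validation check from the web application testing slides: the same
login query written the way a vulnerable application builds it and the way a
hardened one does, run against an in-memory SQLite database.

Added example, not code from the original module; the schema, users and
payloads below are constructed for illustration."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name, password):
    """Builds SQL by string concatenation: attacker-controlled text becomes part
    of the query grammar, so quotes and comment markers change its meaning."""
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_safe(db, name, password):
    """Parameterized query: the driver passes the values separately from the
    statement text, so they can never be parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users(db, sort_by):
    """Identifiers (column names) cannot be bound as parameters, so the only
    safe option is an allow-list; anything not on it is rejected outright."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


# Classic authentication-bypass payloads a tester submits in the login form
BYPASS_PAYLOADS = ["' OR '1'='1", "alice' --", "' OR 1=1 --"]


def run_checks():
    """Return {payload: (vulnerable_login_succeeded, safe_login_succeeded)}.
    In the vulnerable version the payload rewrites the WHERE clause and the
    password is never really checked; in the safe version it is just a wrong
    literal, so authentication fails."""
    db = make_db()
    results = {}
    for payload in BYPASS_PAYLOADS:
        results[payload] = (login_vulnerable(db, payload, payload) is not None,
                            login_safe(db, payload, payload) is not None)
    return results


if __name__ == "__main__":
    for payload, (vuln, safe) in run_checks().items():
        print(f"{payload!r:20} vulnerable login: {vuln}   hardened login: {safe}")
```

When reviewing an application, grep for queries assembled with string formatting or concatenation; every one of them is a candidate for the vulnerable pattern above, even when the framework provides parameter binding for other queries.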
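Worked example for two checks that use the same probe: the perimeter test that examines the response to web server scans using methods such as POST, DELETE and COPY, and the configuration verification step that attempts to manipulate resources with PUT and DELETE. This is an added example, not code from the original module. The target is a constructed, deliberately permissive HTTP server started on localhost so the probe runs offline; it advertises only GET and POST in its Allow header but silently honours PUT and DELETE, the kind of gap between what a server claims and what it does that the probe is meant to expose. Point probe_methods() at a real host only under a signed ROE.

```python
"""HTTP method probe for perimeter and web-server configuration checks: ask
the server which methods it advertises (OPTIONS), then try the dangerous ones
directly, because the Allow header and the real behaviour often disagree.

Added example, not the original module's code. PermissiveHandler is a
constructed target so the probe runs offline against 127.0.0.1."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_METHODS = ["GET", "POST", "PUT", "DELETE", "TRACE", "COPY", "MOVE"]
# Methods that should not be reachable on an internet-facing web server
DANGEROUS = {"PUT", "DELETE", "TRACE", "COPY", "MOVE"}
STORE = {}  # resources the constructed target has accepted via PUT


class PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed target: advertises GET/POST/OPTIONS only, but honours PUT
    and DELETE anyway (misconfiguration the probe should flag)."""
    def log_message(self, *args):
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200, STORE.get(self.path, b"index"))

    def do_POST(self):
        self._reply(200)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        STORE[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_DELETE(self):
        self._reply(200 if STORE.pop(self.path, None) is not None else 404)

    def do_TRACE(self):
        self._reply(405)

    def do_COPY(self):
        self._reply(405)

    def do_MOVE(self):
        self._reply(405)


def start_target():
    """Start the constructed target on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), PermissiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_methods(host, port, path="/probe.txt"):
    """Return (advertised_methods, {method: status}). PUT carries a small
    marker body so a writable location is really exercised; DELETE runs
    right after it so the marker is removed again."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow_header = resp.getheader("Allow") or ""
    allow = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    status = {}
    for method in PROBE_METHODS:
        body = b"pentest-marker" if method == "PUT" else None
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        status[method] = resp.status
    conn.close()
    return allow, status


def findings(allow, status):
    """Flag dangerous methods the server accepted (2xx) and note when the
    accepted method was not even advertised in the Allow header."""
    issues = []
    for method in sorted(DANGEROUS):
        if 200 <= status.get(method, 0) < 300:
            note = "" if method in allow else ", not advertised in Allow"
            issues.append(f"{method} accepted (HTTP {status[method]}){note}")
    return issues


if __name__ == "__main__":
    srv = start_target()
    allow, status = probe_methods("127.0.0.1", srv.server_port)
    print("Allow:", sorted(allow))
    print(status)
    for issue in findings(allow, status):
        print("FINDING:", issue)
    srv.shutdown()
```

Against a real perimeter, run the same probe once directly at the web server and once through the published address so the filtering device is in the path; the difference between the two status maps is the perimeter's contribution, which is what the perimeter test is measuring.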
Testing Devices
- Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out the vulnerabilities that an attacker could exploit.
- Testing involves active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities.
- Black box testing simulates an attack from someone who has no prior knowledge of the system, and white box testing simulates an attack from someone who has complete knowledge about the system.
- A comprehensive report with details of the vulnerabilities discovered and a suite of recommended countermeasures is delivered to the executive, management, and technical audiences.

Denial of Service Emulation
- DoS attacks can be simulated using hardware and software tools.
- Simulating DoS attacks can be resource intensive.
- These tests are meant to check the effectiveness of anti-DoS devices.
- Some online services can be used to simulate DoS attacks for a nominal charge.

Outsourcing Penetration Testing Services
- To get the network audited by an external agency to acquire an intruder's point of view.
- The organization may require a specific security assessment and suggested corrective measures.
- Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions, or failure to perform professional services. It is also known as E&O (errors and omissions) professional indemnity insurance.

Terms of Engagement
- An organization sanctions a penetration test against any of its production systems after it agrees upon explicitly stated rules of engagement.
- They must state the terms of reference under which the agency can interact with the organization.
- They can specify the desired code of conduct, the procedures to be followed, and the nature of the interaction between the testers and the organization.

Project Scope
- Determining the scope of the pentest is essential to decide whether the test is a targeted test or a comprehensive test.
- Comprehensive assessments aim to uncover as many vulnerabilities as possible throughout the organization.
- A targeted test seeks to identify vulnerabilities in specific systems and practices.

Service Level Agreements
- A service level agreement is a contract that details the terms of service that an outsourcer will provide and the actions that will be taken in the event of serious disruption.
- SLAs drawn up by experts or professionals can include both remedies and penalties.

Penetration Testing Consultants
- The main role of penetration testing consultants includes validation of the security controls implemented across an organization's external or internal resources, such as firewalls, servers, and routers, and developing security policies and procedures.
- Hiring qualified penetration testers determines the quality of the penetration test.
- A proficient pen tester should possess experience in different IT fields such as software development, systems administration, and consultancy.
- Each area of the network must be examined in depth.

Module Summary
- A pen test simulates the methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
- Penetration testing assesses the security model of the organization as a whole and reveals the potential consequences of a real attacker breaking into the network.
- Internal testing involves testing computers and devices within the company.
- The components a pen test covers depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget.
- The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
- Security assessment categories are security audits, vulnerability assessments, and penetration testing.
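Worked example tying together the rules of engagement (time frame, testing hours, what is in scope) and the project scope slides: a gate that every scanner and exploit run is passed through before it touches a target, so that a typo in a target list cannot take the test outside the signed ROE. This is an added example, not part of the original module. The way the ROE is encoded here (authorised networks, carve-outs inside them, a testing window) is an assumed, simplified representation of what the contract states; the addresses and times are constructed, using the IETF documentation ranges rather than real hosts.

```python
"""Scope gate: refuse any target the rules of engagement (ROE) do not cover
before a scanner or exploit touches it.

Added example, not part of the original module. The ROE encoding below
(authorised networks, carve-outs, testing window) is an assumed, simplified
representation of what the signed contract and ROE state; addresses and
times are constructed for illustration."""
import ipaddress


def _hm(text):
    """'23:30' -> (23, 30); testing windows are given as clock times."""
    hours, minutes = text.split(":")
    return int(hours), int(minutes)


class RulesOfEngagement:
    def __init__(self, allowed, excluded=(), window=("22:00", "06:00")):
        # Networks/hosts the client authorised, and carve-outs inside them
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.start, self.end = _hm(window[0]), _hm(window[1])

    def in_window(self, now):
        """True if clock time 'HH:MM' is inside the agreed testing hours.
        The window may wrap past midnight (22:00 -> 06:00)."""
        t = _hm(now)
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


def check_target(roe, target, now):
    """Return (ok, reason). ok is True only when the target is inside an
    authorised range, not inside a carve-out, and the clock is in the window.
    Host names are rejected on purpose: resolve them first and gate the
    resulting IPs, otherwise a stale or third-party DNS answer can silently
    widen the scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    if not any(addr in net for net in roe.allowed):
        return False, f"{addr} is outside the authorised ranges"
    if any(addr in net for net in roe.excluded):
        return False, f"{addr} is explicitly excluded by the ROE"
    if not roe.in_window(now):
        return False, f"{now} is outside the agreed testing window"
    return True, "in scope"


def filter_targets(roe, targets, now):
    """Split a candidate list into approved targets and (target, reason) rejects."""
    approved, rejected = [], []
    for target in targets:
        ok, why = check_target(roe, target, now)
        if ok:
            approved.append(target)
        else:
            rejected.append((target, why))
    return approved, rejected


# Constructed ROE and candidate list (documentation ranges, not real hosts)
ROE = RulesOfEngagement(
    allowed=["203.0.113.0/24", "198.51.100.10"],
    excluded=["203.0.113.250"],      # e.g. the client's payment gateway
    window=("22:00", "06:00"),
)
CANDIDATES = ["203.0.113.25", "203.0.113.250", "198.51.100.10",
              "192.0.2.7", "www.example.com"]

if __name__ == "__main__":
    approved, rejected = filter_targets(ROE, CANDIDATES, "23:30")
    print("approved:", approved)
    for target, reason in rejected:
        print("rejected:", target, "-", reason)
```

Keep the rejected list with its reasons in the engagement log: it is the evidence, if a client later asks, that an out-of-scope address in a candidate list was never touched.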
