PENTEST. Pentest Services. VoIP & Web.

Transcription

1 PENTEST VoIP & Web Pentest Services

2 VoIP & WEB Penetration Testing The Experinced and National VoIP/Unified Communications R&D organization, NETAŞ NOVA Pentest Services test the applications, infrastructure and devices themselves to ensure they are protected from VoIP, WEB and Unified Communications-related attacks. Ensuring complete vulnerability and risk management, these services start with the discovery of all VoIP, WEB and Unified Communication assets, protocols, and applications on the networks which are then analyzed using the most up-to-date vulnerability information databases. VoIP/UC Targeting both enterprises and services providers looking to assess their VoIP/UC network or OEMs looking to test the latest VoIP/UC device, the VoIP/UC Pentest Service consist of 3 components: VoIP/UC Vulnerability Analysis Risk Assessment Penetration Testing

3 VoIP/UC Vulnerability Analysis The Vulnerability Analysis service evaluates the robustness of the VoIP/UC devices, infrastructure and applications on the network by using the following and other attack vectors: Identity Spoofing (Caller ID/ANI Spoofing) Conversation Eavesdropping / Sniffing Password Cracking Man-In-The-Middle SIP-Bye DoS SIP Bombing RTP Insertion Attacks Web Based Management Console Hacks Fuzzing Default Passwords This analysis is based on the attacker s location includes the network entry points where the attacker could breach the network security. An asset listing, threat analysis and remediation report is included as part of this service. This report highlights new vulnerabilities discovered and/or those fixed since the last threat analysis report if part of an ongoing service.

4 Risk Assessment Threats are carefully assessed and risk is prioritized based on asset value and probability of exploitation. An asset in this context is defined as a value-bearing component in the infrastructure or service where revenue is lost if the asset becomes unavailable. Penetration Testing The Penetration Testing service consists of launching ethical hacks on a controlled environment such as a lab or an isolated piece of a production network. Exploits of known vulnerabilities are launched, using the NOVA V-SPY and other tests, based on the information gathered about the network in the discovery phase. This test also exposes points where the attacker could breach the network security. A penetration testing report is generated which shows evidence of the existence of vulnerabilities along with the necessary recommendations. Components to be tested; VoIP Components 1. User Agents (devices) 6. Redirect Servers 2. Media gateways 7. Registrar Servers 3. Signaling gateways 8. Location Servers 4. Gatekeepers 9. Network management system 5. Proxy Servers 10. Billing systems

5 Web Application Penetration Testing NOVA Web Application Penetration Testing offers the most comprehensive web application penetration testing capabilities available in one solution. With NOVA Penetration Testing, you go beyond scanning to exploit and interact with vulnerable web applications just as an attacker could. In our methodology we integrates web application testing with network, endpoint and wireless testing, enabling you to assess your organization s ability to detect, prevent and respond to real-world, multi-staged threats. Identify weaknesses in web applications, web servers and associated databases Dynamically generate exploits that can compromise security weaknesses Demonstrate the potential consequences of a breach Gather information necessary for addressing security issues and preventing data incidents

6 Attack Vectors Server Vulnerabilities, Misconfiguration, DOSi Zero Day (Fuzzing) Application User Authentication, Session Management, Data validation, Functional Bugs User Social Engineering, Business Logic Used Vulnerability Templates Test Methodology Manual Automatic W-SPY Open Source Tools Commercial Hybrid Testing Process Reconnaicanse Mapping Discovery Exploit Reporting OWASP, CWE, NETAS Audit Checklist

7 KICK-OFF Kick-off Meeting and Preparation FOR Section KICKOFF the following steps achieved NDA Signing Test analysis document is filled by customer Understanding VLAN configuration, Network design and QoS requirements Reliable test tools are deployed on test computers that were wiped Secure encrypted partition is created on team workstation computer for store evidence PENTEST Analysis of Security Vulnerabilities and Weaknesses FOR Section PENTEST the following steps achieved The test environment is monitored and audited with security softwares During the test be required to accompany at least two staff Denial of Service attacks Social Engineering attacks Vulnerability assessment and exploitation of UC Network, Applications Individual test of product specific vulnerabilities In-depth security test of Mobile and Web Apps

8 AUDIT Configuration Check and Best Practices FOR Section AUDIT the following steps achieved Security audit check is fulfilled on network devices, OS, UC servers, UC Applications Topology and Configuration Analysis Voice policy, PSTN usage, security policy and procedures analysis Advanced architecture design review Dial plan, call routing and conference configuration validation Compliance with security standards DOCUMENTATION & CLEAN Detailed Report Presentation Cleaning of Environment FOR Section DOCUMENTATION & CLEAN the following steps achieved Report is generated with the data obtained during the test Test computer are wiped Offering Practical steps to take to solve and prevent UC problems Evidences are deleted

9 RETEST FOR Section RETEST the following steps achieved Required hardening procedures are applied after pentest Existing vulnerabilities are fixed or ignored Required security products, applications or services implementation Repeat the Pentest Detailed Info /NetasTR /NetasTR /NetasTR /company/netas NETAŞ TELEKOMÜNİKASYON A.Ş. Yenişehir Mahallesi Osmanlı Bulvarı No: Kurtköy-Pendik / İstanbul